import * as outputs from "../types/output";
export interface AccessApprovalPolicyApprover {
    /**
     * The ID of the approver
     */
    id?: string;
    /**
     * The type of approver. Either group or user
     */
    type: string;
    /**
     * The username of the approver. By default, this is the email
     */
    username?: string;
}
export interface AppConnection1passwordCredentials {
    /**
     * The API token to use for authentication. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/1password
     */
    apiToken: string;
    /**
     * The URL of the 1Password Connect instance to connect to. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/1password
     */
    instanceUrl: string;
}
export interface AppConnectionAwsCredentials {
    /**
     * The AWS Access Key ID used to authenticate requests to AWS services. Required for access-key access method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/aws#access-key
     */
    accessKeyId?: string;
    /**
     * The Amazon Resource Name (ARN) of the IAM role to assume for performing operations. Infisical will assume this role using AWS Security Token Service (STS). Required for assume-role access method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/aws#assume-role-recommended
     */
    roleArn?: string;
    /**
     * The AWS Secret Access Key associated with the Access Key ID to authenticate requests to AWS services. Required for access-key access method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/aws#access-key
     */
    secretAccessKey?: string;
}
export interface AppConnectionAzureAppConfigurationCredentials {
    /**
     * The Azure application (client) ID. Required for client-secret method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-app-configuration
     */
    clientId: string;
    /**
     * The Azure client secret. Required for client-secret method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-app-configuration
     */
    clientSecret: string;
    /**
     * The Azure Active Directory (AAD) tenant ID. Required for client-secret method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-app-configuration
     */
    tenantId: string;
}
export interface AppConnectionAzureClientSecretsCredentials {
    /**
     * The Azure application (client) ID. Required for client-secret method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-client-secrets
     */
    clientId: string;
    /**
     * The Azure client secret. Required for client-secret method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-client-secrets
     */
    clientSecret: string;
    /**
     * The Azure Active Directory (AAD) tenant ID. Required for client-secret method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-client-secrets
     */
    tenantId: string;
}
export interface AppConnectionAzureDevopsCredentials {
    /**
     * The Azure DevOps access token. Required for access-token method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-devops
     */
    accessToken?: string;
    /**
     * The Azure application (client) ID. Required for client-secret method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-client-secrets
     */
    clientId?: string;
    /**
     * The Azure client secret. Required for client-secret method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-client-secrets
     */
    clientSecret?: string;
    /**
     * The name of the Azure DevOps organization. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-devops
     */
    organizationName: string;
    /**
     * The Azure Active Directory (AAD) tenant ID. Required for client-secret method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-client-secrets
     */
    tenantId?: string;
}
export interface AppConnectionAzureKeyVaultCredentials {
    /**
     * The Azure application (client) ID. Required for key-vault method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-key-vault
     */
    clientId: string;
    /**
     * The Azure client secret. Required for key-vault method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-key-vault
     */
    clientSecret: string;
    /**
     * The Azure Active Directory (AAD) tenant ID. Required for key-vault method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-key-vault
     */
    tenantId: string;
}
export interface AppConnectionBitbucketCredentials {
    /**
     * The Bitbucket API token for authentication.
     */
    apiToken: string;
    /**
     * The email address associated with the Bitbucket API token.
     */
    email: string;
}
export interface AppConnectionCloudflareCredentials {
    /**
     * The Cloudflare Account ID. This can be found in the sidebar of your Cloudflare dashboard.
     */
    accountId: string;
    /**
     * The Cloudflare API token with the necessary permissions to manage Workers scripts. The token should have Zone:Zone:Read, Zone:Zone Settings:Read, and Zone:Zone:Edit permissions.
     */
    apiToken: string;
}
export interface AppConnectionDatabricksCredentials {
    /**
     * The client ID of the Databricks service principal.
     */
    clientId: string;
    /**
     * The client secret of the Databricks service principal.
     */
    clientSecret: string;
    /**
     * The workspace URL of the Databricks instance.
     */
    workspaceUrl: string;
}
export interface AppConnectionFlyioCredentials {
    /**
     * The Fly.io access token for authentication.
     */
    accessToken: string;
}
export interface AppConnectionGcpCredentials {
    /**
     * The service account email to connect with GCP. The service account ID (the part of the email before '@') must be suffixed with the first two sections of your organization ID e.g. service-account-df92581a-0fe9@my-project.iam.gserviceaccount.com. For more details, refer to the documentation here https://infisical.com/docs/integrations/app-connections/gcp#configure-service-account-for-infisical
     */
    serviceAccountEmail?: string;
}
export interface AppConnectionGithubCredentials {
    /**
     * The hostname of your GitHub Enterprise instance. Required when<span pulumi-lang-nodejs=" instanceType " pulumi-lang-dotnet=" InstanceType " pulumi-lang-go=" instanceType " pulumi-lang-python=" instance_type " pulumi-lang-yaml=" instanceType " pulumi-lang-java=" instanceType " pulumi-lang-hcl=" instance_type "> instanceType </span>is 'server'.
     */
    host?: string;
    /**
     * The type of GitHub instance. Use 'cloud' for GitHub.com (default) or 'server' for GitHub Enterprise. When 'server', host is required.
     */
    instanceType?: string;
    /**
     * The Personal Access Token used to access GitHub.
     */
    personalAccessToken: string;
}
export interface AppConnectionGitlabCredentials {
    /**
     * The Access Token used to access GitLab.
     */
    accessToken: string;
    /**
     * The type of token used to connect with GitLab. Supported options: 'project', 'personal', and 'group'
     */
    accessTokenType: string;
    /**
     * The GitLab instance URL to connect with. (default: https://gitlab.com)
     */
    instanceUrl?: string;
}
export interface AppConnectionHashicorpVaultCredentials {
    /**
     * The Vault access token. Required for the `access-token` method.
     */
    accessToken?: string;
    /**
     * The URL of the HashiCorp Vault instance, e.g. `https://vault.example.com`. Required for all methods.
     */
    instanceUrl?: string;
    /**
     * Optional Vault namespace. Only applicable to HCP Vault Dedicated and Enterprise deployments.
     */
    namespace?: string;
    /**
     * The AppRole role ID. Required for the `app-role` method.
     */
    roleId?: string;
    /**
     * The AppRole secret ID. Required for the `app-role` method.
     */
    secretId?: string;
}
export interface AppConnectionLdapCredentials {
    /**
     * The Distinguished Name (DN) or User Principal Name (UPN) of the principal to bind with (e.g., 'CN=John,CN=Users,DC=example,DC=com').
     */
    dn: string;
    /**
     * The password to bind with for authentication.
     */
    password: string;
    /**
     * The LDAP provider (e.g., 'active-directory').
     */
    provider: string;
    /**
     * The SSL certificate (PEM format) to use for secure connection when using ldaps:// with a self-signed certificate.
     */
    sslCertificate?: string;
    /**
     * Whether or not to reject unauthorized SSL certificates (true/false) when using ldaps://. Set to false only in test environments.
     */
    sslRejectUnauthorized: boolean;
    /**
     * The LDAP server URL (e.g., 'ldap://example.com:389' or 'ldaps://example.com:636').
     */
    url: string;
}
export interface AppConnectionMssqlCredentials {
    /**
     * The name of the database to connect to.
     */
    database: string;
    /**
     * The hostname of the database server.
     */
    host: string;
    /**
     * The password to connect to the database with.
     */
    password: string;
    /**
     * The port number of the database.
     */
    port: number;
    /**
     * The SSL certificate to use for connection.
     */
    sslCertificate?: string;
    /**
     * Whether or not to use SSL when connecting to the database.
     */
    sslEnabled: boolean;
    /**
     * Whether or not to reject unauthorized SSL certificates.
     */
    sslRejectUnauthorized: boolean;
    /**
     * The username to connect to the database with.
     */
    username: string;
}
export interface AppConnectionMysqlCredentials {
    /**
     * The name of the database to connect to.
     */
    database: string;
    /**
     * The hostname of the database server.
     */
    host: string;
    /**
     * The password to connect to the database with.
     */
    password: string;
    /**
     * The port number of the database.
     */
    port: number;
    /**
     * The SSL certificate to use for connection.
     */
    sslCertificate?: string;
    /**
     * Whether or not to use SSL when connecting to the database.
     */
    sslEnabled: boolean;
    /**
     * Whether or not to reject unauthorized SSL certificates.
     */
    sslRejectUnauthorized: boolean;
    /**
     * The username to connect to the database with.
     */
    username: string;
}
export interface AppConnectionOracledbCredentials {
    /**
     * The name of the database to connect to.
     */
    database: string;
    /**
     * The hostname of the database server.
     */
    host: string;
    /**
     * The password to connect to the database with.
     */
    password: string;
    /**
     * The port number of the database.
     */
    port: number;
    /**
     * The SSL certificate to use for connection.
     */
    sslCertificate?: string;
    /**
     * Whether or not to use SSL when connecting to the database.
     */
    sslEnabled: boolean;
    /**
     * Whether or not to reject unauthorized SSL certificates.
     */
    sslRejectUnauthorized: boolean;
    /**
     * The username to connect to the database with.
     */
    username: string;
}
export interface AppConnectionPostgresCredentials {
    /**
     * The name of the database to connect to.
     */
    database: string;
    /**
     * The hostname of the database server.
     */
    host: string;
    /**
     * The password to connect to the database with.
     */
    password: string;
    /**
     * The port number of the database.
     */
    port: number;
    /**
     * The SSL certificate to use for connection.
     */
    sslCertificate?: string;
    /**
     * Whether or not to use SSL when connecting to the database.
     */
    sslEnabled: boolean;
    /**
     * Whether or not to reject unauthorized SSL certificates.
     */
    sslRejectUnauthorized: boolean;
    /**
     * The username to connect to the database with.
     */
    username: string;
}
export interface AppConnectionRenderCredentials {
    /**
     * The API key to use for authentication. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/render
     */
    apiKey: string;
}
export interface AppConnectionSupabaseCredentials {
    /**
     * The Supabase access key for authentication.
     */
    accessKey: string;
    /**
     * The Supabase instance URL (e.g., https://your-domain.com).
     */
    instanceUrl?: string;
}
export interface CertManagerApplicationProfileAcmeConfig {
    /**
     * The ACME directory URL clients should use.
     */
    directoryUrl: string;
    /**
     * External Account Binding key identifier. Populated on create and on import; routine refreshes don't re-fetch it. Rotated only by the explicit rotate endpoint, never by Terraform.
     */
    eabKid: string;
    /**
     * External Account Binding shared secret. Populated on create and on import; routine refreshes don't re-fetch it. Rotated only by the explicit rotate endpoint, never by Terraform.
     */
    eabSecret: string;
    /**
     * Skip DNS ownership verification. Defaults to false.
     */
    skipDnsOwnershipVerification: boolean;
    /**
     * Skip External Account Binding. Defaults to false. Cannot be set to true at the same time as skip_dns_ownership_verification.
     */
    skipEabBinding: boolean;
}
export interface CertManagerApplicationProfileApiConfig {
    /**
     * Whether to automatically renew certificates. Defaults to false when omitted.
     */
    autoRenew: boolean;
    /**
     * Number of days before expiration to renew (1-30). Defaults to 7 when omitted.
     */
    renewBeforeDays: number;
}
export interface CertManagerApplicationProfileEstConfig {
    /**
     * PEM-encoded CA chain used for bootstrap CA validation (only honored when<span pulumi-lang-nodejs=" disableBootstrapCaValidation " pulumi-lang-dotnet=" DisableBootstrapCaValidation " pulumi-lang-go=" disableBootstrapCaValidation " pulumi-lang-python=" disable_bootstrap_ca_validation " pulumi-lang-yaml=" disableBootstrapCaValidation " pulumi-lang-java=" disableBootstrapCaValidation " pulumi-lang-hcl=" disable_bootstrap_ca_validation "> disableBootstrapCaValidation </span>is false).
     */
    caChain?: string;
    /**
     * Whether to disable bootstrap CA validation. Defaults to false.
     */
    disableBootstrapCaValidation: boolean;
    /**
     * The EST endpoint URL clients should use.
     */
    endpointUrl: string;
    /**
     * EST passphrase used to authorize certificate requests.
     */
    passphrase: string;
}
export interface CertManagerApplicationProfileScepConfig {
    /**
     * Allow certificate-based renewal. Defaults to true.
     */
    allowCertBasedRenewal: boolean;
    /**
     * The SCEP dynamic challenge endpoint URL (only set when<span pulumi-lang-nodejs=" challengeType " pulumi-lang-dotnet=" ChallengeType " pulumi-lang-go=" challengeType " pulumi-lang-python=" challenge_type " pulumi-lang-yaml=" challengeType " pulumi-lang-java=" challengeType " pulumi-lang-hcl=" challenge_type "> challengeType </span>is dynamic).
     */
    challengeEndpointUrl: string;
    /**
     * Static-mode SCEP challenge password (min 8 chars). Required when<span pulumi-lang-nodejs=" challengeType " pulumi-lang-dotnet=" ChallengeType " pulumi-lang-go=" challengeType " pulumi-lang-python=" challenge_type " pulumi-lang-yaml=" challengeType " pulumi-lang-java=" challengeType " pulumi-lang-hcl=" challenge_type "> challengeType </span>is static.
     */
    challengePassword?: string;
    /**
     * SCEP challenge type. Supported values: static, dynamic. Defaults to static.
     */
    challengeType: string;
    /**
     * Expiry of a dynamic challenge in minutes (1-1440). Only used when<span pulumi-lang-nodejs=" challengeType " pulumi-lang-dotnet=" ChallengeType " pulumi-lang-go=" challengeType " pulumi-lang-python=" challenge_type " pulumi-lang-yaml=" challengeType " pulumi-lang-java=" challengeType " pulumi-lang-hcl=" challenge_type "> challengeType </span>is dynamic.
     */
    dynamicChallengeExpiryMinutes: number;
    /**
     * Maximum pending dynamic challenges (1-1000). Only used when<span pulumi-lang-nodejs=" challengeType " pulumi-lang-dotnet=" ChallengeType " pulumi-lang-go=" challengeType " pulumi-lang-python=" challenge_type " pulumi-lang-yaml=" challengeType " pulumi-lang-java=" challengeType " pulumi-lang-hcl=" challenge_type "> challengeType </span>is dynamic.
     */
    dynamicChallengeMaxPending: number;
    /**
     * Include the issuing CA certificate in SCEP responses. Defaults to true.
     */
    includeCaCertInResponse: boolean;
    /**
     * ISO-8601 timestamp when the RA certificate expires.
     */
    raCertExpiresAt: string;
    /**
     * The PEM-encoded RA certificate used by the SCEP service.
     */
    raCertificatePem: string;
    /**
     * The SCEP endpoint URL clients should use.
     */
    scepEndpointUrl: string;
}
export interface CertManagerCertificatePolicyAlgorithms {
    /**
     * List of allowed key algorithms (at least one required). Supported values: RSA-2048, RSA-3072, RSA-4096, ECDSA-P256, ECDSA-P521, ECDSA-P384
     */
    keyAlgorithms: string[];
    /**
     * List of allowed signature algorithms (at least one required). Supported values: SHA256-RSA, SHA512-RSA, SHA384-ECDSA, SHA384-RSA, SHA256-ECDSA, SHA512-ECDSA
     */
    signatures: string[];
}
export interface CertManagerCertificatePolicyExtendedKeyUsages {
    /**
     * List of allowed extended key usages. Possible values: client_auth, server_auth, code_signing, email_protection, ocsp_signing, time_stamping
     */
    alloweds?: string[];
    /**
     * List of denied extended key usages. Possible values: client_auth, server_auth, code_signing, email_protection, ocsp_signing, time_stamping
     */
    denieds?: string[];
    /**
     * List of required extended key usages. Possible values: client_auth, server_auth, code_signing, email_protection, ocsp_signing, time_stamping
     */
    requireds?: string[];
}
export interface CertManagerCertificatePolicyKeyUsages {
    /**
     * List of allowed key usages. Possible values: digital_signature, key_encipherment, non_repudiation, data_encipherment, key_agreement, key_cert_sign, crl_sign, encipher_only, decipher_only
     */
    alloweds?: string[];
    /**
     * List of denied key usages. Possible values: digital_signature, key_encipherment, non_repudiation, data_encipherment, key_agreement, key_cert_sign, crl_sign, encipher_only, decipher_only
     */
    denieds?: string[];
    /**
     * List of required key usages. Possible values: digital_signature, key_encipherment, non_repudiation, data_encipherment, key_agreement, key_cert_sign, crl_sign, encipher_only, decipher_only
     */
    requireds?: string[];
}
export interface CertManagerCertificatePolicySan {
    /**
     * List of allowed values for this SAN type
     */
    alloweds?: string[];
    /**
     * List of denied values for this SAN type
     */
    denieds?: string[];
    /**
     * List of required values for this SAN type
     */
    requireds?: string[];
    /**
     * The SAN type. Possible values: dns_name, ip_address, email, uri
     */
    type: string;
}
export interface CertManagerCertificatePolicySubject {
    /**
     * List of allowed values for this subject attribute
     */
    alloweds?: string[];
    /**
     * List of denied values for this subject attribute
     */
    denieds?: string[];
    /**
     * List of required values for this subject attribute
     */
    requireds?: string[];
    /**
     * The subject attribute type. Possible values: common_name, organization, country
     */
    type: string;
}
export interface CertManagerCertificatePolicyValidity {
    /**
     * Maximum validity period (e.g., '90d', '2y', '6m')
     */
    max?: string;
}
export interface CertManagerCertificateProfileDefaults {
    /**
     * Default common name
     */
    commonName?: string;
    /**
     * Default country (C)
     */
    country?: string;
    /**
     * Default extended key usages. Supported values: client_auth, server_auth, code_signing, email_protection, ocsp_signing, time_stamping
     */
    extendedKeyUsages?: string[];
    /**
     * Default key algorithm. Supported values: RSA_2048, RSA_3072, RSA_4096, EC_prime256v1, EC_secp384r1, EC_secp521r1
     */
    keyAlgorithm?: string;
    /**
     * Default key usages. Supported values: digital_signature, key_encipherment, non_repudiation, data_encipherment, key_agreement, key_cert_sign, crl_sign, encipher_only, decipher_only
     */
    keyUsages?: string[];
    /**
     * Default locality (L)
     */
    locality?: string;
    /**
     * Default organization (O)
     */
    organization?: string;
    /**
     * Default organizational unit (OU)
     */
    organizationalUnit?: string;
    /**
     * Default signature algorithm. Supported values: RSA-SHA256, RSA-SHA384, RSA-SHA512, ECDSA-SHA256, ECDSA-SHA384, ECDSA-SHA512
     */
    signatureAlgorithm?: string;
    /**
     * Default state/province (ST)
     */
    state?: string;
    /**
     * Default certificate validity in days
     */
    ttlDays?: number;
}
export interface DynamicSecretAwsIamConfiguration {
    /**
     * Configuration for the 'access_key' authentication method.
     */
    accessKeyConfig?: outputs.DynamicSecretAwsIamConfigurationAccessKeyConfig;
    /**
     * Configuration for the 'assume_role' authentication method.
     */
    assumeRoleConfig?: outputs.DynamicSecretAwsIamConfigurationAssumeRoleConfig;
    /**
     * IAM AWS Path to scope created IAM User resource access.
     */
    awsPath?: string;
    /**
     * The authentication method to use. Must be 'access_key' or 'assume_role'.
     */
    method: string;
    /**
     * The IAM Policy ARN of the AWS Permissions Boundary to attach to IAM users created in the role.
     */
    permissionBoundaryPolicyArn?: string;
    /**
     * The AWS IAM managed policies that should be attached to the created users. Multiple values can be provided by separating them with commas
     */
    policyArns?: string;
    /**
     * The AWS IAM inline policy that should be attached to the created users. Multiple values can be provided by separating them with commas
     */
    policyDocument?: string;
    /**
     * The AWS data center region.
     */
    region: string;
    /**
     * The AWS IAM groups that should be assigned to the created users. Multiple values can be provided by separating them with commas
     */
    userGroups?: string;
}
export interface DynamicSecretAwsIamConfigurationAccessKeyConfig {
    /**
     * The managing AWS IAM User Access Key
     */
    accessKey: string;
    /**
     * The managing AWS IAM User Secret Key
     */
    secretAccessKey: string;
}
export interface DynamicSecretAwsIamConfigurationAssumeRoleConfig {
    /**
     * The ARN of the AWS Role to assume.
     */
    roleArn: string;
}
export interface DynamicSecretAwsIamMetadata {
    /**
     * The key of the metadata object
     */
    key: string;
    /**
     * The value of the metadata object
     */
    value: string;
}
export interface DynamicSecretKubernetesConfiguration {
    /**
     * Configuration for the 'api' authentication method.
     */
    apiConfig?: outputs.DynamicSecretKubernetesConfigurationApiConfig;
    /**
     * Optional list of audiences to include in the generated token.
     */
    audiences?: string[];
    /**
     * Choose between Token ('api') or 'gateway' authentication. If using Gateway, the Gateway must be deployed in your Kubernetes cluster.
     */
    authMethod: string;
    /**
     * Choose between 'static' (predefined service account) or 'dynamic' (temporary service accounts with role assignments).
     */
    credentialType: string;
    /**
     * Configuration for the 'dynamic' credential type.
     */
    dynamicConfig?: outputs.DynamicSecretKubernetesConfigurationDynamicConfig;
    /**
     * Select a gateway for private cluster access. If not specified, the Internet Gateway will be used.
     */
    gatewayId?: string;
    /**
     * Configuration for the 'static' credential type.
     */
    staticConfig?: outputs.DynamicSecretKubernetesConfigurationStaticConfig;
}
export interface DynamicSecretKubernetesConfigurationApiConfig {
    /**
     * Custom CA certificate for the Kubernetes API server. Leave blank to use the system/public CA.
     */
    ca?: string;
    /**
     * Service account token with permissions to create service accounts and manage RBAC.
     */
    clusterToken: string;
    /**
     * Kubernetes API server URL (e.g., https://kubernetes.default.svc).
     */
    clusterUrl: string;
    /**
     * Whether to enable SSL verification for the Kubernetes API server connection.
     */
    enableSsl?: boolean;
}
export interface DynamicSecretKubernetesConfigurationDynamicConfig {
    /**
     * Kubernetes namespace(s) where the service accounts will be created. You can specify multiple namespaces as a comma-separated list (e.g., “default,kube-system”). During lease creation, you can specify which namespace to use from this allowed list.
     */
    allowedNamespaces: string;
    /**
     * Name of the role to assign to the temporary service account.
     */
    role: string;
    /**
     * Type of role to assign ('cluster-role' or 'role').
     */
    roleType: string;
}
export interface DynamicSecretKubernetesConfigurationStaticConfig {
    /**
     * Kubernetes namespace where the service account exists.
     */
    namespace: string;
    /**
     * Name of the service account to generate tokens for.
     */
    serviceAccountName: string;
}
export interface DynamicSecretKubernetesMetadata {
    /**
     * The key of the metadata object
     */
    key: string;
    /**
     * The value of the metadata object
     */
    value: string;
}
export interface DynamicSecretMongoAtlasConfiguration {
    /**
     * Admin user private API key
     */
    adminPrivateKey: string;
    /**
     * Admin user public API key
     */
    adminPublicKey: string;
    /**
     * Unique 24-hexadecimal digit string that identifies your project. This is the same as the project ID.
     */
    groupId: string;
    roles: outputs.DynamicSecretMongoAtlasConfigurationRole[];
    scopes: outputs.DynamicSecretMongoAtlasConfigurationScope[];
}
export interface DynamicSecretMongoAtlasConfigurationRole {
    /**
     * Collection on which this role applies.
     */
    collectionName?: string;
    /**
     * Database to which the user is granted access privileges.
     */
    databaseName: string;
    /**
     * Human-readable label that identifies a group of privileges assigned to a database user. This value can either be a built-in role or a custom role.
     */
    roleName: string;
}
export interface DynamicSecretMongoAtlasConfigurationScope {
    /**
     * Human-readable label that identifies the cluster or MongoDB Atlas Data Lake that this database user can access.
     */
    name: string;
    /**
     * Category of resource that this database user can access. Supported options: CLUSTER, DATA_LAKE, STREAM
     */
    type: string;
}
export interface DynamicSecretMongoAtlasMetadata {
    /**
     * The key of the metadata object
     */
    key: string;
    /**
     * The value of the metadata object
     */
    value: string;
}
export interface DynamicSecretMongoDbConfiguration {
    /**
     * The CA certificate to use to connect to the database.
     */
    ca?: string;
    /**
     * The name of the database to use.
     */
    database: string;
    /**
     * The host of the database server.
     */
    host: string;
    /**
     * The password to use to connect to the database.
     */
    password: string;
    /**
     * The port of the database server.
     */
    port?: number;
    /**
     * A list of role names to assign to the user. The role names can either be built-in or custom.
     */
    roles: string[];
    /**
     * The username to use to connect to the database.
     */
    username: string;
}
export interface DynamicSecretMongoDbMetadata {
    /**
     * The key of the metadata object
     */
    key: string;
    /**
     * The value of the metadata object
     */
    value: string;
}
export interface DynamicSecretSqlDatabaseConfiguration {
    /**
     * The CA certificate to use to connect to the database.
     */
    ca?: string;
    /**
     * The database client to use. Currently supported values are postgres, mysql2, oracledb, mssql, sap-ase, and vertica.
     */
    client: string;
    /**
     * The creation statement to use to create the dynamic secret lease.
     */
    creationStatement: string;
    /**
     * The name of the database to use.
     */
    database: string;
    /**
     * The Gateway ID to use to connect to the database.
     */
    gatewayId?: string;
    /**
     * The host of the database server.
     */
    host: string;
    /**
     * The password to use to connect to the database.
     */
    password: string;
    /**
     * The password requirements to use to create the dynamic secret lease.
     */
    passwordRequirements?: outputs.DynamicSecretSqlDatabaseConfigurationPasswordRequirements;
    /**
     * The port of the database server.
     */
    port: number;
    /**
     * The renew statement to use to renew the dynamic secret lease.
     */
    renewStatement?: string;
    /**
     * The revocation statement to use to revoke the dynamic secret lease.
     */
    revocationStatement: string;
    /**
     * The username to use to connect to the database.
     */
    username: string;
}
export interface DynamicSecretSqlDatabaseConfigurationPasswordRequirements {
    /**
     * The symbols allowed in the password.
     */
    allowedSymbols?: string;
    /**
     * The length of the password to use to create the dynamic secret lease.
     */
    length: number;
    /**
     * The required characters to use to create the dynamic secret lease.
     */
    required: outputs.DynamicSecretSqlDatabaseConfigurationPasswordRequirementsRequired;
}
export interface DynamicSecretSqlDatabaseConfigurationPasswordRequirementsRequired {
    /**
     * The number of digits required in the password.
     */
    digits: number;
    /**
     * The number of lowercase characters required in the password.
     */
    lowercase: number;
    /**
     * The number of symbols required in the password.
     */
    symbols: number;
    /**
     * The number of uppercase characters required in the password.
     */
    uppercase: number;
}
export interface DynamicSecretSqlDatabaseMetadata {
    /**
     * The key of the metadata object
     */
    key: string;
    /**
     * The value of the metadata object
     */
    value: string;
}
export interface ExternalKmsAwsConfiguration {
    /**
     * The AWS KMS key ID to use for the external KMS. For more details, refer to the documentation here https://infisical.com/docs/documentation/platform/kms-configuration/aws-kms#param-aws-kms-key-id
     */
    awsKmsKeyId: string;
    /**
     * The AWS region where the KMS key is located
     */
    awsRegion: string;
    /**
     * The AWS credentials for the external KMS
     */
    credential: outputs.ExternalKmsAwsConfigurationCredential;
    /**
     * The Authentication Type to use. Must be access-key or assume-role
     */
    type: string;
}
export interface ExternalKmsAwsConfigurationCredential {
    /**
     * The AWS Access Key ID used to authenticate requests to AWS services. Required for access-key type. For more details, refer to the documentation here https://infisical.com/docs/documentation/platform/kms-configuration/aws-kms#param-access-key-id
     */
    accessKeyId?: string;
    /**
     * The Amazon Resource Name (ARN) of the IAM role to assume for performing operations. Infisical will assume this role using AWS Security Token Service (STS). Required for assume-role type. For more details, refer to the documentation here https://infisical.com/docs/documentation/platform/kms-configuration/aws-kms#param-iam-role-arn-for-role-assumption
     */
    roleArn?: string;
    /**
     * The external ID of the role to assume for performing operations. Required for assume-role type. For more details, refer to the documentation here https://infisical.com/docs/documentation/platform/kms-configuration/aws-kms#param-assume-role-external-id
     */
    roleExternalId?: string;
    /**
     * The AWS Secret Access Key associated with the Access Key ID to authenticate requests to AWS services. Required for access-key type. For more details, refer to the documentation here https://infisical.com/docs/documentation/platform/kms-configuration/aws-kms#param-secret-access-key
     */
    secretAccessKey?: string;
}
export interface GetGroupsGroup {
    /**
     * The ID of the group
     */
    id: string;
    /**
     * The name of the group
     */
    name: string;
    /**
     * The organization ID of the group
     */
    orgId: string;
    /**
     * The role of the group in the organization
     */
    role: string;
    /**
     * The role ID of the group in the organization
     */
    roleId: string;
}
export interface GetIdentityDetailsOrganization {
    /**
     * The ID of the organization
     */
    id: string;
    /**
     * The name of the organization
     */
    name: string;
    /**
     * The slug of the organization
     */
    slug: string;
}
export interface GetProjectsEnvironments {
    /**
     * The ID of the environment
     */
    id: string;
    /**
     * The name of the environment
     */
    name: string;
    /**
     * The slug of the environment
     */
    slug: string;
}
export interface GetSecretFoldersFolder {
    /**
     * The ID of the folder
     */
    id: string;
    /**
     * The name of the folder
     */
    name: string;
}
export interface GetSecretMetadataSecretMetadata {
    isEncrypted?: boolean;
    key?: string;
    value?: string;
}
export interface GetSecretMetadataTag {
    color?: string;
    id?: string;
    name?: string;
    slug?: string;
}
export interface GetSecretsSecrets {
    /**
     * The secret comment
     */
    comment: string;
    /**
     * The secret type (shared or personal)
     */
    secretType: string;
    /**
     * The secret value
     */
    value: string;
}
export interface IdentityAwsAuthAccessTokenTrustedIp {
    ipAddress: string;
}
export interface IdentityAzureAuthAccessTokenTrustedIp {
    ipAddress: string;
}
export interface IdentityGcpAuthAccessTokenTrustedIp {
    ipAddress: string;
}
export interface IdentityJwtAuthAccessTokenTrustedIp {
    ipAddress: string;
}
export interface IdentityKubernetesAuthAccessTokenTrustedIp {
    ipAddress: string;
}
export interface IdentityMetadata {
    /**
     * The key of the metadata object
     */
    key: string;
    /**
     * The value of the metadata object
     */
    value: string;
}
export interface IdentityOidcAuthAccessTokenTrustedIp {
    ipAddress: string;
}
export interface IdentityTokenAuthAccessTokenTrustedIp {
    ipAddress: string;
}
export interface IdentityUniversalAuthAccessTokenTrustedIp {
    ipAddress: string;
}
export interface IdentityUniversalAuthClientSecretTrustedIp {
    ipAddress: string;
}
export interface IntegrationAwsParameterStoreOptions {
    /**
     * Tags to attach to the AWS parameter store secrets.
     */
    awsTags?: outputs.IntegrationAwsParameterStoreOptionsAwsTag[];
    /**
     * Whether to disable deletion of existing secrets in AWS Parameter Store.
     */
    shouldDisableDelete: boolean;
}
export interface IntegrationAwsParameterStoreOptionsAwsTag {
    /**
     * The key of the tag.
     */
    key?: string;
    /**
     * The value of the tag.
     */
    value?: string;
}
export interface IntegrationAwsSecretsManagerOptions {
    /**
     * Tags to attach to the AWS Secrets Manager secrets.
     */
    awsTags?: outputs.IntegrationAwsSecretsManagerOptionsAwsTag[];
    /**
     * The sync mode for AWS tags. The supported options are `secret-metadata` and <span pulumi-lang-nodejs="`custom`" pulumi-lang-dotnet="`Custom`" pulumi-lang-go="`custom`" pulumi-lang-python="`custom`" pulumi-lang-yaml="`custom`" pulumi-lang-java="`custom`" pulumi-lang-hcl="`custom`">`custom`</span>. If `secret-metadata` is selected, the metadata of the Infisical secrets are used as tags in AWS (only supported for one-to-one integrations). If <span pulumi-lang-nodejs="`custom`" pulumi-lang-dotnet="`Custom`" pulumi-lang-go="`custom`" pulumi-lang-python="`custom`" pulumi-lang-yaml="`custom`" pulumi-lang-java="`custom`" pulumi-lang-hcl="`custom`">`custom`</span> is selected, then the key/value pairs in the <span pulumi-lang-nodejs="`awsTags`" pulumi-lang-dotnet="`AwsTags`" pulumi-lang-go="`awsTags`" pulumi-lang-python="`aws_tags`" pulumi-lang-yaml="`awsTags`" pulumi-lang-java="`awsTags`" pulumi-lang-hcl="`aws_tags`">`awsTags`</span> field is used.
     */
    metadataSyncMode?: string;
    /**
     * The prefix to add to the secret name in AWS Secrets Manager.
     */
    secretPrefix?: string;
}
export interface IntegrationAwsSecretsManagerOptionsAwsTag {
    /**
     * The key of the tag.
     */
    key?: string;
    /**
     * The value of the tag.
     */
    value?: string;
}
export interface IntegrationGcpSecretManagerOptions {
    /**
     * The prefix to add to the secret name in GCP Secret Manager.
     */
    secretPrefix?: string;
    /**
     * The suffix to add to the secret name in GCP Secret Manager.
     */
    secretSuffix?: string;
}
export interface OrgRolePermission {
    /**
     * Describe what actions an entity can take.
     */
    actions: string[];
    /**
     * When specified, only matching conditions will be allowed to access given resource. Refer to the documentation in https://infisical.com/docs/internals/permissions#conditions for the complete list of supported properties and operators.
     */
    conditions?: string;
    /**
     * Whether rule forbids. Set this to true if permission forbids.
     */
    inverted: boolean;
    /**
     * Describe the entity the permission pertains to.
     */
    subject: string;
}
export interface ProjectGroupRole {
    /**
     * Flag to indicate the assigned role is temporary or not. When<span pulumi-lang-nodejs=" isTemporary " pulumi-lang-dotnet=" IsTemporary " pulumi-lang-go=" isTemporary " pulumi-lang-python=" is_temporary " pulumi-lang-yaml=" isTemporary " pulumi-lang-java=" isTemporary " pulumi-lang-hcl=" is_temporary "> isTemporary </span>is true fields temporary_mode,<span pulumi-lang-nodejs=" temporaryRange " pulumi-lang-dotnet=" TemporaryRange " pulumi-lang-go=" temporaryRange " pulumi-lang-python=" temporary_range " pulumi-lang-yaml=" temporaryRange " pulumi-lang-java=" temporaryRange " pulumi-lang-hcl=" temporary_range "> temporaryRange </span>and<span pulumi-lang-nodejs=" temporaryAccessStartTime " pulumi-lang-dotnet=" TemporaryAccessStartTime " pulumi-lang-go=" temporaryAccessStartTime " pulumi-lang-python=" temporary_access_start_time " pulumi-lang-yaml=" temporaryAccessStartTime " pulumi-lang-java=" temporaryAccessStartTime " pulumi-lang-hcl=" temporary_access_start_time "> temporaryAccessStartTime </span>is required.
     */
    isTemporary?: boolean;
    /**
     * The slug of the role
     */
    roleSlug: string;
    /**
     * ISO time for which temporary access should begin. This is in the format YYYY-MM-DDTHH:MM:SSZ e.g. 2024-09-19T12:43:13Z
     */
    temporaryAccessStartTime?: string;
    /**
     * TTL for the temporary time. Eg: 1m, 1h, 1d. Default: 1h
     */
    temporaryRange?: string;
}
export interface ProjectIdentityIdentity {
    /**
     * The auth methods for the identity
     */
    authMethods: string[];
    /**
     * The ID of the identity
     */
    id: string;
    /**
     * The name of the identity
     */
    name: string;
}
export interface ProjectIdentityProvisioningMetadata {
    /**
     * The key of the metadata entry.
     */
    key: string;
    /**
     * The value of the metadata entry.
     */
    value: string;
}
export interface ProjectIdentityRole {
    /**
     * The id of the custom role slug
     */
    customRoleId: string;
    /**
     * The ID of the project identity role.
     */
    id: string;
    /**
     * Flag to indicate the assigned role is temporary or not. When<span pulumi-lang-nodejs=" isTemporary " pulumi-lang-dotnet=" IsTemporary " pulumi-lang-go=" isTemporary " pulumi-lang-python=" is_temporary " pulumi-lang-yaml=" isTemporary " pulumi-lang-java=" isTemporary " pulumi-lang-hcl=" is_temporary "> isTemporary </span>is true fields temporary_mode,<span pulumi-lang-nodejs=" temporaryRange " pulumi-lang-dotnet=" TemporaryRange " pulumi-lang-go=" temporaryRange " pulumi-lang-python=" temporary_range " pulumi-lang-yaml=" temporaryRange " pulumi-lang-java=" temporaryRange " pulumi-lang-hcl=" temporary_range "> temporaryRange </span>and<span pulumi-lang-nodejs=" temporaryAccessStartTime " pulumi-lang-dotnet=" TemporaryAccessStartTime " pulumi-lang-go=" temporaryAccessStartTime " pulumi-lang-python=" temporary_access_start_time " pulumi-lang-yaml=" temporaryAccessStartTime " pulumi-lang-java=" temporaryAccessStartTime " pulumi-lang-hcl=" temporary_access_start_time "> temporaryAccessStartTime </span>is required.
     */
    isTemporary: boolean;
    /**
     * The slug of the role
     */
    roleSlug: string;
    /**
     * ISO time for which temporary access will end. Computed based on<span pulumi-lang-nodejs=" temporaryRange " pulumi-lang-dotnet=" TemporaryRange " pulumi-lang-go=" temporaryRange " pulumi-lang-python=" temporary_range " pulumi-lang-yaml=" temporaryRange " pulumi-lang-java=" temporaryRange " pulumi-lang-hcl=" temporary_range "> temporaryRange </span>and temporary_access_start_time
     */
    temporaryAccessEndTime: string;
    /**
     * ISO time for which temporary access should begin. The current time is used by default.
     */
    temporaryAccessStartTime: string;
    /**
     * Type of temporary access given. Types: relative. Default: relative
     */
    temporaryMode: string;
    /**
     * TTL for the temporary time. Eg: 1m, 1h, 1d. Default: 1h
     */
    temporaryRange: string;
}
export interface ProjectIdentitySpecificPrivilegePermission {
    /**
     * Describe what action an entity can take. Enum: create,edit,delete,read
     */
    actions: string[];
    /**
     * The conditions to scope permissions
     */
    conditions: outputs.ProjectIdentitySpecificPrivilegePermissionConditions;
    /**
     * Describe what action an entity can take. Enum: role,member,groups,settings,integrations,webhooks,service-tokens,environments,tags,audit-logs,ip-allowlist,workspace,secrets,secret-rollback,secret-approval,secret-rotation,identity,certificate-authorities,certificates,certificate-policies,kms,pki-alerts,pki-collections
     */
    subject: string;
}
export interface ProjectIdentitySpecificPrivilegePermissionConditions {
    /**
     * The environment slug this permission should allow.
     */
    environment: string;
    /**
     * The secret path this permission should be scoped to
     */
    secretPath?: string;
}
export interface ProjectIdentitySpecificPrivilegePermissionsV2 {
    /**
     * Describe what actions an entity can take.
     */
    actions: string[];
    /**
     * When specified, only matching conditions will be allowed to access given resource. Refer to the documentation in https://infisical.com/docs/internals/permissions#conditions for the complete list of supported properties and operators.
     */
    conditions?: string;
    /**
     * Whether rule forbids. Set this to true if permission forbids.
     */
    inverted: boolean;
    /**
     * Describe the entity the permission pertains to.
     */
    subject: string;
}
export interface ProjectRolePermission {
    /**
     * Describe what action an entity can take. Enum: create,edit,delete,read
     */
    action: string;
    /**
     * The conditions to scope permissions
     */
    conditions?: outputs.ProjectRolePermissionConditions;
    /**
     * Describe what action an entity can take. Enum: role,member,groups,settings,integrations,webhooks,service-tokens,environments,tags,audit-logs,ip-allowlist,workspace,secrets,secret-rollback,secret-approval,secret-rotation,identity,certificate-authorities,certificates,certificate-policies,kms,pki-alerts,pki-collections
     */
    subject: string;
}
export interface ProjectRolePermissionConditions {
    /**
     * The environment slug this permission should allow.
     */
    environment?: string;
    /**
     * The secret path this permission should be scoped to
     */
    secretPath?: string;
}
export interface ProjectRolePermissionsV2 {
    /**
     * Describe what actions an entity can take.
     */
    actions: string[];
    /**
     * When specified, only matching conditions will be allowed to access given resource. Refer to the documentation in https://infisical.com/docs/internals/permissions#conditions for the complete list of supported properties and operators.
     */
    conditions?: string;
    /**
     * Whether rule forbids. Set this to true if permission forbids.
     */
    inverted: boolean;
    /**
     * Describe the entity the permission pertains to.
     */
    subject: string;
}
export interface ProjectTemplateEnvironment {
    /**
     * The name of the environment
     */
    name: string;
    /**
     * The position of the environment
     */
    position: number;
    /**
     * The slug of the environment
     */
    slug: string;
}
export interface ProjectTemplateRole {
    /**
     * The name of the role
     */
    name: string;
    /**
     * The permissions assigned to the role. Refer to the documentation here https://infisical.com/docs/api-reference/endpoints/project-templates/create#body-roles-permissions for its usage.
     */
    permissions: outputs.ProjectTemplateRolePermission[];
    /**
     * The slug of the role
     */
    slug: string;
}
export interface ProjectTemplateRolePermission {
    /**
     * Describe what actions an entity can take.
     */
    actions: string[];
    /**
     * When specified, only matching conditions will be allowed to access given resource. Refer to the documentation in https://infisical.com/docs/internals/permissions#conditions for the complete list of supported properties and operators.
     */
    conditions?: string;
    /**
     * Whether rule forbids. Set this to true if permission forbids.
     */
    inverted: boolean;
    /**
     * Describe the entity the permission pertains to.
     */
    subject: string;
}
export interface ProjectUserRole {
    /**
     * The id of the custom role slug
     */
    customRoleId: string;
    /**
     * The ID of the project user role.
     */
    id: string;
    /**
     * Flag to indicate the assigned role is temporary or not. When<span pulumi-lang-nodejs=" isTemporary " pulumi-lang-dotnet=" IsTemporary " pulumi-lang-go=" isTemporary " pulumi-lang-python=" is_temporary " pulumi-lang-yaml=" isTemporary " pulumi-lang-java=" isTemporary " pulumi-lang-hcl=" is_temporary "> isTemporary </span>is true fields temporary_mode,<span pulumi-lang-nodejs=" temporaryRange " pulumi-lang-dotnet=" TemporaryRange " pulumi-lang-go=" temporaryRange " pulumi-lang-python=" temporary_range " pulumi-lang-yaml=" temporaryRange " pulumi-lang-java=" temporaryRange " pulumi-lang-hcl=" temporary_range "> temporaryRange </span>and<span pulumi-lang-nodejs=" temporaryAccessStartTime " pulumi-lang-dotnet=" TemporaryAccessStartTime " pulumi-lang-go=" temporaryAccessStartTime " pulumi-lang-python=" temporary_access_start_time " pulumi-lang-yaml=" temporaryAccessStartTime " pulumi-lang-java=" temporaryAccessStartTime " pulumi-lang-hcl=" temporary_access_start_time "> temporaryAccessStartTime </span>is required.
     */
    isTemporary: boolean;
    /**
     * The slug of the role
     */
    roleSlug: string;
    /**
     * ISO time for which temporary access will end. Computed based on<span pulumi-lang-nodejs=" temporaryRange " pulumi-lang-dotnet=" TemporaryRange " pulumi-lang-go=" temporaryRange " pulumi-lang-python=" temporary_range " pulumi-lang-yaml=" temporaryRange " pulumi-lang-java=" temporaryRange " pulumi-lang-hcl=" temporary_range "> temporaryRange </span>and temporary_access_start_time
     */
    temporaryAccessEndTime: string;
    /**
     * ISO time for which temporary access should begin. The current time is used by default.
     */
    temporaryAccessStartTime: string;
    /**
     * Type of temporary access given. Types: relative. Default: relative
     */
    temporaryMode: string;
    /**
     * TTL for the temporary time. Eg: 1m, 1h, 1d. Default: 1h
     */
    temporaryRange: string;
}
export interface ProjectUserUser {
    /**
     * The email of the user
     */
    email: string;
    /**
     * The first name of the user
     */
    firstName: string;
    /**
     * The id of the user
     */
    id: string;
    /**
     * The last name of the user
     */
    lastName: string;
}
export interface SecretApprovalPolicyApprover {
    /**
     * The ID of the approver
     */
    id?: string;
    /**
     * The type of approver. Either group or user
     */
    type: string;
    /**
     * The username of the approver. By default, this is the email
     */
    username?: string;
}
export interface SecretRotationAwsIamUserSecretParameters {
    /**
     * The AWS region the client is present in.
     */
    region: string;
    /**
     * The name of the client to rotate credentials for.
     */
    userName: string;
}
export interface SecretRotationAwsIamUserSecretRotateAtUtc {
    /**
     * The hour at which the rotation should occur (UTC).
     */
    hours: number;
    /**
     * The minute at which the rotation should occur (UTC).
     */
    minutes: number;
}
export interface SecretRotationAwsIamUserSecretSecretsMapping {
    /**
     * The name of the secret that the access key ID will be mapped to.
     */
    accessKeyId: string;
    /**
     * The name of the secret that the rotated secret access key will be mapped to.
     */
    secretAccessKey: string;
}
export interface SecretRotationAwsIamUserSecretTemporaryParameters {
}
export interface SecretRotationAzureClientSecretParameters {
    /**
     * The client ID of the Azure Application to rotate the client secret for.
     */
    clientId: string;
    /**
     * The ID of the Azure Application to rotate the client secret for.
     */
    objectId: string;
}
export interface SecretRotationAzureClientSecretRotateAtUtc {
    /**
     * The hour at which the rotation should occur (UTC).
     */
    hours: number;
    /**
     * The minute at which the rotation should occur (UTC).
     */
    minutes: number;
}
export interface SecretRotationAzureClientSecretSecretsMapping {
    /**
     * The name of the secret that the client ID will be mapped to.
     */
    clientId: string;
    /**
     * The name of the secret that the rotated client secret will be mapped to.
     */
    clientSecret: string;
}
export interface SecretRotationAzureClientSecretTemporaryParameters {
}
export interface SecretRotationLdapPasswordParameters {
    /**
     * The Distinguished Name (DN) of the LDAP entry to rotate the password for.
     */
    dn: string;
    /**
     * Password generation requirements.
     */
    passwordRequirements: outputs.SecretRotationLdapPasswordParametersPasswordRequirements;
    /**
     * The method to use for rotating the password. Supported options: connection-principal and target-principal (default: connection-principal)
     */
    rotationMethod?: string;
}
export interface SecretRotationLdapPasswordParametersPasswordRequirements {
    /**
     * String of allowed symbols for password generation.
     */
    allowedSymbols?: string;
    /**
     * The length of the generated password.
     */
    length: number;
    /**
     * Required character types in the generated password.
     */
    required: outputs.SecretRotationLdapPasswordParametersPasswordRequirementsRequired;
}
export interface SecretRotationLdapPasswordParametersPasswordRequirementsRequired {
    /**
     * Minimum number of digits required in the password.
     */
    digits: number;
    /**
     * Minimum number of lowercase letters required in the password.
     */
    lowercase: number;
    /**
     * Minimum number of symbols required in the password.
     */
    symbols: number;
    /**
     * Minimum number of uppercase letters required in the password.
     */
    uppercase: number;
}
export interface SecretRotationLdapPasswordRotateAtUtc {
    /**
     * The hour at which the rotation should occur (UTC).
     */
    hours: number;
    /**
     * The minute at which the rotation should occur (UTC).
     */
    minutes: number;
}
export interface SecretRotationLdapPasswordSecretsMapping {
    /**
     * The name of the secret that the Distinguished Name will be mapped to.
     */
    dn: string;
    /**
     * The name of the secret that the generated password will be mapped to.
     */
    password: string;
}
export interface SecretRotationLdapPasswordTemporaryParameters {
    /**
     * The password of the provided principal if 'parameters.rotation_method' is set to 'target-principal'.
     */
    password?: string;
}
export interface SecretRotationMssqlCredentialsParameters {
    /**
     * The username of the first login to rotate passwords for. This user must already exists in your database.
     */
    username1: string;
    /**
     * The username of the second login to rotate passwords for. This user must already exists in your database.
     */
    username2: string;
}
export interface SecretRotationMssqlCredentialsRotateAtUtc {
    /**
     * The hour at which the rotation should occur (UTC).
     */
    hours: number;
    /**
     * The minute at which the rotation should occur (UTC).
     */
    minutes: number;
}
export interface SecretRotationMssqlCredentialsSecretsMapping {
    /**
     * The name of the secret that the generated password will be mapped to.
     */
    password: string;
    /**
     * The name of the secret that the active username will be mapped to.
     */
    username: string;
}
export interface SecretRotationMssqlCredentialsTemporaryParameters {
}
export interface SecretRotationMysqlCredentialsParameters {
    /**
     * The username of the first login to rotate passwords for. This user must already exists in your database.
     */
    username1: string;
    /**
     * The username of the second login to rotate passwords for. This user must already exists in your database.
     */
    username2: string;
}
export interface SecretRotationMysqlCredentialsRotateAtUtc {
    /**
     * The hour at which the rotation should occur (UTC).
     */
    hours: number;
    /**
     * The minute at which the rotation should occur (UTC).
     */
    minutes: number;
}
export interface SecretRotationMysqlCredentialsSecretsMapping {
    /**
     * The name of the secret that the generated password will be mapped to.
     */
    password: string;
    /**
     * The name of the secret that the active username will be mapped to.
     */
    username: string;
}
export interface SecretRotationMysqlCredentialsTemporaryParameters {
}
export interface SecretRotationOracledbCredentialsParameters {
    /**
     * The username of the first login to rotate passwords for. This user must already exists in your database.
     */
    username1: string;
    /**
     * The username of the second login to rotate passwords for. This user must already exists in your database.
     */
    username2: string;
}
export interface SecretRotationOracledbCredentialsRotateAtUtc {
    /**
     * The hour at which the rotation should occur (UTC).
     */
    hours: number;
    /**
     * The minute at which the rotation should occur (UTC).
     */
    minutes: number;
}
export interface SecretRotationOracledbCredentialsSecretsMapping {
    /**
     * The name of the secret that the generated password will be mapped to.
     */
    password: string;
    /**
     * The name of the secret that the active username will be mapped to.
     */
    username: string;
}
export interface SecretRotationOracledbCredentialsTemporaryParameters {
}
export interface SecretRotationPostgresCredentialsParameters {
    /**
     * The username of the first login to rotate passwords for. This user must already exists in your database.
     */
    username1: string;
    /**
     * The username of the second login to rotate passwords for. This user must already exists in your database.
     */
    username2: string;
}
export interface SecretRotationPostgresCredentialsRotateAtUtc {
    /**
     * The hour at which the rotation should occur (UTC).
     */
    hours: number;
    /**
     * The minute at which the rotation should occur (UTC).
     */
    minutes: number;
}
export interface SecretRotationPostgresCredentialsSecretsMapping {
    /**
     * The name of the secret that the generated password will be mapped to.
     */
    password: string;
    /**
     * The name of the secret that the active username will be mapped to.
     */
    username: string;
}
export interface SecretRotationPostgresCredentialsTemporaryParameters {
}
export interface SecretSecretReminder {
    /**
     * Note for the secret rotation reminder
     */
    note?: string;
    /**
     * Frequency of secret rotation reminder in days
     */
    repeatDays: number;
}
export interface SecretSync1passwordDestinationConfig {
    /**
     * The label of the 1Password item field which will hold your secret value. For example, if you were to sync Infisical secret 'foo: bar', the 1Password item equivalent would have an item title of 'foo', and a field on that item 'value: bar'. The field label 'value' is what gets changed by this option
     */
    valueLabel?: string;
    /**
     * The ID of the 1Password vault to sync secrets to
     */
    vaultId: string;
}
export interface SecretSync1passwordSyncOptions {
    /**
     * When set to true, Infisical will not remove secrets from 1Password. Enable this option if you intend to manage some secrets manually outside of Infisical.
     */
    disableSecretDeletion: boolean;
    /**
     * Specify how Infisical should resolve the initial sync to the destination. Supported options: overwrite-destination, import-prioritize-source, import-prioritize-destination
     */
    initialSyncBehavior: string;
    /**
     * The format to use for structuring secret keys in the 1Password destination.
     */
    keySchema?: string;
}
export interface SecretSyncAwsParameterStoreDestinationConfig {
    /**
     * The AWS region of your AWS Parameter Store
     */
    awsRegion: string;
    /**
     * The path in the AWS Parameter Store where the secrets will be stored, Example: /example/path/
     */
    path: string;
}
export interface SecretSyncAwsParameterStoreSyncOptions {
    /**
     * The AWS KMS key ID to use for encryption
     */
    awsKmsKeyId?: string;
    /**
     * When set to true, Infisical will not remove secrets from AWS Parameter Store. Enable this option if you intend to manage some secrets manually outside of Infisical.
     */
    disableSecretDeletion: boolean;
    /**
     * Specify how Infisical should resolve the initial sync to the destination. Supported options: overwrite-destination, import-prioritize-source, import-prioritize-destination
     */
    initialSyncBehavior: string;
    /**
     * The format to use for structuring secret keys in the AWS Parameter Store destination.
     */
    keySchema?: string;
    /**
     * Whether to sync the secret metadata as tags
     */
    syncSecretMetadataAsTags: boolean;
    /**
     * The tags to sync to the secret
     */
    tags?: outputs.SecretSyncAwsParameterStoreSyncOptionsTag[];
}
export interface SecretSyncAwsParameterStoreSyncOptionsTag {
    /**
     * The key of the tag
     */
    key: string;
    /**
     * The value of the tag
     */
    value: string;
}
export interface SecretSyncAwsSecretsManagerDestinationConfig {
    /**
     * The AWS region of your AWS Secrets Manager
     */
    awsRegion: string;
    /**
     * The name of the AWS secret to map to. This only applies when<span pulumi-lang-nodejs=" mappingBehavior " pulumi-lang-dotnet=" MappingBehavior " pulumi-lang-go=" mappingBehavior " pulumi-lang-python=" mapping_behavior " pulumi-lang-yaml=" mappingBehavior " pulumi-lang-java=" mappingBehavior " pulumi-lang-hcl=" mapping_behavior "> mappingBehavior </span>is set to 'many-to-one'.
     */
    awsSecretsManagerSecretName?: string;
    /**
     * The behavior of the mapping. Can be 'many-to-one' or 'one-to-one'. Many to One: All Infisical secrets will be mapped to a single AWS secret. One to One: Each Infisical secret will be mapped to its own AWS secret.
     */
    mappingBehavior: string;
}
export interface SecretSyncAwsSecretsManagerSyncOptions {
    /**
     * The AWS KMS key ID to use for encryption
     */
    awsKmsKeyId?: string;
    /**
     * When set to true, Infisical will not remove secrets from AWS Secrets Manager. Enable this option if you intend to manage some secrets manually outside of Infisical.
     */
    disableSecretDeletion: boolean;
    /**
     * Specify how Infisical should resolve the initial sync to the destination. Supported options: overwrite-destination, import-prioritize-source, import-prioritize-destination
     */
    initialSyncBehavior: string;
    /**
     * The format to use for structuring secret keys in the AWS Secrets Manager destination.
     */
    keySchema?: string;
    /**
     * Whether to sync the secret metadata as tags. This is only supported for the 'one-to-one' mapping behavior.
     */
    syncSecretMetadataAsTags: boolean;
    /**
     * The tags to sync to the secret
     */
    tags?: outputs.SecretSyncAwsSecretsManagerSyncOptionsTag[];
}
export interface SecretSyncAwsSecretsManagerSyncOptionsTag {
    /**
     * The key of the tag
     */
    key: string;
    /**
     * The value of the tag
     */
    value: string;
}
export interface SecretSyncAzureAppConfigurationDestinationConfig {
    /**
     * The URL of your Azure App Configuration
     */
    configurationUrl: string;
    /**
     * The label to attach to secrets created in Azure App Configuration
     */
    label: string;
}
export interface SecretSyncAzureAppConfigurationSyncOptions {
    /**
     * When set to true, Infisical will not remove secrets from Azure App Configuration. Enable this option if you intend to manage some secrets manually outside of Infisical.
     */
    disableSecretDeletion: boolean;
    /**
     * Specify how Infisical should resolve the initial sync to the destination. Supported options: overwrite-destination, import-prioritize-source, import-prioritize-destination
     */
    initialSyncBehavior: string;
    /**
     * The format to use for structuring secret keys in the Azure App Configuration destination.
     */
    keySchema?: string;
}
export interface SecretSyncAzureDevopsDestinationConfig {
    /**
     * The ID of the Azure DevOps project to sync secrets to.
     */
    devopsProjectId: string;
}
export interface SecretSyncAzureDevopsSyncOptions {
    /**
     * When set to true, Infisical will not remove secrets from Azure DevOps. Enable this option if you intend to manage some secrets manually outside of Infisical.
     */
    disableSecretDeletion: boolean;
    /**
     * The format to use for structuring secret keys in the Azure DevOps destination.
     */
    keySchema?: string;
}
export interface SecretSyncAzureKeyVaultDestinationConfig {
    /**
     * The base URL of your Azure Key Vault
     */
    vaultBaseUrl: string;
}
export interface SecretSyncAzureKeyVaultSyncOptions {
    /**
     * When set to true, Infisical will not remove secrets from Azure Key Vault. Enable this option if you intend to manage some secrets manually outside of Infisical.
     */
    disableSecretDeletion: boolean;
    /**
     * Specify how Infisical should resolve the initial sync to the destination. Supported options: overwrite-destination, import-prioritize-source, import-prioritize-destination
     */
    initialSyncBehavior: string;
    /**
     * The format to use for structuring secret keys in the Azure Key Vault destination.
     */
    keySchema?: string;
}
export interface SecretSyncBitbucketDestinationConfig {
    /**
     * The Bitbucket deployment environment ID (optional).
     */
    environmentId?: string;
    /**
     * The Bitbucket repository slug to sync secrets to.
     */
    repositorySlug: string;
    /**
     * The Bitbucket workspace slug.
     */
    workspaceSlug: string;
}
export interface SecretSyncBitbucketSyncOptions {
    /**
     * When set to true, Infisical will not remove secrets from Bitbucket. Enable this option if you intend to manage some secrets manually outside of Infisical.
     */
    disableSecretDeletion: boolean;
    /**
     * Specify how Infisical should resolve the initial sync to the destination. Supported options: overwrite-destination
     */
    initialSyncBehavior: string;
    /**
     * The format to use for structuring secret keys in the Bitbucket destination.
     */
    keySchema?: string;
}
export interface SecretSyncCloudflarePagesDestinationConfig {
    /**
     * The Cloudflare Pages environment (production, preview) where the secrets will be synced
     */
    environment: string;
    /**
     * The Cloudflare Pages project name where the secrets will be synced
     */
    projectName: string;
}
export interface SecretSyncCloudflarePagesSyncOptions {
    /**
     * When set to true, Infisical will not remove secrets from Cloudflare Pages. Enable this option if you intend to manage some secrets manually outside of Infisical.
     */
    disableSecretDeletion: boolean;
    /**
     * Specify how Infisical should resolve the initial sync to the destination. Supported options: overwrite-destination, import-prioritize-source, import-prioritize-destination
     */
    initialSyncBehavior: string;
    /**
     * The format to use for structuring secret keys in the Cloudflare Pages destination.
     */
    keySchema?: string;
}
export interface SecretSyncCloudflareWorkersDestinationConfig {
    /**
     * The Cloudflare Workers script ID where the secrets will be synced
     */
    scriptId: string;
}
export interface SecretSyncCloudflareWorkersSyncOptions {
    /**
     * When set to true, Infisical will not remove secrets from Cloudflare Workers. Enable this option if you intend to manage some secrets manually outside of Infisical.
     */
    disableSecretDeletion: boolean;
    /**
     * Specify how Infisical should resolve the initial sync to the destination. Supported options: overwrite-destination, import-prioritize-source, import-prioritize-destination
     */
    initialSyncBehavior: string;
    /**
     * The format to use for structuring secret keys in the Cloudflare Workers destination.
     */
    keySchema?: string;
}
export interface SecretSyncDatabricksDestinationConfig {
    /**
     * The Databricks secret scope to sync secrets to.
     */
    scope: string;
}
export interface SecretSyncDatabricksSyncOptions {
    /**
     * When set to true, Infisical will not remove secrets from Databricks. Enable this option if you intend to manage some secrets manually outside of Infisical.
     */
    disableSecretDeletion: boolean;
    /**
     * Specify how Infisical should resolve the initial sync to the destination. Supported options: overwrite-destination
     */
    initialSyncBehavior: string;
    /**
     * The format to use for structuring secret keys in the Databricks destination.
     */
    keySchema?: string;
}
export interface SecretSyncFlyioDestinationConfig {
    /**
     * The Fly.io app ID to sync secrets to.
     */
    appId: string;
}
export interface SecretSyncFlyioSyncOptions {
    /**
     * When set to true, Infisical will not remove secrets from Fly.io. Enable this option if you intend to manage some secrets manually outside of Infisical.
     */
    disableSecretDeletion: boolean;
    /**
     * Specify how Infisical should resolve the initial sync to the destination. Supported options: overwrite-destination
     */
    initialSyncBehavior: string;
    /**
     * The format to use for structuring secret keys in the Fly.io destination.
     */
    keySchema?: string;
}
export interface SecretSyncGcpSecretManagerDestinationConfig {
    /**
     * The GCP region to sync secrets to (e.g. us-east1). Required when scope is 'region' and must not be set when scope is 'global'.
     */
    locationId?: string;
    /**
     * The ID of the GCP project to sync with
     */
    projectId: string;
    /**
     * The scope of the sync with GCP Secret Manager. Supported options: global, region
     */
    scope: string;
}
export interface SecretSyncGcpSecretManagerSyncOptions {
    /**
     * When set to true, Infisical will not remove secrets from GCP Secret Manager. Enable this option if you intend to manage some secrets manually outside of Infisical.
     */
    disableSecretDeletion: boolean;
    /**
     * Specify how Infisical should resolve the initial sync to the destination. Supported options: overwrite-destination, import-prioritize-source, import-prioritize-destination
     */
    initialSyncBehavior: string;
    /**
     * The format to use for structuring secret keys in the GCP Secret Manager destination.
     */
    keySchema?: string;
}
export interface SecretSyncGithubDestinationConfig {
    /**
     * The environment to sync the secrets to, required if scope is `repository-environment`
     */
    repositoryEnvironment?: string;
    /**
     * The repository to sync the secrets to, required if scope is <span pulumi-lang-nodejs="`repository`" pulumi-lang-dotnet="`Repository`" pulumi-lang-go="`repository`" pulumi-lang-python="`repository`" pulumi-lang-yaml="`repository`" pulumi-lang-java="`repository`" pulumi-lang-hcl="`repository`">`repository`</span> or `repository-environment`. This is only the name of the repository, without the repository owner included. As an example if you have a repository called Infisical/go-sdk, you would only need to provide `go-sdk` here.
     */
    repositoryName?: string;
    /**
     * The owner of the Github repository, required if scope is <span pulumi-lang-nodejs="`repository`" pulumi-lang-dotnet="`Repository`" pulumi-lang-go="`repository`" pulumi-lang-python="`repository`" pulumi-lang-yaml="`repository`" pulumi-lang-java="`repository`" pulumi-lang-hcl="`repository`">`repository`</span>, `repository-environment`, or <span pulumi-lang-nodejs="`organization`" pulumi-lang-dotnet="`Organization`" pulumi-lang-go="`organization`" pulumi-lang-python="`organization`" pulumi-lang-yaml="`organization`" pulumi-lang-java="`organization`" pulumi-lang-hcl="`organization`">`organization`</span>. This is the organization name, or the username for personal repositories. As an example if you have a repository called Infisical/go-sdk, you would only need to provide `Infisical` here.
     */
    repositoryOwner?: string;
    /**
     * The scope to sync the secrets to, repository|organization
     */
    scope: string;
    /**
     * The repository ids to sync the secrets to, required if scope is <span pulumi-lang-nodejs="`organization`" pulumi-lang-dotnet="`Organization`" pulumi-lang-go="`organization`" pulumi-lang-python="`organization`" pulumi-lang-yaml="`organization`" pulumi-lang-java="`organization`" pulumi-lang-hcl="`organization`">`organization`</span> and the visibility field is set to <span pulumi-lang-nodejs="`selected`" pulumi-lang-dotnet="`Selected`" pulumi-lang-go="`selected`" pulumi-lang-python="`selected`" pulumi-lang-yaml="`selected`" pulumi-lang-java="`selected`" pulumi-lang-hcl="`selected`">`selected`</span>
     */
    selectedRepositoryIds?: number[];
    /**
     * The visibility of the Github repository, required if scope is <span pulumi-lang-nodejs="`organization`" pulumi-lang-dotnet="`Organization`" pulumi-lang-go="`organization`" pulumi-lang-python="`organization`" pulumi-lang-yaml="`organization`" pulumi-lang-java="`organization`" pulumi-lang-hcl="`organization`">`organization`</span>. Accepted values are: <span pulumi-lang-nodejs="`all`" pulumi-lang-dotnet="`All`" pulumi-lang-go="`all`" pulumi-lang-python="`all`" pulumi-lang-yaml="`all`" pulumi-lang-java="`all`" pulumi-lang-hcl="`all`">`all`</span>|<span pulumi-lang-nodejs="`private`" pulumi-lang-dotnet="`Private`" pulumi-lang-go="`private`" pulumi-lang-python="`private`" pulumi-lang-yaml="`private`" pulumi-lang-java="`private`" pulumi-lang-hcl="`private`">`private`</span>|<span pulumi-lang-nodejs="`selected`" pulumi-lang-dotnet="`Selected`" pulumi-lang-go="`selected`" pulumi-lang-python="`selected`" pulumi-lang-yaml="`selected`" pulumi-lang-java="`selected`" pulumi-lang-hcl="`selected`">`selected`</span>
     */
    visibility?: string;
}
export interface SecretSyncGithubSyncOptions {
    /**
     * When set to true, Infisical will not remove secrets from Github. Enable this option if you intend to manage some secrets manually outside of Infisical.
     */
    disableSecretDeletion: boolean;
    /**
     * Specify how Infisical should resolve the initial sync to the destination. Supported options: overwrite-destination
     */
    initialSyncBehavior: string;
    /**
     * The format to use for structuring secret keys in the Github destination.
     */
    keySchema?: string;
}
export interface SecretSyncGitlabDestinationConfig {
    /**
     * The GitLab Group ID to sync secrets to. Required when scope is 'group'.
     */
    groupId?: string;
    /**
     * The GitLab Group Name to sync secrets to. Optional when scope is 'group'.
     */
    groupName?: string;
    /**
     * The GitLab Project ID to sync secrets to. Required when scope is 'project'.
     */
    projectId?: string;
    /**
     * The GitLab Project Name to sync secrets to. Optional when scope is 'project'.
     */
    projectName?: string;
    /**
     * The GitLab scope that secrets should be synced to. Supported options: 'project', 'group'
     */
    scope: string;
    /**
     * Whether variables should be hidden
     */
    shouldHideSecrets: boolean;
    /**
     * Whether variables should be masked in logs
     */
    shouldMaskSecrets: boolean;
    /**
     * Whether variables should be protected
     */
    shouldProtectSecrets: boolean;
    /**
     * The GitLab environment scope that secrets should be synced to. (default: *)
     */
    targetEnvironment: string;
}
export interface SecretSyncGitlabSyncOptions {
    /**
     * When set to true, Infisical will not remove secrets from GitLab. Enable this option if you intend to manage some secrets manually outside of Infisical.
     */
    disableSecretDeletion: boolean;
    /**
     * Specify how Infisical should resolve the initial sync to the destination. Supported options: overwrite-destination
     */
    initialSyncBehavior: string;
    /**
     * The format to use for structuring secret keys in the GitLab destination.
     */
    keySchema?: string;
}
export interface SecretSyncRenderDestinationConfig {
    /**
     * The Render scope that secrets should be synced to. Supported options: service
     */
    scope: string;
    /**
     * The ID of the Render service to sync secrets to.
     */
    serviceId: string;
    /**
     * The Render resource type to sync secrets to. Supported options: env, file
     */
    type: string;
}
export interface SecretSyncRenderSyncOptions {
    /**
     * When set to true, Infisical will not remove secrets from Render. Enable this option if you intend to manage some secrets manually outside of Infisical.
     */
    disableSecretDeletion: boolean;
    /**
     * Specify how Infisical should resolve the initial sync to the destination. Supported options: overwrite-destination
     */
    initialSyncBehavior: string;
    /**
     * The format to use for structuring secret keys in the Render destination.
     */
    keySchema?: string;
}
export interface SecretSyncSupabaseDestinationConfig {
    /**
     * The Supabase project ID to sync secrets to.
     */
    projectId: string;
    /**
     * The Supabase project name (optional).
     */
    projectName?: string;
}
export interface SecretSyncSupabaseSyncOptions {
    /**
     * When set to true, Infisical will not remove secrets from Supabase. Enable this option if you intend to manage some secrets manually outside of Infisical.
     */
    disableSecretDeletion: boolean;
    /**
     * Specify how Infisical should resolve the initial sync to the destination. Supported options: overwrite-destination
     */
    initialSyncBehavior: string;
    /**
     * The format to use for structuring secret keys in the Supabase destination.
     */
    keySchema?: string;
}
export declare namespace config {
    interface Auth {
        /**
         * The configuration values for AWS IAM Auth
         */
        awsIam?: outputs.config.AuthAwsIam;
        /**
         * The configuration values for Kubernetes Auth
         */
        kubernetes?: outputs.config.AuthKubernetes;
        /**
         * The configuration values for OIDC Auth
         */
        oidc?: outputs.config.AuthOidc;
        /**
         * When set, this will scope the login session to the specified organization the machine identity has access to. If left empty, the session defaults to the organization where the machine identity was created in.
         */
        organizationSlug?: string;
        /**
         * The authentication token for Machine Identity Token Auth. This attribute can also be set using the `INFISICAL_TOKEN` environment variable
         */
        token?: string;
        /**
         * The configuration values for Universal Auth
         */
        universal?: outputs.config.AuthUniversal;
    }
    interface AuthAwsIam {
        /**
         * Machine identity ID. This attribute can also be set using the `INFISICAL_MACHINE_IDENTITY_ID` environment variable
         */
        identityId?: string;
    }
    interface AuthKubernetes {
        /**
         * Machine identity ID. This attribute can also be set using the `INFISICAL_MACHINE_IDENTITY_ID` environment variable
         */
        identityId?: string;
        /**
         * The service account token. This attribute can also be set using the `INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN` environment variable
         */
        serviceAccountToken?: string;
        /**
         * The path to the service account token. This attribute can also be set using the `INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH` environment variable. Default is `/var/run/secrets/kubernetes.io/serviceaccount/token`.
         */
        serviceAccountTokenPath?: string;
    }
    interface AuthOidc {
        /**
         * Machine identity ID. This attribute can also be set using the `INFISICAL_MACHINE_IDENTITY_ID` environment variable
         */
        identityId?: string;
        /**
         * The environment variable name for the OIDC JWT token. This attribute can also be set using the `INFISICAL_OIDC_AUTH_TOKEN_KEY_NAME` environment variable. Default is `INFISICAL_AUTH_JWT`.
         */
        tokenEnvironmentVariableName?: string;
    }
    interface AuthUniversal {
        /**
         * Machine identity client ID. This attribute can also be set using the `INFISICAL_UNIVERSAL_AUTH_CLIENT_ID` environment variable
         */
        clientId?: string;
        /**
         * Machine identity client secret. This attribute can also be set using the `INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET` environment variable
         */
        clientSecret?: string;
    }
}
//# sourceMappingURL=output.d.ts.map