vendor_fabric.secrets_sync.models

Configuration and result models for native SecretSync pipelines.

Module Contents

Classes

SyncOperation

Pipeline operation types.

OutputFormat

Diff output formats.

ProviderSession

Authenticated provider material passed through to the SecretSync binding.

SyncOptions

Options for pipeline execution.

LogConfig

Logging configuration.

VaultAuthAppRole

Vault AppRole authentication config.

VaultAuthToken

Vault token authentication config.

VaultAuthKubernetes

Vault Kubernetes authentication config.

VaultAuthConfig

Vault authentication config.

VaultConfig

Vault connection config.

ExecutionRoleConfig

Control Tower execution role config.

ControlTowerConfig

AWS Control Tower config.

ExecutionContextConfig

AWS execution context config.

AWSConfig

AWS config.

VaultSource

Vault source config.

AWSSource

AWS Secrets Manager source config.

Source

Source config.

MergeStoreVault

Vault merge store config.

MergeStoreS3

S3 merge store config.

MergeStoreConfig

Merge store config.

Target

Sync destination target.

AccountNamePattern

Dynamic target account-name routing pattern.

DynamicTarget

Runtime-discovered target config.

MergeSettings

Merge phase settings.

SyncSettings

Sync phase settings.

PipelineSettings

Pipeline settings.

ConfigInfo

Public configuration information.

ResultDetails

Operation detail counts.

TargetDiff

Diff summary for one target.

OperationResult

Outcome for one target and phase.

SyncResult

Aggregate pipeline result.

SecretSyncConfig

SecretSync pipeline configuration.

Functions

redacted_error

Return a redacted exception string.

Data

API

vendor_fabric.secrets_sync.models.AWS_ACCOUNT_ID_RE = 'compile(...)'
vendor_fabric.secrets_sync.models.ENV_PATTERN = 'compile(...)'
vendor_fabric.secrets_sync.models.MAX_ENV_VALUE_LENGTH = 10000
class vendor_fabric.secrets_sync.models.SyncOperation

Bases: enum.StrEnum

Pipeline operation types.

MERGE = 'merge'
SYNC = 'sync'
PIPELINE = 'pipeline'
class vendor_fabric.secrets_sync.models.OutputFormat

Bases: enum.StrEnum

Diff output formats.

HUMAN = 'human'
JSON = 'json'
GITHUB = 'github'
COMPACT = 'compact'
SIDE_BY_SIDE = 'side-by-side'
class vendor_fabric.secrets_sync.models.ProviderSession

Authenticated provider material passed through to the SecretSync binding.

delegate_auth: bool = False
vault_address: str = <Multiline-String>
vault_namespace: str = <Multiline-String>
vault_token: str = <Multiline-String>
aws_region: str = <Multiline-String>
aws_access_key_id: str = <Multiline-String>
aws_secret_access_key: str = <Multiline-String>
aws_session_token: str = <Multiline-String>
aws_role_arn: str = <Multiline-String>
aws_endpoint_url: str = <Multiline-String>
class vendor_fabric.secrets_sync.models.SyncOptions

Options for pipeline execution.

dry_run: bool = False
operation: vendor_fabric.secrets_sync.models.SyncOperation = None
targets: list[str] = 'field(...)'
continue_on_error: bool = True
parallelism: int = 4
compute_diff: bool = False
output_format: vendor_fabric.secrets_sync.models.OutputFormat = None
show_values: bool = False
delete_orphans: bool = False
class vendor_fabric.secrets_sync.models.LogConfig

Logging configuration.

level: str = 'info'
format: str = 'text'
class vendor_fabric.secrets_sync.models.VaultAuthAppRole

Vault AppRole authentication config.

mount: str = 'approle'
role_id: str = <Multiline-String>
secret_id: str = <Multiline-String>
class vendor_fabric.secrets_sync.models.VaultAuthToken

Vault token authentication config.

token: str = <Multiline-String>
class vendor_fabric.secrets_sync.models.VaultAuthKubernetes

Vault Kubernetes authentication config.

role: str = <Multiline-String>
mount_path: str = 'kubernetes'
class vendor_fabric.secrets_sync.models.VaultAuthConfig

Vault authentication config.

approle: vendor_fabric.secrets_sync.models.VaultAuthAppRole | None = None
token: vendor_fabric.secrets_sync.models.VaultAuthToken | None = None
kubernetes: vendor_fabric.secrets_sync.models.VaultAuthKubernetes | None = None
class vendor_fabric.secrets_sync.models.VaultConfig

Vault connection config.

address: str = <Multiline-String>
namespace: str = <Multiline-String>
auth: vendor_fabric.secrets_sync.models.VaultAuthConfig = 'field(...)'
max_traversal_depth: int | None = None
max_secrets_per_mount: int | None = None
queue_compaction_threshold: int | None = None
class vendor_fabric.secrets_sync.models.ExecutionRoleConfig

Control Tower execution role config.

name: str = 'AWSControlTowerExecution'
path: str = '/'
class vendor_fabric.secrets_sync.models.ControlTowerConfig

AWS Control Tower config.

enabled: bool = False
execution_role: vendor_fabric.secrets_sync.models.ExecutionRoleConfig = 'field(...)'
class vendor_fabric.secrets_sync.models.ExecutionContextConfig

AWS execution context config.

type: str = <Multiline-String>
account_id: str = <Multiline-String>
custom_role_pattern: str = <Multiline-String>
class vendor_fabric.secrets_sync.models.AWSConfig

AWS config.

region: str = 'us-east-1'
execution_context: vendor_fabric.secrets_sync.models.ExecutionContextConfig = 'field(...)'
control_tower: vendor_fabric.secrets_sync.models.ControlTowerConfig = 'field(...)'
class vendor_fabric.secrets_sync.models.VaultSource

Vault source config.

mount: str = <Multiline-String>
paths: list[str] = 'field(...)'
address: str = <Multiline-String>
namespace: str = <Multiline-String>
class vendor_fabric.secrets_sync.models.AWSSource

AWS Secrets Manager source config.

account_id: str = <Multiline-String>
region: str = <Multiline-String>
prefix: str = <Multiline-String>
tags: dict[str, str] = 'field(...)'
role_arn: str = <Multiline-String>
class vendor_fabric.secrets_sync.models.Source

Source config.

vault: vendor_fabric.secrets_sync.models.VaultSource | None = None
aws: vendor_fabric.secrets_sync.models.AWSSource | None = None
class vendor_fabric.secrets_sync.models.MergeStoreVault

Vault merge store config.

mount: str = 'merged-secrets'
class vendor_fabric.secrets_sync.models.MergeStoreS3

S3 merge store config.

bucket: str = <Multiline-String>
prefix: str = 'secrets-sync'
kms_key_id: str = <Multiline-String>
class vendor_fabric.secrets_sync.models.MergeStoreConfig

Merge store config.

vault: vendor_fabric.secrets_sync.models.MergeStoreVault | None = None
s3: vendor_fabric.secrets_sync.models.MergeStoreS3 | None = None
class vendor_fabric.secrets_sync.models.Target

Sync destination target.

account_id: str = <Multiline-String>
imports: list[str] = 'field(...)'
region: str = <Multiline-String>
secret_prefix: str = <Multiline-String>
role_arn: str = <Multiline-String>
class vendor_fabric.secrets_sync.models.AccountNamePattern

Dynamic target account-name routing pattern.

pattern: str = <Multiline-String>
target: str = <Multiline-String>
class vendor_fabric.secrets_sync.models.DynamicTarget

Runtime-discovered target config.

imports: list[str] = 'field(...)'
exclude: list[str] = 'field(...)'
account_name_patterns: list[vendor_fabric.secrets_sync.models.AccountNamePattern] = 'field(...)'
region: str = <Multiline-String>
secret_prefix: str = <Multiline-String>
role_arn: str = <Multiline-String>
discovery: dict[str, Any] = 'field(...)'
class vendor_fabric.secrets_sync.models.MergeSettings

Merge phase settings.

parallel: int = 4
class vendor_fabric.secrets_sync.models.SyncSettings

Sync phase settings.

parallel: int = 4
delete_orphans: bool = False
class vendor_fabric.secrets_sync.models.PipelineSettings

Pipeline settings.

merge: vendor_fabric.secrets_sync.models.MergeSettings = 'field(...)'
sync: vendor_fabric.secrets_sync.models.SyncSettings = 'field(...)'
dry_run: bool = False
continue_on_error: bool = True
class vendor_fabric.secrets_sync.models.ConfigInfo

Public configuration information.

valid: bool = False
error_message: str = <Multiline-String>
source_count: int = 0
target_count: int = 0
sources: list[str] = 'field(...)'
targets: list[str] = 'field(...)'
has_merge_store: bool = False
vault_address: str = <Multiline-String>
aws_region: str = <Multiline-String>
to_dict() -> extended_data.containers.ExtendedDict

Return an extended config info payload.

class vendor_fabric.secrets_sync.models.ResultDetails

Operation detail counts.

secrets_processed: int = 0
secrets_added: int = 0
secrets_modified: int = 0
secrets_removed: int = 0
secrets_unchanged: int = 0
source_paths: list[str] = 'field(...)'
destination_path: str = <Multiline-String>
role_arn: str = <Multiline-String>
failed_imports: list[str] = 'field(...)'
class vendor_fabric.secrets_sync.models.TargetDiff

Diff summary for one target.

target: str = None
phase: str = None
added: list[str] = 'field(...)'
modified: list[str] = 'field(...)'
removed: list[str] = 'field(...)'
unchanged: list[str] = 'field(...)'
property has_changes: bool

Return whether the target has changes.

class vendor_fabric.secrets_sync.models.OperationResult

Outcome for one target and phase.

target: str = None
phase: str = None
operation: str = None
success: bool = False
error_message: str = <Multiline-String>
duration_ms: int = 0
details: vendor_fabric.secrets_sync.models.ResultDetails = 'field(...)'
diff: vendor_fabric.secrets_sync.models.TargetDiff | None = None
class vendor_fabric.secrets_sync.models.SyncResult

Aggregate pipeline result.

success: bool = False
target_count: int = 0
secrets_processed: int = 0
secrets_added: int = 0
secrets_modified: int = 0
secrets_removed: int = 0
secrets_unchanged: int = 0
duration_ms: int = 0
error_message: str = <Multiline-String>
results: list[vendor_fabric.secrets_sync.models.OperationResult] = 'field(...)'
diff_output: str = <Multiline-String>
to_dict() -> extended_data.containers.ExtendedDict

Return an extended result payload with redacted diagnostics.

class vendor_fabric.secrets_sync.models.SecretSyncConfig

SecretSync pipeline configuration.

log: vendor_fabric.secrets_sync.models.LogConfig = 'field(...)'
vault: vendor_fabric.secrets_sync.models.VaultConfig = 'field(...)'
aws: vendor_fabric.secrets_sync.models.AWSConfig = 'field(...)'
sources: dict[str, vendor_fabric.secrets_sync.models.Source] = 'field(...)'
merge_store: vendor_fabric.secrets_sync.models.MergeStoreConfig = 'field(...)'
targets: dict[str, vendor_fabric.secrets_sync.models.Target] = 'field(...)'
dynamic_targets: dict[str, vendor_fabric.secrets_sync.models.DynamicTarget] = 'field(...)'
pipeline: vendor_fabric.secrets_sync.models.PipelineSettings = 'field(...)'
classmethod from_file(path: str | pathlib.Path, *, auto_detect: bool = True) -> vendor_fabric.secrets_sync.models.SecretSyncConfig

Load a pipeline configuration from YAML.

classmethod from_mapping(payload: collections.abc.Mapping[str, Any] | None) -> vendor_fabric.secrets_sync.models.SecretSyncConfig

Build a config from a mapping.

validate() -> None

Validate the configuration.

validate_target_inheritance() -> None

Reject circular target inheritance chains.

auto_configure() -> None

Apply safe defaults and create placeholder sources for imports.

expand_env_vars() -> None

Expand ${VAR} placeholders in sensitive auth fields.

apply_environment_overrides() -> None

Apply explicit SecretSync environment overrides.

get_source_path(import_name: str) -> str

Return the deterministic source path for an import.

role_arn_for_target(target: vendor_fabric.secrets_sync.models.Target) -> str

Return the AWS role ARN for a target.

info() -> vendor_fabric.secrets_sync.models.ConfigInfo

Return public configuration info.

vendor_fabric.secrets_sync.models.redacted_error(exc: BaseException) -> str

Return a redacted exception string.