Viewing docs for HashiCorp Vault v7.9.0
published on Thursday, May 21, 2026 by Pulumi
published on Thursday, May 21, 2026 by Pulumi
Viewing docs for HashiCorp Vault v7.9.0
published on Thursday, May 21, 2026 by Pulumi
published on Thursday, May 21, 2026 by Pulumi
Manages external plugins registered in the plugin catalog.
Important All data provided in the resource configuration will be written in cleartext to state and plan files generated by Terraform, and will appear in the console output when Terraform runs. Protect these artifacts accordingly. See the main provider documentation for more details.
For more information on managing external plugins, please refer to the Vault documentation.
Example Usage
Register an Official Enterprise plugin (version vX.Y.Z+ent)
The version is required for enterprise plugins.
The sha256 and command shoud not be set for an enterprise plugin.
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const oracle = new vault.Plugin("oracle", {
type: "database",
name: "vault-plugin-database-oracle",
version: "v0.13.0+ent",
});
import pulumi
import pulumi_vault as vault
oracle = vault.Plugin("oracle",
type="database",
name="vault-plugin-database-oracle",
version="v0.13.0+ent")
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v7/go/vault"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := vault.NewPlugin(ctx, "oracle", &vault.PluginArgs{
Type: pulumi.String("database"),
Name: pulumi.String("vault-plugin-database-oracle"),
Version: pulumi.String("v0.13.0+ent"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var oracle = new Vault.Plugin("oracle", new()
{
Type = "database",
Name = "vault-plugin-database-oracle",
Version = "v0.13.0+ent",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Plugin;
import com.pulumi.vault.PluginArgs;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var oracle = new Plugin("oracle", PluginArgs.builder()
.type("database")
.name("vault-plugin-database-oracle")
.version("v0.13.0+ent")
.build());
}
}
resources:
oracle:
type: vault:Plugin
properties:
type: database
name: vault-plugin-database-oracle
version: v0.13.0+ent
Example coming soon!
Register a CE plugin (version vX.Y.Z)
The sha256 and command are required to register a CE plugin.
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const jwt = new vault.Plugin("jwt", {
type: "auth",
name: "jwt",
command: "vault-plugin-auth-jwt",
version: "v0.17.0",
sha256: "6bd0a803ed742aa3ce35e4fa23d2c8d550e6c1567bf63410cec489c28b68b0fc",
envs: ["HTTP_PROXY=http://proxy.example.com:8080"],
});
const jwtAuth = new vault.AuthBackend("jwt_auth", {type: jwt.name});
import pulumi
import pulumi_vault as vault
jwt = vault.Plugin("jwt",
type="auth",
name="jwt",
command="vault-plugin-auth-jwt",
version="v0.17.0",
sha256="6bd0a803ed742aa3ce35e4fa23d2c8d550e6c1567bf63410cec489c28b68b0fc",
envs=["HTTP_PROXY=http://proxy.example.com:8080"])
jwt_auth = vault.AuthBackend("jwt_auth", type=jwt.name)
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v7/go/vault"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
jwt, err := vault.NewPlugin(ctx, "jwt", &vault.PluginArgs{
Type: pulumi.String("auth"),
Name: pulumi.String("jwt"),
Command: pulumi.String("vault-plugin-auth-jwt"),
Version: pulumi.String("v0.17.0"),
Sha256: pulumi.String("6bd0a803ed742aa3ce35e4fa23d2c8d550e6c1567bf63410cec489c28b68b0fc"),
Envs: pulumi.StringArray{
pulumi.String("HTTP_PROXY=http://proxy.example.com:8080"),
},
})
if err != nil {
return err
}
_, err = vault.NewAuthBackend(ctx, "jwt_auth", &vault.AuthBackendArgs{
Type: jwt.Name,
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var jwt = new Vault.Plugin("jwt", new()
{
Type = "auth",
Name = "jwt",
Command = "vault-plugin-auth-jwt",
Version = "v0.17.0",
Sha256 = "6bd0a803ed742aa3ce35e4fa23d2c8d550e6c1567bf63410cec489c28b68b0fc",
Envs = new[]
{
"HTTP_PROXY=http://proxy.example.com:8080",
},
});
var jwtAuth = new Vault.AuthBackend("jwt_auth", new()
{
Type = jwt.Name,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Plugin;
import com.pulumi.vault.PluginArgs;
import com.pulumi.vault.AuthBackend;
import com.pulumi.vault.AuthBackendArgs;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var jwt = new Plugin("jwt", PluginArgs.builder()
.type("auth")
.name("jwt")
.command("vault-plugin-auth-jwt")
.version("v0.17.0")
.sha256("6bd0a803ed742aa3ce35e4fa23d2c8d550e6c1567bf63410cec489c28b68b0fc")
.envs("HTTP_PROXY=http://proxy.example.com:8080")
.build());
var jwtAuth = new AuthBackend("jwtAuth", AuthBackendArgs.builder()
.type(jwt.name())
.build());
}
}
resources:
jwt:
type: vault:Plugin
properties:
type: auth
name: jwt
command: vault-plugin-auth-jwt
version: v0.17.0
sha256: 6bd0a803ed742aa3ce35e4fa23d2c8d550e6c1567bf63410cec489c28b68b0fc
envs:
- HTTP_PROXY=http://proxy.example.com:8080
jwtAuth:
type: vault:AuthBackend
name: jwt_auth
properties:
type: ${jwt.name}
Example coming soon!
Create Plugin Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Plugin(name: string, args: PluginArgs, opts?: CustomResourceOptions);@overload
def Plugin(resource_name: str,
args: PluginArgs,
opts: Optional[ResourceOptions] = None)
@overload
def Plugin(resource_name: str,
opts: Optional[ResourceOptions] = None,
type: Optional[str] = None,
args: Optional[Sequence[str]] = None,
command: Optional[str] = None,
envs: Optional[Sequence[str]] = None,
name: Optional[str] = None,
oci_image: Optional[str] = None,
runtime: Optional[str] = None,
sha256: Optional[str] = None,
version: Optional[str] = None)func NewPlugin(ctx *Context, name string, args PluginArgs, opts ...ResourceOption) (*Plugin, error)public Plugin(string name, PluginArgs args, CustomResourceOptions? opts = null)
public Plugin(String name, PluginArgs args)
public Plugin(String name, PluginArgs args, CustomResourceOptions options)
type: vault:Plugin
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
resource "vault_plugin" "name" {
# resource properties
}Parameters
- name string
- The unique name of the resource.
- args PluginArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args PluginArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args PluginArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args PluginArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args PluginArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var pluginResource = new Vault.Plugin("pluginResource", new()
{
Type = "string",
Args = new[]
{
"string",
},
Command = "string",
Envs = new[]
{
"string",
},
Name = "string",
OciImage = "string",
Runtime = "string",
Sha256 = "string",
Version = "string",
});
example, err := vault.NewPlugin(ctx, "pluginResource", &vault.PluginArgs{
Type: pulumi.String("string"),
Args: pulumi.StringArray{
pulumi.String("string"),
},
Command: pulumi.String("string"),
Envs: pulumi.StringArray{
pulumi.String("string"),
},
Name: pulumi.String("string"),
OciImage: pulumi.String("string"),
Runtime: pulumi.String("string"),
Sha256: pulumi.String("string"),
Version: pulumi.String("string"),
})
resource "vault_plugin" "pluginResource" {
type = "string"
args = ["string"]
command = "string"
envs = ["string"]
name = "string"
oci_image = "string"
runtime = "string"
sha256 = "string"
version = "string"
}
var pluginResource = new Plugin("pluginResource", PluginArgs.builder()
.type("string")
.args("string")
.command("string")
.envs("string")
.name("string")
.ociImage("string")
.runtime("string")
.sha256("string")
.version("string")
.build());
plugin_resource = vault.Plugin("pluginResource",
type="string",
args=["string"],
command="string",
envs=["string"],
name="string",
oci_image="string",
runtime="string",
sha256="string",
version="string")
const pluginResource = new vault.Plugin("pluginResource", {
type: "string",
args: ["string"],
command: "string",
envs: ["string"],
name: "string",
ociImage: "string",
runtime: "string",
sha256: "string",
version: "string",
});
type: vault:Plugin
properties:
args:
- string
command: string
envs:
- string
name: string
ociImage: string
runtime: string
sha256: string
type: string
version: string
Plugin Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The Plugin resource accepts the following input properties:
- Type string
- Type of plugin; one of "auth", "secret", or "database".
- Args List<string>
- List of additional args to pass to the plugin.
- Command string
- Command to execute the plugin, relative to the server's configured
pluginDirectory. Need to be set for non-enterprise plugin. - Envs List<string>
- List of additional environment variables to run the plugin with in KEY=VALUE form.
- Name string
- Name of the plugin.
- Oci
Image string - Specifies OCI image to run. If specified, setting
command,args, andenvwill update the container's entrypoint, args, and environment variables (append-only) respectively. - Runtime string
- Vault plugin runtime to use if
ociImageis specified. - Sha256 string
- SHA256 sum of the plugin binary. Need to be set for non-enterprise plugin.
- Version string
- Semantic version of the plugin. Required for official enterprise plugins.
- Type string
- Type of plugin; one of "auth", "secret", or "database".
- Args []string
- List of additional args to pass to the plugin.
- Command string
- Command to execute the plugin, relative to the server's configured
pluginDirectory. Need to be set for non-enterprise plugin. - Envs []string
- List of additional environment variables to run the plugin with in KEY=VALUE form.
- Name string
- Name of the plugin.
- Oci
Image string - Specifies OCI image to run. If specified, setting
command,args, andenvwill update the container's entrypoint, args, and environment variables (append-only) respectively. - Runtime string
- Vault plugin runtime to use if
ociImageis specified. - Sha256 string
- SHA256 sum of the plugin binary. Need to be set for non-enterprise plugin.
- Version string
- Semantic version of the plugin. Required for official enterprise plugins.
- type string
- Type of plugin; one of "auth", "secret", or "database".
- args list(string)
- List of additional args to pass to the plugin.
- command string
- Command to execute the plugin, relative to the server's configured
pluginDirectory. Need to be set for non-enterprise plugin. - envs list(string)
- List of additional environment variables to run the plugin with in KEY=VALUE form.
- name string
- Name of the plugin.
- oci_
image string - Specifies OCI image to run. If specified, setting
command,args, andenvwill update the container's entrypoint, args, and environment variables (append-only) respectively. - runtime string
- Vault plugin runtime to use if
ociImageis specified. - sha256 string
- SHA256 sum of the plugin binary. Need to be set for non-enterprise plugin.
- version string
- Semantic version of the plugin. Required for official enterprise plugins.
- type String
- Type of plugin; one of "auth", "secret", or "database".
- args List<String>
- List of additional args to pass to the plugin.
- command String
- Command to execute the plugin, relative to the server's configured
pluginDirectory. Need to be set for non-enterprise plugin. - envs List<String>
- List of additional environment variables to run the plugin with in KEY=VALUE form.
- name String
- Name of the plugin.
- oci
Image String - Specifies OCI image to run. If specified, setting
command,args, andenvwill update the container's entrypoint, args, and environment variables (append-only) respectively. - runtime String
- Vault plugin runtime to use if
ociImageis specified. - sha256 String
- SHA256 sum of the plugin binary. Need to be set for non-enterprise plugin.
- version String
- Semantic version of the plugin. Required for official enterprise plugins.
- type string
- Type of plugin; one of "auth", "secret", or "database".
- args string[]
- List of additional args to pass to the plugin.
- command string
- Command to execute the plugin, relative to the server's configured
pluginDirectory. Need to be set for non-enterprise plugin. - envs string[]
- List of additional environment variables to run the plugin with in KEY=VALUE form.
- name string
- Name of the plugin.
- oci
Image string - Specifies OCI image to run. If specified, setting
command,args, andenvwill update the container's entrypoint, args, and environment variables (append-only) respectively. - runtime string
- Vault plugin runtime to use if
ociImageis specified. - sha256 string
- SHA256 sum of the plugin binary. Need to be set for non-enterprise plugin.
- version string
- Semantic version of the plugin. Required for official enterprise plugins.
- type str
- Type of plugin; one of "auth", "secret", or "database".
- args Sequence[str]
- List of additional args to pass to the plugin.
- command str
- Command to execute the plugin, relative to the server's configured
pluginDirectory. Need to be set for non-enterprise plugin. - envs Sequence[str]
- List of additional environment variables to run the plugin with in KEY=VALUE form.
- name str
- Name of the plugin.
- oci_
image str - Specifies OCI image to run. If specified, setting
command,args, andenvwill update the container's entrypoint, args, and environment variables (append-only) respectively. - runtime str
- Vault plugin runtime to use if
ociImageis specified. - sha256 str
- SHA256 sum of the plugin binary. Need to be set for non-enterprise plugin.
- version str
- Semantic version of the plugin. Required for official enterprise plugins.
- type String
- Type of plugin; one of "auth", "secret", or "database".
- args List<String>
- List of additional args to pass to the plugin.
- command String
- Command to execute the plugin, relative to the server's configured
pluginDirectory. Need to be set for non-enterprise plugin. - envs List<String>
- List of additional environment variables to run the plugin with in KEY=VALUE form.
- name String
- Name of the plugin.
- oci
Image String - Specifies OCI image to run. If specified, setting
command,args, andenvwill update the container's entrypoint, args, and environment variables (append-only) respectively. - runtime String
- Vault plugin runtime to use if
ociImageis specified. - sha256 String
- SHA256 sum of the plugin binary. Need to be set for non-enterprise plugin.
- version String
- Semantic version of the plugin. Required for official enterprise plugins.
Outputs
All input properties are implicitly available as output properties. Additionally, the Plugin resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing Plugin Resource
Get an existing Plugin resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: PluginState, opts?: CustomResourceOptions): Plugin@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
args: Optional[Sequence[str]] = None,
command: Optional[str] = None,
envs: Optional[Sequence[str]] = None,
name: Optional[str] = None,
oci_image: Optional[str] = None,
runtime: Optional[str] = None,
sha256: Optional[str] = None,
type: Optional[str] = None,
version: Optional[str] = None) -> Pluginfunc GetPlugin(ctx *Context, name string, id IDInput, state *PluginState, opts ...ResourceOption) (*Plugin, error)public static Plugin Get(string name, Input<string> id, PluginState? state, CustomResourceOptions? opts = null)public static Plugin get(String name, Output<String> id, PluginState state, CustomResourceOptions options)resources: _: type: vault:Plugin get: id: ${id}import {
to = vault_plugin.example
id = "${id}"
}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Args List<string>
- List of additional args to pass to the plugin.
- Command string
- Command to execute the plugin, relative to the server's configured
pluginDirectory. Need to be set for non-enterprise plugin. - Envs List<string>
- List of additional environment variables to run the plugin with in KEY=VALUE form.
- Name string
- Name of the plugin.
- Oci
Image string - Specifies OCI image to run. If specified, setting
command,args, andenvwill update the container's entrypoint, args, and environment variables (append-only) respectively. - Runtime string
- Vault plugin runtime to use if
ociImageis specified. - Sha256 string
- SHA256 sum of the plugin binary. Need to be set for non-enterprise plugin.
- Type string
- Type of plugin; one of "auth", "secret", or "database".
- Version string
- Semantic version of the plugin. Required for official enterprise plugins.
- Args []string
- List of additional args to pass to the plugin.
- Command string
- Command to execute the plugin, relative to the server's configured
pluginDirectory. Need to be set for non-enterprise plugin. - Envs []string
- List of additional environment variables to run the plugin with in KEY=VALUE form.
- Name string
- Name of the plugin.
- Oci
Image string - Specifies OCI image to run. If specified, setting
command,args, andenvwill update the container's entrypoint, args, and environment variables (append-only) respectively. - Runtime string
- Vault plugin runtime to use if
ociImageis specified. - Sha256 string
- SHA256 sum of the plugin binary. Need to be set for non-enterprise plugin.
- Type string
- Type of plugin; one of "auth", "secret", or "database".
- Version string
- Semantic version of the plugin. Required for official enterprise plugins.
- args list(string)
- List of additional args to pass to the plugin.
- command string
- Command to execute the plugin, relative to the server's configured
pluginDirectory. Need to be set for non-enterprise plugin. - envs list(string)
- List of additional environment variables to run the plugin with in KEY=VALUE form.
- name string
- Name of the plugin.
- oci_
image string - Specifies OCI image to run. If specified, setting
command,args, andenvwill update the container's entrypoint, args, and environment variables (append-only) respectively. - runtime string
- Vault plugin runtime to use if
ociImageis specified. - sha256 string
- SHA256 sum of the plugin binary. Need to be set for non-enterprise plugin.
- type string
- Type of plugin; one of "auth", "secret", or "database".
- version string
- Semantic version of the plugin. Required for official enterprise plugins.
- args List<String>
- List of additional args to pass to the plugin.
- command String
- Command to execute the plugin, relative to the server's configured
pluginDirectory. Need to be set for non-enterprise plugin. - envs List<String>
- List of additional environment variables to run the plugin with in KEY=VALUE form.
- name String
- Name of the plugin.
- oci
Image String - Specifies OCI image to run. If specified, setting
command,args, andenvwill update the container's entrypoint, args, and environment variables (append-only) respectively. - runtime String
- Vault plugin runtime to use if
ociImageis specified. - sha256 String
- SHA256 sum of the plugin binary. Need to be set for non-enterprise plugin.
- type String
- Type of plugin; one of "auth", "secret", or "database".
- version String
- Semantic version of the plugin. Required for official enterprise plugins.
- args string[]
- List of additional args to pass to the plugin.
- command string
- Command to execute the plugin, relative to the server's configured
pluginDirectory. Need to be set for non-enterprise plugin. - envs string[]
- List of additional environment variables to run the plugin with in KEY=VALUE form.
- name string
- Name of the plugin.
- oci
Image string - Specifies OCI image to run. If specified, setting
command,args, andenvwill update the container's entrypoint, args, and environment variables (append-only) respectively. - runtime string
- Vault plugin runtime to use if
ociImageis specified. - sha256 string
- SHA256 sum of the plugin binary. Need to be set for non-enterprise plugin.
- type string
- Type of plugin; one of "auth", "secret", or "database".
- version string
- Semantic version of the plugin. Required for official enterprise plugins.
- args Sequence[str]
- List of additional args to pass to the plugin.
- command str
- Command to execute the plugin, relative to the server's configured
pluginDirectory. Need to be set for non-enterprise plugin. - envs Sequence[str]
- List of additional environment variables to run the plugin with in KEY=VALUE form.
- name str
- Name of the plugin.
- oci_
image str - Specifies OCI image to run. If specified, setting
command,args, andenvwill update the container's entrypoint, args, and environment variables (append-only) respectively. - runtime str
- Vault plugin runtime to use if
ociImageis specified. - sha256 str
- SHA256 sum of the plugin binary. Need to be set for non-enterprise plugin.
- type str
- Type of plugin; one of "auth", "secret", or "database".
- version str
- Semantic version of the plugin. Required for official enterprise plugins.
- args List<String>
- List of additional args to pass to the plugin.
- command String
- Command to execute the plugin, relative to the server's configured
pluginDirectory. Need to be set for non-enterprise plugin. - envs List<String>
- List of additional environment variables to run the plugin with in KEY=VALUE form.
- name String
- Name of the plugin.
- oci
Image String - Specifies OCI image to run. If specified, setting
command,args, andenvwill update the container's entrypoint, args, and environment variables (append-only) respectively. - runtime String
- Vault plugin runtime to use if
ociImageis specified. - sha256 String
- SHA256 sum of the plugin binary. Need to be set for non-enterprise plugin.
- type String
- Type of plugin; one of "auth", "secret", or "database".
- version String
- Semantic version of the plugin. Required for official enterprise plugins.
Import
Plugins can be imported using :type/name/:name or :type/version/:version/name/:name as the ID if the version is non-empty, e.g.
$ pulumi import vault:index/plugin:Plugin jwt auth/name/jwt
$ pulumi import vault:index/plugin:Plugin jwt auth/version/v0.17.0/name/jwt
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
vaultTerraform Provider.
Viewing docs for HashiCorp Vault v7.9.0
published on Thursday, May 21, 2026 by Pulumi
published on Thursday, May 21, 2026 by Pulumi