diff --git a/apis/ad/v1alpha1/zz_generated.deepcopy.go b/apis/ad/v1alpha1/zz_generated.deepcopy.go
index 7372246d..bb0e6285 100644
--- a/apis/ad/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/ad/v1alpha1/zz_generated.deepcopy.go
@@ -41,6 +41,186 @@ func (in *SecretBackend) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParameters) { + *out = *in + if in.AnonymousGroupSearch != nil { + in, out := &in.AnonymousGroupSearch, &out.AnonymousGroupSearch + *out = new(bool) + **out = **in + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.Binddn != nil { + in, out := &in.Binddn, &out.Binddn + *out = new(string) + **out = **in + } + if in.CaseSensitiveNames != nil { + in, out := &in.CaseSensitiveNames, &out.CaseSensitiveNames + *out = new(bool) + **out = **in + } + if in.Certificate != nil { + in, out := &in.Certificate, &out.Certificate + *out = new(string) + **out = **in + } + if in.DefaultLeaseTTLSeconds != nil { + in, out := &in.DefaultLeaseTTLSeconds, &out.DefaultLeaseTTLSeconds + *out = new(float64) + **out = **in + } + if in.DenyNullBind != nil { + in, out := &in.DenyNullBind, &out.DenyNullBind + *out = new(bool) + **out = **in + } + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.DisableRemount != nil { + in, out := &in.DisableRemount, &out.DisableRemount + *out = new(bool) + **out = **in + } + if in.Discoverdn != nil { + in, out := &in.Discoverdn, &out.Discoverdn + *out = new(bool) + **out = **in + } + if in.Formatter != nil { + in, out := &in.Formatter, &out.Formatter + *out = new(string) + **out = **in + } + if in.Groupattr != nil { + in, out := &in.Groupattr, &out.Groupattr + *out = new(string) + **out = **in + } + if in.Groupdn != nil { + in, out := &in.Groupdn, &out.Groupdn + *out = new(string) + **out = **in + } + if in.Groupfilter != nil { + in, out := &in.Groupfilter, &out.Groupfilter + *out = new(string) + **out = **in + } + if in.InsecureTLS != nil { + in, 
out := &in.InsecureTLS, &out.InsecureTLS + *out = new(bool) + **out = **in + } + if in.LastRotationTolerance != nil { + in, out := &in.LastRotationTolerance, &out.LastRotationTolerance + *out = new(float64) + **out = **in + } + if in.Length != nil { + in, out := &in.Length, &out.Length + *out = new(float64) + **out = **in + } + if in.Local != nil { + in, out := &in.Local, &out.Local + *out = new(bool) + **out = **in + } + if in.MaxLeaseTTLSeconds != nil { + in, out := &in.MaxLeaseTTLSeconds, &out.MaxLeaseTTLSeconds + *out = new(float64) + **out = **in + } + if in.MaxTTL != nil { + in, out := &in.MaxTTL, &out.MaxTTL + *out = new(float64) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.PasswordPolicy != nil { + in, out := &in.PasswordPolicy, &out.PasswordPolicy + *out = new(string) + **out = **in + } + if in.RequestTimeout != nil { + in, out := &in.RequestTimeout, &out.RequestTimeout + *out = new(float64) + **out = **in + } + if in.Starttls != nil { + in, out := &in.Starttls, &out.Starttls + *out = new(bool) + **out = **in + } + if in.TLSMaxVersion != nil { + in, out := &in.TLSMaxVersion, &out.TLSMaxVersion + *out = new(string) + **out = **in + } + if in.TLSMinVersion != nil { + in, out := &in.TLSMinVersion, &out.TLSMinVersion + *out = new(string) + **out = **in + } + if in.TTL != nil { + in, out := &in.TTL, &out.TTL + *out = new(float64) + **out = **in + } + if in.URL != nil { + in, out := &in.URL, &out.URL + *out = new(string) + **out = **in + } + if in.Upndomain != nil { + in, out := &in.Upndomain, &out.Upndomain + *out = new(string) + **out = **in + } + if in.UsePre111GroupCnBehavior != nil { + in, out := &in.UsePre111GroupCnBehavior, &out.UsePre111GroupCnBehavior + *out = new(bool) + **out = **in + } + if in.UseTokenGroups != nil { + in, out := &in.UseTokenGroups, &out.UseTokenGroups + *out = new(bool) + **out = **in + } + if in.Userattr != nil { + in, out := &in.Userattr, 
&out.Userattr + *out = new(string) + **out = **in + } + if in.Userdn != nil { + in, out := &in.Userdn, &out.Userdn + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendInitParameters. +func (in *SecretBackendInitParameters) DeepCopy() *SecretBackendInitParameters { + if in == nil { + return nil + } + out := new(SecretBackendInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendList) DeepCopyInto(out *SecretBackendList) { *out = *in @@ -454,6 +634,7 @@ func (in *SecretBackendSpec) DeepCopyInto(out *SecretBackendSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendSpec. 
@@ -510,6 +691,46 @@ func (in *SecretRole) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretRoleInitParameters) DeepCopyInto(out *SecretRoleInitParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Role != nil { + in, out := &in.Role, &out.Role + *out = new(string) + **out = **in + } + if in.ServiceAccountName != nil { + in, out := &in.ServiceAccountName, &out.ServiceAccountName + *out = new(string) + **out = **in + } + if in.TTL != nil { + in, out := &in.TTL, &out.TTL + *out = new(float64) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretRoleInitParameters. +func (in *SecretRoleInitParameters) DeepCopy() *SecretRoleInitParameters { + if in == nil { + return nil + } + out := new(SecretRoleInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretRoleList) DeepCopyInto(out *SecretRoleList) { *out = *in @@ -642,6 +863,7 @@ func (in *SecretRoleSpec) DeepCopyInto(out *SecretRoleSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretRoleSpec. diff --git a/apis/ad/v1alpha1/zz_generated.managed.go b/apis/ad/v1alpha1/zz_generated.managed.go index c8296112..3577b829 100644 --- a/apis/ad/v1alpha1/zz_generated.managed.go +++ b/apis/ad/v1alpha1/zz_generated.managed.go 
@@ -17,9 +17,9 @@ func (mg *SecretBackend) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackend. -func (mg *SecretBackend) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackend. +func (mg *SecretBackend) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackend. @@ -55,9 +55,9 @@ func (mg *SecretBackend) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackend. -func (mg *SecretBackend) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackend. +func (mg *SecretBackend) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackend. @@ -93,9 +93,9 @@ func (mg *SecretRole) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretRole. -func (mg *SecretRole) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretRole. +func (mg *SecretRole) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretRole. @@ -131,9 +131,9 @@ func (mg *SecretRole) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretRole. -func (mg *SecretRole) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretRole. +func (mg *SecretRole) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretRole. 
diff --git a/apis/ad/v1alpha1/zz_generated_terraformed.go b/apis/ad/v1alpha1/zz_generated_terraformed.go index 0b320905..6d7dce4b 100755 --- a/apis/ad/v1alpha1/zz_generated_terraformed.go +++ b/apis/ad/v1alpha1/zz_generated_terraformed.go @@ -69,6 +69,16 @@ func (tr *SecretBackend) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackend +func (tr *SecretBackend) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackend using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { @@ -143,6 +153,16 @@ func (tr *SecretRole) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretRole +func (tr *SecretRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretRole) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/ad/v1alpha1/zz_secretbackend_types.go b/apis/ad/v1alpha1/zz_secretbackend_types.go index 4a952b0b..2a2b764a 100755 --- a/apis/ad/v1alpha1/zz_secretbackend_types.go +++ b/apis/ad/v1alpha1/zz_secretbackend_types.go 
@@ -13,252 +13,531 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretBackendInitParameters struct { + + // Use anonymous binds when performing LDAP group searches + // (if true the initial credentials will still be used for the initial connection test). + // Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test). + AnonymousGroupSearch *bool `json:"anonymousGroupSearch,omitempty" tf:"anonymous_group_search,omitempty"` + + // The unique path this backend should be mounted at. Must + // not begin or end with a /. Defaults to ad. + // The mount path for a backend, for example, the path given in "$ vault auth enable -path=my-ad ad". + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // Distinguished name of object to bind when performing user and group search. + // Distinguished name of object to bind when performing user and group search. + Binddn *string `json:"binddn,omitempty" tf:"binddn,omitempty"` + + // If set, user and group names assigned to policies within the + // backend will be case sensitive. Otherwise, names will be normalized to lower case. + // If true, case sensitivity will be used when comparing usernames and groups for matching policies. + CaseSensitiveNames *bool `json:"caseSensitiveNames,omitempty" tf:"case_sensitive_names,omitempty"` + + // CA certificate to use when verifying LDAP server certificate, must be + // x509 PEM encoded. + // CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded. + Certificate *string `json:"certificate,omitempty" tf:"certificate,omitempty"` + + // Default lease duration for secrets in seconds. 
+ // Default lease duration for secrets in seconds + DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + + // Denies an unauthenticated LDAP bind request if the user's password is empty; + // defaults to true. + // Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true + DenyNullBind *bool `json:"denyNullBind,omitempty" tf:"deny_null_bind,omitempty"` + + // Human-friendly description of the mount for the Active Directory backend. + // Human-friendly description of the mount for the backend. + Description *string `json:"description,omitempty" tf:"description,omitempty"` + + // If set, opts out of mount migration on path updates. + // See here for more info on Mount Migration + // If set, opts out of mount migration on path updates. + DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + + // Use anonymous bind to discover the bind Distinguished Name of a user. + // Use anonymous bind to discover the bind DN of a user. + Discoverdn *bool `json:"discoverdn,omitempty" tf:"discoverdn,omitempty"` + + // Deprecated use password_policy. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". + // Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". + Formatter *string `json:"formatter,omitempty" tf:"formatter,omitempty"` + + // LDAP attribute to follow on objects returned by in order to enumerate + // user group membership. Examples: cn or memberOf, etc. Defaults to cn. + // LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: "cn" or "memberOf", etc. Default: cn + Groupattr *string `json:"groupattr,omitempty" tf:"groupattr,omitempty"` + + // LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org). 
+ // LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org) + Groupdn *string `json:"groupdn,omitempty" tf:"groupdn,omitempty"` + + // Go template for querying group membership of user The template can access + // the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}})) + // Go template for querying group membership of user. The template can access the following context variables: UserDN, Username Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}})) + Groupfilter *string `json:"groupfilter,omitempty" tf:"groupfilter,omitempty"` + + // Skip LDAP server SSL Certificate verification. This is not recommended for production. + // Defaults to false. + // Skip LDAP server SSL Certificate verification - insecure and not recommended for production use. + InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"` + + // The number of seconds after a Vault rotation where, if Active Directory + // shows a later rotation, it should be considered out-of-band + // The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band. + LastRotationTolerance *float64 `json:"lastRotationTolerance,omitempty" tf:"last_rotation_tolerance,omitempty"` + + // Deprecated use password_policy. The desired length of passwords that Vault generates. + // Mutually exclusive with + // The desired length of passwords that Vault generates. + Length *float64 `json:"length,omitempty" tf:"length,omitempty"` + + // Mark the secrets engine as local-only. Local engines are not replicated or removed by + // replication.Tolerance duration to use when checking the last rotation time. + // Mark the secrets engine as local-only. 
Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time. + Local *bool `json:"local,omitempty" tf:"local,omitempty"` + + // Maximum possible lease duration for secrets in seconds. + // Maximum possible lease duration for secrets in seconds. + MaxLeaseTTLSeconds *float64 `json:"maxLeaseTtlSeconds,omitempty" tf:"max_lease_ttl_seconds,omitempty"` + + // In seconds, the maximum password time-to-live. + // In seconds, the maximum password time-to-live. + MaxTTL *float64 `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // 1.11+ + // Name of the password policy to use to generate passwords. + PasswordPolicy *string `json:"passwordPolicy,omitempty" tf:"password_policy,omitempty"` + + // Timeout, in seconds, for the connection when making requests against the server + // before returning back an error. + // Timeout, in seconds, for the connection when making requests against the server before returning back an error. + RequestTimeout *float64 `json:"requestTimeout,omitempty" tf:"request_timeout,omitempty"` + + // Issue a StartTLS command after establishing unencrypted connection. + // Issue a StartTLS command after establishing unencrypted connection. + Starttls *bool `json:"starttls,omitempty" tf:"starttls,omitempty"` + + // Maximum TLS version to use. Accepted values are tls10, tls11, + // tls12 or tls13. Defaults to tls12. + // Maximum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. 
Defaults to 'tls12' + TLSMaxVersion *string `json:"tlsMaxVersion,omitempty" tf:"tls_max_version,omitempty"` + + // Minimum TLS version to use. Accepted values are tls10, tls11, + // tls12 or tls13. Defaults to tls12. + // Minimum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12' + TLSMinVersion *string `json:"tlsMinVersion,omitempty" tf:"tls_min_version,omitempty"` + + // In seconds, the default password time-to-live. + // In seconds, the default password time-to-live. + TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"` + + // LDAP URL to connect to. Multiple URLs can be specified by concatenating + // them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1. + // LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. + URL *string `json:"url,omitempty" tf:"url,omitempty"` + + // Enables userPrincipalDomain login with [username]@UPNDomain. + // Enables userPrincipalDomain login with [username]@UPNDomain. + Upndomain *string `json:"upndomain,omitempty" tf:"upndomain,omitempty"` + + // In Vault 1.1.1 a fix for handling group CN values of + // different cases unfortunately introduced a regression that could cause previously defined groups + // to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for + // matching group CNs will be used. This is only needed in some upgrade scenarios for backwards + // compatibility. It is enabled by default if the config is upgraded but disabled by default on + // new configurations. + // In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. 
It is enabled by default if the config is upgraded but disabled by default on new configurations. + UsePre111GroupCnBehavior *bool `json:"usePre111GroupCnBehavior,omitempty" tf:"use_pre111_group_cn_behavior,omitempty"` + + // If true, use the Active Directory tokenGroups constructed attribute of the + // user to find the group memberships. This will find all security groups including nested ones. + // If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones. + UseTokenGroups *bool `json:"useTokenGroups,omitempty" tf:"use_token_groups,omitempty"` + + // Attribute used when searching users. Defaults to cn. + // Attribute used for users (default: cn) + Userattr *string `json:"userattr,omitempty" tf:"userattr,omitempty"` + + // LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`. + // LDAP domain to use for users (eg: ou=People,dc=example,dc=org) + Userdn *string `json:"userdn,omitempty" tf:"userdn,omitempty"` +} + type SecretBackendObservation struct { + // Use anonymous binds when performing LDAP group searches + // (if true the initial credentials will still be used for the initial connection test). // Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test). AnonymousGroupSearch *bool `json:"anonymousGroupSearch,omitempty" tf:"anonymous_group_search,omitempty"` + // The unique path this backend should be mounted at. Must + // not begin or end with a /. Defaults to ad. // The mount path for a backend, for example, the path given in "$ vault auth enable -path=my-ad ad". Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Distinguished name of object to bind when performing user and group search. // Distinguished name of object to bind when performing user and group search. 
Binddn *string `json:"binddn,omitempty" tf:"binddn,omitempty"` + // If set, user and group names assigned to policies within the + // backend will be case sensitive. Otherwise, names will be normalized to lower case. // If true, case sensitivity will be used when comparing usernames and groups for matching policies. CaseSensitiveNames *bool `json:"caseSensitiveNames,omitempty" tf:"case_sensitive_names,omitempty"` + // CA certificate to use when verifying LDAP server certificate, must be + // x509 PEM encoded. // CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded. Certificate *string `json:"certificate,omitempty" tf:"certificate,omitempty"` + // Default lease duration for secrets in seconds. // Default lease duration for secrets in seconds DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // Denies an unauthenticated LDAP bind request if the user's password is empty; + // defaults to true. // Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true DenyNullBind *bool `json:"denyNullBind,omitempty" tf:"deny_null_bind,omitempty"` + // Human-friendly description of the mount for the Active Directory backend. // Human-friendly description of the mount for the backend. Description *string `json:"description,omitempty" tf:"description,omitempty"` + // If set, opts out of mount migration on path updates. + // See here for more info on Mount Migration // If set, opts out of mount migration on path updates. DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + // Use anonymous bind to discover the bind Distinguished Name of a user. // Use anonymous bind to discover the bind DN of a user. Discoverdn *bool `json:"discoverdn,omitempty" tf:"discoverdn,omitempty"` + // Deprecated use password_policy. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". 
// Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". Formatter *string `json:"formatter,omitempty" tf:"formatter,omitempty"` + // LDAP attribute to follow on objects returned by in order to enumerate + // user group membership. Examples: cn or memberOf, etc. Defaults to cn. // LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: "cn" or "memberOf", etc. Default: cn Groupattr *string `json:"groupattr,omitempty" tf:"groupattr,omitempty"` + // LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org). // LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org) Groupdn *string `json:"groupdn,omitempty" tf:"groupdn,omitempty"` + // Go template for querying group membership of user The template can access + // the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}})) // Go template for querying group membership of user. The template can access the following context variables: UserDN, Username Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}})) Groupfilter *string `json:"groupfilter,omitempty" tf:"groupfilter,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // Skip LDAP server SSL Certificate verification. This is not recommended for production. + // Defaults to false. // Skip LDAP server SSL Certificate verification - insecure and not recommended for production use. InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"` + // The number of seconds after a Vault rotation where, if Active Directory + // shows a later rotation, it should be considered out-of-band // The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band. 
LastRotationTolerance *float64 `json:"lastRotationTolerance,omitempty" tf:"last_rotation_tolerance,omitempty"` + // Deprecated use password_policy. The desired length of passwords that Vault generates. + // Mutually exclusive with // The desired length of passwords that Vault generates. Length *float64 `json:"length,omitempty" tf:"length,omitempty"` + // Mark the secrets engine as local-only. Local engines are not replicated or removed by + // replication.Tolerance duration to use when checking the last rotation time. // Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time. Local *bool `json:"local,omitempty" tf:"local,omitempty"` + // Maximum possible lease duration for secrets in seconds. // Maximum possible lease duration for secrets in seconds. MaxLeaseTTLSeconds *float64 `json:"maxLeaseTtlSeconds,omitempty" tf:"max_lease_ttl_seconds,omitempty"` + // In seconds, the maximum password time-to-live. // In seconds, the maximum password time-to-live. MaxTTL *float64 `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // 1.11+ // Name of the password policy to use to generate passwords. PasswordPolicy *string `json:"passwordPolicy,omitempty" tf:"password_policy,omitempty"` + // Timeout, in seconds, for the connection when making requests against the server + // before returning back an error. // Timeout, in seconds, for the connection when making requests against the server before returning back an error. 
RequestTimeout *float64 `json:"requestTimeout,omitempty" tf:"request_timeout,omitempty"` + // Issue a StartTLS command after establishing unencrypted connection. // Issue a StartTLS command after establishing unencrypted connection. Starttls *bool `json:"starttls,omitempty" tf:"starttls,omitempty"` + // Maximum TLS version to use. Accepted values are tls10, tls11, + // tls12 or tls13. Defaults to tls12. // Maximum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12' TLSMaxVersion *string `json:"tlsMaxVersion,omitempty" tf:"tls_max_version,omitempty"` + // Minimum TLS version to use. Accepted values are tls10, tls11, + // tls12 or tls13. Defaults to tls12. // Minimum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12' TLSMinVersion *string `json:"tlsMinVersion,omitempty" tf:"tls_min_version,omitempty"` + // In seconds, the default password time-to-live. // In seconds, the default password time-to-live. TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"` + // LDAP URL to connect to. Multiple URLs can be specified by concatenating + // them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1. // LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. URL *string `json:"url,omitempty" tf:"url,omitempty"` + // Enables userPrincipalDomain login with [username]@UPNDomain. // Enables userPrincipalDomain login with [username]@UPNDomain. Upndomain *string `json:"upndomain,omitempty" tf:"upndomain,omitempty"` + // In Vault 1.1.1 a fix for handling group CN values of + // different cases unfortunately introduced a regression that could cause previously defined groups + // to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for + // matching group CNs will be used. 
This is only needed in some upgrade scenarios for backwards + // compatibility. It is enabled by default if the config is upgraded but disabled by default on + // new configurations. // In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations. UsePre111GroupCnBehavior *bool `json:"usePre111GroupCnBehavior,omitempty" tf:"use_pre111_group_cn_behavior,omitempty"` + // If true, use the Active Directory tokenGroups constructed attribute of the + // user to find the group memberships. This will find all security groups including nested ones. // If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones. UseTokenGroups *bool `json:"useTokenGroups,omitempty" tf:"use_token_groups,omitempty"` + // Attribute used when searching users. Defaults to cn. // Attribute used for users (default: cn) Userattr *string `json:"userattr,omitempty" tf:"userattr,omitempty"` + // LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`. // LDAP domain to use for users (eg: ou=People,dc=example,dc=org) Userdn *string `json:"userdn,omitempty" tf:"userdn,omitempty"` } type SecretBackendParameters struct { + // Use anonymous binds when performing LDAP group searches + // (if true the initial credentials will still be used for the initial connection test). // Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test). 
// +kubebuilder:validation:Optional AnonymousGroupSearch *bool `json:"anonymousGroupSearch,omitempty" tf:"anonymous_group_search,omitempty"` + // The unique path this backend should be mounted at. Must + // not begin or end with a /. Defaults to ad. // The mount path for a backend, for example, the path given in "$ vault auth enable -path=my-ad ad". // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Distinguished name of object to bind when performing user and group search. // Distinguished name of object to bind when performing user and group search. // +kubebuilder:validation:Optional Binddn *string `json:"binddn,omitempty" tf:"binddn,omitempty"` + // Password to use along with binddn when performing user search. // LDAP password for searching for the user DN. // +kubebuilder:validation:Optional BindpassSecretRef v1.SecretKeySelector `json:"bindpassSecretRef" tf:"-"` + // If set, user and group names assigned to policies within the + // backend will be case sensitive. Otherwise, names will be normalized to lower case. // If true, case sensitivity will be used when comparing usernames and groups for matching policies. // +kubebuilder:validation:Optional CaseSensitiveNames *bool `json:"caseSensitiveNames,omitempty" tf:"case_sensitive_names,omitempty"` + // CA certificate to use when verifying LDAP server certificate, must be + // x509 PEM encoded. // CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded. // +kubebuilder:validation:Optional Certificate *string `json:"certificate,omitempty" tf:"certificate,omitempty"` + // Client certificate to provide to the LDAP server, must be x509 PEM encoded. // Client certificate to provide to the LDAP server, must be x509 PEM encoded. 
// +kubebuilder:validation:Optional ClientTLSCertSecretRef *v1.SecretKeySelector `json:"clientTlsCertSecretRef,omitempty" tf:"-"` + // Client certificate key to provide to the LDAP server, must be x509 PEM encoded. // Client certificate key to provide to the LDAP server, must be x509 PEM encoded. // +kubebuilder:validation:Optional ClientTLSKeySecretRef *v1.SecretKeySelector `json:"clientTlsKeySecretRef,omitempty" tf:"-"` + // Default lease duration for secrets in seconds. // Default lease duration for secrets in seconds // +kubebuilder:validation:Optional DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // Denies an unauthenticated LDAP bind request if the user's password is empty; + // defaults to true. // Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true // +kubebuilder:validation:Optional DenyNullBind *bool `json:"denyNullBind,omitempty" tf:"deny_null_bind,omitempty"` + // Human-friendly description of the mount for the Active Directory backend. // Human-friendly description of the mount for the backend. // +kubebuilder:validation:Optional Description *string `json:"description,omitempty" tf:"description,omitempty"` + // If set, opts out of mount migration on path updates. + // See here for more info on Mount Migration // If set, opts out of mount migration on path updates. // +kubebuilder:validation:Optional DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + // Use anonymous bind to discover the bind Distinguished Name of a user. // Use anonymous bind to discover the bind DN of a user. // +kubebuilder:validation:Optional Discoverdn *bool `json:"discoverdn,omitempty" tf:"discoverdn,omitempty"` + // Deprecated use password_policy. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". // Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". 
// +kubebuilder:validation:Optional Formatter *string `json:"formatter,omitempty" tf:"formatter,omitempty"` + // LDAP attribute to follow on objects returned by in order to enumerate + // user group membership. Examples: cn or memberOf, etc. Defaults to cn. // LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: "cn" or "memberOf", etc. Default: cn // +kubebuilder:validation:Optional Groupattr *string `json:"groupattr,omitempty" tf:"groupattr,omitempty"` + // LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org). // LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org) // +kubebuilder:validation:Optional Groupdn *string `json:"groupdn,omitempty" tf:"groupdn,omitempty"` + // Go template for querying group membership of user The template can access + // the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}})) // Go template for querying group membership of user. The template can access the following context variables: UserDN, Username Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}})) // +kubebuilder:validation:Optional Groupfilter *string `json:"groupfilter,omitempty" tf:"groupfilter,omitempty"` + // Skip LDAP server SSL Certificate verification. This is not recommended for production. + // Defaults to false. // Skip LDAP server SSL Certificate verification - insecure and not recommended for production use. 
// +kubebuilder:validation:Optional InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"` + // The number of seconds after a Vault rotation where, if Active Directory + // shows a later rotation, it should be considered out-of-band // The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band. // +kubebuilder:validation:Optional LastRotationTolerance *float64 `json:"lastRotationTolerance,omitempty" tf:"last_rotation_tolerance,omitempty"` + // Deprecated use password_policy. The desired length of passwords that Vault generates. + // Mutually exclusive with // The desired length of passwords that Vault generates. // +kubebuilder:validation:Optional Length *float64 `json:"length,omitempty" tf:"length,omitempty"` + // Mark the secrets engine as local-only. Local engines are not replicated or removed by + // replication.Tolerance duration to use when checking the last rotation time. // Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time. // +kubebuilder:validation:Optional Local *bool `json:"local,omitempty" tf:"local,omitempty"` + // Maximum possible lease duration for secrets in seconds. // Maximum possible lease duration for secrets in seconds. // +kubebuilder:validation:Optional MaxLeaseTTLSeconds *float64 `json:"maxLeaseTtlSeconds,omitempty" tf:"max_lease_ttl_seconds,omitempty"` + // In seconds, the maximum password time-to-live. // In seconds, the maximum password time-to-live. // +kubebuilder:validation:Optional MaxTTL *float64 `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. 
(requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // 1.11+ // Name of the password policy to use to generate passwords. // +kubebuilder:validation:Optional PasswordPolicy *string `json:"passwordPolicy,omitempty" tf:"password_policy,omitempty"` + // Timeout, in seconds, for the connection when making requests against the server + // before returning back an error. // Timeout, in seconds, for the connection when making requests against the server before returning back an error. // +kubebuilder:validation:Optional RequestTimeout *float64 `json:"requestTimeout,omitempty" tf:"request_timeout,omitempty"` + // Issue a StartTLS command after establishing unencrypted connection. // Issue a StartTLS command after establishing unencrypted connection. // +kubebuilder:validation:Optional Starttls *bool `json:"starttls,omitempty" tf:"starttls,omitempty"` + // Maximum TLS version to use. Accepted values are tls10, tls11, + // tls12 or tls13. Defaults to tls12. // Maximum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12' // +kubebuilder:validation:Optional TLSMaxVersion *string `json:"tlsMaxVersion,omitempty" tf:"tls_max_version,omitempty"` + // Minimum TLS version to use. Accepted values are tls10, tls11, + // tls12 or tls13. Defaults to tls12. // Minimum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12' // +kubebuilder:validation:Optional TLSMinVersion *string `json:"tlsMinVersion,omitempty" tf:"tls_min_version,omitempty"` + // In seconds, the default password time-to-live. // In seconds, the default password time-to-live. // +kubebuilder:validation:Optional TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"` + // LDAP URL to connect to. Multiple URLs can be specified by concatenating + // them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1. 
// LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. // +kubebuilder:validation:Optional URL *string `json:"url,omitempty" tf:"url,omitempty"` + // Enables userPrincipalDomain login with [username]@UPNDomain. // Enables userPrincipalDomain login with [username]@UPNDomain. // +kubebuilder:validation:Optional Upndomain *string `json:"upndomain,omitempty" tf:"upndomain,omitempty"` + // In Vault 1.1.1 a fix for handling group CN values of + // different cases unfortunately introduced a regression that could cause previously defined groups + // to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for + // matching group CNs will be used. This is only needed in some upgrade scenarios for backwards + // compatibility. It is enabled by default if the config is upgraded but disabled by default on + // new configurations. // In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations. // +kubebuilder:validation:Optional UsePre111GroupCnBehavior *bool `json:"usePre111GroupCnBehavior,omitempty" tf:"use_pre111_group_cn_behavior,omitempty"` + // If true, use the Active Directory tokenGroups constructed attribute of the + // user to find the group memberships. This will find all security groups including nested ones. // If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones. 
// +kubebuilder:validation:Optional UseTokenGroups *bool `json:"useTokenGroups,omitempty" tf:"use_token_groups,omitempty"` + // Attribute used when searching users. Defaults to cn. // Attribute used for users (default: cn) // +kubebuilder:validation:Optional Userattr *string `json:"userattr,omitempty" tf:"userattr,omitempty"` + // LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`. // LDAP domain to use for users (eg: ou=People,dc=example,dc=org) // +kubebuilder:validation:Optional Userdn *string `json:"userdn,omitempty" tf:"userdn,omitempty"`
@@ -268,6 +547,18 @@ type SecretBackendParameters struct {
 type SecretBackendSpec struct {
 v1.ResourceSpec `json:",inline"`
 ForProvider SecretBackendParameters `json:"forProvider"`
+ // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored
+ // unless the relevant Crossplane feature flag is enabled, and may be
+ // changed or removed without notice.
+ // InitProvider holds the same fields as ForProvider, with the exception
+ // of Identifier and other resource reference fields. The fields that are
+ // in InitProvider are merged into ForProvider when the resource is created.
+ // The same fields are also added to the terraform ignore_changes hook, to
+ // avoid updating them after creation. This is useful for fields that are
+ // required on creation, but we do not desire to update them after creation,
+ // for example because of an external controller is managing them, like an
+ // autoscaler.
+ InitProvider SecretBackendInitParameters `json:"initProvider,omitempty"`
 }
 // SecretBackendStatus defines the observed state of SecretBackend.
@@ -278,7 +569,7 @@ type SecretBackendStatus struct {
 // +kubebuilder:object:root=true
-// SecretBackend is the Schema for the SecretBackends API.
+// SecretBackend is the Schema for the SecretBackends API. Creates an Active Directory secret backend for Vault.
 // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status"
 // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status"
 // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name"
@@ -288,8 +579,8 @@ type SecretBackendStatus struct {
 type SecretBackend struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
- // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.binddn)",message="binddn is a required parameter"
- // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bindpassSecretRef)",message="bindpassSecretRef is a required parameter"
+ // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.binddn) || has(self.initProvider.binddn)",message="binddn is a required parameter"
+ // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.bindpassSecretRef)",message="bindpassSecretRef is a required parameter"
 Spec SecretBackendSpec `json:"spec"`
 Status SecretBackendStatus `json:"status,omitempty"`
 }
diff --git a/apis/ad/v1alpha1/zz_secretrole_types.go b/apis/ad/v1alpha1/zz_secretrole_types.go
index 2a874f3c..24e32cb5 100755
--- a/apis/ad/v1alpha1/zz_secretrole_types.go
+++ b/apis/ad/v1alpha1/zz_secretrole_types.go
@@ -13,50 +13,106 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretRoleInitParameters struct { + + // The path the AD secret backend is mounted at, + // with no leading or trailing /s. + // The mount path for the AD backend. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The name to identify this role within the backend. + // Must be unique within the backend. + // Name of the role. + Role *string `json:"role,omitempty" tf:"role,omitempty"` + + // Specifies the name of the Active Directory service + // account mapped to this role. + // The username/logon name for the service account with which this role will be associated. + ServiceAccountName *string `json:"serviceAccountName,omitempty" tf:"service_account_name,omitempty"` + + // The password time-to-live in seconds. Defaults to the configuration + // ttl if not provided. + // In seconds, the default password time-to-live. + TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"` +} + type SecretRoleObservation struct { + // The path the AD secret backend is mounted at, + // with no leading or trailing /s. // The mount path for the AD backend. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // Timestamp of the last password rotation by Vault. // Last time Vault rotated this service account's password. LastVaultRotation *string `json:"lastVaultRotation,omitempty" tf:"last_vault_rotation,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. 
+ // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Timestamp of the last password set by Vault. // Last time Vault set this service account's password. PasswordLastSet *string `json:"passwordLastSet,omitempty" tf:"password_last_set,omitempty"` + // The name to identify this role within the backend. + // Must be unique within the backend. // Name of the role. Role *string `json:"role,omitempty" tf:"role,omitempty"` + // Specifies the name of the Active Directory service + // account mapped to this role. // The username/logon name for the service account with which this role will be associated. ServiceAccountName *string `json:"serviceAccountName,omitempty" tf:"service_account_name,omitempty"` + // The password time-to-live in seconds. Defaults to the configuration + // ttl if not provided. // In seconds, the default password time-to-live. TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"` } type SecretRoleParameters struct { + // The path the AD secret backend is mounted at, + // with no leading or trailing /s. // The mount path for the AD backend. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The name to identify this role within the backend. + // Must be unique within the backend. // Name of the role. 
// +kubebuilder:validation:Optional Role *string `json:"role,omitempty" tf:"role,omitempty"` + // Specifies the name of the Active Directory service + // account mapped to this role. // The username/logon name for the service account with which this role will be associated. // +kubebuilder:validation:Optional ServiceAccountName *string `json:"serviceAccountName,omitempty" tf:"service_account_name,omitempty"` + // The password time-to-live in seconds. Defaults to the configuration + // ttl if not provided. // In seconds, the default password time-to-live. // +kubebuilder:validation:Optional TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"`
@@ -66,6 +122,18 @@ type SecretRoleParameters struct {
 type SecretRoleSpec struct {
 v1.ResourceSpec `json:",inline"`
 ForProvider SecretRoleParameters `json:"forProvider"`
+ // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored
+ // unless the relevant Crossplane feature flag is enabled, and may be
+ // changed or removed without notice.
+ // InitProvider holds the same fields as ForProvider, with the exception
+ // of Identifier and other resource reference fields. The fields that are
+ // in InitProvider are merged into ForProvider when the resource is created.
+ // The same fields are also added to the terraform ignore_changes hook, to
+ // avoid updating them after creation. This is useful for fields that are
+ // required on creation, but we do not desire to update them after creation,
+ // for example because of an external controller is managing them, like an
+ // autoscaler.
+ InitProvider SecretRoleInitParameters `json:"initProvider,omitempty"`
 }
 // SecretRoleStatus defines the observed state of SecretRole.
@@ -76,7 +144,7 @@ type SecretRoleStatus struct {
 // +kubebuilder:object:root=true
-// SecretRole is the Schema for the SecretRoles API.
+// SecretRole is the Schema for the SecretRoles API. Creates a role on the Active Directory Secret Backend for Vault.
 // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status"
 // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status"
 // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name"
@@ -86,9 +154,9 @@ type SecretRoleStatus struct {
 type SecretRole struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
- // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend)",message="backend is a required parameter"
- // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.role)",message="role is a required parameter"
- // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.serviceAccountName)",message="serviceAccountName is a required parameter"
+ // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter"
+ // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.role) || has(self.initProvider.role)",message="role is a required parameter"
+ // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.serviceAccountName) || has(self.initProvider.serviceAccountName)",message="serviceAccountName is a required parameter"
 Spec SecretRoleSpec `json:"spec"`
 Status SecretRoleStatus `json:"status,omitempty"`
 }
diff --git a/apis/alicloud/v1alpha1/zz_authbackendrole_types.go b/apis/alicloud/v1alpha1/zz_authbackendrole_types.go
index 235c1203..6175260f 100755
--- a/apis/alicloud/v1alpha1/zz_authbackendrole_types.go
+++ b/apis/alicloud/v1alpha1/zz_authbackendrole_types.go
@@ -13,100 +13,247 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AuthBackendRoleInitParameters struct { + + // The role's arn. + // The role's arn. + Arn *string `json:"arn,omitempty" tf:"arn,omitempty"` + + // Path to the mounted AliCloud auth backend. + // Defaults to alicloud + // Auth backend. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Name of the role. Must correspond with the name of + // the role reflected in the arn. + // Name of the role. Must correspond with the name of the role reflected in the arn. + Role *string `json:"role,omitempty" tf:"role,omitempty"` + + // List of CIDR blocks; if set, specifies blocks of IP + // addresses which can authenticate successfully, and ties the resulting token to these blocks + // as well. + // Specifies the blocks of IP addresses which are allowed to use the generated token + TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + + // If set, will encode an + // explicit max TTL + // onto the token in number of seconds. This is a hard cap even if token_ttl and + // token_max_ttl would otherwise allow a renewal. + // Generated Token's Explicit Maximum TTL in seconds + TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + + // The maximum lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. 
+ // The maximum lifetime of the generated token + TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + + // If set, the default policy will not be set on + // generated tokens; otherwise it will be added to the policies set in token_policies. + // If true, the 'default' policy will not automatically be added to generated tokens + TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + + // The maximum number + // of times a generated token may be used (within its lifetime); 0 means unlimited. + // The maximum number of times a token may be used, a value of zero means unlimited + TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + + // If set, indicates that the + // token generated using this role should never expire. The token should be renewed within the + // duration specified by this value. At each renewal, the token's TTL will be set to the + // value of this field. Specified in seconds. + // Generated Token's Period + TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + + // List of policies to encode onto generated tokens. Depending + // on the auth method, this list may be supplemented by user/group/other values. + // Generated Token's Policies + TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + + // The incremental lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. + // The initial ttl of the token to generate in seconds + TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + + // The type of token that should be generated. Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). 
For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. + // The type of token to generate, service or batch + TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` +} + type AuthBackendRoleObservation struct { + // The role's arn. // The role's arn. Arn *string `json:"arn,omitempty" tf:"arn,omitempty"` + // Path to the mounted AliCloud auth backend. + // Defaults to alicloud // Auth backend. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Name of the role. Must correspond with the name of + // the role reflected in the arn. // Name of the role. Must correspond with the name of the role reflected in the arn. Role *string `json:"role,omitempty" tf:"role,omitempty"` + // List of CIDR blocks; if set, specifies blocks of IP + // addresses which can authenticate successfully, and ties the resulting token to these blocks + // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + // If set, will encode an + // explicit max TTL + // onto the token in number of seconds. This is a hard cap even if token_ttl and + // token_max_ttl would otherwise allow a renewal. 
// Generated Token's Explicit Maximum TTL in seconds TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + // The maximum lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. // The maximum lifetime of the generated token TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + // If set, the default policy will not be set on + // generated tokens; otherwise it will be added to the policies set in token_policies. // If true, the 'default' policy will not automatically be added to generated tokens TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + // The maximum number + // of times a generated token may be used (within its lifetime); 0 means unlimited. // The maximum number of times a token may be used, a value of zero means unlimited TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + // If set, indicates that the + // token generated using this role should never expire. The token should be renewed within the + // duration specified by this value. At each renewal, the token's TTL will be set to the + // value of this field. Specified in seconds. // Generated Token's Period TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + // List of policies to encode onto generated tokens. Depending + // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + // The incremental lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. // The initial ttl of the token to generate in seconds TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + // The type of token that should be generated. 
Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. // The type of token to generate, service or batch TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` } type AuthBackendRoleParameters struct { + // The role's arn. // The role's arn. // +kubebuilder:validation:Optional Arn *string `json:"arn,omitempty" tf:"arn,omitempty"` + // Path to the mounted AliCloud auth backend. + // Defaults to alicloud // Auth backend. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Name of the role. Must correspond with the name of + // the role reflected in the arn. // Name of the role. Must correspond with the name of the role reflected in the arn. // +kubebuilder:validation:Optional Role *string `json:"role,omitempty" tf:"role,omitempty"` + // List of CIDR blocks; if set, specifies blocks of IP + // addresses which can authenticate successfully, and ties the resulting token to these blocks + // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token // +kubebuilder:validation:Optional TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + // If set, will encode an + // explicit max TTL + // onto the token in number of seconds. 
This is a hard cap even if token_ttl and + // token_max_ttl would otherwise allow a renewal. // Generated Token's Explicit Maximum TTL in seconds // +kubebuilder:validation:Optional TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + // The maximum lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. // The maximum lifetime of the generated token // +kubebuilder:validation:Optional TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + // If set, the default policy will not be set on + // generated tokens; otherwise it will be added to the policies set in token_policies. // If true, the 'default' policy will not automatically be added to generated tokens // +kubebuilder:validation:Optional TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + // The maximum number + // of times a generated token may be used (within its lifetime); 0 means unlimited. // The maximum number of times a token may be used, a value of zero means unlimited // +kubebuilder:validation:Optional TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + // If set, indicates that the + // token generated using this role should never expire. The token should be renewed within the + // duration specified by this value. At each renewal, the token's TTL will be set to the + // value of this field. Specified in seconds. // Generated Token's Period // +kubebuilder:validation:Optional TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + // List of policies to encode onto generated tokens. Depending + // on the auth method, this list may be supplemented by user/group/other values. 
// Generated Token's Policies // +kubebuilder:validation:Optional TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + // The incremental lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. // The initial ttl of the token to generate in seconds // +kubebuilder:validation:Optional TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + // The type of token that should be generated. Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. // The type of token to generate, service or batch // +kubebuilder:validation:Optional TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` 
@@ -116,6 +263,18 @@ type AuthBackendRoleParameters struct { type AuthBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendRoleParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider AuthBackendRoleInitParameters `json:"initProvider,omitempty"` } // AuthBackendRoleStatus defines the observed state of AuthBackendRole. @@ -126,7 +285,7 @@ type AuthBackendRoleStatus struct { // +kubebuilder:object:root=true -// AuthBackendRole is the Schema for the AuthBackendRoles API. +// AuthBackendRole is the Schema for the AuthBackendRoles API. Managing roles in an AliCloud auth backend in Vault // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -136,8 +295,8 @@ type AuthBackendRoleStatus struct { type AuthBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.arn)",message="arn is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.role)",message="role is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.arn) || has(self.initProvider.arn)",message="arn is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.role) || has(self.initProvider.role)",message="role is a required parameter" Spec AuthBackendRoleSpec `json:"spec"` Status AuthBackendRoleStatus `json:"status,omitempty"` } diff --git a/apis/alicloud/v1alpha1/zz_generated.deepcopy.go b/apis/alicloud/v1alpha1/zz_generated.deepcopy.go index caf9ffe7..811d680a 100644 --- a/apis/alicloud/v1alpha1/zz_generated.deepcopy.go +++ b/apis/alicloud/v1alpha1/zz_generated.deepcopy.go 
@@ -40,6 +40,98 @@ func (in *AuthBackendRole) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendRoleInitParameters) DeepCopyInto(out *AuthBackendRoleInitParameters) { + *out = *in + if in.Arn != nil { + in, out := &in.Arn, &out.Arn + *out = new(string) + **out = **in + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Role != nil { + in, out := &in.Role, &out.Role + *out = new(string) + **out = **in + } + if in.TokenBoundCidrs != nil { + in, out := &in.TokenBoundCidrs, &out.TokenBoundCidrs + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenExplicitMaxTTL != nil { + in, out := &in.TokenExplicitMaxTTL, &out.TokenExplicitMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenMaxTTL != nil { + in, out := &in.TokenMaxTTL, &out.TokenMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenNoDefaultPolicy != nil { + in, out := &in.TokenNoDefaultPolicy, &out.TokenNoDefaultPolicy + *out = new(bool) + **out = **in + } + if in.TokenNumUses != nil { + in, out := &in.TokenNumUses, &out.TokenNumUses + *out = new(float64) + **out = **in + } + if in.TokenPeriod != nil { + in, out := &in.TokenPeriod, &out.TokenPeriod + *out = new(float64) + **out = **in + } + if in.TokenPolicies != nil { + in, out := &in.TokenPolicies, &out.TokenPolicies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenTTL != nil { + in, out := &in.TokenTTL, &out.TokenTTL + *out = new(float64) + **out = **in + } + if in.TokenType != nil { + in, out := 
&in.TokenType, &out.TokenType + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleInitParameters. +func (in *AuthBackendRoleInitParameters) DeepCopy() *AuthBackendRoleInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendRoleInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthBackendRoleList) DeepCopyInto(out *AuthBackendRoleList) { *out = *in @@ -266,6 +358,7 @@ func (in *AuthBackendRoleSpec) DeepCopyInto(out *AuthBackendRoleSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleSpec. diff --git a/apis/alicloud/v1alpha1/zz_generated.managed.go b/apis/alicloud/v1alpha1/zz_generated.managed.go index b79200d3..836c358b 100644 --- a/apis/alicloud/v1alpha1/zz_generated.managed.go +++ b/apis/alicloud/v1alpha1/zz_generated.managed.go @@ -17,9 +17,9 @@ func (mg *AuthBackendRole) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this AuthBackendRole. -func (mg *AuthBackendRole) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this AuthBackendRole. +func (mg *AuthBackendRole) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this AuthBackendRole. 
@@ -55,9 +55,9 @@ func (mg *AuthBackendRole) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this AuthBackendRole. -func (mg *AuthBackendRole) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this AuthBackendRole. +func (mg *AuthBackendRole) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this AuthBackendRole. diff --git a/apis/alicloud/v1alpha1/zz_generated_terraformed.go b/apis/alicloud/v1alpha1/zz_generated_terraformed.go index 49badfb4..8585cd03 100755 --- a/apis/alicloud/v1alpha1/zz_generated_terraformed.go +++ b/apis/alicloud/v1alpha1/zz_generated_terraformed.go @@ -69,6 +69,16 @@ func (tr *AuthBackendRole) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this AuthBackendRole +func (tr *AuthBackendRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this AuthBackendRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackendRole) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/approle/v1alpha1/zz_authbackendlogin_types.go b/apis/approle/v1alpha1/zz_authbackendlogin_types.go index e70d0d99..b8949b1a 100755 --- a/apis/approle/v1alpha1/zz_authbackendlogin_types.go +++ b/apis/approle/v1alpha1/zz_authbackendlogin_types.go 
@@ -13,57 +13,103 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AuthBackendLoginInitParameters struct { + + // The unique path of the Vault backend to log in with. + // Unique name of the auth backend to configure. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The ID of the role to log in with. + // The RoleID to log in with. + RoleID *string `json:"roleId,omitempty" tf:"role_id,omitempty"` + + // The secret ID of the role to log in with. Required + // unless bind_secret_id is set to false on the role. + // The SecretID to log in with. + SecretID *string `json:"secretId,omitempty" tf:"secret_id,omitempty"` +} + type AuthBackendLoginObservation struct { + // The accessor for the token. // The accessor for the token. Accessor *string `json:"accessor,omitempty" tf:"accessor,omitempty"` + // The unique path of the Vault backend to log in with. // Unique name of the auth backend to configure. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // The Vault token created. // The token. ClientToken *string `json:"clientToken,omitempty" tf:"client_token,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // How long the token is valid for, in seconds. // How long the token is valid for. LeaseDuration *float64 `json:"leaseDuration,omitempty" tf:"lease_duration,omitempty"` + // The date and time the lease started, in RFC 3339 format. LeaseStarted *string `json:"leaseStarted,omitempty" tf:"lease_started,omitempty"` + // The metadata associated with the token. // Metadata associated with the token. 
Metadata map[string]*string `json:"metadata,omitempty" tf:"metadata,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // A list of policies applied to the token. // Policies set on the token. Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` + // Whether the token is renewable or not. // Whether the token is renewable or not. Renewable *bool `json:"renewable,omitempty" tf:"renewable,omitempty"` + // The ID of the role to log in with. // The RoleID to log in with. RoleID *string `json:"roleId,omitempty" tf:"role_id,omitempty"` + // The secret ID of the role to log in with. Required + // unless bind_secret_id is set to false on the role. // The SecretID to log in with. SecretID *string `json:"secretId,omitempty" tf:"secret_id,omitempty"` } type AuthBackendLoginParameters struct { + // The unique path of the Vault backend to log in with. // Unique name of the auth backend to configure. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The ID of the role to log in with. // The RoleID to log in with. // +kubebuilder:validation:Optional RoleID *string `json:"roleId,omitempty" tf:"role_id,omitempty"` + // The secret ID of the role to log in with. 
Required + // unless bind_secret_id is set to false on the role. // The SecretID to log in with. // +kubebuilder:validation:Optional SecretID *string `json:"secretId,omitempty" tf:"secret_id,omitempty"` @@ -73,6 +119,18 @@ type AuthBackendLoginParameters struct { type AuthBackendLoginSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendLoginParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider AuthBackendLoginInitParameters `json:"initProvider,omitempty"` } // AuthBackendLoginStatus defines the observed state of AuthBackendLogin. @@ -83,7 +141,7 @@ type AuthBackendLoginStatus struct { // +kubebuilder:object:root=true -// AuthBackendLogin is the Schema for the AuthBackendLogins API. +// AuthBackendLogin is the Schema for the AuthBackendLogins API. Log into Vault using the AppRole auth backend. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -93,7 +151,7 @@ type AuthBackendLoginStatus struct { type AuthBackendLogin struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.roleId)",message="roleId is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.roleId) || has(self.initProvider.roleId)",message="roleId is a required parameter" Spec AuthBackendLoginSpec `json:"spec"` Status AuthBackendLoginStatus `json:"status,omitempty"` } diff --git a/apis/approle/v1alpha1/zz_authbackendrole_types.go b/apis/approle/v1alpha1/zz_authbackendrole_types.go index f13813f9..107dbef9 100755 --- a/apis/approle/v1alpha1/zz_authbackendrole_types.go +++ b/apis/approle/v1alpha1/zz_authbackendrole_types.go 
@@ -13,128 +13,314 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AuthBackendRoleInitParameters struct { + + // The unique name of the auth backend to configure. + // Defaults to approle. + // Unique name of the auth backend to configure. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // Whether or not to require secret_id to be + // presented when logging in using this AppRole. Defaults to true. + // Whether or not to require secret_id to be present when logging in using this AppRole. + BindSecretID *bool `json:"bindSecretId,omitempty" tf:"bind_secret_id,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The RoleID of this role. If not specified, one will be + // auto-generated. + // The RoleID of the role. Autogenerated if not set. + RoleID *string `json:"roleId,omitempty" tf:"role_id,omitempty"` + + // The name of the role. + // Name of the role. + RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"` + + // If set, + // specifies blocks of IP addresses which can perform the login operation. + // List of CIDR blocks that can log in using the AppRole. + SecretIDBoundCidrs []*string `json:"secretIdBoundCidrs,omitempty" tf:"secret_id_bound_cidrs,omitempty"` + + // The number of times any particular SecretID + // can be used to fetch a token from this AppRole, after which the SecretID will + // expire. A value of zero will allow unlimited uses. + // Number of times which a particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire. Leaving this unset or setting it to 0 will allow unlimited uses. 
+ SecretIDNumUses *float64 `json:"secretIdNumUses,omitempty" tf:"secret_id_num_uses,omitempty"` + + // The number of seconds after which any SecretID + // expires. + // Number of seconds a SecretID remains valid for. + SecretIDTTL *float64 `json:"secretIdTtl,omitempty" tf:"secret_id_ttl,omitempty"` + + // List of CIDR blocks; if set, specifies blocks of IP + // addresses which can authenticate successfully, and ties the resulting token to these blocks + // as well. + // Specifies the blocks of IP addresses which are allowed to use the generated token + TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + + // If set, will encode an + // explicit max TTL + // onto the token in number of seconds. This is a hard cap even if token_ttl and + // token_max_ttl would otherwise allow a renewal. + // Generated Token's Explicit Maximum TTL in seconds + TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + + // The maximum lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. + // The maximum lifetime of the generated token + TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + + // If set, the default policy will not be set on + // generated tokens; otherwise it will be added to the policies set in token_policies. + // If true, the 'default' policy will not automatically be added to generated tokens + TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + + // The maximum number + // of times a generated token may be used (within its lifetime); 0 means unlimited. + // The maximum number of times a token may be used, a value of zero means unlimited + TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + + // If set, indicates that the + // token generated using this role should never expire. 
The token should be renewed within the + // duration specified by this value. At each renewal, the token's TTL will be set to the + // value of this field. Specified in seconds. + // Generated Token's Period + TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + + // List of policies to encode onto generated tokens. Depending + // on the auth method, this list may be supplemented by user/group/other values. + // Generated Token's Policies + TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + + // The incremental lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. + // The initial ttl of the token to generate in seconds + TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + + // The type of token that should be generated. Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. + // The type of token to generate, service or batch + TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` +} + type AuthBackendRoleObservation struct { + // The unique name of the auth backend to configure. + // Defaults to approle. // Unique name of the auth backend to configure. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Whether or not to require secret_id to be + // presented when logging in using this AppRole. Defaults to true. // Whether or not to require secret_id to be present when logging in using this AppRole. BindSecretID *bool `json:"bindSecretId,omitempty" tf:"bind_secret_id,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The namespace to provision the resource in. 
+ // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The RoleID of this role. If not specified, one will be + // auto-generated. // The RoleID of the role. Autogenerated if not set. RoleID *string `json:"roleId,omitempty" tf:"role_id,omitempty"` + // The name of the role. // Name of the role. RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"` + // If set, + // specifies blocks of IP addresses which can perform the login operation. // List of CIDR blocks that can log in using the AppRole. SecretIDBoundCidrs []*string `json:"secretIdBoundCidrs,omitempty" tf:"secret_id_bound_cidrs,omitempty"` + // The number of times any particular SecretID + // can be used to fetch a token from this AppRole, after which the SecretID will + // expire. A value of zero will allow unlimited uses. // Number of times which a particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire. Leaving this unset or setting it to 0 will allow unlimited uses. SecretIDNumUses *float64 `json:"secretIdNumUses,omitempty" tf:"secret_id_num_uses,omitempty"` + // The number of seconds after which any SecretID + // expires. // Number of seconds a SecretID remains valid for. SecretIDTTL *float64 `json:"secretIdTtl,omitempty" tf:"secret_id_ttl,omitempty"` + // List of CIDR blocks; if set, specifies blocks of IP + // addresses which can authenticate successfully, and ties the resulting token to these blocks + // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + // If set, will encode an + // explicit max TTL + // onto the token in number of seconds. 
This is a hard cap even if token_ttl and + // token_max_ttl would otherwise allow a renewal. // Generated Token's Explicit Maximum TTL in seconds TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + // The maximum lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. // The maximum lifetime of the generated token TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + // If set, the default policy will not be set on + // generated tokens; otherwise it will be added to the policies set in token_policies. // If true, the 'default' policy will not automatically be added to generated tokens TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + // The maximum number + // of times a generated token may be used (within its lifetime); 0 means unlimited. // The maximum number of times a token may be used, a value of zero means unlimited TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + // If set, indicates that the + // token generated using this role should never expire. The token should be renewed within the + // duration specified by this value. At each renewal, the token's TTL will be set to the + // value of this field. Specified in seconds. // Generated Token's Period TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + // List of policies to encode onto generated tokens. Depending + // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + // The incremental lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. 
// The initial ttl of the token to generate in seconds TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + // The type of token that should be generated. Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. // The type of token to generate, service or batch TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` } type AuthBackendRoleParameters struct { + // The unique name of the auth backend to configure. + // Defaults to approle. // Unique name of the auth backend to configure. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Whether or not to require secret_id to be + // presented when logging in using this AppRole. Defaults to true. // Whether or not to require secret_id to be present when logging in using this AppRole. // +kubebuilder:validation:Optional BindSecretID *bool `json:"bindSecretId,omitempty" tf:"bind_secret_id,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The RoleID of this role. If not specified, one will be + // auto-generated. // The RoleID of the role. Autogenerated if not set. // +kubebuilder:validation:Optional RoleID *string `json:"roleId,omitempty" tf:"role_id,omitempty"` + // The name of the role. // Name of the role. 
// +kubebuilder:validation:Optional RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"` + // If set, + // specifies blocks of IP addresses which can perform the login operation. // List of CIDR blocks that can log in using the AppRole. // +kubebuilder:validation:Optional SecretIDBoundCidrs []*string `json:"secretIdBoundCidrs,omitempty" tf:"secret_id_bound_cidrs,omitempty"` + // The number of times any particular SecretID + // can be used to fetch a token from this AppRole, after which the SecretID will + // expire. A value of zero will allow unlimited uses. // Number of times which a particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire. Leaving this unset or setting it to 0 will allow unlimited uses. // +kubebuilder:validation:Optional SecretIDNumUses *float64 `json:"secretIdNumUses,omitempty" tf:"secret_id_num_uses,omitempty"` + // The number of seconds after which any SecretID + // expires. // Number of seconds a SecretID remains valid for. // +kubebuilder:validation:Optional SecretIDTTL *float64 `json:"secretIdTtl,omitempty" tf:"secret_id_ttl,omitempty"` + // List of CIDR blocks; if set, specifies blocks of IP + // addresses which can authenticate successfully, and ties the resulting token to these blocks + // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token // +kubebuilder:validation:Optional TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + // If set, will encode an + // explicit max TTL + // onto the token in number of seconds. This is a hard cap even if token_ttl and + // token_max_ttl would otherwise allow a renewal. // Generated Token's Explicit Maximum TTL in seconds // +kubebuilder:validation:Optional TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + // The maximum lifetime for generated tokens in number of seconds. 
+ // Its current value will be referenced at renewal time. // The maximum lifetime of the generated token // +kubebuilder:validation:Optional TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + // If set, the default policy will not be set on + // generated tokens; otherwise it will be added to the policies set in token_policies. // If true, the 'default' policy will not automatically be added to generated tokens // +kubebuilder:validation:Optional TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + // The maximum number + // of times a generated token may be used (within its lifetime); 0 means unlimited. // The maximum number of times a token may be used, a value of zero means unlimited // +kubebuilder:validation:Optional TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + // If set, indicates that the + // token generated using this role should never expire. The token should be renewed within the + // duration specified by this value. At each renewal, the token's TTL will be set to the + // value of this field. Specified in seconds. // Generated Token's Period // +kubebuilder:validation:Optional TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + // List of policies to encode onto generated tokens. Depending + // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies // +kubebuilder:validation:Optional TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + // The incremental lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. // The initial ttl of the token to generate in seconds // +kubebuilder:validation:Optional TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + // The type of token that should be generated. 
Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. // The type of token to generate, service or batch // +kubebuilder:validation:Optional TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` @@ -144,6 +330,18 @@ type AuthBackendRoleParameters struct { type AuthBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendRoleParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider AuthBackendRoleInitParameters `json:"initProvider,omitempty"` } // AuthBackendRoleStatus defines the observed state of AuthBackendRole. 
@@ -154,7 +352,7 @@ type AuthBackendRoleStatus struct { // +kubebuilder:object:root=true -// AuthBackendRole is the Schema for the AuthBackendRoles API. +// AuthBackendRole is the Schema for the AuthBackendRoles API. Manages AppRole auth backend roles in Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" @@ -164,7 +362,7 @@ type AuthBackendRoleStatus struct { type AuthBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.roleName)",message="roleName is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.roleName) || has(self.initProvider.roleName)",message="roleName is a required parameter" Spec AuthBackendRoleSpec `json:"spec"` Status AuthBackendRoleStatus `json:"status,omitempty"` } diff --git a/apis/approle/v1alpha1/zz_authbackendrolesecretid_types.go b/apis/approle/v1alpha1/zz_authbackendrolesecretid_types.go index 4601dd85..dc2d8729 100755 --- a/apis/approle/v1alpha1/zz_authbackendrolesecretid_types.go +++ b/apis/approle/v1alpha1/zz_authbackendrolesecretid_types.go 
@@ -13,34 +13,93 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AuthBackendRoleSecretIDInitParameters struct { + + // Unique name of the auth backend to configure. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // If set, specifies blocks of IP addresses which can + // perform the login operation using this SecretID. + // List of CIDR blocks that can log in using the SecretID. + CidrList []*string `json:"cidrList,omitempty" tf:"cidr_list,omitempty"` + + // A JSON-encoded string containing metadata in + // key-value pairs to be set on tokens issued with this SecretID. + // JSON-encoded secret data to write. + Metadata *string `json:"metadata,omitempty" tf:"metadata,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The name of the role to create the SecretID for. + // Name of the role. + RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"` + + // Set to true to use the wrapped secret-id accessor as the resource ID. + // If false (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or + // invalidated through unwrapping. + // Use the wrapped secret-id accessor as the id of this resource. If false, a fresh secret-id will be regenerated whenever the wrapping token is expired or invalidated through unwrapping. + WithWrappedAccessor *bool `json:"withWrappedAccessor,omitempty" tf:"with_wrapped_accessor,omitempty"` + + // If set, the SecretID response will be + // response-wrapped + // and available for the duration specified. Only a single unwrapping of the + // token is allowed. + // The TTL duration of the wrapped SecretID. 
+ WrappingTTL *string `json:"wrappingTtl,omitempty" tf:"wrapping_ttl,omitempty"` +} + type AuthBackendRoleSecretIDObservation struct { + // The unique ID for this SecretID that can be safely logged. // The unique ID used to access this SecretID. Accessor *string `json:"accessor,omitempty" tf:"accessor,omitempty"` // Unique name of the auth backend to configure. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // If set, specifies blocks of IP addresses which can + // perform the login operation using this SecretID. // List of CIDR blocks that can log in using the SecretID. CidrList []*string `json:"cidrList,omitempty" tf:"cidr_list,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // A JSON-encoded string containing metadata in + // key-value pairs to be set on tokens issued with this SecretID. // JSON-encoded secret data to write. Metadata *string `json:"metadata,omitempty" tf:"metadata,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The name of the role to create the SecretID for. // Name of the role. RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"` + // Set to true to use the wrapped secret-id accessor as the resource ID. + // If false (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or + // invalidated through unwrapping. // Use the wrapped secret-id accessor as the id of this resource. If false, a fresh secret-id will be regenerated whenever the wrapping token is expired or invalidated through unwrapping. 
WithWrappedAccessor *bool `json:"withWrappedAccessor,omitempty" tf:"with_wrapped_accessor,omitempty"` + // The unique ID for the response-wrapped SecretID that can + // be safely logged. // The wrapped SecretID accessor. WrappingAccessor *string `json:"wrappingAccessor,omitempty" tf:"wrapping_accessor,omitempty"` + // If set, the SecretID response will be + // response-wrapped + // and available for the duration specified. Only a single unwrapping of the + // token is allowed. // The TTL duration of the wrapped SecretID. WrappingTTL *string `json:"wrappingTtl,omitempty" tf:"wrapping_ttl,omitempty"` } 
@@ -51,30 +110,48 @@ type AuthBackendRoleSecretIDParameters struct { // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // If set, specifies blocks of IP addresses which can + // perform the login operation using this SecretID. // List of CIDR blocks that can log in using the SecretID. // +kubebuilder:validation:Optional CidrList []*string `json:"cidrList,omitempty" tf:"cidr_list,omitempty"` + // A JSON-encoded string containing metadata in + // key-value pairs to be set on tokens issued with this SecretID. // JSON-encoded secret data to write. // +kubebuilder:validation:Optional Metadata *string `json:"metadata,omitempty" tf:"metadata,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The name of the role to create the SecretID for. // Name of the role. // +kubebuilder:validation:Optional RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"` + // The SecretID to be created. If set, uses "Push" + // mode. Defaults to Vault auto-generating SecretIDs. // The SecretID to be managed. If not specified, Vault auto-generates one. // +kubebuilder:validation:Optional SecretIDSecretRef *v1.SecretKeySelector `json:"secretIdSecretRef,omitempty" tf:"-"` + // Set to true to use the wrapped secret-id accessor as the resource ID. + // If false (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or + // invalidated through unwrapping. // Use the wrapped secret-id accessor as the id of this resource. If false, a fresh secret-id will be regenerated whenever the wrapping token is expired or invalidated through unwrapping. 
// +kubebuilder:validation:Optional WithWrappedAccessor *bool `json:"withWrappedAccessor,omitempty" tf:"with_wrapped_accessor,omitempty"` + // If set, the SecretID response will be + // response-wrapped + // and available for the duration specified. Only a single unwrapping of the + // token is allowed. // The TTL duration of the wrapped SecretID. // +kubebuilder:validation:Optional WrappingTTL *string `json:"wrappingTtl,omitempty" tf:"wrapping_ttl,omitempty"` @@ -84,6 +161,18 @@ type AuthBackendRoleSecretIDParameters struct { type AuthBackendRoleSecretIDSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendRoleSecretIDParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider AuthBackendRoleSecretIDInitParameters `json:"initProvider,omitempty"` } // AuthBackendRoleSecretIDStatus defines the observed state of AuthBackendRoleSecretID. 
@@ -94,7 +183,7 @@ type AuthBackendRoleSecretIDStatus struct { // +kubebuilder:object:root=true -// AuthBackendRoleSecretID is the Schema for the AuthBackendRoleSecretIDs API. +// AuthBackendRoleSecretID is the Schema for the AuthBackendRoleSecretIDs API. Manages AppRole auth backend role SecretIDs in Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" @@ -104,7 +193,7 @@ type AuthBackendRoleSecretIDStatus struct { type AuthBackendRoleSecretID struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.roleName)",message="roleName is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.roleName) || has(self.initProvider.roleName)",message="roleName is a required parameter" Spec AuthBackendRoleSecretIDSpec `json:"spec"` Status AuthBackendRoleSecretIDStatus `json:"status,omitempty"` } diff --git a/apis/approle/v1alpha1/zz_generated.deepcopy.go b/apis/approle/v1alpha1/zz_generated.deepcopy.go index 77c00381..2a1d8445 100644 --- a/apis/approle/v1alpha1/zz_generated.deepcopy.go +++ b/apis/approle/v1alpha1/zz_generated.deepcopy.go 
@@ -41,6 +41,41 @@ func (in *AuthBackendLogin) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendLoginInitParameters) DeepCopyInto(out *AuthBackendLoginInitParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.RoleID != nil { + in, out := &in.RoleID, &out.RoleID + *out = new(string) + **out = **in + } + if in.SecretID != nil { + in, out := &in.SecretID, &out.SecretID + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendLoginInitParameters. +func (in *AuthBackendLoginInitParameters) DeepCopy() *AuthBackendLoginInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendLoginInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthBackendLoginList) DeepCopyInto(out *AuthBackendLoginList) { *out = *in @@ -204,6 +239,7 @@ func (in *AuthBackendLoginSpec) DeepCopyInto(out *AuthBackendLoginSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendLoginSpec. 
@@ -260,6 +296,124 @@ func (in *AuthBackendRole) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendRoleInitParameters) DeepCopyInto(out *AuthBackendRoleInitParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.BindSecretID != nil { + in, out := &in.BindSecretID, &out.BindSecretID + *out = new(bool) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.RoleID != nil { + in, out := &in.RoleID, &out.RoleID + *out = new(string) + **out = **in + } + if in.RoleName != nil { + in, out := &in.RoleName, &out.RoleName + *out = new(string) + **out = **in + } + if in.SecretIDBoundCidrs != nil { + in, out := &in.SecretIDBoundCidrs, &out.SecretIDBoundCidrs + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.SecretIDNumUses != nil { + in, out := &in.SecretIDNumUses, &out.SecretIDNumUses + *out = new(float64) + **out = **in + } + if in.SecretIDTTL != nil { + in, out := &in.SecretIDTTL, &out.SecretIDTTL + *out = new(float64) + **out = **in + } + if in.TokenBoundCidrs != nil { + in, out := &in.TokenBoundCidrs, &out.TokenBoundCidrs + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenExplicitMaxTTL != nil { + in, out := &in.TokenExplicitMaxTTL, &out.TokenExplicitMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenMaxTTL != nil { + in, out := &in.TokenMaxTTL, &out.TokenMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenNoDefaultPolicy != nil { + in, out := &in.TokenNoDefaultPolicy, &out.TokenNoDefaultPolicy + *out = new(bool) + 
**out = **in + } + if in.TokenNumUses != nil { + in, out := &in.TokenNumUses, &out.TokenNumUses + *out = new(float64) + **out = **in + } + if in.TokenPeriod != nil { + in, out := &in.TokenPeriod, &out.TokenPeriod + *out = new(float64) + **out = **in + } + if in.TokenPolicies != nil { + in, out := &in.TokenPolicies, &out.TokenPolicies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenTTL != nil { + in, out := &in.TokenTTL, &out.TokenTTL + *out = new(float64) + **out = **in + } + if in.TokenType != nil { + in, out := &in.TokenType, &out.TokenType + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleInitParameters. +func (in *AuthBackendRoleInitParameters) DeepCopy() *AuthBackendRoleInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendRoleInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthBackendRoleList) DeepCopyInto(out *AuthBackendRoleList) { *out = *in 
@@ -560,6 +714,62 @@ func (in *AuthBackendRoleSecretID) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendRoleSecretIDInitParameters) DeepCopyInto(out *AuthBackendRoleSecretIDInitParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.CidrList != nil { + in, out := &in.CidrList, &out.CidrList + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Metadata != nil { + in, out := &in.Metadata, &out.Metadata + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.RoleName != nil { + in, out := &in.RoleName, &out.RoleName + *out = new(string) + **out = **in + } + if in.WithWrappedAccessor != nil { + in, out := &in.WithWrappedAccessor, &out.WithWrappedAccessor + *out = new(bool) + **out = **in + } + if in.WrappingTTL != nil { + in, out := &in.WrappingTTL, &out.WrappingTTL + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleSecretIDInitParameters. +func (in *AuthBackendRoleSecretIDInitParameters) DeepCopy() *AuthBackendRoleSecretIDInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendRoleSecretIDInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthBackendRoleSecretIDList) DeepCopyInto(out *AuthBackendRoleSecretIDList) { *out = *in 
@@ -729,6 +939,7 @@ func (in *AuthBackendRoleSecretIDSpec) DeepCopyInto(out *AuthBackendRoleSecretID *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleSecretIDSpec. @@ -763,6 +974,7 @@ func (in *AuthBackendRoleSpec) DeepCopyInto(out *AuthBackendRoleSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleSpec. diff --git a/apis/approle/v1alpha1/zz_generated.managed.go b/apis/approle/v1alpha1/zz_generated.managed.go index 50ca13e0..c4f83732 100644 --- a/apis/approle/v1alpha1/zz_generated.managed.go +++ b/apis/approle/v1alpha1/zz_generated.managed.go @@ -17,9 +17,9 @@ func (mg *AuthBackendLogin) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this AuthBackendLogin. -func (mg *AuthBackendLogin) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this AuthBackendLogin. +func (mg *AuthBackendLogin) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this AuthBackendLogin. @@ -55,9 +55,9 @@ func (mg *AuthBackendLogin) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this AuthBackendLogin. -func (mg *AuthBackendLogin) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this AuthBackendLogin. +func (mg *AuthBackendLogin) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this AuthBackendLogin. 
@@ -93,9 +93,9 @@ func (mg *AuthBackendRole) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this AuthBackendRole. -func (mg *AuthBackendRole) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this AuthBackendRole. +func (mg *AuthBackendRole) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this AuthBackendRole. @@ -131,9 +131,9 @@ func (mg *AuthBackendRole) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this AuthBackendRole. -func (mg *AuthBackendRole) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this AuthBackendRole. +func (mg *AuthBackendRole) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this AuthBackendRole. @@ -169,9 +169,9 @@ func (mg *AuthBackendRoleSecretID) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this AuthBackendRoleSecretID. -func (mg *AuthBackendRoleSecretID) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this AuthBackendRoleSecretID. +func (mg *AuthBackendRoleSecretID) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this AuthBackendRoleSecretID. 
@@ -207,9 +207,9 @@ func (mg *AuthBackendRoleSecretID) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this AuthBackendRoleSecretID. -func (mg *AuthBackendRoleSecretID) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this AuthBackendRoleSecretID. +func (mg *AuthBackendRoleSecretID) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this AuthBackendRoleSecretID. diff --git a/apis/approle/v1alpha1/zz_generated_terraformed.go b/apis/approle/v1alpha1/zz_generated_terraformed.go index d458858b..20e824d4 100755 --- a/apis/approle/v1alpha1/zz_generated_terraformed.go +++ b/apis/approle/v1alpha1/zz_generated_terraformed.go @@ -69,6 +69,16 @@ func (tr *AuthBackendLogin) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this AuthBackendLogin +func (tr *AuthBackendLogin) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this AuthBackendLogin using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackendLogin) LateInitialize(attrs []byte) (bool, error) { 
@@ -143,6 +153,16 @@ func (tr *AuthBackendRole) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this AuthBackendRole +func (tr *AuthBackendRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this AuthBackendRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackendRole) LateInitialize(attrs []byte) (bool, error) { @@ -217,6 +237,16 @@ func (tr *AuthBackendRoleSecretID) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this AuthBackendRoleSecretID +func (tr *AuthBackendRoleSecretID) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this AuthBackendRoleSecretID using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackendRoleSecretID) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/audit/v1alpha1/zz_generated.deepcopy.go b/apis/audit/v1alpha1/zz_generated.deepcopy.go index 292d3508..cfd34743 100644 --- a/apis/audit/v1alpha1/zz_generated.deepcopy.go +++ b/apis/audit/v1alpha1/zz_generated.deepcopy.go 
@@ -40,6 +40,36 @@ func (in *RequestHeader) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RequestHeaderInitParameters) DeepCopyInto(out *RequestHeaderInitParameters) { + *out = *in + if in.HMAC != nil { + in, out := &in.HMAC, &out.HMAC + *out = new(bool) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestHeaderInitParameters. +func (in *RequestHeaderInitParameters) DeepCopy() *RequestHeaderInitParameters { + if in == nil { + return nil + } + out := new(RequestHeaderInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RequestHeaderList) DeepCopyInto(out *RequestHeaderList) { *out = *in @@ -142,6 +172,7 @@ func (in *RequestHeaderSpec) DeepCopyInto(out *RequestHeaderSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestHeaderSpec. diff --git a/apis/audit/v1alpha1/zz_generated.managed.go b/apis/audit/v1alpha1/zz_generated.managed.go index 8180309b..8a9203bb 100644 --- a/apis/audit/v1alpha1/zz_generated.managed.go +++ b/apis/audit/v1alpha1/zz_generated.managed.go 
@@ -17,9 +17,9 @@ func (mg *RequestHeader) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this RequestHeader. -func (mg *RequestHeader) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this RequestHeader. +func (mg *RequestHeader) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this RequestHeader. @@ -55,9 +55,9 @@ func (mg *RequestHeader) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this RequestHeader. -func (mg *RequestHeader) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this RequestHeader. +func (mg *RequestHeader) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this RequestHeader. diff --git a/apis/audit/v1alpha1/zz_generated_terraformed.go b/apis/audit/v1alpha1/zz_generated_terraformed.go index 0678538e..c83cd2ab 100755 --- a/apis/audit/v1alpha1/zz_generated_terraformed.go +++ b/apis/audit/v1alpha1/zz_generated_terraformed.go @@ -69,6 +69,16 @@ func (tr *RequestHeader) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this RequestHeader +func (tr *RequestHeader) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this RequestHeader using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *RequestHeader) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/audit/v1alpha1/zz_requestheader_types.go b/apis/audit/v1alpha1/zz_requestheader_types.go index 3f92949a..6edbb4cf 100755 
--- a/apis/audit/v1alpha1/zz_requestheader_types.go +++ b/apis/audit/v1alpha1/zz_requestheader_types.go @@ -13,13 +13,29 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type RequestHeaderInitParameters struct { + + // Whether this header's value should be HMAC'd in the audit logs. + // Whether this header's value should be HMAC'd in the audit logs. + HMAC *bool `json:"hmac,omitempty" tf:"hmac,omitempty"` + + // The name of the request header to audit. + // The name of the request header to audit. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` +} + type RequestHeaderObservation struct { + // Whether this header's value should be HMAC'd in the audit logs. // Whether this header's value should be HMAC'd in the audit logs. HMAC *bool `json:"hmac,omitempty" tf:"hmac,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The name of the request header to audit. // The name of the request header to audit. Name *string `json:"name,omitempty" tf:"name,omitempty"` @@ -29,10 +45,12 @@ type RequestHeaderObservation struct { type RequestHeaderParameters struct { + // Whether this header's value should be HMAC'd in the audit logs. // Whether this header's value should be HMAC'd in the audit logs. // +kubebuilder:validation:Optional HMAC *bool `json:"hmac,omitempty" tf:"hmac,omitempty"` + // The name of the request header to audit. // The name of the request header to audit. // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` 
@@ -46,6 +64,18 @@ type RequestHeaderParameters struct { type RequestHeaderSpec struct { v1.ResourceSpec `json:",inline"` ForProvider RequestHeaderParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider RequestHeaderInitParameters `json:"initProvider,omitempty"` } // RequestHeaderStatus defines the observed state of RequestHeader. @@ -56,7 +86,7 @@ type RequestHeaderStatus struct { // +kubebuilder:object:root=true -// RequestHeader is the Schema for the RequestHeaders API. +// RequestHeader is the Schema for the RequestHeaders API. Manages audited request headers in Vault // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -66,7 +96,7 @@ type RequestHeaderStatus struct { type RequestHeader struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" Spec RequestHeaderSpec `json:"spec"` Status RequestHeaderStatus `json:"status,omitempty"` } diff --git a/apis/auth/v1alpha1/zz_backend_types.go b/apis/auth/v1alpha1/zz_backend_types.go index 5f76ef41..1e76eb88 100755 --- a/apis/auth/v1alpha1/zz_backend_types.go +++ b/apis/auth/v1alpha1/zz_backend_types.go 
@@ -13,6 +13,33 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type BackendInitParameters struct { + + // The description of the auth backend + Description *string `json:"description,omitempty" tf:"description,omitempty"` + + // If set, opts out of mount migration on path updates. + DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + + // Specifies if the auth method is local only + Local *bool `json:"local,omitempty" tf:"local,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // path to mount the backend. This defaults to the type. + Path *string `json:"path,omitempty" tf:"path,omitempty"` + + Tune []TuneInitParameters `json:"tune,omitempty" tf:"tune,omitempty"` + + // Name of the auth backend + Type *string `json:"type,omitempty" tf:"type,omitempty"` +} + type BackendObservation struct { // The accessor of the auth backend @@ -29,6 +56,10 @@ type BackendObservation struct { // Specifies if the auth method is local only Local *bool `json:"local,omitempty" tf:"local,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` 
@@ -55,6 +86,10 @@ type BackendParameters struct { // +kubebuilder:validation:Optional Local *bool `json:"local,omitempty" tf:"local,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` @@ -71,6 +106,29 @@ type BackendParameters struct { Type *string `json:"type,omitempty" tf:"type,omitempty"` } +type TuneInitParameters struct { + AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers"` + + AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys"` + + AuditNonHMACResponseKeys []*string `json:"auditNonHmacResponseKeys,omitempty" tf:"audit_non_hmac_response_keys"` + + DefaultLeaseTTL *string `json:"defaultLeaseTtl,omitempty" tf:"default_lease_ttl"` + + ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility"` + + MaxLeaseTTL *string `json:"maxLeaseTtl,omitempty" tf:"max_lease_ttl"` + + PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers"` + + // The type of token that should be generated. Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. + TokenType *string `json:"tokenType,omitempty" tf:"token_type"` +} + type TuneObservation struct { AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers,omitempty"` 
@@ -86,6 +144,11 @@ type TuneObservation struct { PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers,omitempty"` + // The type of token that should be generated. Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` } @@ -112,6 +175,11 @@ type TuneParameters struct { // +kubebuilder:validation:Optional PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers"` + // The type of token that should be generated. Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. // +kubebuilder:validation:Optional TokenType *string `json:"tokenType,omitempty" tf:"token_type"` } 
@@ -120,6 +188,18 @@ type TuneParameters struct { type BackendSpec struct { v1.ResourceSpec `json:",inline"` ForProvider BackendParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider BackendInitParameters `json:"initProvider,omitempty"` } // BackendStatus defines the observed state of Backend. @@ -130,7 +210,7 @@ type BackendStatus struct { // +kubebuilder:object:root=true -// Backend is the Schema for the Backends API. +// Backend is the Schema for the Backends API. Managing roles in an Cert auth backend in Vault // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -140,7 +220,7 @@ type BackendStatus struct { type Backend struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)",message="type is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.type) || has(self.initProvider.type)",message="type is a required parameter" Spec BackendSpec `json:"spec"` Status BackendStatus `json:"status,omitempty"` } diff --git a/apis/auth/v1alpha1/zz_generated.deepcopy.go b/apis/auth/v1alpha1/zz_generated.deepcopy.go index 78b4fbac..1eb5e9be 100644 --- a/apis/auth/v1alpha1/zz_generated.deepcopy.go +++ b/apis/auth/v1alpha1/zz_generated.deepcopy.go 
@@ -40,6 +40,58 @@ func (in *Backend) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *BackendInitParameters) DeepCopyInto(out *BackendInitParameters) { + *out = *in + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.DisableRemount != nil { + in, out := &in.DisableRemount, &out.DisableRemount + *out = new(bool) + **out = **in + } + if in.Local != nil { + in, out := &in.Local, &out.Local + *out = new(bool) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = **in + } + if in.Tune != nil { + in, out := &in.Tune, &out.Tune + *out = make([]TuneInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Type != nil { + in, out := &in.Type, &out.Type + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendInitParameters. +func (in *BackendInitParameters) DeepCopy() *BackendInitParameters { + if in == nil { + return nil + } + out := new(BackendInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BackendList) DeepCopyInto(out *BackendList) { *out = *in @@ -191,6 +243,7 @@ func (in *BackendSpec) DeepCopyInto(out *BackendSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendSpec. 
@@ -220,6 +273,85 @@ func (in *BackendStatus) DeepCopy() *BackendStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TuneInitParameters) DeepCopyInto(out *TuneInitParameters) { + *out = *in + if in.AllowedResponseHeaders != nil { + in, out := &in.AllowedResponseHeaders, &out.AllowedResponseHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.AuditNonHMACRequestKeys != nil { + in, out := &in.AuditNonHMACRequestKeys, &out.AuditNonHMACRequestKeys + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.AuditNonHMACResponseKeys != nil { + in, out := &in.AuditNonHMACResponseKeys, &out.AuditNonHMACResponseKeys + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.DefaultLeaseTTL != nil { + in, out := &in.DefaultLeaseTTL, &out.DefaultLeaseTTL + *out = new(string) + **out = **in + } + if in.ListingVisibility != nil { + in, out := &in.ListingVisibility, &out.ListingVisibility + *out = new(string) + **out = **in + } + if in.MaxLeaseTTL != nil { + in, out := &in.MaxLeaseTTL, &out.MaxLeaseTTL + *out = new(string) + **out = **in + } + if in.PassthroughRequestHeaders != nil { + in, out := &in.PassthroughRequestHeaders, &out.PassthroughRequestHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenType != nil { + in, out := &in.TokenType, &out.TokenType + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TuneInitParameters. 
+func (in *TuneInitParameters) DeepCopy() *TuneInitParameters { + if in == nil { + return nil + } + out := new(TuneInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TuneObservation) DeepCopyInto(out *TuneObservation) { *out = *in diff --git a/apis/auth/v1alpha1/zz_generated.managed.go b/apis/auth/v1alpha1/zz_generated.managed.go index 28676c44..305ee420 100644 --- a/apis/auth/v1alpha1/zz_generated.managed.go +++ b/apis/auth/v1alpha1/zz_generated.managed.go @@ -17,9 +17,9 @@ func (mg *Backend) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this Backend. -func (mg *Backend) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this Backend. +func (mg *Backend) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this Backend. @@ -55,9 +55,9 @@ func (mg *Backend) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this Backend. -func (mg *Backend) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this Backend. +func (mg *Backend) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this Backend. diff --git a/apis/auth/v1alpha1/zz_generated_terraformed.go b/apis/auth/v1alpha1/zz_generated_terraformed.go index e1d12ed8..774e1d2d 100755 --- a/apis/auth/v1alpha1/zz_generated_terraformed.go +++ b/apis/auth/v1alpha1/zz_generated_terraformed.go 
@@ -69,6 +69,16 @@ func (tr *Backend) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this Backend +func (tr *Backend) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this Backend using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *Backend) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/aws/v1alpha1/zz_authbackendcert_types.go b/apis/aws/v1alpha1/zz_authbackendcert_types.go index 2593e6d8..a8fcd6ef 100755 --- a/apis/aws/v1alpha1/zz_authbackendcert_types.go +++ b/apis/aws/v1alpha1/zz_authbackendcert_types.go 
@@ -13,44 +13,104 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AuthBackendCertInitParameters struct { + + // The Base64 encoded AWS Public key required to + // verify PKCS7 signature of the EC2 instance metadata. You can find this key in + // the AWS + // documentation. + // Base64 encoded AWS Public key required to verify PKCS7 signature of the EC2 instance metadata. + AwsPublicCert *string `json:"awsPublicCert,omitempty" tf:"aws_public_cert,omitempty"` + + // The path the AWS auth backend being configured was + // mounted at. Defaults to aws. + // Unique name of the auth backend to configure. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // The name of the certificate. + // Name of the certificate to configure. + CertName *string `json:"certName,omitempty" tf:"cert_name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Either "pkcs7" or "identity", indicating the type of + // document which can be verified using the given certificate. Defaults to + // "pkcs7". + // The type of document that can be verified using the certificate. Must be either "pkcs7" or "identity". + Type *string `json:"type,omitempty" tf:"type,omitempty"` +} + type AuthBackendCertObservation struct { + // The Base64 encoded AWS Public key required to + // verify PKCS7 signature of the EC2 instance metadata. You can find this key in + // the AWS + // documentation. // Base64 encoded AWS Public key required to verify PKCS7 signature of the EC2 instance metadata. 
AwsPublicCert *string `json:"awsPublicCert,omitempty" tf:"aws_public_cert,omitempty"` + // The path the AWS auth backend being configured was + // mounted at. Defaults to aws. // Unique name of the auth backend to configure. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // The name of the certificate. // Name of the certificate to configure. CertName *string `json:"certName,omitempty" tf:"cert_name,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Either "pkcs7" or "identity", indicating the type of + // document which can be verified using the given certificate. Defaults to + // "pkcs7". // The type of document that can be verified using the certificate. Must be either "pkcs7" or "identity". Type *string `json:"type,omitempty" tf:"type,omitempty"` } type AuthBackendCertParameters struct { + // The Base64 encoded AWS Public key required to + // verify PKCS7 signature of the EC2 instance metadata. You can find this key in + // the AWS + // documentation. // Base64 encoded AWS Public key required to verify PKCS7 signature of the EC2 instance metadata. // +kubebuilder:validation:Optional AwsPublicCert *string `json:"awsPublicCert,omitempty" tf:"aws_public_cert,omitempty"` + // The path the AWS auth backend being configured was + // mounted at. Defaults to aws. // Unique name of the auth backend to configure. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // The name of the certificate. // Name of the certificate to configure. 
// +kubebuilder:validation:Optional CertName *string `json:"certName,omitempty" tf:"cert_name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Either "pkcs7" or "identity", indicating the type of + // document which can be verified using the given certificate. Defaults to + // "pkcs7". // The type of document that can be verified using the certificate. Must be either "pkcs7" or "identity". // +kubebuilder:validation:Optional Type *string `json:"type,omitempty" tf:"type,omitempty"` @@ -60,6 +120,18 @@ type AuthBackendCertParameters struct { type AuthBackendCertSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendCertParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider AuthBackendCertInitParameters `json:"initProvider,omitempty"` } // AuthBackendCertStatus defines the observed state of AuthBackendCert. 
@@ -70,7 +142,7 @@ type AuthBackendCertStatus struct { // +kubebuilder:object:root=true -// AuthBackendCert is the Schema for the AuthBackendCerts API. +// AuthBackendCert is the Schema for the AuthBackendCerts API. Manages a certificate for an AWS Auth Backend in Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" @@ -80,8 +152,8 @@ type AuthBackendCertStatus struct { type AuthBackendCert struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.awsPublicCert)",message="awsPublicCert is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.certName)",message="certName is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.awsPublicCert) || has(self.initProvider.awsPublicCert)",message="awsPublicCert is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.certName) || has(self.initProvider.certName)",message="certName is a required parameter" Spec AuthBackendCertSpec `json:"spec"` Status AuthBackendCertStatus `json:"status,omitempty"` } diff --git a/apis/aws/v1alpha1/zz_authbackendclient_types.go b/apis/aws/v1alpha1/zz_authbackendclient_types.go index 58622879..812e4cf2 100755 --- a/apis/aws/v1alpha1/zz_authbackendclient_types.go 
+++ b/apis/aws/v1alpha1/zz_authbackendclient_types.go 
@@ -13,66 +13,145 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AuthBackendClientInitParameters struct { + + // The path the AWS auth backend being configured was + // mounted at. Defaults to aws. + // Unique name of the auth backend to configure. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // Override the URL Vault uses when making EC2 API + // calls. + // URL to override the default generated endpoint for making AWS EC2 API calls. + EC2Endpoint *string `json:"ec2Endpoint,omitempty" tf:"ec2_endpoint,omitempty"` + + // Override the URL Vault uses when making IAM API + // calls. + // URL to override the default generated endpoint for making AWS IAM API calls. + IAMEndpoint *string `json:"iamEndpoint,omitempty" tf:"iam_endpoint,omitempty"` + + // The value to require in the + // X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests + // that are used in the IAM auth method. + // The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the iam auth method. + IAMServerIDHeaderValue *string `json:"iamServerIdHeaderValue,omitempty" tf:"iam_server_id_header_value,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Override the URL Vault uses when making STS API + // calls. + // URL to override the default generated endpoint for making AWS STS API calls. + StsEndpoint *string `json:"stsEndpoint,omitempty" tf:"sts_endpoint,omitempty"` + + // Override the default region when making STS API + // calls. The sts_endpoint argument must be set when using sts_region. 
+ // Region to override the default region for making AWS STS API calls. + StsRegion *string `json:"stsRegion,omitempty" tf:"sts_region,omitempty"` +} + type AuthBackendClientObservation struct { + // The path the AWS auth backend being configured was + // mounted at. Defaults to aws. // Unique name of the auth backend to configure. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Override the URL Vault uses when making EC2 API + // calls. // URL to override the default generated endpoint for making AWS EC2 API calls. EC2Endpoint *string `json:"ec2Endpoint,omitempty" tf:"ec2_endpoint,omitempty"` + // Override the URL Vault uses when making IAM API + // calls. // URL to override the default generated endpoint for making AWS IAM API calls. IAMEndpoint *string `json:"iamEndpoint,omitempty" tf:"iam_endpoint,omitempty"` + // The value to require in the + // X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests + // that are used in the IAM auth method. // The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the iam auth method. IAMServerIDHeaderValue *string `json:"iamServerIdHeaderValue,omitempty" tf:"iam_server_id_header_value,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Override the URL Vault uses when making STS API + // calls. // URL to override the default generated endpoint for making AWS STS API calls. StsEndpoint *string `json:"stsEndpoint,omitempty" tf:"sts_endpoint,omitempty"` + // Override the default region when making STS API + // calls. 
The sts_endpoint argument must be set when using sts_region. // Region to override the default region for making AWS STS API calls. StsRegion *string `json:"stsRegion,omitempty" tf:"sts_region,omitempty"` } type AuthBackendClientParameters struct { + // The AWS access key that Vault should use for the + // auth backend. // AWS Access key with permissions to query AWS APIs. // +kubebuilder:validation:Optional AccessKeySecretRef *v1.SecretKeySelector `json:"accessKeySecretRef,omitempty" tf:"-"` + // The path the AWS auth backend being configured was + // mounted at. Defaults to aws. // Unique name of the auth backend to configure. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Override the URL Vault uses when making EC2 API + // calls. // URL to override the default generated endpoint for making AWS EC2 API calls. // +kubebuilder:validation:Optional EC2Endpoint *string `json:"ec2Endpoint,omitempty" tf:"ec2_endpoint,omitempty"` + // Override the URL Vault uses when making IAM API + // calls. // URL to override the default generated endpoint for making AWS IAM API calls. // +kubebuilder:validation:Optional IAMEndpoint *string `json:"iamEndpoint,omitempty" tf:"iam_endpoint,omitempty"` + // The value to require in the + // X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests + // that are used in the IAM auth method. // The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the iam auth method. // +kubebuilder:validation:Optional IAMServerIDHeaderValue *string `json:"iamServerIdHeaderValue,omitempty" tf:"iam_server_id_header_value,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. 
(requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The AWS secret key that Vault should use for the + // auth backend. // AWS Secret key with permissions to query AWS APIs. // +kubebuilder:validation:Optional SecretKeySecretRef *v1.SecretKeySelector `json:"secretKeySecretRef,omitempty" tf:"-"` + // Override the URL Vault uses when making STS API + // calls. // URL to override the default generated endpoint for making AWS STS API calls. // +kubebuilder:validation:Optional StsEndpoint *string `json:"stsEndpoint,omitempty" tf:"sts_endpoint,omitempty"` + // Override the default region when making STS API + // calls. The sts_endpoint argument must be set when using sts_region. // Region to override the default region for making AWS STS API calls. // +kubebuilder:validation:Optional StsRegion *string `json:"stsRegion,omitempty" tf:"sts_region,omitempty"` 
@@ -82,6 +161,18 @@ type AuthBackendClientParameters struct { type AuthBackendClientSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendClientParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider AuthBackendClientInitParameters `json:"initProvider,omitempty"` } // AuthBackendClientStatus defines the observed state of AuthBackendClient. @@ -92,7 +183,7 @@ type AuthBackendClientStatus struct { // +kubebuilder:object:root=true -// AuthBackendClient is the Schema for the AuthBackendClients API. +// AuthBackendClient is the Schema for the AuthBackendClients API. Configures the client used by an AWS Auth Backend in Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" diff --git a/apis/aws/v1alpha1/zz_authbackendconfigidentity_types.go b/apis/aws/v1alpha1/zz_authbackendconfigidentity_types.go index b2e3eb0a..9facbc32 100755 --- a/apis/aws/v1alpha1/zz_authbackendconfigidentity_types.go 
+++ b/apis/aws/v1alpha1/zz_authbackendconfigidentity_types.go 
@@ -13,20 +13,54 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AuthBackendConfigIdentityInitParameters struct { + + // Unique name of the auth backend to configure. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // How to generate the identity alias when using the ec2 auth method. Valid choices are + // role_id, instance_id, and image_id. Defaults to role_id + // Configures how to generate the identity alias when using the ec2 auth method. + EC2Alias *string `json:"ec2Alias,omitempty" tf:"ec2_alias,omitempty"` + + // The metadata to include on the token returned by the login endpoint. This metadata will be + // added to both audit logs, and on the ec2_alias + // The metadata to include on the token returned by the login endpoint. + EC2Metadata []*string `json:"ec2Metadata,omitempty" tf:"ec2_metadata,omitempty"` + + // How to generate the identity alias when using the iam auth method. Valid choices are + // role_id, unique_id, and full_arn. Defaults to role_id + // How to generate the identity alias when using the iam auth method. + IAMAlias *string `json:"iamAlias,omitempty" tf:"iam_alias,omitempty"` + + // The metadata to include on the token returned by the login endpoint. This metadata will be + // added to both audit logs, and on the iam_alias + // The metadata to include on the token returned by the login endpoint. + IAMMetadata []*string `json:"iamMetadata,omitempty" tf:"iam_metadata,omitempty"` +} + type AuthBackendConfigIdentityObservation struct { // Unique name of the auth backend to configure. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // How to generate the identity alias when using the ec2 auth method. Valid choices are + // role_id, instance_id, and image_id. Defaults to role_id // Configures how to generate the identity alias when using the ec2 auth method. 
EC2Alias *string `json:"ec2Alias,omitempty" tf:"ec2_alias,omitempty"` + // The metadata to include on the token returned by the login endpoint. This metadata will be + // added to both audit logs, and on the ec2_alias // The metadata to include on the token returned by the login endpoint. EC2Metadata []*string `json:"ec2Metadata,omitempty" tf:"ec2_metadata,omitempty"` + // How to generate the identity alias when using the iam auth method. Valid choices are + // role_id, unique_id, and full_arn. Defaults to role_id // How to generate the identity alias when using the iam auth method. IAMAlias *string `json:"iamAlias,omitempty" tf:"iam_alias,omitempty"` + // The metadata to include on the token returned by the login endpoint. This metadata will be + // added to both audit logs, and on the iam_alias // The metadata to include on the token returned by the login endpoint. IAMMetadata []*string `json:"iamMetadata,omitempty" tf:"iam_metadata,omitempty"` 
@@ -39,18 +73,26 @@ type AuthBackendConfigIdentityParameters struct { // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // How to generate the identity alias when using the ec2 auth method. Valid choices are + // role_id, instance_id, and image_id. Defaults to role_id // Configures how to generate the identity alias when using the ec2 auth method. // +kubebuilder:validation:Optional EC2Alias *string `json:"ec2Alias,omitempty" tf:"ec2_alias,omitempty"` + // The metadata to include on the token returned by the login endpoint. This metadata will be + // added to both audit logs, and on the ec2_alias // The metadata to include on the token returned by the login endpoint. // +kubebuilder:validation:Optional EC2Metadata []*string `json:"ec2Metadata,omitempty" tf:"ec2_metadata,omitempty"` + // How to generate the identity alias when using the iam auth method. Valid choices are + // role_id, unique_id, and full_arn. Defaults to role_id // How to generate the identity alias when using the iam auth method. // +kubebuilder:validation:Optional IAMAlias *string `json:"iamAlias,omitempty" tf:"iam_alias,omitempty"` + // The metadata to include on the token returned by the login endpoint. This metadata will be + // added to both audit logs, and on the iam_alias // The metadata to include on the token returned by the login endpoint. // +kubebuilder:validation:Optional IAMMetadata []*string `json:"iamMetadata,omitempty" tf:"iam_metadata,omitempty"` 
@@ -60,6 +102,18 @@ type AuthBackendConfigIdentityParameters struct { type AuthBackendConfigIdentitySpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendConfigIdentityParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider AuthBackendConfigIdentityInitParameters `json:"initProvider,omitempty"` } // AuthBackendConfigIdentityStatus defines the observed state of AuthBackendConfigIdentity. @@ -70,7 +124,7 @@ type AuthBackendConfigIdentityStatus struct { // +kubebuilder:object:root=true -// AuthBackendConfigIdentity is the Schema for the AuthBackendConfigIdentitys API. +// AuthBackendConfigIdentity is the Schema for the AuthBackendConfigIdentitys API. Manages AWS auth backend identity configuration in Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" diff --git a/apis/aws/v1alpha1/zz_authbackendidentitywhitelist_types.go b/apis/aws/v1alpha1/zz_authbackendidentitywhitelist_types.go index bafbf890..f212a160 100755 
--- a/apis/aws/v1alpha1/zz_authbackendidentitywhitelist_types.go +++ b/apis/aws/v1alpha1/zz_authbackendidentitywhitelist_types.go 
@@ -13,37 +13,82 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AuthBackendIdentityWhitelistInitParameters struct { + + // The path of the AWS backend being configured. + // Unique name of the auth backend to configure. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // If set to true, disables the periodic + // tidying of the identity-whitelist entries. + // If true, disables the periodic tidying of the identiy whitelist entries. + DisablePeriodicTidy *bool `json:"disablePeriodicTidy,omitempty" tf:"disable_periodic_tidy,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The amount of extra time, in minutes, that must + // have passed beyond the roletag expiration, before it is removed from the + // backend storage. + // The amount of extra time that must have passed beyond the roletag expiration, before it's removed from backend storage. + SafetyBuffer *float64 `json:"safetyBuffer,omitempty" tf:"safety_buffer,omitempty"` +} + type AuthBackendIdentityWhitelistObservation struct { + // The path of the AWS backend being configured. // Unique name of the auth backend to configure. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // If set to true, disables the periodic + // tidying of the identity-whitelist entries. // If true, disables the periodic tidying of the identiy whitelist entries. DisablePeriodicTidy *bool `json:"disablePeriodicTidy,omitempty" tf:"disable_periodic_tidy,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. 
+ // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The amount of extra time, in minutes, that must + // have passed beyond the roletag expiration, before it is removed from the + // backend storage. // The amount of extra time that must have passed beyond the roletag expiration, before it's removed from backend storage. SafetyBuffer *float64 `json:"safetyBuffer,omitempty" tf:"safety_buffer,omitempty"` } type AuthBackendIdentityWhitelistParameters struct { + // The path of the AWS backend being configured. // Unique name of the auth backend to configure. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // If set to true, disables the periodic + // tidying of the identity-whitelist entries. // If true, disables the periodic tidying of the identiy whitelist entries. // +kubebuilder:validation:Optional DisablePeriodicTidy *bool `json:"disablePeriodicTidy,omitempty" tf:"disable_periodic_tidy,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The amount of extra time, in minutes, that must + // have passed beyond the roletag expiration, before it is removed from the + // backend storage. // The amount of extra time that must have passed beyond the roletag expiration, before it's removed from backend storage. // +kubebuilder:validation:Optional SafetyBuffer *float64 `json:"safetyBuffer,omitempty" tf:"safety_buffer,omitempty"` 
@@ -53,6 +98,18 @@ type AuthBackendIdentityWhitelistParameters struct { type AuthBackendIdentityWhitelistSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendIdentityWhitelistParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider AuthBackendIdentityWhitelistInitParameters `json:"initProvider,omitempty"` } // AuthBackendIdentityWhitelistStatus defines the observed state of AuthBackendIdentityWhitelist. @@ -63,7 +120,7 @@ type AuthBackendIdentityWhitelistStatus struct { // +kubebuilder:object:root=true -// AuthBackendIdentityWhitelist is the Schema for the AuthBackendIdentityWhitelists API. +// AuthBackendIdentityWhitelist is the Schema for the AuthBackendIdentityWhitelists API. Configures the periodic tidying operation of the whitelisted identity entries. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
diff --git a/apis/aws/v1alpha1/zz_authbackendlogin_types.go b/apis/aws/v1alpha1/zz_authbackendlogin_types.go index 0805ef39..66661041 100755 --- a/apis/aws/v1alpha1/zz_authbackendlogin_types.go +++ b/apis/aws/v1alpha1/zz_authbackendlogin_types.go 
@@ -13,107 +13,237 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AuthBackendLoginInitParameters struct { + + // The unique name of the AWS auth backend. Defaults to + // 'aws'. + // AWS Auth Backend to read the token from. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // The HTTP method used in the signed IAM + // request. + // The HTTP method used in the signed request. + IAMHTTPRequestMethod *string `json:"iamHttpRequestMethod,omitempty" tf:"iam_http_request_method,omitempty"` + + // The base64-encoded body of the signed + // request. + // The Base64-encoded body of the signed request. + IAMRequestBody *string `json:"iamRequestBody,omitempty" tf:"iam_request_body,omitempty"` + + // The base64-encoded, JSON serialized + // representation of the GetCallerIdentity HTTP request headers. + // The Base64-encoded, JSON serialized representation of the sts:GetCallerIdentity HTTP request headers. + IAMRequestHeaders *string `json:"iamRequestHeaders,omitempty" tf:"iam_request_headers,omitempty"` + + // The base64-encoded HTTP URL used in the signed + // request. + // The Base64-encoded HTTP URL used in the signed request. + IAMRequestURL *string `json:"iamRequestUrl,omitempty" tf:"iam_request_url,omitempty"` + + // The base64-encoded EC2 instance identity document to + // authenticate with. Can be retrieved from the EC2 metadata server. + // Base64-encoded EC2 instance identity document to authenticate with. + Identity *string `json:"identity,omitempty" tf:"identity,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The unique nonce to be used for login requests. 
Can be + // set to a user-specified value, or will contain the server-generated value + // once a token is issued. EC2 instances can only acquire a single token until + // the whitelist is tidied again unless they keep track of this nonce. + // The nonce to be used for subsequent login requests. + Nonce *string `json:"nonce,omitempty" tf:"nonce,omitempty"` + + // The PKCS#7 signature of the identity document to + // authenticate with, with all newline characters removed. Can be retrieved from + // the EC2 metadata server. + // PKCS7 signature of the identity document to authenticate with, with all newline characters removed. + Pkcs7 *string `json:"pkcs7,omitempty" tf:"pkcs7,omitempty"` + + // The name of the AWS auth backend role to create tokens + // against. + // AWS Auth Role to read the token from. + Role *string `json:"role,omitempty" tf:"role,omitempty"` + + // The base64-encoded SHA256 RSA signature of the + // instance identity document to authenticate with, with all newline characters + // removed. Can be retrieved from the EC2 metadata server. + // Base64-encoded SHA256 RSA signature of the instance identtiy document to authenticate with. + Signature *string `json:"signature,omitempty" tf:"signature,omitempty"` +} + type AuthBackendLoginObservation struct { + // The token's accessor. // The accessor returned from Vault for this token. Accessor *string `json:"accessor,omitempty" tf:"accessor,omitempty"` + // The authentication type used to generate this token. // The auth method used to generate this token. AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // The unique name of the AWS auth backend. Defaults to + // 'aws'. // AWS Auth Backend to read the token from. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // The HTTP method used in the signed IAM + // request. // The HTTP method used in the signed request. 
IAMHTTPRequestMethod *string `json:"iamHttpRequestMethod,omitempty" tf:"iam_http_request_method,omitempty"` + // The base64-encoded body of the signed + // request. // The Base64-encoded body of the signed request. IAMRequestBody *string `json:"iamRequestBody,omitempty" tf:"iam_request_body,omitempty"` + // The base64-encoded, JSON serialized + // representation of the GetCallerIdentity HTTP request headers. // The Base64-encoded, JSON serialized representation of the sts:GetCallerIdentity HTTP request headers. IAMRequestHeaders *string `json:"iamRequestHeaders,omitempty" tf:"iam_request_headers,omitempty"` + // The base64-encoded HTTP URL used in the signed + // request. // The Base64-encoded HTTP URL used in the signed request. IAMRequestURL *string `json:"iamRequestUrl,omitempty" tf:"iam_request_url,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The base64-encoded EC2 instance identity document to + // authenticate with. Can be retrieved from the EC2 metadata server. // Base64-encoded EC2 instance identity document to authenticate with. Identity *string `json:"identity,omitempty" tf:"identity,omitempty"` + // The duration in seconds the token will be valid, relative + // to the time in lease_start_time. // Lease duration in seconds relative to the time in lease_start_time. LeaseDuration *float64 `json:"leaseDuration,omitempty" tf:"lease_duration,omitempty"` + // the approximate time at which the token was created, + // using the clock of the system where Upbound official provider was running. // time at which the lease was read, using the clock of the system where Upbound official provider was running LeaseStartTime *string `json:"leaseStartTime,omitempty" tf:"lease_start_time,omitempty"` + // A map of information returned by the Vault server about the + // authentication used to generate this token. // The metadata reported by the Vault server. 
Metadata map[string]*string `json:"metadata,omitempty" tf:"metadata,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The unique nonce to be used for login requests. Can be + // set to a user-specified value, or will contain the server-generated value + // once a token is issued. EC2 instances can only acquire a single token until + // the whitelist is tidied again unless they keep track of this nonce. // The nonce to be used for subsequent login requests. Nonce *string `json:"nonce,omitempty" tf:"nonce,omitempty"` + // The PKCS#7 signature of the identity document to + // authenticate with, with all newline characters removed. Can be retrieved from + // the EC2 metadata server. // PKCS7 signature of the identity document to authenticate with, with all newline characters removed. Pkcs7 *string `json:"pkcs7,omitempty" tf:"pkcs7,omitempty"` + // The Vault policies assigned to this token. // The policies assigned to this token. Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` + // Set to true if the token can be extended through renewal. // True if the duration of this lease can be extended through renewal. Renewable *bool `json:"renewable,omitempty" tf:"renewable,omitempty"` + // The name of the AWS auth backend role to create tokens + // against. // AWS Auth Role to read the token from. Role *string `json:"role,omitempty" tf:"role,omitempty"` + // The base64-encoded SHA256 RSA signature of the + // instance identity document to authenticate with, with all newline characters + // removed. Can be retrieved from the EC2 metadata server. // Base64-encoded SHA256 RSA signature of the instance identtiy document to authenticate with. 
Signature *string `json:"signature,omitempty" tf:"signature,omitempty"` } type AuthBackendLoginParameters struct { + // The unique name of the AWS auth backend. Defaults to + // 'aws'. // AWS Auth Backend to read the token from. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // The HTTP method used in the signed IAM + // request. // The HTTP method used in the signed request. // +kubebuilder:validation:Optional IAMHTTPRequestMethod *string `json:"iamHttpRequestMethod,omitempty" tf:"iam_http_request_method,omitempty"` + // The base64-encoded body of the signed + // request. // The Base64-encoded body of the signed request. // +kubebuilder:validation:Optional IAMRequestBody *string `json:"iamRequestBody,omitempty" tf:"iam_request_body,omitempty"` + // The base64-encoded, JSON serialized + // representation of the GetCallerIdentity HTTP request headers. // The Base64-encoded, JSON serialized representation of the sts:GetCallerIdentity HTTP request headers. // +kubebuilder:validation:Optional IAMRequestHeaders *string `json:"iamRequestHeaders,omitempty" tf:"iam_request_headers,omitempty"` + // The base64-encoded HTTP URL used in the signed + // request. // The Base64-encoded HTTP URL used in the signed request. // +kubebuilder:validation:Optional IAMRequestURL *string `json:"iamRequestUrl,omitempty" tf:"iam_request_url,omitempty"` + // The base64-encoded EC2 instance identity document to + // authenticate with. Can be retrieved from the EC2 metadata server. // Base64-encoded EC2 instance identity document to authenticate with. // +kubebuilder:validation:Optional Identity *string `json:"identity,omitempty" tf:"identity,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. 
(requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The unique nonce to be used for login requests. Can be + // set to a user-specified value, or will contain the server-generated value + // once a token is issued. EC2 instances can only acquire a single token until + // the whitelist is tidied again unless they keep track of this nonce. // The nonce to be used for subsequent login requests. // +kubebuilder:validation:Optional Nonce *string `json:"nonce,omitempty" tf:"nonce,omitempty"` + // The PKCS#7 signature of the identity document to + // authenticate with, with all newline characters removed. Can be retrieved from + // the EC2 metadata server. // PKCS7 signature of the identity document to authenticate with, with all newline characters removed. // +kubebuilder:validation:Optional Pkcs7 *string `json:"pkcs7,omitempty" tf:"pkcs7,omitempty"` + // The name of the AWS auth backend role to create tokens + // against. // AWS Auth Role to read the token from. // +kubebuilder:validation:Optional Role *string `json:"role,omitempty" tf:"role,omitempty"` + // The base64-encoded SHA256 RSA signature of the + // instance identity document to authenticate with, with all newline characters + // removed. Can be retrieved from the EC2 metadata server. // Base64-encoded SHA256 RSA signature of the instance identtiy document to authenticate with. // +kubebuilder:validation:Optional Signature *string `json:"signature,omitempty" tf:"signature,omitempty"` 
@@ -123,6 +253,18 @@ type AuthBackendLoginParameters struct { type AuthBackendLoginSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendLoginParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider AuthBackendLoginInitParameters `json:"initProvider,omitempty"` } // AuthBackendLoginStatus defines the observed state of AuthBackendLogin. @@ -133,7 +275,7 @@ type AuthBackendLoginStatus struct { // +kubebuilder:object:root=true -// AuthBackendLogin is the Schema for the AuthBackendLogins API. +// AuthBackendLogin is the Schema for the AuthBackendLogins API. Manages Vault tokens acquired using the AWS auth backend. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" diff --git a/apis/aws/v1alpha1/zz_authbackendrole_types.go b/apis/aws/v1alpha1/zz_authbackendrole_types.go index 55a3de83..da83b02c 100755 --- a/apis/aws/v1alpha1/zz_authbackendrole_types.go +++ b/apis/aws/v1alpha1/zz_authbackendrole_types.go 
@@ -13,104 +13,390 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AuthBackendRoleInitParameters struct { + + // If set to true, allows migration of + // the underlying instance where the client resides. + // When true, allows migration of the underlying instance where the client resides. Use with caution. + AllowInstanceMigration *bool `json:"allowInstanceMigration,omitempty" tf:"allow_instance_migration,omitempty"` + + // The auth type permitted for this role. Valid choices + // are ec2 and iam. Defaults to iam. + // The auth type permitted for this role. + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + + // Unique name of the auth backend to configure. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // If set, defines a constraint on the EC2 instances + // that can perform the login operation that they should be using the AMI ID + // specified by this field. auth_type must be set to ec2 or + // inferred_entity_type must be set to ec2_instance to use this constraint. + // Only EC2 instances using this AMI ID will be permitted to log in. + BoundAMIIds []*string `json:"boundAmiIds,omitempty" tf:"bound_ami_ids,omitempty"` + + // If set, defines a constraint on the EC2 + // instances that can perform the login operation that they should be using the + // account ID specified by this field. auth_type must be set to ec2 or + // inferred_entity_type must be set to ec2_instance to use this constraint. + // Only EC2 instances with this account ID in their identity document will be permitted to log in. + BoundAccountIds []*string `json:"boundAccountIds,omitempty" tf:"bound_account_ids,omitempty"` + + // Only EC2 instances that match this instance ID will be permitted to log in. 
+ BoundEC2InstanceIds []*string `json:"boundEc2InstanceIds,omitempty" tf:"bound_ec2_instance_ids,omitempty"` + + // If set, defines a constraint on + // the EC2 instances that can perform the login operation that they must be + // associated with an IAM instance profile ARN which has a prefix that matches + // the value specified by this field. The value is prefix-matched as though it + // were a glob ending in *. auth_type must be set to ec2 or + // inferred_entity_type must be set to ec2_instance to use this constraint. + // Only EC2 instances associated with an IAM instance profile ARN that matches this value will be permitted to log in. + BoundIAMInstanceProfileArns []*string `json:"boundIamInstanceProfileArns,omitempty" tf:"bound_iam_instance_profile_arns,omitempty"` + + // If set, defines the IAM principal that + // must be authenticated when auth_type is set to iam. Wildcards are + // supported at the end of the ARN. + // The IAM principal that must be authenticated using the iam auth method. + BoundIAMPrincipalArns []*string `json:"boundIamPrincipalArns,omitempty" tf:"bound_iam_principal_arns,omitempty"` + + // If set, defines a constraint on the EC2 + // instances that can perform the login operation that they must match the IAM + // role ARN specified by this field. auth_type must be set to ec2 or + // inferred_entity_type must be set to ec2_instance to use this constraint. + // Only EC2 instances that match this IAM role ARN will be permitted to log in. + BoundIAMRoleArns []*string `json:"boundIamRoleArns,omitempty" tf:"bound_iam_role_arns,omitempty"` + + // If set, defines a constraint on the EC2 instances + // that can perform the login operation that the region in their identity + // document must match the one specified by this field. auth_type must be set + // to ec2 or inferred_entity_type must be set to ec2_instance to use this + // constraint. + // Only EC2 instances in this region will be permitted to log in. 
+ BoundRegions []*string `json:"boundRegions,omitempty" tf:"bound_regions,omitempty"` + + // If set, defines a constraint on the EC2 + // instances that can perform the login operation that they be associated with + // the subnet ID that matches the value specified by this field. auth_type + // must be set to ec2 or inferred_entity_type must be set to ec2_instance + // to use this constraint. + // Only EC2 instances associated with this subnet ID will be permitted to log in. + BoundSubnetIds []*string `json:"boundSubnetIds,omitempty" tf:"bound_subnet_ids,omitempty"` + + // If set, defines a constraint on the EC2 instances + // that can perform the login operation that they be associated with the VPC ID + // that matches the value specified by this field. auth_type must be set to + // ec2 or inferred_entity_type must be set to ec2_instance to use this + // constraint. + // Only EC2 instances associated with this VPC ID will be permitted to log in. + BoundVPCIds []*string `json:"boundVpcIds,omitempty" tf:"bound_vpc_ids,omitempty"` + + // IF set to true, only allows a + // single token to be granted per instance ID. This can only be set when + // auth_type is set to ec2. + // When true, only allows a single token to be granted per instance ID. + DisallowReauthentication *bool `json:"disallowReauthentication,omitempty" tf:"disallow_reauthentication,omitempty"` + + // When inferred_entity_type is set, this + // is the region to search for the inferred entities. Required if + // inferred_entity_type is set. This only applies when auth_type is set to + // iam. + // The region to search for the inferred entities in. + InferredAwsRegion *string `json:"inferredAwsRegion,omitempty" tf:"inferred_aws_region,omitempty"` + + // If set, instructs Vault to turn on + // inferencing. The only valid value is ec2_instance, which instructs Vault to + // infer that the role comes from an EC2 instance in an IAM instance profile. + // This only applies when auth_type is set to iam. 
+ // The type of inferencing Vault should do. + InferredEntityType *string `json:"inferredEntityType,omitempty" tf:"inferred_entity_type,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Only valid when + // auth_type is iam. If set to true, the bound_iam_principal_arns are + // resolved to AWS Unique + // IDs + // for the bound principal ARN. This field is ignored when a + // bound_iam_principal_arn ends in a wildcard. Resolving to unique IDs more + // closely mimics the behavior of AWS services in that if an IAM user or role is + // deleted and a new one is recreated with the same name, those new users or + // roles won't get access to roles in Vault that were permissioned to the prior + // principals of the same name. Defaults to true. + // Once set to true, this cannot be changed to false without recreating the role. + // Whether or not Vault should resolve the bound_iam_principal_arn to an AWS Unique ID. When true, deleting a principal and recreating it with the same name won't automatically grant the new principal the same roles in Vault that the old principal had. + ResolveAwsUniqueIds *bool `json:"resolveAwsUniqueIds,omitempty" tf:"resolve_aws_unique_ids,omitempty"` + + // The name of the role. + // Name of the role. + Role *string `json:"role,omitempty" tf:"role,omitempty"` + + // If set, enable role tags for this role. The value set + // for this field should be the key of the tag on the EC2 instance. auth_type + // must be set to ec2 or inferred_entity_type must be set to ec2_instance + // to use this constraint. + // The key of the tag on EC2 instance to use for role tags. 
+ RoleTag *string `json:"roleTag,omitempty" tf:"role_tag,omitempty"` + + // List of CIDR blocks; if set, specifies blocks of IP + // addresses which can authenticate successfully, and ties the resulting token to these blocks + // as well. + // Specifies the blocks of IP addresses which are allowed to use the generated token + TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + + // If set, will encode an + // explicit max TTL + // onto the token in number of seconds. This is a hard cap even if token_ttl and + // token_max_ttl would otherwise allow a renewal. + // Generated Token's Explicit Maximum TTL in seconds + TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + + // The maximum lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. + // The maximum lifetime of the generated token + TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + + // If set, the default policy will not be set on + // generated tokens; otherwise it will be added to the policies set in token_policies. + // If true, the 'default' policy will not automatically be added to generated tokens + TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + + // The maximum number + // of times a generated token may be used (within its lifetime); 0 means unlimited. + // The maximum number of times a token may be used, a value of zero means unlimited + TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + + // If set, indicates that the + // token generated using this role should never expire. The token should be renewed within the + // duration specified by this value. At each renewal, the token's TTL will be set to the + // value of this field. Specified in seconds. 
+ // Generated Token's Period + TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + + // List of policies to encode onto generated tokens. Depending + // on the auth method, this list may be supplemented by user/group/other values. + // Generated Token's Policies + TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + + // The incremental lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. + // The initial ttl of the token to generate in seconds + TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + + // The type of token that should be generated. Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. + // The type of token to generate, service or batch + TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` +} + type AuthBackendRoleObservation struct { + // If set to true, allows migration of + // the underlying instance where the client resides. // When true, allows migration of the underlying instance where the client resides. Use with caution. AllowInstanceMigration *bool `json:"allowInstanceMigration,omitempty" tf:"allow_instance_migration,omitempty"` + // The auth type permitted for this role. Valid choices + // are ec2 and iam. Defaults to iam. // The auth type permitted for this role. AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` // Unique name of the auth backend to configure. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // If set, defines a constraint on the EC2 instances + // that can perform the login operation that they should be using the AMI ID + // specified by this field. 
auth_type must be set to ec2 or + // inferred_entity_type must be set to ec2_instance to use this constraint. // Only EC2 instances using this AMI ID will be permitted to log in. BoundAMIIds []*string `json:"boundAmiIds,omitempty" tf:"bound_ami_ids,omitempty"` + // If set, defines a constraint on the EC2 + // instances that can perform the login operation that they should be using the + // account ID specified by this field. auth_type must be set to ec2 or + // inferred_entity_type must be set to ec2_instance to use this constraint. // Only EC2 instances with this account ID in their identity document will be permitted to log in. BoundAccountIds []*string `json:"boundAccountIds,omitempty" tf:"bound_account_ids,omitempty"` // Only EC2 instances that match this instance ID will be permitted to log in. BoundEC2InstanceIds []*string `json:"boundEc2InstanceIds,omitempty" tf:"bound_ec2_instance_ids,omitempty"` + // If set, defines a constraint on + // the EC2 instances that can perform the login operation that they must be + // associated with an IAM instance profile ARN which has a prefix that matches + // the value specified by this field. The value is prefix-matched as though it + // were a glob ending in *. auth_type must be set to ec2 or + // inferred_entity_type must be set to ec2_instance to use this constraint. // Only EC2 instances associated with an IAM instance profile ARN that matches this value will be permitted to log in. BoundIAMInstanceProfileArns []*string `json:"boundIamInstanceProfileArns,omitempty" tf:"bound_iam_instance_profile_arns,omitempty"` + // If set, defines the IAM principal that + // must be authenticated when auth_type is set to iam. Wildcards are + // supported at the end of the ARN. // The IAM principal that must be authenticated using the iam auth method. 
BoundIAMPrincipalArns []*string `json:"boundIamPrincipalArns,omitempty" tf:"bound_iam_principal_arns,omitempty"` + // If set, defines a constraint on the EC2 + // instances that can perform the login operation that they must match the IAM + // role ARN specified by this field. auth_type must be set to ec2 or + // inferred_entity_type must be set to ec2_instance to use this constraint. // Only EC2 instances that match this IAM role ARN will be permitted to log in. BoundIAMRoleArns []*string `json:"boundIamRoleArns,omitempty" tf:"bound_iam_role_arns,omitempty"` + // If set, defines a constraint on the EC2 instances + // that can perform the login operation that the region in their identity + // document must match the one specified by this field. auth_type must be set + // to ec2 or inferred_entity_type must be set to ec2_instance to use this + // constraint. // Only EC2 instances in this region will be permitted to log in. BoundRegions []*string `json:"boundRegions,omitempty" tf:"bound_regions,omitempty"` + // If set, defines a constraint on the EC2 + // instances that can perform the login operation that they be associated with + // the subnet ID that matches the value specified by this field. auth_type + // must be set to ec2 or inferred_entity_type must be set to ec2_instance + // to use this constraint. // Only EC2 instances associated with this subnet ID will be permitted to log in. BoundSubnetIds []*string `json:"boundSubnetIds,omitempty" tf:"bound_subnet_ids,omitempty"` + // If set, defines a constraint on the EC2 instances + // that can perform the login operation that they be associated with the VPC ID + // that matches the value specified by this field. auth_type must be set to + // ec2 or inferred_entity_type must be set to ec2_instance to use this + // constraint. // Only EC2 instances associated with this VPC ID will be permitted to log in. 
BoundVPCIds []*string `json:"boundVpcIds,omitempty" tf:"bound_vpc_ids,omitempty"` + // IF set to true, only allows a + // single token to be granted per instance ID. This can only be set when + // auth_type is set to ec2. // When true, only allows a single token to be granted per instance ID. DisallowReauthentication *bool `json:"disallowReauthentication,omitempty" tf:"disallow_reauthentication,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // When inferred_entity_type is set, this + // is the region to search for the inferred entities. Required if + // inferred_entity_type is set. This only applies when auth_type is set to + // iam. // The region to search for the inferred entities in. InferredAwsRegion *string `json:"inferredAwsRegion,omitempty" tf:"inferred_aws_region,omitempty"` + // If set, instructs Vault to turn on + // inferencing. The only valid value is ec2_instance, which instructs Vault to + // infer that the role comes from an EC2 instance in an IAM instance profile. + // This only applies when auth_type is set to iam. // The type of inferencing Vault should do. InferredEntityType *string `json:"inferredEntityType,omitempty" tf:"inferred_entity_type,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Only valid when + // auth_type is iam. If set to true, the bound_iam_principal_arns are + // resolved to AWS Unique + // IDs + // for the bound principal ARN. This field is ignored when a + // bound_iam_principal_arn ends in a wildcard. 
Resolving to unique IDs more + // closely mimics the behavior of AWS services in that if an IAM user or role is + // deleted and a new one is recreated with the same name, those new users or + // roles won't get access to roles in Vault that were permissioned to the prior + // principals of the same name. Defaults to true. + // Once set to true, this cannot be changed to false without recreating the role. // Whether or not Vault should resolve the bound_iam_principal_arn to an AWS Unique ID. When true, deleting a principal and recreating it with the same name won't automatically grant the new principal the same roles in Vault that the old principal had. ResolveAwsUniqueIds *bool `json:"resolveAwsUniqueIds,omitempty" tf:"resolve_aws_unique_ids,omitempty"` + // The name of the role. // Name of the role. Role *string `json:"role,omitempty" tf:"role,omitempty"` + // The Vault generated role ID. // The Vault generated role ID. RoleID *string `json:"roleId,omitempty" tf:"role_id,omitempty"` + // If set, enable role tags for this role. The value set + // for this field should be the key of the tag on the EC2 instance. auth_type + // must be set to ec2 or inferred_entity_type must be set to ec2_instance + // to use this constraint. // The key of the tag on EC2 instance to use for role tags. RoleTag *string `json:"roleTag,omitempty" tf:"role_tag,omitempty"` + // List of CIDR blocks; if set, specifies blocks of IP + // addresses which can authenticate successfully, and ties the resulting token to these blocks + // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + // If set, will encode an + // explicit max TTL + // onto the token in number of seconds. This is a hard cap even if token_ttl and + // token_max_ttl would otherwise allow a renewal. 
// Generated Token's Explicit Maximum TTL in seconds TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + // The maximum lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. // The maximum lifetime of the generated token TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + // If set, the default policy will not be set on + // generated tokens; otherwise it will be added to the policies set in token_policies. // If true, the 'default' policy will not automatically be added to generated tokens TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + // The maximum number + // of times a generated token may be used (within its lifetime); 0 means unlimited. // The maximum number of times a token may be used, a value of zero means unlimited TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + // If set, indicates that the + // token generated using this role should never expire. The token should be renewed within the + // duration specified by this value. At each renewal, the token's TTL will be set to the + // value of this field. Specified in seconds. // Generated Token's Period TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + // List of policies to encode onto generated tokens. Depending + // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + // The incremental lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. // The initial ttl of the token to generate in seconds TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + // The type of token that should be generated. 
Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. // The type of token to generate, service or batch TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` } type AuthBackendRoleParameters struct { + // If set to true, allows migration of + // the underlying instance where the client resides. // When true, allows migration of the underlying instance where the client resides. Use with caution. // +kubebuilder:validation:Optional AllowInstanceMigration *bool `json:"allowInstanceMigration,omitempty" tf:"allow_instance_migration,omitempty"` + // The auth type permitted for this role. Valid choices + // are ec2 and iam. Defaults to iam. // The auth type permitted for this role. // +kubebuilder:validation:Optional AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` 
@@ -119,10 +405,18 @@ type AuthBackendRoleParameters struct { // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // If set, defines a constraint on the EC2 instances + // that can perform the login operation that they should be using the AMI ID + // specified by this field. auth_type must be set to ec2 or + // inferred_entity_type must be set to ec2_instance to use this constraint. // Only EC2 instances using this AMI ID will be permitted to log in. // +kubebuilder:validation:Optional BoundAMIIds []*string `json:"boundAmiIds,omitempty" tf:"bound_ami_ids,omitempty"` + // If set, defines a constraint on the EC2 + // instances that can perform the login operation that they should be using the + // account ID specified by this field. auth_type must be set to ec2 or + // inferred_entity_type must be set to ec2_instance to use this constraint. // Only EC2 instances with this account ID in their identity document will be permitted to log in. // +kubebuilder:validation:Optional BoundAccountIds []*string `json:"boundAccountIds,omitempty" tf:"bound_account_ids,omitempty"` 
@@ -131,90 +425,175 @@ type AuthBackendRoleParameters struct { // +kubebuilder:validation:Optional BoundEC2InstanceIds []*string `json:"boundEc2InstanceIds,omitempty" tf:"bound_ec2_instance_ids,omitempty"` + // If set, defines a constraint on + // the EC2 instances that can perform the login operation that they must be + // associated with an IAM instance profile ARN which has a prefix that matches + // the value specified by this field. The value is prefix-matched as though it + // were a glob ending in *. auth_type must be set to ec2 or + // inferred_entity_type must be set to ec2_instance to use this constraint. // Only EC2 instances associated with an IAM instance profile ARN that matches this value will be permitted to log in. // +kubebuilder:validation:Optional BoundIAMInstanceProfileArns []*string `json:"boundIamInstanceProfileArns,omitempty" tf:"bound_iam_instance_profile_arns,omitempty"` + // If set, defines the IAM principal that + // must be authenticated when auth_type is set to iam. Wildcards are + // supported at the end of the ARN. // The IAM principal that must be authenticated using the iam auth method. // +kubebuilder:validation:Optional BoundIAMPrincipalArns []*string `json:"boundIamPrincipalArns,omitempty" tf:"bound_iam_principal_arns,omitempty"` + // If set, defines a constraint on the EC2 + // instances that can perform the login operation that they must match the IAM + // role ARN specified by this field. auth_type must be set to ec2 or + // inferred_entity_type must be set to ec2_instance to use this constraint. // Only EC2 instances that match this IAM role ARN will be permitted to log in. // +kubebuilder:validation:Optional BoundIAMRoleArns []*string `json:"boundIamRoleArns,omitempty" tf:"bound_iam_role_arns,omitempty"` + // If set, defines a constraint on the EC2 instances + // that can perform the login operation that the region in their identity + // document must match the one specified by this field. 
auth_type must be set + // to ec2 or inferred_entity_type must be set to ec2_instance to use this + // constraint. // Only EC2 instances in this region will be permitted to log in. // +kubebuilder:validation:Optional BoundRegions []*string `json:"boundRegions,omitempty" tf:"bound_regions,omitempty"` + // If set, defines a constraint on the EC2 + // instances that can perform the login operation that they be associated with + // the subnet ID that matches the value specified by this field. auth_type + // must be set to ec2 or inferred_entity_type must be set to ec2_instance + // to use this constraint. // Only EC2 instances associated with this subnet ID will be permitted to log in. // +kubebuilder:validation:Optional BoundSubnetIds []*string `json:"boundSubnetIds,omitempty" tf:"bound_subnet_ids,omitempty"` + // If set, defines a constraint on the EC2 instances + // that can perform the login operation that they be associated with the VPC ID + // that matches the value specified by this field. auth_type must be set to + // ec2 or inferred_entity_type must be set to ec2_instance to use this + // constraint. // Only EC2 instances associated with this VPC ID will be permitted to log in. // +kubebuilder:validation:Optional BoundVPCIds []*string `json:"boundVpcIds,omitempty" tf:"bound_vpc_ids,omitempty"` + // IF set to true, only allows a + // single token to be granted per instance ID. This can only be set when + // auth_type is set to ec2. // When true, only allows a single token to be granted per instance ID. // +kubebuilder:validation:Optional DisallowReauthentication *bool `json:"disallowReauthentication,omitempty" tf:"disallow_reauthentication,omitempty"` + // When inferred_entity_type is set, this + // is the region to search for the inferred entities. Required if + // inferred_entity_type is set. This only applies when auth_type is set to + // iam. // The region to search for the inferred entities in. 
// +kubebuilder:validation:Optional InferredAwsRegion *string `json:"inferredAwsRegion,omitempty" tf:"inferred_aws_region,omitempty"` + // If set, instructs Vault to turn on + // inferencing. The only valid value is ec2_instance, which instructs Vault to + // infer that the role comes from an EC2 instance in an IAM instance profile. + // This only applies when auth_type is set to iam. // The type of inferencing Vault should do. // +kubebuilder:validation:Optional InferredEntityType *string `json:"inferredEntityType,omitempty" tf:"inferred_entity_type,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Only valid when + // auth_type is iam. If set to true, the bound_iam_principal_arns are + // resolved to AWS Unique + // IDs + // for the bound principal ARN. This field is ignored when a + // bound_iam_principal_arn ends in a wildcard. Resolving to unique IDs more + // closely mimics the behavior of AWS services in that if an IAM user or role is + // deleted and a new one is recreated with the same name, those new users or + // roles won't get access to roles in Vault that were permissioned to the prior + // principals of the same name. Defaults to true. + // Once set to true, this cannot be changed to false without recreating the role. // Whether or not Vault should resolve the bound_iam_principal_arn to an AWS Unique ID. When true, deleting a principal and recreating it with the same name won't automatically grant the new principal the same roles in Vault that the old principal had. 
// +kubebuilder:validation:Optional ResolveAwsUniqueIds *bool `json:"resolveAwsUniqueIds,omitempty" tf:"resolve_aws_unique_ids,omitempty"` + // The name of the role. // Name of the role. // +kubebuilder:validation:Optional Role *string `json:"role,omitempty" tf:"role,omitempty"` + // If set, enable role tags for this role. The value set + // for this field should be the key of the tag on the EC2 instance. auth_type + // must be set to ec2 or inferred_entity_type must be set to ec2_instance + // to use this constraint. // The key of the tag on EC2 instance to use for role tags. // +kubebuilder:validation:Optional RoleTag *string `json:"roleTag,omitempty" tf:"role_tag,omitempty"` + // List of CIDR blocks; if set, specifies blocks of IP + // addresses which can authenticate successfully, and ties the resulting token to these blocks + // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token // +kubebuilder:validation:Optional TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + // If set, will encode an + // explicit max TTL + // onto the token in number of seconds. This is a hard cap even if token_ttl and + // token_max_ttl would otherwise allow a renewal. // Generated Token's Explicit Maximum TTL in seconds // +kubebuilder:validation:Optional TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + // The maximum lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. // The maximum lifetime of the generated token // +kubebuilder:validation:Optional TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + // If set, the default policy will not be set on + // generated tokens; otherwise it will be added to the policies set in token_policies. 
// If true, the 'default' policy will not automatically be added to generated tokens // +kubebuilder:validation:Optional TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + // The maximum number + // of times a generated token may be used (within its lifetime); 0 means unlimited. // The maximum number of times a token may be used, a value of zero means unlimited // +kubebuilder:validation:Optional TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + // If set, indicates that the + // token generated using this role should never expire. The token should be renewed within the + // duration specified by this value. At each renewal, the token's TTL will be set to the + // value of this field. Specified in seconds. // Generated Token's Period // +kubebuilder:validation:Optional TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + // List of policies to encode onto generated tokens. Depending + // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies // +kubebuilder:validation:Optional TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + // The incremental lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. // The initial ttl of the token to generate in seconds // +kubebuilder:validation:Optional TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + // The type of token that should be generated. Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. 
// The type of token to generate, service or batch // +kubebuilder:validation:Optional TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` @@ -224,6 +603,18 @@ type AuthBackendRoleParameters struct { type AuthBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendRoleParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider AuthBackendRoleInitParameters `json:"initProvider,omitempty"` } // AuthBackendRoleStatus defines the observed state of AuthBackendRole. @@ -234,7 +625,7 @@ type AuthBackendRoleStatus struct { // +kubebuilder:object:root=true -// AuthBackendRole is the Schema for the AuthBackendRoles API. +// AuthBackendRole is the Schema for the AuthBackendRoles API. Manages AWS auth backend roles in Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -244,7 +635,7 @@ type AuthBackendRoleStatus struct { type AuthBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.role)",message="role is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.role) || has(self.initProvider.role)",message="role is a required parameter" Spec AuthBackendRoleSpec `json:"spec"` Status AuthBackendRoleStatus `json:"status,omitempty"` } diff --git a/apis/aws/v1alpha1/zz_authbackendroletag_types.go b/apis/aws/v1alpha1/zz_authbackendroletag_types.go index e041e928..86b7e2ec 100755 --- a/apis/aws/v1alpha1/zz_authbackendroletag_types.go +++ b/apis/aws/v1alpha1/zz_authbackendroletag_types.go 
@@ -13,69 +13,137 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AuthBackendRoleTagInitParameters struct { + + // If set, allows migration of the underlying instances where the client resides. Use with caution. + // Allows migration of the underlying instance where the client resides. + AllowInstanceMigration *bool `json:"allowInstanceMigration,omitempty" tf:"allow_instance_migration,omitempty"` + + // The path to the AWS auth backend to + // read role tags from, with no leading or trailing /s. Defaults to "aws". + // AWS auth backend to read tags from. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // If set, only allows a single token to be granted per instance ID. + // Only allow a single token to be granted per instance ID. + DisallowReauthentication *bool `json:"disallowReauthentication,omitempty" tf:"disallow_reauthentication,omitempty"` + + // Instance ID for which this tag is intended for. If set, the created tag can only be used by the instance with the given ID. + // Instance ID for which this tag is intended. The created tag can only be used by the instance with the given ID. + InstanceID *string `json:"instanceId,omitempty" tf:"instance_id,omitempty"` + + // The maximum TTL of the tokens issued using this role. + // The maximum allowed lifetime of tokens issued using this role. + MaxTTL *string `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The policies to be associated with the tag. Must be a subset of the policies associated with the role. + // Policies to be associated with the tag. 
+ Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` + + // The name of the AWS auth backend role to read + // role tags from, with no leading or trailing /s. + // Name of the role. + Role *string `json:"role,omitempty" tf:"role,omitempty"` +} + type AuthBackendRoleTagObservation struct { + // If set, allows migration of the underlying instances where the client resides. Use with caution. // Allows migration of the underlying instance where the client resides. AllowInstanceMigration *bool `json:"allowInstanceMigration,omitempty" tf:"allow_instance_migration,omitempty"` + // The path to the AWS auth backend to + // read role tags from, with no leading or trailing /s. Defaults to "aws". // AWS auth backend to read tags from. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // If set, only allows a single token to be granted per instance ID. // Only allow a single token to be granted per instance ID. DisallowReauthentication *bool `json:"disallowReauthentication,omitempty" tf:"disallow_reauthentication,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // Instance ID for which this tag is intended for. If set, the created tag can only be used by the instance with the given ID. // Instance ID for which this tag is intended. The created tag can only be used by the instance with the given ID. InstanceID *string `json:"instanceId,omitempty" tf:"instance_id,omitempty"` + // The maximum TTL of the tokens issued using this role. // The maximum allowed lifetime of tokens issued using this role. MaxTTL *string `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. 
(requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The policies to be associated with the tag. Must be a subset of the policies associated with the role. // Policies to be associated with the tag. Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` + // The name of the AWS auth backend role to read + // role tags from, with no leading or trailing /s. // Name of the role. Role *string `json:"role,omitempty" tf:"role,omitempty"` + // The key of the role tag. TagKey *string `json:"tagKey,omitempty" tf:"tag_key,omitempty"` + // The value to set the role key. TagValue *string `json:"tagValue,omitempty" tf:"tag_value,omitempty"` } type AuthBackendRoleTagParameters struct { + // If set, allows migration of the underlying instances where the client resides. Use with caution. // Allows migration of the underlying instance where the client resides. // +kubebuilder:validation:Optional AllowInstanceMigration *bool `json:"allowInstanceMigration,omitempty" tf:"allow_instance_migration,omitempty"` + // The path to the AWS auth backend to + // read role tags from, with no leading or trailing /s. Defaults to "aws". // AWS auth backend to read tags from. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // If set, only allows a single token to be granted per instance ID. // Only allow a single token to be granted per instance ID. // +kubebuilder:validation:Optional DisallowReauthentication *bool `json:"disallowReauthentication,omitempty" tf:"disallow_reauthentication,omitempty"` + // Instance ID for which this tag is intended for. If set, the created tag can only be used by the instance with the given ID. // Instance ID for which this tag is intended. The created tag can only be used by the instance with the given ID. 
// +kubebuilder:validation:Optional InstanceID *string `json:"instanceId,omitempty" tf:"instance_id,omitempty"` + // The maximum TTL of the tokens issued using this role. // The maximum allowed lifetime of tokens issued using this role. // +kubebuilder:validation:Optional MaxTTL *string `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The policies to be associated with the tag. Must be a subset of the policies associated with the role. // Policies to be associated with the tag. // +kubebuilder:validation:Optional Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` + // The name of the AWS auth backend role to read + // role tags from, with no leading or trailing /s. // Name of the role. // +kubebuilder:validation:Optional Role *string `json:"role,omitempty" tf:"role,omitempty"` 
@@ -85,6 +153,18 @@ type AuthBackendRoleTagParameters struct { type AuthBackendRoleTagSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendRoleTagParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider AuthBackendRoleTagInitParameters `json:"initProvider,omitempty"` } // AuthBackendRoleTagStatus defines the observed state of AuthBackendRoleTag. @@ -95,7 +175,7 @@ type AuthBackendRoleTagStatus struct { // +kubebuilder:object:root=true -// AuthBackendRoleTag is the Schema for the AuthBackendRoleTags API. +// AuthBackendRoleTag is the Schema for the AuthBackendRoleTags API. Reads role tags from a Vault AWS auth backend. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -105,7 +185,7 @@ type AuthBackendRoleTagStatus struct { type AuthBackendRoleTag struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.role)",message="role is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.role) || has(self.initProvider.role)",message="role is a required parameter" Spec AuthBackendRoleTagSpec `json:"spec"` Status AuthBackendRoleTagStatus `json:"status,omitempty"` } diff --git a/apis/aws/v1alpha1/zz_authbackendroletagblacklist_types.go b/apis/aws/v1alpha1/zz_authbackendroletagblacklist_types.go index 04eb366a..3ea617bb 100755 --- a/apis/aws/v1alpha1/zz_authbackendroletagblacklist_types.go +++ b/apis/aws/v1alpha1/zz_authbackendroletagblacklist_types.go 
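Review bot: The new rule evaluates `has(self.initProvider.role)` without first checking that `initProvider` itself is present, yet the field is declared `json:"initProvider,omitempty"`, so a manifest that sets neither `forProvider.role` nor `initProvider` is likely rejected with a CEL evaluation error instead of the intended `role is a required parameter` message (CEL's `||` only absorbs an erroring operand when another operand is true, so this is a worse message rather than a bypass). Guarding the sub-expression keeps the message useful: `... || has(self.forProvider.role) || (has(self.initProvider) && has(self.initProvider.role))`. The same shape recurs in the `backend`, `accountId` and `stsRole` rules further down this diff. Since this is an upjet-generated `zz_` file, the change belongs in the generator's validation-rule template rather than a hand edit here.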
@@ -13,37 +13,85 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AuthBackendRoletagBlacklistInitParameters struct { + + // The path the AWS auth backend being configured was + // mounted at. + // Unique name of the auth backend to configure. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // If set to true, disables the periodic + // tidying of the roletag blacklist entries. Defaults to false. + // If true, disables the periodic tidying of the roletag blacklist entries. + DisablePeriodicTidy *bool `json:"disablePeriodicTidy,omitempty" tf:"disable_periodic_tidy,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The amount of extra time that must have passed + // beyond the roletag expiration, before it is removed from the backend storage. + // Defaults to 259,200 seconds, or 72 hours. + // The amount of extra time that must have passed beyond the roletag expiration, before it's removed from backend storage. + SafetyBuffer *float64 `json:"safetyBuffer,omitempty" tf:"safety_buffer,omitempty"` +} + type AuthBackendRoletagBlacklistObservation struct { + // The path the AWS auth backend being configured was + // mounted at. // Unique name of the auth backend to configure. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // If set to true, disables the periodic + // tidying of the roletag blacklist entries. Defaults to false. // If true, disables the periodic tidying of the roletag blacklist entries. 
DisablePeriodicTidy *bool `json:"disablePeriodicTidy,omitempty" tf:"disable_periodic_tidy,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The amount of extra time that must have passed + // beyond the roletag expiration, before it is removed from the backend storage. + // Defaults to 259,200 seconds, or 72 hours. // The amount of extra time that must have passed beyond the roletag expiration, before it's removed from backend storage. SafetyBuffer *float64 `json:"safetyBuffer,omitempty" tf:"safety_buffer,omitempty"` } type AuthBackendRoletagBlacklistParameters struct { + // The path the AWS auth backend being configured was + // mounted at. // Unique name of the auth backend to configure. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // If set to true, disables the periodic + // tidying of the roletag blacklist entries. Defaults to false. // If true, disables the periodic tidying of the roletag blacklist entries. // +kubebuilder:validation:Optional DisablePeriodicTidy *bool `json:"disablePeriodicTidy,omitempty" tf:"disable_periodic_tidy,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. 
(requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The amount of extra time that must have passed + // beyond the roletag expiration, before it is removed from the backend storage. + // Defaults to 259,200 seconds, or 72 hours. // The amount of extra time that must have passed beyond the roletag expiration, before it's removed from backend storage. // +kubebuilder:validation:Optional SafetyBuffer *float64 `json:"safetyBuffer,omitempty" tf:"safety_buffer,omitempty"` @@ -53,6 +101,18 @@ type AuthBackendRoletagBlacklistParameters struct { type AuthBackendRoletagBlacklistSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendRoletagBlacklistParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider AuthBackendRoletagBlacklistInitParameters `json:"initProvider,omitempty"` } // AuthBackendRoletagBlacklistStatus defines the observed state of AuthBackendRoletagBlacklist. 
@@ -63,7 +123,7 @@ type AuthBackendRoletagBlacklistStatus struct { // +kubebuilder:object:root=true -// AuthBackendRoletagBlacklist is the Schema for the AuthBackendRoletagBlacklists API. +// AuthBackendRoletagBlacklist is the Schema for the AuthBackendRoletagBlacklists API. Configures the periodic tidying operation of the blacklisted role tag entries. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" @@ -73,7 +133,7 @@ type AuthBackendRoletagBlacklistStatus struct { type AuthBackendRoletagBlacklist struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend)",message="backend is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" Spec AuthBackendRoletagBlacklistSpec `json:"spec"` Status AuthBackendRoletagBlacklistStatus `json:"status,omitempty"` } diff --git a/apis/aws/v1alpha1/zz_authbackendstsrole_types.go b/apis/aws/v1alpha1/zz_authbackendstsrole_types.go index e28af26a..e71e3e27 100755 --- a/apis/aws/v1alpha1/zz_authbackendstsrole_types.go +++ b/apis/aws/v1alpha1/zz_authbackendstsrole_types.go 
@@ -13,37 +13,79 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AuthBackendStsRoleInitParameters struct { + + // The AWS account ID to configure the STS role for. + // AWS account ID to be associated with STS role. + AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"` + + // The path the AWS auth backend being configured was + // mounted at. Defaults to aws. + // Unique name of the auth backend to configure. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The STS role to assume when verifying requests made + // by EC2 instances in the account specified by account_id. + // AWS ARN for STS role to be assumed when interacting with the account specified. + StsRole *string `json:"stsRole,omitempty" tf:"sts_role,omitempty"` +} + type AuthBackendStsRoleObservation struct { + // The AWS account ID to configure the STS role for. // AWS account ID to be associated with STS role. AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"` + // The path the AWS auth backend being configured was + // mounted at. Defaults to aws. // Unique name of the auth backend to configure. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. 
(requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The STS role to assume when verifying requests made + // by EC2 instances in the account specified by account_id. // AWS ARN for STS role to be assumed when interacting with the account specified. StsRole *string `json:"stsRole,omitempty" tf:"sts_role,omitempty"` } type AuthBackendStsRoleParameters struct { + // The AWS account ID to configure the STS role for. // AWS account ID to be associated with STS role. // +kubebuilder:validation:Optional AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"` + // The path the AWS auth backend being configured was + // mounted at. Defaults to aws. // Unique name of the auth backend to configure. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The STS role to assume when verifying requests made + // by EC2 instances in the account specified by account_id. // AWS ARN for STS role to be assumed when interacting with the account specified. // +kubebuilder:validation:Optional StsRole *string `json:"stsRole,omitempty" tf:"sts_role,omitempty"` 
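Review bot: `stsRole` on `AuthBackendStsRoleInitParameters` is the ARN Vault assumes when verifying EC2 login requests for `accountId`, and the spec comment added by this same change says initProvider fields are put on the Terraform `ignore_changes` hook after creation; an ARN supplied only there would presumably not be reconciled if it were changed out of band in Vault, which weakens the trust boundary this resource is meant to pin. A caveat on the field would tell operators where to put the value when drift must be corrected, e.g. `// Prefer forProvider over initProvider for this value if out-of-band changes to the assumed role must be reverted.` The same consideration applies to `policies` and `maxTtl` on the role-tag resource. As this is an upjet-generated `zz_` file, the wording would need to come from the generator's description source.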
@@ -53,6 +95,18 @@ type AuthBackendStsRoleParameters struct { type AuthBackendStsRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendStsRoleParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider AuthBackendStsRoleInitParameters `json:"initProvider,omitempty"` } // AuthBackendStsRoleStatus defines the observed state of AuthBackendStsRole. @@ -63,7 +117,7 @@ type AuthBackendStsRoleStatus struct { // +kubebuilder:object:root=true -// AuthBackendStsRole is the Schema for the AuthBackendStsRoles API. +// AuthBackendStsRole is the Schema for the AuthBackendStsRoles API. Configures an STS role in the Vault AWS Auth backend. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -73,8 +127,8 @@ type AuthBackendStsRoleStatus struct { type AuthBackendStsRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.accountId)",message="accountId is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.stsRole)",message="stsRole is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.accountId) || has(self.initProvider.accountId)",message="accountId is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.stsRole) || has(self.initProvider.stsRole)",message="stsRole is a required parameter" Spec AuthBackendStsRoleSpec `json:"spec"` Status AuthBackendStsRoleStatus `json:"status,omitempty"` } diff --git a/apis/aws/v1alpha1/zz_generated.deepcopy.go b/apis/aws/v1alpha1/zz_generated.deepcopy.go index 2db2e60a..af8957cf 100644 --- a/apis/aws/v1alpha1/zz_generated.deepcopy.go +++ b/apis/aws/v1alpha1/zz_generated.deepcopy.go 
@@ -41,6 +41,46 @@ func (in *AuthBackendCert) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendCertInitParameters) DeepCopyInto(out *AuthBackendCertInitParameters) { + *out = *in + if in.AwsPublicCert != nil { + in, out := &in.AwsPublicCert, &out.AwsPublicCert + *out = new(string) + **out = **in + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.CertName != nil { + in, out := &in.CertName, &out.CertName + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Type != nil { + in, out := &in.Type, &out.Type + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendCertInitParameters. +func (in *AuthBackendCertInitParameters) DeepCopy() *AuthBackendCertInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendCertInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthBackendCertList) DeepCopyInto(out *AuthBackendCertList) { *out = *in @@ -163,6 +203,7 @@ func (in *AuthBackendCertSpec) DeepCopyInto(out *AuthBackendCertSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendCertSpec. 
@@ -219,6 +260,56 @@ func (in *AuthBackendClient) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendClientInitParameters) DeepCopyInto(out *AuthBackendClientInitParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.EC2Endpoint != nil { + in, out := &in.EC2Endpoint, &out.EC2Endpoint + *out = new(string) + **out = **in + } + if in.IAMEndpoint != nil { + in, out := &in.IAMEndpoint, &out.IAMEndpoint + *out = new(string) + **out = **in + } + if in.IAMServerIDHeaderValue != nil { + in, out := &in.IAMServerIDHeaderValue, &out.IAMServerIDHeaderValue + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.StsEndpoint != nil { + in, out := &in.StsEndpoint, &out.StsEndpoint + *out = new(string) + **out = **in + } + if in.StsRegion != nil { + in, out := &in.StsRegion, &out.StsRegion + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendClientInitParameters. +func (in *AuthBackendClientInitParameters) DeepCopy() *AuthBackendClientInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendClientInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthBackendClientList) DeepCopyInto(out *AuthBackendClientList) { *out = *in 
@@ -371,6 +462,7 @@ func (in *AuthBackendClientSpec) DeepCopyInto(out *AuthBackendClientSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendClientSpec. 
@@ -427,6 +519,58 @@ func (in *AuthBackendConfigIdentity) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendConfigIdentityInitParameters) DeepCopyInto(out *AuthBackendConfigIdentityInitParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.EC2Alias != nil { + in, out := &in.EC2Alias, &out.EC2Alias + *out = new(string) + **out = **in + } + if in.EC2Metadata != nil { + in, out := &in.EC2Metadata, &out.EC2Metadata + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.IAMAlias != nil { + in, out := &in.IAMAlias, &out.IAMAlias + *out = new(string) + **out = **in + } + if in.IAMMetadata != nil { + in, out := &in.IAMMetadata, &out.IAMMetadata + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendConfigIdentityInitParameters. +func (in *AuthBackendConfigIdentityInitParameters) DeepCopy() *AuthBackendConfigIdentityInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendConfigIdentityInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthBackendConfigIdentityList) DeepCopyInto(out *AuthBackendConfigIdentityList) { *out = *in 
@@ -573,6 +717,7 @@ func (in *AuthBackendConfigIdentitySpec) DeepCopyInto(out *AuthBackendConfigIden *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendConfigIdentitySpec. @@ -629,6 +774,41 @@ func (in *AuthBackendIdentityWhitelist) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendIdentityWhitelistInitParameters) DeepCopyInto(out *AuthBackendIdentityWhitelistInitParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.DisablePeriodicTidy != nil { + in, out := &in.DisablePeriodicTidy, &out.DisablePeriodicTidy + *out = new(bool) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.SafetyBuffer != nil { + in, out := &in.SafetyBuffer, &out.SafetyBuffer + *out = new(float64) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendIdentityWhitelistInitParameters. +func (in *AuthBackendIdentityWhitelistInitParameters) DeepCopy() *AuthBackendIdentityWhitelistInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendIdentityWhitelistInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthBackendIdentityWhitelistList) DeepCopyInto(out *AuthBackendIdentityWhitelistList) { *out = *in 
@@ -741,6 +921,7 @@ func (in *AuthBackendIdentityWhitelistSpec) DeepCopyInto(out *AuthBackendIdentit *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendIdentityWhitelistSpec. 
@@ -797,6 +978,76 @@ func (in *AuthBackendLogin) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendLoginInitParameters) DeepCopyInto(out *AuthBackendLoginInitParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.IAMHTTPRequestMethod != nil { + in, out := &in.IAMHTTPRequestMethod, &out.IAMHTTPRequestMethod + *out = new(string) + **out = **in + } + if in.IAMRequestBody != nil { + in, out := &in.IAMRequestBody, &out.IAMRequestBody + *out = new(string) + **out = **in + } + if in.IAMRequestHeaders != nil { + in, out := &in.IAMRequestHeaders, &out.IAMRequestHeaders + *out = new(string) + **out = **in + } + if in.IAMRequestURL != nil { + in, out := &in.IAMRequestURL, &out.IAMRequestURL + *out = new(string) + **out = **in + } + if in.Identity != nil { + in, out := &in.Identity, &out.Identity + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Nonce != nil { + in, out := &in.Nonce, &out.Nonce + *out = new(string) + **out = **in + } + if in.Pkcs7 != nil { + in, out := &in.Pkcs7, &out.Pkcs7 + *out = new(string) + **out = **in + } + if in.Role != nil { + in, out := &in.Role, &out.Role + *out = new(string) + **out = **in + } + if in.Signature != nil { + in, out := &in.Signature, &out.Signature + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendLoginInitParameters. +func (in *AuthBackendLoginInitParameters) DeepCopy() *AuthBackendLoginInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendLoginInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. func (in *AuthBackendLoginList) DeepCopyInto(out *AuthBackendLoginList) { *out = *in @@ -1030,6 +1281,7 @@ func (in *AuthBackendLoginSpec) DeepCopyInto(out *AuthBackendLoginSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendLoginSpec. 
@@ -1087,30 +1339,251 @@ func (in *AuthBackendRole) DeepCopyObject() runtime.Object { } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *AuthBackendRoleList) DeepCopyInto(out *AuthBackendRoleList) { +func (in *AuthBackendRoleInitParameters) DeepCopyInto(out *AuthBackendRoleInitParameters) { *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]AuthBackendRole, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } + if in.AllowInstanceMigration != nil { + in, out := &in.AllowInstanceMigration, &out.AllowInstanceMigration + *out = new(bool) + **out = **in } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleList. -func (in *AuthBackendRoleList) DeepCopy() *AuthBackendRoleList { - if in == nil { - return nil + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in } - out := new(AuthBackendRoleList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+ if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.BoundAMIIds != nil { + in, out := &in.BoundAMIIds, &out.BoundAMIIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundAccountIds != nil { + in, out := &in.BoundAccountIds, &out.BoundAccountIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundEC2InstanceIds != nil { + in, out := &in.BoundEC2InstanceIds, &out.BoundEC2InstanceIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundIAMInstanceProfileArns != nil { + in, out := &in.BoundIAMInstanceProfileArns, &out.BoundIAMInstanceProfileArns + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundIAMPrincipalArns != nil { + in, out := &in.BoundIAMPrincipalArns, &out.BoundIAMPrincipalArns + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundIAMRoleArns != nil { + in, out := &in.BoundIAMRoleArns, &out.BoundIAMRoleArns + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundRegions != nil { + in, out := &in.BoundRegions, &out.BoundRegions + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundSubnetIds != nil { + in, out := &in.BoundSubnetIds, 
&out.BoundSubnetIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundVPCIds != nil { + in, out := &in.BoundVPCIds, &out.BoundVPCIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.DisallowReauthentication != nil { + in, out := &in.DisallowReauthentication, &out.DisallowReauthentication + *out = new(bool) + **out = **in + } + if in.InferredAwsRegion != nil { + in, out := &in.InferredAwsRegion, &out.InferredAwsRegion + *out = new(string) + **out = **in + } + if in.InferredEntityType != nil { + in, out := &in.InferredEntityType, &out.InferredEntityType + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.ResolveAwsUniqueIds != nil { + in, out := &in.ResolveAwsUniqueIds, &out.ResolveAwsUniqueIds + *out = new(bool) + **out = **in + } + if in.Role != nil { + in, out := &in.Role, &out.Role + *out = new(string) + **out = **in + } + if in.RoleTag != nil { + in, out := &in.RoleTag, &out.RoleTag + *out = new(string) + **out = **in + } + if in.TokenBoundCidrs != nil { + in, out := &in.TokenBoundCidrs, &out.TokenBoundCidrs + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenExplicitMaxTTL != nil { + in, out := &in.TokenExplicitMaxTTL, &out.TokenExplicitMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenMaxTTL != nil { + in, out := &in.TokenMaxTTL, &out.TokenMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenNoDefaultPolicy != nil { + in, out := &in.TokenNoDefaultPolicy, &out.TokenNoDefaultPolicy + *out = new(bool) + **out = **in + } + if in.TokenNumUses != nil { + in, out := 
&in.TokenNumUses, &out.TokenNumUses + *out = new(float64) + **out = **in + } + if in.TokenPeriod != nil { + in, out := &in.TokenPeriod, &out.TokenPeriod + *out = new(float64) + **out = **in + } + if in.TokenPolicies != nil { + in, out := &in.TokenPolicies, &out.TokenPolicies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenTTL != nil { + in, out := &in.TokenTTL, &out.TokenTTL + *out = new(float64) + **out = **in + } + if in.TokenType != nil { + in, out := &in.TokenType, &out.TokenType + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleInitParameters. +func (in *AuthBackendRoleInitParameters) DeepCopy() *AuthBackendRoleInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendRoleInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendRoleList) DeepCopyInto(out *AuthBackendRoleList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]AuthBackendRole, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleList. +func (in *AuthBackendRoleList) DeepCopy() *AuthBackendRoleList { + if in == nil { + return nil + } + out := new(AuthBackendRoleList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. func (in *AuthBackendRoleList) DeepCopyObject() runtime.Object { if c := in.DeepCopy(); c != nil { return c 
@@ -1575,6 +2048,7 @@ func (in *AuthBackendRoleSpec) DeepCopyInto(out *AuthBackendRoleSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleSpec. 
@@ -1631,6 +2105,67 @@ func (in *AuthBackendRoleTag) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendRoleTagInitParameters) DeepCopyInto(out *AuthBackendRoleTagInitParameters) { + *out = *in + if in.AllowInstanceMigration != nil { + in, out := &in.AllowInstanceMigration, &out.AllowInstanceMigration + *out = new(bool) + **out = **in + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.DisallowReauthentication != nil { + in, out := &in.DisallowReauthentication, &out.DisallowReauthentication + *out = new(bool) + **out = **in + } + if in.InstanceID != nil { + in, out := &in.InstanceID, &out.InstanceID + *out = new(string) + **out = **in + } + if in.MaxTTL != nil { + in, out := &in.MaxTTL, &out.MaxTTL + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Policies != nil { + in, out := &in.Policies, &out.Policies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Role != nil { + in, out := &in.Role, &out.Role + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleTagInitParameters. +func (in *AuthBackendRoleTagInitParameters) DeepCopy() *AuthBackendRoleTagInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendRoleTagInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthBackendRoleTagList) DeepCopyInto(out *AuthBackendRoleTagList) { *out = *in 
@@ -1805,6 +2340,7 @@ func (in *AuthBackendRoleTagSpec) DeepCopyInto(out *AuthBackendRoleTagSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleTagSpec. @@ -1861,6 +2397,41 @@ func (in *AuthBackendRoletagBlacklist) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendRoletagBlacklistInitParameters) DeepCopyInto(out *AuthBackendRoletagBlacklistInitParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.DisablePeriodicTidy != nil { + in, out := &in.DisablePeriodicTidy, &out.DisablePeriodicTidy + *out = new(bool) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.SafetyBuffer != nil { + in, out := &in.SafetyBuffer, &out.SafetyBuffer + *out = new(float64) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoletagBlacklistInitParameters. +func (in *AuthBackendRoletagBlacklistInitParameters) DeepCopy() *AuthBackendRoletagBlacklistInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendRoletagBlacklistInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthBackendRoletagBlacklistList) DeepCopyInto(out *AuthBackendRoletagBlacklistList) { *out = *in 
@@ -1973,6 +2544,7 @@ func (in *AuthBackendRoletagBlacklistSpec) DeepCopyInto(out *AuthBackendRoletagB *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoletagBlacklistSpec. @@ -2029,6 +2601,41 @@ func (in *AuthBackendStsRole) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendStsRoleInitParameters) DeepCopyInto(out *AuthBackendStsRoleInitParameters) { + *out = *in + if in.AccountID != nil { + in, out := &in.AccountID, &out.AccountID + *out = new(string) + **out = **in + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.StsRole != nil { + in, out := &in.StsRole, &out.StsRole + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendStsRoleInitParameters. +func (in *AuthBackendStsRoleInitParameters) DeepCopy() *AuthBackendStsRoleInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendStsRoleInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthBackendStsRoleList) DeepCopyInto(out *AuthBackendStsRoleList) { *out = *in 
@@ -2141,6 +2748,7 @@ func (in *AuthBackendStsRoleSpec) DeepCopyInto(out *AuthBackendStsRoleSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendStsRoleSpec. 
@@ -2197,6 +2805,71 @@ func (in *SecretBackend) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParameters) { + *out = *in + if in.DefaultLeaseTTLSeconds != nil { + in, out := &in.DefaultLeaseTTLSeconds, &out.DefaultLeaseTTLSeconds + *out = new(float64) + **out = **in + } + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.DisableRemount != nil { + in, out := &in.DisableRemount, &out.DisableRemount + *out = new(bool) + **out = **in + } + if in.IAMEndpoint != nil { + in, out := &in.IAMEndpoint, &out.IAMEndpoint + *out = new(string) + **out = **in + } + if in.MaxLeaseTTLSeconds != nil { + in, out := &in.MaxLeaseTTLSeconds, &out.MaxLeaseTTLSeconds + *out = new(float64) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = **in + } + if in.Region != nil { + in, out := &in.Region, &out.Region + *out = new(string) + **out = **in + } + if in.StsEndpoint != nil { + in, out := &in.StsEndpoint, &out.StsEndpoint + *out = new(string) + **out = **in + } + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendInitParameters. +func (in *SecretBackendInitParameters) DeepCopy() *SecretBackendInitParameters { + if in == nil { + return nil + } + out := new(SecretBackendInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
func (in *SecretBackendList) DeepCopyInto(out *SecretBackendList) { *out = *in 
@@ -2401,6 +3074,99 @@ func (in *SecretBackendRole) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleInitParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.CredentialType != nil { + in, out := &in.CredentialType, &out.CredentialType + *out = new(string) + **out = **in + } + if in.DefaultStsTTL != nil { + in, out := &in.DefaultStsTTL, &out.DefaultStsTTL + *out = new(float64) + **out = **in + } + if in.IAMGroups != nil { + in, out := &in.IAMGroups, &out.IAMGroups + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.MaxStsTTL != nil { + in, out := &in.MaxStsTTL, &out.MaxStsTTL + *out = new(float64) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.PermissionsBoundaryArn != nil { + in, out := &in.PermissionsBoundaryArn, &out.PermissionsBoundaryArn + *out = new(string) + **out = **in + } + if in.PolicyArns != nil { + in, out := &in.PolicyArns, &out.PolicyArns + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.PolicyDocument != nil { + in, out := &in.PolicyDocument, &out.PolicyDocument + *out = new(string) + **out = **in + } + if in.RoleArns != nil { + in, out := &in.RoleArns, &out.RoleArns + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.UserPath != nil { + 
in, out := &in.UserPath, &out.UserPath + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleInitParameters. +func (in *SecretBackendRoleInitParameters) DeepCopy() *SecretBackendRoleInitParameters { + if in == nil { + return nil + } + out := new(SecretBackendRoleInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendRoleList) DeepCopyInto(out *SecretBackendRoleList) { *out = *in @@ -2629,6 +3395,7 @@ func (in *SecretBackendRoleSpec) DeepCopyInto(out *SecretBackendRoleSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleSpec. @@ -2663,6 +3430,7 @@ func (in *SecretBackendSpec) DeepCopyInto(out *SecretBackendSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendSpec. diff --git a/apis/aws/v1alpha1/zz_generated.managed.go b/apis/aws/v1alpha1/zz_generated.managed.go index c5b72f09..7519b349 100644 --- a/apis/aws/v1alpha1/zz_generated.managed.go +++ b/apis/aws/v1alpha1/zz_generated.managed.go 
@@ -17,9 +17,9 @@ func (mg *AuthBackendCert) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this AuthBackendCert. -func (mg *AuthBackendCert) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this AuthBackendCert. +func (mg *AuthBackendCert) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this AuthBackendCert. @@ -55,9 +55,9 @@ func (mg *AuthBackendCert) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this AuthBackendCert. -func (mg *AuthBackendCert) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this AuthBackendCert. +func (mg *AuthBackendCert) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this AuthBackendCert. @@ -93,9 +93,9 @@ func (mg *AuthBackendClient) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this AuthBackendClient. -func (mg *AuthBackendClient) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this AuthBackendClient. +func (mg *AuthBackendClient) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this AuthBackendClient. 
@@ -131,9 +131,9 @@ func (mg *AuthBackendClient) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this AuthBackendClient. -func (mg *AuthBackendClient) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this AuthBackendClient. +func (mg *AuthBackendClient) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this AuthBackendClient. @@ -169,9 +169,9 @@ func (mg *AuthBackendConfigIdentity) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this AuthBackendConfigIdentity. -func (mg *AuthBackendConfigIdentity) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this AuthBackendConfigIdentity. +func (mg *AuthBackendConfigIdentity) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this AuthBackendConfigIdentity. @@ -207,9 +207,9 @@ func (mg *AuthBackendConfigIdentity) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this AuthBackendConfigIdentity. -func (mg *AuthBackendConfigIdentity) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this AuthBackendConfigIdentity. +func (mg *AuthBackendConfigIdentity) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this AuthBackendConfigIdentity. 
@@ -245,9 +245,9 @@ func (mg *AuthBackendIdentityWhitelist) GetDeletionPolicy() xpv1.DeletionPolicy return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this AuthBackendIdentityWhitelist. -func (mg *AuthBackendIdentityWhitelist) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this AuthBackendIdentityWhitelist. +func (mg *AuthBackendIdentityWhitelist) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this AuthBackendIdentityWhitelist. @@ -283,9 +283,9 @@ func (mg *AuthBackendIdentityWhitelist) SetDeletionPolicy(r xpv1.DeletionPolicy) mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this AuthBackendIdentityWhitelist. -func (mg *AuthBackendIdentityWhitelist) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this AuthBackendIdentityWhitelist. +func (mg *AuthBackendIdentityWhitelist) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this AuthBackendIdentityWhitelist. @@ -321,9 +321,9 @@ func (mg *AuthBackendLogin) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this AuthBackendLogin. -func (mg *AuthBackendLogin) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this AuthBackendLogin. +func (mg *AuthBackendLogin) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this AuthBackendLogin. 
@@ -359,9 +359,9 @@ func (mg *AuthBackendLogin) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this AuthBackendLogin. -func (mg *AuthBackendLogin) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this AuthBackendLogin. +func (mg *AuthBackendLogin) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this AuthBackendLogin. @@ -397,9 +397,9 @@ func (mg *AuthBackendRole) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this AuthBackendRole. -func (mg *AuthBackendRole) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this AuthBackendRole. +func (mg *AuthBackendRole) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this AuthBackendRole. @@ -435,9 +435,9 @@ func (mg *AuthBackendRole) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this AuthBackendRole. -func (mg *AuthBackendRole) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this AuthBackendRole. +func (mg *AuthBackendRole) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this AuthBackendRole. 
@@ -473,9 +473,9 @@ func (mg *AuthBackendRoleTag) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this AuthBackendRoleTag. -func (mg *AuthBackendRoleTag) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this AuthBackendRoleTag. +func (mg *AuthBackendRoleTag) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this AuthBackendRoleTag. @@ -511,9 +511,9 @@ func (mg *AuthBackendRoleTag) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this AuthBackendRoleTag. -func (mg *AuthBackendRoleTag) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this AuthBackendRoleTag. +func (mg *AuthBackendRoleTag) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this AuthBackendRoleTag. @@ -549,9 +549,9 @@ func (mg *AuthBackendRoletagBlacklist) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this AuthBackendRoletagBlacklist. -func (mg *AuthBackendRoletagBlacklist) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this AuthBackendRoletagBlacklist. +func (mg *AuthBackendRoletagBlacklist) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this AuthBackendRoletagBlacklist. 
@@ -587,9 +587,9 @@ func (mg *AuthBackendRoletagBlacklist) SetDeletionPolicy(r xpv1.DeletionPolicy) mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this AuthBackendRoletagBlacklist. -func (mg *AuthBackendRoletagBlacklist) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this AuthBackendRoletagBlacklist. +func (mg *AuthBackendRoletagBlacklist) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this AuthBackendRoletagBlacklist. @@ -625,9 +625,9 @@ func (mg *AuthBackendStsRole) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this AuthBackendStsRole. -func (mg *AuthBackendStsRole) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this AuthBackendStsRole. +func (mg *AuthBackendStsRole) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this AuthBackendStsRole. @@ -663,9 +663,9 @@ func (mg *AuthBackendStsRole) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this AuthBackendStsRole. -func (mg *AuthBackendStsRole) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this AuthBackendStsRole. +func (mg *AuthBackendStsRole) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this AuthBackendStsRole. 
@@ -701,9 +701,9 @@ func (mg *SecretBackend) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackend. -func (mg *SecretBackend) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackend. +func (mg *SecretBackend) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackend. @@ -739,9 +739,9 @@ func (mg *SecretBackend) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackend. -func (mg *SecretBackend) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackend. +func (mg *SecretBackend) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackend. @@ -777,9 +777,9 @@ func (mg *SecretBackendRole) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackendRole. -func (mg *SecretBackendRole) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackendRole. +func (mg *SecretBackendRole) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackendRole. @@ -815,9 +815,9 @@ func (mg *SecretBackendRole) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackendRole. -func (mg *SecretBackendRole) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackendRole. +func (mg *SecretBackendRole) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackendRole. 
diff --git a/apis/aws/v1alpha1/zz_generated_terraformed.go b/apis/aws/v1alpha1/zz_generated_terraformed.go index 0b948266..d3b5d785 100755 --- a/apis/aws/v1alpha1/zz_generated_terraformed.go +++ b/apis/aws/v1alpha1/zz_generated_terraformed.go @@ -69,6 +69,16 @@ func (tr *AuthBackendCert) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this AuthBackendCert +func (tr *AuthBackendCert) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this AuthBackendCert using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackendCert) LateInitialize(attrs []byte) (bool, error) { @@ -143,6 +153,16 @@ func (tr *AuthBackendClient) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this AuthBackendClient +func (tr *AuthBackendClient) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this AuthBackendClient using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackendClient) LateInitialize(attrs []byte) (bool, error) { 
@@ -217,6 +237,16 @@ func (tr *AuthBackendConfigIdentity) SetParameters(params map[string]any) error return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this AuthBackendConfigIdentity +func (tr *AuthBackendConfigIdentity) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this AuthBackendConfigIdentity using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackendConfigIdentity) LateInitialize(attrs []byte) (bool, error) { @@ -291,6 +321,16 @@ func (tr *AuthBackendIdentityWhitelist) SetParameters(params map[string]any) err return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this AuthBackendIdentityWhitelist +func (tr *AuthBackendIdentityWhitelist) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this AuthBackendIdentityWhitelist using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackendIdentityWhitelist) LateInitialize(attrs []byte) (bool, error) { 
@@ -365,6 +405,16 @@ func (tr *AuthBackendLogin) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this AuthBackendLogin +func (tr *AuthBackendLogin) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this AuthBackendLogin using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackendLogin) LateInitialize(attrs []byte) (bool, error) { @@ -439,6 +489,16 @@ func (tr *AuthBackendRole) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this AuthBackendRole +func (tr *AuthBackendRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this AuthBackendRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackendRole) LateInitialize(attrs []byte) (bool, error) { @@ -513,6 +573,16 @@ func (tr *AuthBackendRoleTag) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this AuthBackendRoleTag +func (tr *AuthBackendRoleTag) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this AuthBackendRoleTag using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackendRoleTag) LateInitialize(attrs []byte) (bool, error) { 
@@ -587,6 +657,16 @@ func (tr *AuthBackendRoletagBlacklist) SetParameters(params map[string]any) erro return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this AuthBackendRoletagBlacklist +func (tr *AuthBackendRoletagBlacklist) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this AuthBackendRoletagBlacklist using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackendRoletagBlacklist) LateInitialize(attrs []byte) (bool, error) { @@ -661,6 +741,16 @@ func (tr *AuthBackendStsRole) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this AuthBackendStsRole +func (tr *AuthBackendStsRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this AuthBackendStsRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackendStsRole) LateInitialize(attrs []byte) (bool, error) { 
@@ -735,6 +825,16 @@ func (tr *SecretBackend) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackend +func (tr *SecretBackend) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackend using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { @@ -809,6 +909,16 @@ func (tr *SecretBackendRole) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackendRole +func (tr *SecretBackendRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackendRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackendRole) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/aws/v1alpha1/zz_secretbackend_types.go b/apis/aws/v1alpha1/zz_secretbackend_types.go index 4c602edf..2f5f93c3 100755 --- a/apis/aws/v1alpha1/zz_secretbackend_types.go +++ b/apis/aws/v1alpha1/zz_secretbackend_types.go 
@@ -13,87 +13,175 @@ import (
  v1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 )
 
+type SecretBackendInitParameters struct {
+
+ // The default TTL for credentials
+ // issued by this backend.
+ // Default lease duration for secrets in seconds
+ DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"`
+
+ // A human-friendly description for this backend.
+ // Human-friendly description of the mount for the backend.
+ Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+ // If set, opts out of mount migration on path updates.
+ // See here for more info on Mount Migration
+ // If set, opts out of mount migration on path updates.
+ DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"`
+
+ // Specifies a custom HTTP IAM endpoint to use.
+ // Specifies a custom HTTP IAM endpoint to use.
+ IAMEndpoint *string `json:"iamEndpoint,omitempty" tf:"iam_endpoint,omitempty"`
+
+ // The maximum TTL that can be requested
+ // for credentials issued by this backend.
+ // Maximum possible lease duration for secrets in seconds
+ MaxLeaseTTLSeconds *float64 `json:"maxLeaseTtlSeconds,omitempty" tf:"max_lease_ttl_seconds,omitempty"`
+
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
+ // Target namespace. (requires Enterprise)
+ Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+
+ // The unique path this backend should be mounted at. Must
+ // not begin or end with a /. Defaults to aws.
+ // Path to mount the backend at.
+ Path *string `json:"path,omitempty" tf:"path,omitempty"`
+
+ // The AWS region for API calls. Defaults to us-east-1.
+ // The AWS region to make API calls against. Defaults to us-east-1.
+ Region *string `json:"region,omitempty" tf:"region,omitempty"`
+
+ // Specifies a custom HTTP STS endpoint to use.
+ // Specifies a custom HTTP STS endpoint to use.
+ StsEndpoint *string `json:"stsEndpoint,omitempty" tf:"sts_endpoint,omitempty"`
+
+ // Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
+ // Template describing how dynamic usernames are generated.
+ UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"`
+}
+
 type SecretBackendObservation struct {
 
+ // The default TTL for credentials
+ // issued by this backend.
  // Default lease duration for secrets in seconds
  DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"`
 
+ // A human-friendly description for this backend.
  // Human-friendly description of the mount for the backend.
  Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
+ // If set, opts out of mount migration on path updates.
+ // See here for more info on Mount Migration
  // If set, opts out of mount migration on path updates.
  DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"`
 
+ // Specifies a custom HTTP IAM endpoint to use.
  // Specifies a custom HTTP IAM endpoint to use.
  IAMEndpoint *string `json:"iamEndpoint,omitempty" tf:"iam_endpoint,omitempty"`
 
  ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+ // The maximum TTL that can be requested
+ // for credentials issued by this backend.
  // Maximum possible lease duration for secrets in seconds
  MaxLeaseTTLSeconds *float64 `json:"maxLeaseTtlSeconds,omitempty" tf:"max_lease_ttl_seconds,omitempty"`
 
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
  // Target namespace. (requires Enterprise)
  Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
 
+ // The unique path this backend should be mounted at. Must
+ // not begin or end with a /. Defaults to aws.
  // Path to mount the backend at.
  Path *string `json:"path,omitempty" tf:"path,omitempty"`
 
+ // The AWS region for API calls. Defaults to us-east-1.
  // The AWS region to make API calls against. Defaults to us-east-1.
  Region *string `json:"region,omitempty" tf:"region,omitempty"`
 
+ // Specifies a custom HTTP STS endpoint to use.
  // Specifies a custom HTTP STS endpoint to use.
  StsEndpoint *string `json:"stsEndpoint,omitempty" tf:"sts_endpoint,omitempty"`
 
+ // Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
  // Template describing how dynamic usernames are generated.
  UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"`
 }
 
 type SecretBackendParameters struct {
 
+ // The AWS Access Key ID this backend should use to
+ // issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
  // The AWS Access Key ID to use when generating new credentials.
  // +kubebuilder:validation:Optional
  AccessKeySecretRef *v1.SecretKeySelector `json:"accessKeySecretRef,omitempty" tf:"-"`
 
+ // The default TTL for credentials
+ // issued by this backend.
  // Default lease duration for secrets in seconds
  // +kubebuilder:validation:Optional
  DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"`
 
+ // A human-friendly description for this backend.
  // Human-friendly description of the mount for the backend.
  // +kubebuilder:validation:Optional
  Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
+ // If set, opts out of mount migration on path updates.
+ // See here for more info on Mount Migration
  // If set, opts out of mount migration on path updates.
  // +kubebuilder:validation:Optional
  DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"`
 
+ // Specifies a custom HTTP IAM endpoint to use.
  // Specifies a custom HTTP IAM endpoint to use.
  // +kubebuilder:validation:Optional
  IAMEndpoint *string `json:"iamEndpoint,omitempty" tf:"iam_endpoint,omitempty"`
 
+ // The maximum TTL that can be requested
+ // for credentials issued by this backend.
  // Maximum possible lease duration for secrets in seconds
  // +kubebuilder:validation:Optional
  MaxLeaseTTLSeconds *float64 `json:"maxLeaseTtlSeconds,omitempty" tf:"max_lease_ttl_seconds,omitempty"`
 
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
  // Target namespace. (requires Enterprise)
  // +kubebuilder:validation:Optional
  Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
 
+ // The unique path this backend should be mounted at. Must
+ // not begin or end with a /. Defaults to aws.
  // Path to mount the backend at.
  // +kubebuilder:validation:Optional
  Path *string `json:"path,omitempty" tf:"path,omitempty"`
 
+ // The AWS region for API calls. Defaults to us-east-1.
  // The AWS region to make API calls against. Defaults to us-east-1.
  // +kubebuilder:validation:Optional
  Region *string `json:"region,omitempty" tf:"region,omitempty"`
 
+ // The AWS Secret Key this backend should use to
+ // issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
  // The AWS Secret Access Key to use when generating new credentials.
  // +kubebuilder:validation:Optional
  SecretKeySecretRef *v1.SecretKeySelector `json:"secretKeySecretRef,omitempty" tf:"-"`
 
+ // Specifies a custom HTTP STS endpoint to use.
  // Specifies a custom HTTP STS endpoint to use.
  // +kubebuilder:validation:Optional
  StsEndpoint *string `json:"stsEndpoint,omitempty" tf:"sts_endpoint,omitempty"`
 
+ // Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
  // Template describing how dynamic usernames are generated.
  // +kubebuilder:validation:Optional
  UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"`
@@ -103,6 +191,18 @@ type SecretBackendParameters struct {
 type SecretBackendSpec struct {
  v1.ResourceSpec `json:",inline"`
  ForProvider SecretBackendParameters `json:"forProvider"`
+ // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored
+ // unless the relevant Crossplane feature flag is enabled, and may be
+ // changed or removed without notice.
+ // InitProvider holds the same fields as ForProvider, with the exception
+ // of Identifier and other resource reference fields. The fields that are
+ // in InitProvider are merged into ForProvider when the resource is created.
+ // The same fields are also added to the terraform ignore_changes hook, to
+ // avoid updating them after creation. This is useful for fields that are
+ // required on creation, but we do not desire to update them after creation,
+ // for example because of an external controller is managing them, like an
+ // autoscaler.
+ InitProvider SecretBackendInitParameters `json:"initProvider,omitempty"`
 }
 
 // SecretBackendStatus defines the observed state of SecretBackend.
@@ -113,7 +213,7 @@ type SecretBackendStatus struct {
 
 // +kubebuilder:object:root=true
 
-// SecretBackend is the Schema for the SecretBackends API.
+// SecretBackend is the Schema for the SecretBackends API. Creates an AWS secret backend for Vault.
 // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status"
 // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status"
 // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name"
diff --git a/apis/aws/v1alpha1/zz_secretbackendrole_types.go b/apis/aws/v1alpha1/zz_secretbackendrole_types.go
index efff5e66..b7172132 100755
--- a/apis/aws/v1alpha1/zz_secretbackendrole_types.go
+++ b/apis/aws/v1alpha1/zz_secretbackendrole_types.go
@@ -13,93 +13,270 @@ import (
  v1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 )
 
+type SecretBackendRoleInitParameters struct {
+
+ // The path the AWS secret backend is mounted at,
+ // with no leading or trailing /s.
+ // The path of the AWS Secret Backend the role belongs to.
+ Backend *string `json:"backend,omitempty" tf:"backend,omitempty"`
+
+ // Specifies the type of credential to be used when
+ // retrieving credentials from the role. Must be one of iam_user, assumed_role, or
+ // federation_token.
+ // Role credential type.
+ CredentialType *string `json:"credentialType,omitempty" tf:"credential_type,omitempty"`
+
+ // The default TTL in seconds for STS credentials.
+ // When a TTL is not specified when STS credentials are requested,
+ // and a default TTL is specified on the role,
+ // then this default TTL will be used. Valid only when credential_type is one of
+ // assumed_role or federation_token.
+ // The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.
+ DefaultStsTTL *float64 `json:"defaultStsTtl,omitempty" tf:"default_sts_ttl,omitempty"`
+
+ // A list of IAM group names. IAM users generated
+ // against this vault role will be added to these IAM Groups. For a credential
+ // type of assumed_role or federation_token, the policies sent to the
+ // corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the
+ // policies from each group in iam_groups combined with the policy_document
+ // and policy_arns parameters.
+ // A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.
+ IAMGroups []*string `json:"iamGroups,omitempty" tf:"iam_groups,omitempty"`
+
+ // The max allowed TTL in seconds for STS credentials
+ // (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is
+ // one of assumed_role or federation_token.
+ // The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.
+ MaxStsTTL *float64 `json:"maxStsTtl,omitempty" tf:"max_sts_ttl,omitempty"`
+
+ // The name to identify this role within the backend.
+ // Must be unique within the backend.
+ // Unique name for the role.
+ Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
+ // Target namespace. (requires Enterprise)
+ Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+
+ // The ARN of the AWS Permissions
+ // Boundary to attach to IAM users created in the role. Valid only when
+ // credential_type is iam_user. If not specified, then no permissions boundary
+ // policy will be attached.
+ // The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.
+ PermissionsBoundaryArn *string `json:"permissionsBoundaryArn,omitempty" tf:"permissions_boundary_arn,omitempty"`
+
+ // Specifies a list of AWS managed policy ARNs. The
+ // behavior depends on the credential type. With iam_user, the policies will be
+ // attached to IAM users when they are requested. With assumed_role and
+ // federation_token, the policy ARNs will act as a filter on what the credentials
+ // can do, similar to policy_document. When credential_type is iam_user or
+ // federation_token, at least one of policy_document or policy_arns must
+ // be specified.
+ // ARN for an existing IAM policy the role should use.
+ PolicyArns []*string `json:"policyArns,omitempty" tf:"policy_arns,omitempty"`
+
+ // The IAM policy document for the role. The
+ // behavior depends on the credential type. With iam_user, the policy document
+ // will be attached to the IAM user generated and augment the permissions the IAM
+ // user has. With assumed_role and federation_token, the policy document will
+ // act as a filter on what the credentials can do, similar to policy_arns.
+ // IAM policy the role should use in JSON format.
+ PolicyDocument *string `json:"policyDocument,omitempty" tf:"policy_document,omitempty"`
+
+ // Specifies the ARNs of the AWS roles this Vault role
+ // is allowed to assume. Required when credential_type is assumed_role and
+ // prohibited otherwise.
+ // ARNs of AWS roles allowed to be assumed. Only valid when credential_type is 'assumed_role'
+ RoleArns []*string `json:"roleArns,omitempty" tf:"role_arns,omitempty"`
+
+ // The path for the user name. Valid only when
+ // credential_type is iam_user. Default is /.
+ // The path for the user name. Valid only when credential_type is iam_user. Default is /
+ UserPath *string `json:"userPath,omitempty" tf:"user_path,omitempty"`
+}
+
 type SecretBackendRoleObservation struct {
 
+ // The path the AWS secret backend is mounted at,
+ // with no leading or trailing /s.
  // The path of the AWS Secret Backend the role belongs to.
  Backend *string `json:"backend,omitempty" tf:"backend,omitempty"`
 
+ // Specifies the type of credential to be used when
+ // retrieving credentials from the role. Must be one of iam_user, assumed_role, or
+ // federation_token.
  // Role credential type.
  CredentialType *string `json:"credentialType,omitempty" tf:"credential_type,omitempty"`
 
+ // The default TTL in seconds for STS credentials.
+ // When a TTL is not specified when STS credentials are requested,
+ // and a default TTL is specified on the role,
+ // then this default TTL will be used. Valid only when credential_type is one of
+ // assumed_role or federation_token.
  // The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.
  DefaultStsTTL *float64 `json:"defaultStsTtl,omitempty" tf:"default_sts_ttl,omitempty"`
 
+ // A list of IAM group names. IAM users generated
+ // against this vault role will be added to these IAM Groups. For a credential
+ // type of assumed_role or federation_token, the policies sent to the
+ // corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the
+ // policies from each group in iam_groups combined with the policy_document
+ // and policy_arns parameters.
  // A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.
  IAMGroups []*string `json:"iamGroups,omitempty" tf:"iam_groups,omitempty"`
 
  ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+ // The max allowed TTL in seconds for STS credentials
+ // (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is
+ // one of assumed_role or federation_token.
  // The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.
  MaxStsTTL *float64 `json:"maxStsTtl,omitempty" tf:"max_sts_ttl,omitempty"`
 
+ // The name to identify this role within the backend.
+ // Must be unique within the backend.
  // Unique name for the role.
  Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
  // Target namespace. (requires Enterprise)
  Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
 
+ // The ARN of the AWS Permissions
+ // Boundary to attach to IAM users created in the role. Valid only when
+ // credential_type is iam_user. If not specified, then no permissions boundary
+ // policy will be attached.
  // The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.
  PermissionsBoundaryArn *string `json:"permissionsBoundaryArn,omitempty" tf:"permissions_boundary_arn,omitempty"`
 
+ // Specifies a list of AWS managed policy ARNs. The
+ // behavior depends on the credential type. With iam_user, the policies will be
+ // attached to IAM users when they are requested. With assumed_role and
+ // federation_token, the policy ARNs will act as a filter on what the credentials
+ // can do, similar to policy_document. When credential_type is iam_user or
+ // federation_token, at least one of policy_document or policy_arns must
+ // be specified.
  // ARN for an existing IAM policy the role should use.
  PolicyArns []*string `json:"policyArns,omitempty" tf:"policy_arns,omitempty"`
 
+ // The IAM policy document for the role. The
+ // behavior depends on the credential type. With iam_user, the policy document
+ // will be attached to the IAM user generated and augment the permissions the IAM
+ // user has. With assumed_role and federation_token, the policy document will
+ // act as a filter on what the credentials can do, similar to policy_arns.
  // IAM policy the role should use in JSON format.
  PolicyDocument *string `json:"policyDocument,omitempty" tf:"policy_document,omitempty"`
 
+ // Specifies the ARNs of the AWS roles this Vault role
+ // is allowed to assume. Required when credential_type is assumed_role and
+ // prohibited otherwise.
  // ARNs of AWS roles allowed to be assumed. Only valid when credential_type is 'assumed_role'
  RoleArns []*string `json:"roleArns,omitempty" tf:"role_arns,omitempty"`
 
+ // The path for the user name. Valid only when
+ // credential_type is iam_user. Default is /.
  // The path for the user name. Valid only when credential_type is iam_user. Default is /
  UserPath *string `json:"userPath,omitempty" tf:"user_path,omitempty"`
 }
 
 type SecretBackendRoleParameters struct {
 
+ // The path the AWS secret backend is mounted at,
+ // with no leading or trailing /s.
  // The path of the AWS Secret Backend the role belongs to.
  // +kubebuilder:validation:Optional
  Backend *string `json:"backend,omitempty" tf:"backend,omitempty"`
 
+ // Specifies the type of credential to be used when
+ // retrieving credentials from the role. Must be one of iam_user, assumed_role, or
+ // federation_token.
  // Role credential type.
  // +kubebuilder:validation:Optional
  CredentialType *string `json:"credentialType,omitempty" tf:"credential_type,omitempty"`
 
+ // The default TTL in seconds for STS credentials.
+ // When a TTL is not specified when STS credentials are requested,
+ // and a default TTL is specified on the role,
+ // then this default TTL will be used. Valid only when credential_type is one of
+ // assumed_role or federation_token.
  // The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.
  // +kubebuilder:validation:Optional
  DefaultStsTTL *float64 `json:"defaultStsTtl,omitempty" tf:"default_sts_ttl,omitempty"`
 
+ // A list of IAM group names. IAM users generated
+ // against this vault role will be added to these IAM Groups. For a credential
+ // type of assumed_role or federation_token, the policies sent to the
+ // corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the
+ // policies from each group in iam_groups combined with the policy_document
+ // and policy_arns parameters.
  // A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.
  // +kubebuilder:validation:Optional
  IAMGroups []*string `json:"iamGroups,omitempty" tf:"iam_groups,omitempty"`
 
+ // The max allowed TTL in seconds for STS credentials
+ // (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is
+ // one of assumed_role or federation_token.
  // The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.
  // +kubebuilder:validation:Optional
  MaxStsTTL *float64 `json:"maxStsTtl,omitempty" tf:"max_sts_ttl,omitempty"`
 
+ // The name to identify this role within the backend.
+ // Must be unique within the backend.
  // Unique name for the role.
  // +kubebuilder:validation:Optional
  Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
  // Target namespace. (requires Enterprise)
  // +kubebuilder:validation:Optional
  Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
 
+ // The ARN of the AWS Permissions
+ // Boundary to attach to IAM users created in the role. Valid only when
+ // credential_type is iam_user. If not specified, then no permissions boundary
+ // policy will be attached.
  // The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.
  // +kubebuilder:validation:Optional
  PermissionsBoundaryArn *string `json:"permissionsBoundaryArn,omitempty" tf:"permissions_boundary_arn,omitempty"`
 
+ // Specifies a list of AWS managed policy ARNs. The
+ // behavior depends on the credential type. With iam_user, the policies will be
+ // attached to IAM users when they are requested. With assumed_role and
+ // federation_token, the policy ARNs will act as a filter on what the credentials
+ // can do, similar to policy_document. When credential_type is iam_user or
+ // federation_token, at least one of policy_document or policy_arns must
+ // be specified.
  // ARN for an existing IAM policy the role should use.
  // +kubebuilder:validation:Optional
  PolicyArns []*string `json:"policyArns,omitempty" tf:"policy_arns,omitempty"`
 
+ // The IAM policy document for the role. The
+ // behavior depends on the credential type. With iam_user, the policy document
+ // will be attached to the IAM user generated and augment the permissions the IAM
+ // user has. With assumed_role and federation_token, the policy document will
+ // act as a filter on what the credentials can do, similar to policy_arns.
  // IAM policy the role should use in JSON format.
  // +kubebuilder:validation:Optional
  PolicyDocument *string `json:"policyDocument,omitempty" tf:"policy_document,omitempty"`
 
+ // Specifies the ARNs of the AWS roles this Vault role
+ // is allowed to assume. Required when credential_type is assumed_role and
+ // prohibited otherwise.
  // ARNs of AWS roles allowed to be assumed. Only valid when credential_type is 'assumed_role'
  // +kubebuilder:validation:Optional
  RoleArns []*string `json:"roleArns,omitempty" tf:"role_arns,omitempty"`
 
+ // The path for the user name. Valid only when
+ // credential_type is iam_user. Default is /.
  // The path for the user name. Valid only when credential_type is iam_user. Default is /
  // +kubebuilder:validation:Optional
  UserPath *string `json:"userPath,omitempty" tf:"user_path,omitempty"`
@@ -109,6 +286,18 @@ type SecretBackendRoleParameters struct {
 type SecretBackendRoleSpec struct {
  v1.ResourceSpec `json:",inline"`
  ForProvider SecretBackendRoleParameters `json:"forProvider"`
+ // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored
+ // unless the relevant Crossplane feature flag is enabled, and may be
+ // changed or removed without notice.
+ // InitProvider holds the same fields as ForProvider, with the exception
+ // of Identifier and other resource reference fields. The fields that are
+ // in InitProvider are merged into ForProvider when the resource is created.
+ // The same fields are also added to the terraform ignore_changes hook, to
+ // avoid updating them after creation. This is useful for fields that are
+ // required on creation, but we do not desire to update them after creation,
+ // for example because of an external controller is managing them, like an
+ // autoscaler.
+ InitProvider SecretBackendRoleInitParameters `json:"initProvider,omitempty"`
 }
 
 // SecretBackendRoleStatus defines the observed state of SecretBackendRole.
@@ -119,7 +308,7 @@ type SecretBackendRoleStatus struct {
 
 // +kubebuilder:object:root=true
 
-// SecretBackendRole is the Schema for the SecretBackendRoles API.
+// SecretBackendRole is the Schema for the SecretBackendRoles API. Creates a role on an AWS Secret Backend for Vault.
 // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status"
 // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status"
 // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name"
@@ -129,9 +318,9 @@ type SecretBackendRoleStatus struct {
 type SecretBackendRole struct {
  metav1.TypeMeta `json:",inline"`
  metav1.ObjectMeta `json:"metadata,omitempty"`
- // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend)",message="backend is a required parameter"
- // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.credentialType)",message="credentialType is a required parameter"
- // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+ // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter"
+ // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.credentialType) || has(self.initProvider.credentialType)",message="credentialType is a required parameter"
+ // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter"
  Spec SecretBackendRoleSpec `json:"spec"`
  Status SecretBackendRoleStatus `json:"status,omitempty"`
 }
diff --git a/apis/azure/v1alpha1/zz_authbackendconfig_types.go b/apis/azure/v1alpha1/zz_authbackendconfig_types.go
index fc462f9c..a842f6b6 100755
--- a/apis/azure/v1alpha1/zz_authbackendconfig_types.go
+++ b/apis/azure/v1alpha1/zz_authbackendconfig_types.go
@@ -13,49 +13,103 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AuthBackendConfigInitParameters struct { + + // The path the Azure auth backend being configured was + // mounted at. Defaults to azure. + // Unique name of the auth backend to configure. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // The Azure cloud environment. Valid values: + // AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, + // AzureGermanCloud. Defaults to AzurePublicCloud. + // The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. + Environment *string `json:"environment,omitempty" tf:"environment,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The configured URL for the application registered in + // Azure Active Directory. + // The configured URL for the application registered in Azure Active Directory. + Resource *string `json:"resource,omitempty" tf:"resource,omitempty"` +} + type AuthBackendConfigObservation struct { + // The path the Azure auth backend being configured was + // mounted at. Defaults to azure. // Unique name of the auth backend to configure. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // The Azure cloud environment. Valid values: + // AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, + // AzureGermanCloud. Defaults to AzurePublicCloud. // The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. 
Environment *string `json:"environment,omitempty" tf:"environment,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The configured URL for the application registered in + // Azure Active Directory. // The configured URL for the application registered in Azure Active Directory. Resource *string `json:"resource,omitempty" tf:"resource,omitempty"` } type AuthBackendConfigParameters struct { + // The path the Azure auth backend being configured was + // mounted at. Defaults to azure. // Unique name of the auth backend to configure. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // The client id for credentials to query the Azure APIs. + // Currently read permissions to query compute resources are required. // The client id for credentials to query the Azure APIs. Currently read permissions to query compute resources are required. // +kubebuilder:validation:Optional ClientIDSecretRef *v1.SecretKeySelector `json:"clientIdSecretRef,omitempty" tf:"-"` + // The client secret for credentials to query the + // Azure APIs. // The client secret for credentials to query the Azure APIs // +kubebuilder:validation:Optional ClientSecretSecretRef *v1.SecretKeySelector `json:"clientSecretSecretRef,omitempty" tf:"-"` + // The Azure cloud environment. Valid values: + // AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, + // AzureGermanCloud. Defaults to AzurePublicCloud. // The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. 
// +kubebuilder:validation:Optional Environment *string `json:"environment,omitempty" tf:"environment,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The configured URL for the application registered in + // Azure Active Directory. // The configured URL for the application registered in Azure Active Directory. // +kubebuilder:validation:Optional Resource *string `json:"resource,omitempty" tf:"resource,omitempty"` + // The tenant id for the Azure Active Directory + // organization. // The tenant id for the Azure Active Directory organization. // +kubebuilder:validation:Optional TenantIDSecretRef v1.SecretKeySelector `json:"tenantIdSecretRef" tf:"-"` 
@@ -65,6 +119,18 @@ type AuthBackendConfigParameters struct { type AuthBackendConfigSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendConfigParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider AuthBackendConfigInitParameters `json:"initProvider,omitempty"` } // AuthBackendConfigStatus defines the observed state of AuthBackendConfig. @@ -75,7 +141,7 @@ type AuthBackendConfigStatus struct { // +kubebuilder:object:root=true -// AuthBackendConfig is the Schema for the AuthBackendConfigs API. +// AuthBackendConfig is the Schema for the AuthBackendConfigs API. Configures the Azure Auth Backend in Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -85,8 +151,8 @@ type AuthBackendConfigStatus struct { type AuthBackendConfig struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.resource)",message="resource is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.tenantIdSecretRef)",message="tenantIdSecretRef is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.resource) || has(self.initProvider.resource)",message="resource is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.tenantIdSecretRef)",message="tenantIdSecretRef is a required parameter" Spec AuthBackendConfigSpec `json:"spec"` Status AuthBackendConfigStatus `json:"status,omitempty"` } diff --git a/apis/azure/v1alpha1/zz_authbackendrole_types.go b/apis/azure/v1alpha1/zz_authbackendrole_types.go index bd5f9877..a61a34e0 100755 --- a/apis/azure/v1alpha1/zz_authbackendrole_types.go +++ b/apis/azure/v1alpha1/zz_authbackendrole_types.go 
@@ -13,61 +13,216 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AuthBackendRoleInitParameters struct { + + // Unique name of the auth backend to configure. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // If set, defines a constraint on the groups + // that can perform the login operation that they should be using the group + // ID specified by this field. + // The list of group ids that login is restricted to. + BoundGroupIds []*string `json:"boundGroupIds,omitempty" tf:"bound_group_ids,omitempty"` + + // If set, defines a constraint on the virtual machines + // that can perform the login operation that the location in their identity + // document must match the one specified by this field. + // The list of locations that login is restricted to. + BoundLocations []*string `json:"boundLocations,omitempty" tf:"bound_locations,omitempty"` + + // If set, defines a constraint on the virtual + // machines that can perform the login operation that they be associated with + // the resource group that matches the value specified by this field. + // The list of resource groups that login is restricted to. + BoundResourceGroups []*string `json:"boundResourceGroups,omitempty" tf:"bound_resource_groups,omitempty"` + + // If set, defines a constraint on the virtual + // machines that can perform the login operation that they must match the scale set + // specified by this field. + // The list of scale set names that the login is restricted to. + BoundScaleSets []*string `json:"boundScaleSets,omitempty" tf:"bound_scale_sets,omitempty"` + + // If set, defines a constraint on the + // service principals that can perform the login operation that they should be possess + // the ids specified by this field. + // The list of Service Principal IDs that login is restricted to. 
+ BoundServicePrincipalIds []*string `json:"boundServicePrincipalIds,omitempty" tf:"bound_service_principal_ids,omitempty"` + + // If set, defines a constraint on the subscriptions + // that can perform the login operation to ones which matches the value specified by this + // field. + // The list of subscription IDs that login is restricted to. + BoundSubscriptionIds []*string `json:"boundSubscriptionIds,omitempty" tf:"bound_subscription_ids,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The name of the role. + // Name of the role. + Role *string `json:"role,omitempty" tf:"role,omitempty"` + + // List of CIDR blocks; if set, specifies blocks of IP + // addresses which can authenticate successfully, and ties the resulting token to these blocks + // as well. + // Specifies the blocks of IP addresses which are allowed to use the generated token + TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + + // If set, will encode an + // explicit max TTL + // onto the token in number of seconds. This is a hard cap even if token_ttl and + // token_max_ttl would otherwise allow a renewal. + // Generated Token's Explicit Maximum TTL in seconds + TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + + // The maximum lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. 
+ // The maximum lifetime of the generated token + TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + + // If set, the default policy will not be set on + // generated tokens; otherwise it will be added to the policies set in token_policies. + // If true, the 'default' policy will not automatically be added to generated tokens + TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + + // The maximum number + // of times a generated token may be used (within its lifetime); 0 means unlimited. + // The maximum number of times a token may be used, a value of zero means unlimited + TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + + // If set, indicates that the + // token generated using this role should never expire. The token should be renewed within the + // duration specified by this value. At each renewal, the token's TTL will be set to the + // value of this field. Specified in seconds. + // Generated Token's Period + TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + + // List of policies to encode onto generated tokens. Depending + // on the auth method, this list may be supplemented by user/group/other values. + // Generated Token's Policies + TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + + // The incremental lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. + // The initial ttl of the token to generate in seconds + TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + + // The type of token that should be generated. Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). 
For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. + // The type of token to generate, service or batch + TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` +} + type AuthBackendRoleObservation struct { // Unique name of the auth backend to configure. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // If set, defines a constraint on the groups + // that can perform the login operation that they should be using the group + // ID specified by this field. // The list of group ids that login is restricted to. BoundGroupIds []*string `json:"boundGroupIds,omitempty" tf:"bound_group_ids,omitempty"` + // If set, defines a constraint on the virtual machines + // that can perform the login operation that the location in their identity + // document must match the one specified by this field. // The list of locations that login is restricted to. BoundLocations []*string `json:"boundLocations,omitempty" tf:"bound_locations,omitempty"` + // If set, defines a constraint on the virtual + // machines that can perform the login operation that they be associated with + // the resource group that matches the value specified by this field. // The list of resource groups that login is restricted to. BoundResourceGroups []*string `json:"boundResourceGroups,omitempty" tf:"bound_resource_groups,omitempty"` + // If set, defines a constraint on the virtual + // machines that can perform the login operation that they must match the scale set + // specified by this field. // The list of scale set names that the login is restricted to. BoundScaleSets []*string `json:"boundScaleSets,omitempty" tf:"bound_scale_sets,omitempty"` + // If set, defines a constraint on the + // service principals that can perform the login operation that they should be possess + // the ids specified by this field. 
// The list of Service Principal IDs that login is restricted to. BoundServicePrincipalIds []*string `json:"boundServicePrincipalIds,omitempty" tf:"bound_service_principal_ids,omitempty"` + // If set, defines a constraint on the subscriptions + // that can perform the login operation to ones which matches the value specified by this + // field. // The list of subscription IDs that login is restricted to. BoundSubscriptionIds []*string `json:"boundSubscriptionIds,omitempty" tf:"bound_subscription_ids,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The name of the role. // Name of the role. Role *string `json:"role,omitempty" tf:"role,omitempty"` + // List of CIDR blocks; if set, specifies blocks of IP + // addresses which can authenticate successfully, and ties the resulting token to these blocks + // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + // If set, will encode an + // explicit max TTL + // onto the token in number of seconds. This is a hard cap even if token_ttl and + // token_max_ttl would otherwise allow a renewal. // Generated Token's Explicit Maximum TTL in seconds TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + // The maximum lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. 
// The maximum lifetime of the generated token TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + // If set, the default policy will not be set on + // generated tokens; otherwise it will be added to the policies set in token_policies. // If true, the 'default' policy will not automatically be added to generated tokens TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + // The maximum number + // of times a generated token may be used (within its lifetime); 0 means unlimited. // The maximum number of times a token may be used, a value of zero means unlimited TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + // If set, indicates that the + // token generated using this role should never expire. The token should be renewed within the + // duration specified by this value. At each renewal, the token's TTL will be set to the + // value of this field. Specified in seconds. // Generated Token's Period TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + // List of policies to encode onto generated tokens. Depending + // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + // The incremental lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. // The initial ttl of the token to generate in seconds TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + // The type of token that should be generated. Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). 
For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. // The type of token to generate, service or batch TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` } 
@@ -78,70 +233,119 @@ type AuthBackendRoleParameters struct { // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // If set, defines a constraint on the groups + // that can perform the login operation that they should be using the group + // ID specified by this field. // The list of group ids that login is restricted to. // +kubebuilder:validation:Optional BoundGroupIds []*string `json:"boundGroupIds,omitempty" tf:"bound_group_ids,omitempty"` + // If set, defines a constraint on the virtual machines + // that can perform the login operation that the location in their identity + // document must match the one specified by this field. // The list of locations that login is restricted to. // +kubebuilder:validation:Optional BoundLocations []*string `json:"boundLocations,omitempty" tf:"bound_locations,omitempty"` + // If set, defines a constraint on the virtual + // machines that can perform the login operation that they be associated with + // the resource group that matches the value specified by this field. // The list of resource groups that login is restricted to. // +kubebuilder:validation:Optional BoundResourceGroups []*string `json:"boundResourceGroups,omitempty" tf:"bound_resource_groups,omitempty"` + // If set, defines a constraint on the virtual + // machines that can perform the login operation that they must match the scale set + // specified by this field. // The list of scale set names that the login is restricted to. // +kubebuilder:validation:Optional BoundScaleSets []*string `json:"boundScaleSets,omitempty" tf:"bound_scale_sets,omitempty"` + // If set, defines a constraint on the + // service principals that can perform the login operation that they should be possess + // the ids specified by this field. // The list of Service Principal IDs that login is restricted to. 
// +kubebuilder:validation:Optional BoundServicePrincipalIds []*string `json:"boundServicePrincipalIds,omitempty" tf:"bound_service_principal_ids,omitempty"` + // If set, defines a constraint on the subscriptions + // that can perform the login operation to ones which matches the value specified by this + // field. // The list of subscription IDs that login is restricted to. // +kubebuilder:validation:Optional BoundSubscriptionIds []*string `json:"boundSubscriptionIds,omitempty" tf:"bound_subscription_ids,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The name of the role. // Name of the role. // +kubebuilder:validation:Optional Role *string `json:"role,omitempty" tf:"role,omitempty"` + // List of CIDR blocks; if set, specifies blocks of IP + // addresses which can authenticate successfully, and ties the resulting token to these blocks + // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token // +kubebuilder:validation:Optional TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + // If set, will encode an + // explicit max TTL + // onto the token in number of seconds. This is a hard cap even if token_ttl and + // token_max_ttl would otherwise allow a renewal. // Generated Token's Explicit Maximum TTL in seconds // +kubebuilder:validation:Optional TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + // The maximum lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. 
// The maximum lifetime of the generated token // +kubebuilder:validation:Optional TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + // If set, the default policy will not be set on + // generated tokens; otherwise it will be added to the policies set in token_policies. // If true, the 'default' policy will not automatically be added to generated tokens // +kubebuilder:validation:Optional TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + // The maximum number + // of times a generated token may be used (within its lifetime); 0 means unlimited. // The maximum number of times a token may be used, a value of zero means unlimited // +kubebuilder:validation:Optional TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + // If set, indicates that the + // token generated using this role should never expire. The token should be renewed within the + // duration specified by this value. At each renewal, the token's TTL will be set to the + // value of this field. Specified in seconds. // Generated Token's Period // +kubebuilder:validation:Optional TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + // List of policies to encode onto generated tokens. Depending + // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies // +kubebuilder:validation:Optional TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + // The incremental lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. // The initial ttl of the token to generate in seconds // +kubebuilder:validation:Optional TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + // The type of token that should be generated. 
Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. // The type of token to generate, service or batch // +kubebuilder:validation:Optional TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` @@ -151,6 +355,18 @@ type AuthBackendRoleParameters struct { type AuthBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendRoleParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider AuthBackendRoleInitParameters `json:"initProvider,omitempty"` } // AuthBackendRoleStatus defines the observed state of AuthBackendRole. 
@@ -161,7 +377,7 @@ type AuthBackendRoleStatus struct { // +kubebuilder:object:root=true -// AuthBackendRole is the Schema for the AuthBackendRoles API. +// AuthBackendRole is the Schema for the AuthBackendRoles API. Manages Azure auth backend roles in Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" @@ -171,7 +387,7 @@ type AuthBackendRoleStatus struct { type AuthBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.role)",message="role is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.role) || has(self.initProvider.role)",message="role is a required parameter" Spec AuthBackendRoleSpec `json:"spec"` Status AuthBackendRoleStatus `json:"status,omitempty"` } diff --git a/apis/azure/v1alpha1/zz_generated.deepcopy.go b/apis/azure/v1alpha1/zz_generated.deepcopy.go index ce136471..88b39966 100644 --- a/apis/azure/v1alpha1/zz_generated.deepcopy.go +++ b/apis/azure/v1alpha1/zz_generated.deepcopy.go 
@@ -41,6 +41,41 @@ func (in *AuthBackendConfig) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendConfigInitParameters) DeepCopyInto(out *AuthBackendConfigInitParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.Environment != nil { + in, out := &in.Environment, &out.Environment + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Resource != nil { + in, out := &in.Resource, &out.Resource + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendConfigInitParameters. +func (in *AuthBackendConfigInitParameters) DeepCopy() *AuthBackendConfigInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendConfigInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthBackendConfigList) DeepCopyInto(out *AuthBackendConfigList) { *out = *in @@ -164,6 +199,7 @@ func (in *AuthBackendConfigSpec) DeepCopyInto(out *AuthBackendConfigSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendConfigSpec. 
@@ -220,6 +256,159 @@ func (in *AuthBackendRole) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendRoleInitParameters) DeepCopyInto(out *AuthBackendRoleInitParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.BoundGroupIds != nil { + in, out := &in.BoundGroupIds, &out.BoundGroupIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundLocations != nil { + in, out := &in.BoundLocations, &out.BoundLocations + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundResourceGroups != nil { + in, out := &in.BoundResourceGroups, &out.BoundResourceGroups + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundScaleSets != nil { + in, out := &in.BoundScaleSets, &out.BoundScaleSets + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundServicePrincipalIds != nil { + in, out := &in.BoundServicePrincipalIds, &out.BoundServicePrincipalIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundSubscriptionIds != nil { + in, out := &in.BoundSubscriptionIds, &out.BoundSubscriptionIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Namespace != 
nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Role != nil { + in, out := &in.Role, &out.Role + *out = new(string) + **out = **in + } + if in.TokenBoundCidrs != nil { + in, out := &in.TokenBoundCidrs, &out.TokenBoundCidrs + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenExplicitMaxTTL != nil { + in, out := &in.TokenExplicitMaxTTL, &out.TokenExplicitMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenMaxTTL != nil { + in, out := &in.TokenMaxTTL, &out.TokenMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenNoDefaultPolicy != nil { + in, out := &in.TokenNoDefaultPolicy, &out.TokenNoDefaultPolicy + *out = new(bool) + **out = **in + } + if in.TokenNumUses != nil { + in, out := &in.TokenNumUses, &out.TokenNumUses + *out = new(float64) + **out = **in + } + if in.TokenPeriod != nil { + in, out := &in.TokenPeriod, &out.TokenPeriod + *out = new(float64) + **out = **in + } + if in.TokenPolicies != nil { + in, out := &in.TokenPolicies, &out.TokenPolicies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenTTL != nil { + in, out := &in.TokenTTL, &out.TokenTTL + *out = new(float64) + **out = **in + } + if in.TokenType != nil { + in, out := &in.TokenType, &out.TokenType + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleInitParameters. +func (in *AuthBackendRoleInitParameters) DeepCopy() *AuthBackendRoleInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendRoleInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
func (in *AuthBackendRoleList) DeepCopyInto(out *AuthBackendRoleList) { *out = *in @@ -568,6 +757,7 @@ func (in *AuthBackendRoleSpec) DeepCopyInto(out *AuthBackendRoleSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleSpec. @@ -597,6 +787,26 @@ func (in *AuthBackendRoleStatus) DeepCopy() *AuthBackendRoleStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AzureGroupsInitParameters) DeepCopyInto(out *AzureGroupsInitParameters) { + *out = *in + if in.GroupName != nil { + in, out := &in.GroupName, &out.GroupName + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureGroupsInitParameters. +func (in *AzureGroupsInitParameters) DeepCopy() *AzureGroupsInitParameters { + if in == nil { + return nil + } + out := new(AzureGroupsInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AzureGroupsObservation) DeepCopyInto(out *AzureGroupsObservation) { *out = *in 
@@ -642,6 +852,36 @@ func (in *AzureGroupsParameters) DeepCopy() *AzureGroupsParameters { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AzureRolesInitParameters) DeepCopyInto(out *AzureRolesInitParameters) { + *out = *in + if in.RoleID != nil { + in, out := &in.RoleID, &out.RoleID + *out = new(string) + **out = **in + } + if in.RoleName != nil { + in, out := &in.RoleName, &out.RoleName + *out = new(string) + **out = **in + } + if in.Scope != nil { + in, out := &in.Scope, &out.Scope + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureRolesInitParameters. +func (in *AzureRolesInitParameters) DeepCopy() *AzureRolesInitParameters { + if in == nil { + return nil + } + out := new(AzureRolesInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AzureRolesObservation) DeepCopyInto(out *AzureRolesObservation) { *out = *in 
@@ -729,6 +969,51 @@ func (in *SecretBackend) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParameters) { + *out = *in + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.DisableRemount != nil { + in, out := &in.DisableRemount, &out.DisableRemount + *out = new(bool) + **out = **in + } + if in.Environment != nil { + in, out := &in.Environment, &out.Environment + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = **in + } + if in.UseMicrosoftGraphAPI != nil { + in, out := &in.UseMicrosoftGraphAPI, &out.UseMicrosoftGraphAPI + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendInitParameters. +func (in *SecretBackendInitParameters) DeepCopy() *SecretBackendInitParameters { + if in == nil { + return nil + } + out := new(SecretBackendInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendList) DeepCopyInto(out *SecretBackendList) { *out = *in 
@@ -895,6 +1180,70 @@ func (in *SecretBackendRole) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleInitParameters) { + *out = *in + if in.ApplicationObjectID != nil { + in, out := &in.ApplicationObjectID, &out.ApplicationObjectID + *out = new(string) + **out = **in + } + if in.AzureGroups != nil { + in, out := &in.AzureGroups, &out.AzureGroups + *out = make([]AzureGroupsInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.AzureRoles != nil { + in, out := &in.AzureRoles, &out.AzureRoles + *out = make([]AzureRolesInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.MaxTTL != nil { + in, out := &in.MaxTTL, &out.MaxTTL + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Role != nil { + in, out := &in.Role, &out.Role + *out = new(string) + **out = **in + } + if in.TTL != nil { + in, out := &in.TTL, &out.TTL + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleInitParameters. +func (in *SecretBackendRoleInitParameters) DeepCopy() *SecretBackendRoleInitParameters { + if in == nil { + return nil + } + out := new(SecretBackendRoleInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
func (in *SecretBackendRoleList) DeepCopyInto(out *SecretBackendRoleList) { *out = *in @@ -1065,6 +1414,7 @@ func (in *SecretBackendRoleSpec) DeepCopyInto(out *SecretBackendRoleSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleSpec. @@ -1099,6 +1449,7 @@ func (in *SecretBackendSpec) DeepCopyInto(out *SecretBackendSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendSpec. diff --git a/apis/azure/v1alpha1/zz_generated.managed.go b/apis/azure/v1alpha1/zz_generated.managed.go index 35d7b9e6..84919699 100644 --- a/apis/azure/v1alpha1/zz_generated.managed.go +++ b/apis/azure/v1alpha1/zz_generated.managed.go @@ -17,9 +17,9 @@ func (mg *AuthBackendConfig) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this AuthBackendConfig. -func (mg *AuthBackendConfig) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this AuthBackendConfig. +func (mg *AuthBackendConfig) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this AuthBackendConfig. 
@@ -55,9 +55,9 @@ func (mg *AuthBackendConfig) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this AuthBackendConfig. -func (mg *AuthBackendConfig) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this AuthBackendConfig. +func (mg *AuthBackendConfig) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this AuthBackendConfig. @@ -93,9 +93,9 @@ func (mg *AuthBackendRole) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this AuthBackendRole. -func (mg *AuthBackendRole) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this AuthBackendRole. +func (mg *AuthBackendRole) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this AuthBackendRole. @@ -131,9 +131,9 @@ func (mg *AuthBackendRole) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this AuthBackendRole. -func (mg *AuthBackendRole) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this AuthBackendRole. +func (mg *AuthBackendRole) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this AuthBackendRole. @@ -169,9 +169,9 @@ func (mg *SecretBackend) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackend. -func (mg *SecretBackend) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackend. +func (mg *SecretBackend) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackend. 
@@ -207,9 +207,9 @@ func (mg *SecretBackend) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackend. -func (mg *SecretBackend) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackend. +func (mg *SecretBackend) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackend. @@ -245,9 +245,9 @@ func (mg *SecretBackendRole) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackendRole. -func (mg *SecretBackendRole) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackendRole. +func (mg *SecretBackendRole) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackendRole. @@ -283,9 +283,9 @@ func (mg *SecretBackendRole) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackendRole. -func (mg *SecretBackendRole) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackendRole. +func (mg *SecretBackendRole) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackendRole. diff --git a/apis/azure/v1alpha1/zz_generated_terraformed.go b/apis/azure/v1alpha1/zz_generated_terraformed.go index 4fe0461a..4fab660b 100755 --- a/apis/azure/v1alpha1/zz_generated_terraformed.go +++ b/apis/azure/v1alpha1/zz_generated_terraformed.go 
@@ -69,6 +69,16 @@ func (tr *AuthBackendConfig) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this AuthBackendConfig +func (tr *AuthBackendConfig) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this AuthBackendConfig using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackendConfig) LateInitialize(attrs []byte) (bool, error) { @@ -143,6 +153,16 @@ func (tr *AuthBackendRole) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this AuthBackendRole +func (tr *AuthBackendRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this AuthBackendRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackendRole) LateInitialize(attrs []byte) (bool, error) { @@ -217,6 +237,16 @@ func (tr *SecretBackend) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackend +func (tr *SecretBackend) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackend using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { 
@@ -291,6 +321,16 @@ func (tr *SecretBackendRole) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackendRole +func (tr *SecretBackendRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackendRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackendRole) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/azure/v1alpha1/zz_secretbackend_types.go b/apis/azure/v1alpha1/zz_secretbackend_types.go index c5c43e25..b5a3ed19 100755 --- a/apis/azure/v1alpha1/zz_secretbackend_types.go +++ b/apis/azure/v1alpha1/zz_secretbackend_types.go 
@@ -13,35 +13,80 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretBackendInitParameters struct { + + // Human-friendly description of the mount for the backend. + Description *string `json:"description,omitempty" tf:"description,omitempty"` + + // If set, opts out of mount migration on path updates. + // See here for more info on Mount Migration + // If set, opts out of mount migration on path updates. + DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + + // The Azure environment. + // The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. + Environment *string `json:"environment,omitempty" tf:"environment,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The unique path this backend should be mounted at. Defaults to azure. + // Path to mount the backend at. + Path *string `json:"path,omitempty" tf:"path,omitempty"` + + // Indicates whether the secrets engine should use + // the Microsoft Graph API. This parameter has been deprecated and will be ignored in vault-1.12+. + // For more information, please refer to the Vault docs + // Use the Microsoft Graph API. Should be set to true on vault-1.10+ + UseMicrosoftGraphAPI *bool `json:"useMicrosoftGraphApi,omitempty" tf:"use_microsoft_graph_api,omitempty"` +} + type SecretBackendObservation struct { // Human-friendly description of the mount for the backend. Description *string `json:"description,omitempty" tf:"description,omitempty"` + // If set, opts out of mount migration on path updates. 
+ // See here for more info on Mount Migration // If set, opts out of mount migration on path updates. DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + // The Azure environment. // The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. Environment *string `json:"environment,omitempty" tf:"environment,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The unique path this backend should be mounted at. Defaults to azure. // Path to mount the backend at. Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Indicates whether the secrets engine should use + // the Microsoft Graph API. This parameter has been deprecated and will be ignored in vault-1.12+. + // For more information, please refer to the Vault docs // Use the Microsoft Graph API. Should be set to true on vault-1.10+ UseMicrosoftGraphAPI *bool `json:"useMicrosoftGraphApi,omitempty" tf:"use_microsoft_graph_api,omitempty"` } type SecretBackendParameters struct { + // The OAuth2 client id to connect to Azure. // The client id for credentials to query the Azure APIs. Currently read permissions to query compute resources are required. // +kubebuilder:validation:Optional ClientIDSecretRef *v1.SecretKeySelector `json:"clientIdSecretRef,omitempty" tf:"-"` + // The OAuth2 client secret to connect to Azure. // The client secret for credentials to query the Azure APIs // +kubebuilder:validation:Optional ClientSecretSecretRef *v1.SecretKeySelector `json:"clientSecretSecretRef,omitempty" tf:"-"` 
@@ -50,30 +95,43 @@ type SecretBackendParameters struct { // +kubebuilder:validation:Optional Description *string `json:"description,omitempty" tf:"description,omitempty"` + // If set, opts out of mount migration on path updates. + // See here for more info on Mount Migration // If set, opts out of mount migration on path updates. // +kubebuilder:validation:Optional DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + // The Azure environment. // The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. // +kubebuilder:validation:Optional Environment *string `json:"environment,omitempty" tf:"environment,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The unique path this backend should be mounted at. Defaults to azure. // Path to mount the backend at. // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` + // The subscription id for the Azure Active Directory. // The subscription id for the Azure Active Directory. // +kubebuilder:validation:Optional SubscriptionIDSecretRef v1.SecretKeySelector `json:"subscriptionIdSecretRef" tf:"-"` + // The tenant id for the Azure Active Directory. // The tenant id for the Azure Active Directory organization. // +kubebuilder:validation:Optional TenantIDSecretRef v1.SecretKeySelector `json:"tenantIdSecretRef" tf:"-"` + // Indicates whether the secrets engine should use + // the Microsoft Graph API. This parameter has been deprecated and will be ignored in vault-1.12+. 
+ // For more information, please refer to the Vault docs // Use the Microsoft Graph API. Should be set to true on vault-1.10+ // +kubebuilder:validation:Optional UseMicrosoftGraphAPI *bool `json:"useMicrosoftGraphApi,omitempty" tf:"use_microsoft_graph_api,omitempty"` @@ -83,6 +141,18 @@ type SecretBackendParameters struct { type SecretBackendSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretBackendInitParameters `json:"initProvider,omitempty"` } // SecretBackendStatus defines the observed state of SecretBackend. @@ -93,7 +163,7 @@ type SecretBackendStatus struct { // +kubebuilder:object:root=true -// SecretBackend is the Schema for the SecretBackends API. +// SecretBackend is the Schema for the SecretBackends API. Creates an azure secret backend for Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -103,8 +173,8 @@ type SecretBackendStatus struct { type SecretBackend struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.subscriptionIdSecretRef)",message="subscriptionIdSecretRef is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.tenantIdSecretRef)",message="tenantIdSecretRef is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.subscriptionIdSecretRef)",message="subscriptionIdSecretRef is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.tenantIdSecretRef)",message="tenantIdSecretRef is a required parameter" Spec SecretBackendSpec `json:"spec"` Status SecretBackendStatus `json:"status,omitempty"` } diff --git a/apis/azure/v1alpha1/zz_secretbackendrole_types.go b/apis/azure/v1alpha1/zz_secretbackendrole_types.go index 2b484c2c..060a9d31 100755 --- a/apis/azure/v1alpha1/zz_secretbackendrole_types.go +++ b/apis/azure/v1alpha1/zz_secretbackendrole_types.go @@ -13,6 +13,10 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AzureGroupsInitParameters struct { + GroupName *string `json:"groupName,omitempty" tf:"group_name,omitempty"` +} + type AzureGroupsObservation struct { GroupName *string `json:"groupName,omitempty" tf:"group_name,omitempty"` 
@@ -21,8 +25,16 @@ type AzureGroupsObservation struct { type AzureGroupsParameters struct { - // +kubebuilder:validation:Required - GroupName *string `json:"groupName" tf:"group_name,omitempty"` + // +kubebuilder:validation:Optional + GroupName *string `json:"groupName,omitempty" tf:"group_name,omitempty"` +} + +type AzureRolesInitParameters struct { + RoleID *string `json:"roleId,omitempty" tf:"role_id,omitempty"` + + RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"` + + Scope *string `json:"scope,omitempty" tf:"scope,omitempty"` } type AzureRolesObservation struct { 
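Review bot: Dropping `+kubebuilder:validation:Required` from `AzureGroupsParameters.GroupName` here, and from `AzureRolesParameters.Scope` in the next hunk (`@@ -41,19 +53,66 @@`), removes the only admission-time check on these nested list entries; the root-level CEL rule added later in this file covers `role` but not the elements of `azureGroups`/`azureRoles`, so an entry without a scope or group name is now accepted by the API server and only fails when the provider applies it to Vault. Presumably the generator relaxes these markers because the value may also arrive through `initProvider`, which a struct-level marker cannot express. If that is the intent, a field comment would spare the next reader a search, e.g. `// Required by Vault; may come from forProvider or initProvider, so not enforced at admission.`; if not, the struct-level marker should stay on the Parameters type.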
@@ -41,19 +53,66 @@ type AzureRolesParameters struct { // +kubebuilder:validation:Optional RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"` - // +kubebuilder:validation:Required - Scope *string `json:"scope" tf:"scope,omitempty"` + // +kubebuilder:validation:Optional + Scope *string `json:"scope,omitempty" tf:"scope,omitempty"` +} + +type SecretBackendRoleInitParameters struct { + + // Application Object ID for an existing service principal that will + // be used instead of creating dynamic service principals. If present, azure_roles will be ignored. + // Application Object ID for an existing service principal that will be used instead of creating dynamic service principals. + ApplicationObjectID *string `json:"applicationObjectId,omitempty" tf:"application_object_id,omitempty"` + + // List of Azure groups to be assigned to the generated service principal. + AzureGroups []AzureGroupsInitParameters `json:"azureGroups,omitempty" tf:"azure_groups,omitempty"` + + // List of Azure roles to be assigned to the generated service principal. + AzureRoles []AzureRolesInitParameters `json:"azureRoles,omitempty" tf:"azure_roles,omitempty"` + + // Path to the mounted Azure auth backend + // Unique name of the auth backend to configure. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // Human-friendly description of the mount for the backend. + Description *string `json:"description,omitempty" tf:"description,omitempty"` + + // – Specifies the maximum TTL for service principals generated using this role. Accepts time + // suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time. + // Human-friendly description of the mount for the backend. + MaxTTL *string `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. 
+ // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Name of the Azure role + // Name of the role to create + Role *string `json:"role,omitempty" tf:"role,omitempty"` + + // – Specifies the default TTL for service principals generated using this role. + // Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. + // Human-friendly description of the mount for the backend. + TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` } type SecretBackendRoleObservation struct { + // Application Object ID for an existing service principal that will + // be used instead of creating dynamic service principals. If present, azure_roles will be ignored. // Application Object ID for an existing service principal that will be used instead of creating dynamic service principals. ApplicationObjectID *string `json:"applicationObjectId,omitempty" tf:"application_object_id,omitempty"` + // List of Azure groups to be assigned to the generated service principal. AzureGroups []AzureGroupsObservation `json:"azureGroups,omitempty" tf:"azure_groups,omitempty"` + // List of Azure roles to be assigned to the generated service principal. AzureRoles []AzureRolesObservation `json:"azureRoles,omitempty" tf:"azure_roles,omitempty"` + // Path to the mounted Azure auth backend // Unique name of the auth backend to configure. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` 
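Review bot: The second description line on `MaxTTL` and `TTL` in `SecretBackendRoleInitParameters` reads `// Human-friendly description of the mount for the backend.`, which describes `Description`, not a TTL; the same mismatched line is carried into the Observation and Parameters structs in the following hunks (`@@ -62,31 +121,45 @@`, `@@ -95,18 +168,27 @@`). Because this text becomes the CRD field documentation, it is worth correcting at the schema source the generator reads rather than by hand in this file; a line such as `// Maximum TTL for service principals generated with this role; time-suffixed string or seconds.` would match the sentence above it, with the analogous wording for `TTL`.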
@@ -62,31 +121,45 @@ type SecretBackendRoleObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // – Specifies the maximum TTL for service principals generated using this role. Accepts time + // suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time. // Human-friendly description of the mount for the backend. MaxTTL *string `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Name of the Azure role // Name of the role to create Role *string `json:"role,omitempty" tf:"role,omitempty"` + // – Specifies the default TTL for service principals generated using this role. + // Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. // Human-friendly description of the mount for the backend. TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` } type SecretBackendRoleParameters struct { + // Application Object ID for an existing service principal that will + // be used instead of creating dynamic service principals. If present, azure_roles will be ignored. // Application Object ID for an existing service principal that will be used instead of creating dynamic service principals. // +kubebuilder:validation:Optional ApplicationObjectID *string `json:"applicationObjectId,omitempty" tf:"application_object_id,omitempty"` + // List of Azure groups to be assigned to the generated service principal. // +kubebuilder:validation:Optional AzureGroups []AzureGroupsParameters `json:"azureGroups,omitempty" tf:"azure_groups,omitempty"` + // List of Azure roles to be assigned to the generated service principal. 
// +kubebuilder:validation:Optional AzureRoles []AzureRolesParameters `json:"azureRoles,omitempty" tf:"azure_roles,omitempty"` + // Path to the mounted Azure auth backend // Unique name of the auth backend to configure. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` @@ -95,18 +168,27 @@ type SecretBackendRoleParameters struct { // +kubebuilder:validation:Optional Description *string `json:"description,omitempty" tf:"description,omitempty"` + // – Specifies the maximum TTL for service principals generated using this role. Accepts time + // suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time. // Human-friendly description of the mount for the backend. // +kubebuilder:validation:Optional MaxTTL *string `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Name of the Azure role // Name of the role to create // +kubebuilder:validation:Optional Role *string `json:"role,omitempty" tf:"role,omitempty"` + // – Specifies the default TTL for service principals generated using this role. + // Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. // Human-friendly description of the mount for the backend. // +kubebuilder:validation:Optional TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` 
@@ -116,6 +198,18 @@ type SecretBackendRoleParameters struct { type SecretBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendRoleParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretBackendRoleInitParameters `json:"initProvider,omitempty"` } // SecretBackendRoleStatus defines the observed state of SecretBackendRole. @@ -126,7 +220,7 @@ type SecretBackendRoleStatus struct { // +kubebuilder:object:root=true -// SecretBackendRole is the Schema for the SecretBackendRoles API. +// SecretBackendRole is the Schema for the SecretBackendRoles API. Creates an azure secret backend role for Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -136,7 +230,7 @@ type SecretBackendRoleStatus struct { type SecretBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.role)",message="role is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.role) || has(self.initProvider.role)",message="role is a required parameter" Spec SecretBackendRoleSpec `json:"spec"` Status SecretBackendRoleStatus `json:"status,omitempty"` } diff --git a/apis/cert/v1alpha1/zz_authbackendrole_types.go b/apis/cert/v1alpha1/zz_authbackendrole_types.go index 5210ccda..694ae54c 100755 --- a/apis/cert/v1alpha1/zz_authbackendrole_types.go +++ b/apis/cert/v1alpha1/zz_authbackendrole_types.go 
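Review bot: The rewritten XValidation rule on this SecretBackendRole type accepts `has(self.initProvider.role)` as satisfying the role requirement, yet the InitProvider doc comment added in the preceding `@@ -116` hunk states the field is not honored unless the relevant Crossplane feature flag is enabled. With the flag off, a manifest that sets `role` only under `initProvider` passes admission, and the missing parameter would presumably surface only when the controller attempts the create at reconcile time. The same rule shape is emitted for `certificate`/`name` on AuthBackendRole and for `address` on the Consul SecretBackend later in this diff. Since these files are generated, the generator template is the place to address it; at minimum a marker comment such as `// initProvider.<field> satisfies this rule only when the InitProvider feature flag is enabled` alongside the XValidation line would make the admission/reconcile gap visible to users.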
@@ -13,6 +13,62 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AuthBackendRoleInitParameters struct { + AllowedCommonNames []*string `json:"allowedCommonNames,omitempty" tf:"allowed_common_names,omitempty"` + + AllowedDNSSans []*string `json:"allowedDnsSans,omitempty" tf:"allowed_dns_sans,omitempty"` + + AllowedEmailSans []*string `json:"allowedEmailSans,omitempty" tf:"allowed_email_sans,omitempty"` + + AllowedNames []*string `json:"allowedNames,omitempty" tf:"allowed_names,omitempty"` + + AllowedOrganizationUnits []*string `json:"allowedOrganizationUnits,omitempty" tf:"allowed_organization_units,omitempty"` + + AllowedOrganizationalUnits []*string `json:"allowedOrganizationalUnits,omitempty" tf:"allowed_organizational_units,omitempty"` + + AllowedURISans []*string `json:"allowedUriSans,omitempty" tf:"allowed_uri_sans,omitempty"` + + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + Certificate *string `json:"certificate,omitempty" tf:"certificate,omitempty"` + + DisplayName *string `json:"displayName,omitempty" tf:"display_name,omitempty"` + + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // Target namespace. 
(requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + RequiredExtensions []*string `json:"requiredExtensions,omitempty" tf:"required_extensions,omitempty"` + + // Specifies the blocks of IP addresses which are allowed to use the generated token + TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + + // Generated Token's Explicit Maximum TTL in seconds + TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + + // The maximum lifetime of the generated token + TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + + // If true, the 'default' policy will not automatically be added to generated tokens + TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + + // The maximum number of times a token may be used, a value of zero means unlimited + TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + + // Generated Token's Period + TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + + // Generated Token's Policies + TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + + // The initial ttl of the token to generate in seconds + TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + + // The type of token to generate, service or batch + TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` +} + type AuthBackendRoleObservation struct { AllowedCommonNames []*string `json:"allowedCommonNames,omitempty" tf:"allowed_common_names,omitempty"` 
@@ -154,6 +210,18 @@ type AuthBackendRoleParameters struct { type AuthBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendRoleParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider AuthBackendRoleInitParameters `json:"initProvider,omitempty"` } // AuthBackendRoleStatus defines the observed state of AuthBackendRole. 
@@ -174,8 +242,8 @@ type AuthBackendRoleStatus struct { type AuthBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.certificate)",message="certificate is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.certificate) || has(self.initProvider.certificate)",message="certificate is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" Spec AuthBackendRoleSpec `json:"spec"` Status AuthBackendRoleStatus `json:"status,omitempty"` } diff --git a/apis/cert/v1alpha1/zz_generated.deepcopy.go b/apis/cert/v1alpha1/zz_generated.deepcopy.go index 792fdc73..106e31c9 100644 --- a/apis/cert/v1alpha1/zz_generated.deepcopy.go +++ b/apis/cert/v1alpha1/zz_generated.deepcopy.go 
@@ -40,6 +40,191 @@ func (in *AuthBackendRole) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendRoleInitParameters) DeepCopyInto(out *AuthBackendRoleInitParameters) { + *out = *in + if in.AllowedCommonNames != nil { + in, out := &in.AllowedCommonNames, &out.AllowedCommonNames + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.AllowedDNSSans != nil { + in, out := &in.AllowedDNSSans, &out.AllowedDNSSans + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.AllowedEmailSans != nil { + in, out := &in.AllowedEmailSans, &out.AllowedEmailSans + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.AllowedNames != nil { + in, out := &in.AllowedNames, &out.AllowedNames + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.AllowedOrganizationUnits != nil { + in, out := &in.AllowedOrganizationUnits, &out.AllowedOrganizationUnits + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.AllowedOrganizationalUnits != nil { + in, out := &in.AllowedOrganizationalUnits, &out.AllowedOrganizationalUnits + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.AllowedURISans != nil { + in, out := &in.AllowedURISans, &out.AllowedURISans + *out = make([]*string, 
len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.Certificate != nil { + in, out := &in.Certificate, &out.Certificate + *out = new(string) + **out = **in + } + if in.DisplayName != nil { + in, out := &in.DisplayName, &out.DisplayName + *out = new(string) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.RequiredExtensions != nil { + in, out := &in.RequiredExtensions, &out.RequiredExtensions + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenBoundCidrs != nil { + in, out := &in.TokenBoundCidrs, &out.TokenBoundCidrs + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenExplicitMaxTTL != nil { + in, out := &in.TokenExplicitMaxTTL, &out.TokenExplicitMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenMaxTTL != nil { + in, out := &in.TokenMaxTTL, &out.TokenMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenNoDefaultPolicy != nil { + in, out := &in.TokenNoDefaultPolicy, &out.TokenNoDefaultPolicy + *out = new(bool) + **out = **in + } + if in.TokenNumUses != nil { + in, out := &in.TokenNumUses, &out.TokenNumUses + *out = new(float64) + **out = **in + } + if in.TokenPeriod != nil { + in, out := &in.TokenPeriod, &out.TokenPeriod + *out = new(float64) + **out = **in + } + if in.TokenPolicies != nil { + in, out := &in.TokenPolicies, &out.TokenPolicies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, 
out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenTTL != nil { + in, out := &in.TokenTTL, &out.TokenTTL + *out = new(float64) + **out = **in + } + if in.TokenType != nil { + in, out := &in.TokenType, &out.TokenType + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleInitParameters. +func (in *AuthBackendRoleInitParameters) DeepCopy() *AuthBackendRoleInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendRoleInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthBackendRoleList) DeepCopyInto(out *AuthBackendRoleList) { *out = *in @@ -452,6 +637,7 @@ func (in *AuthBackendRoleSpec) DeepCopyInto(out *AuthBackendRoleSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleSpec. diff --git a/apis/cert/v1alpha1/zz_generated.managed.go b/apis/cert/v1alpha1/zz_generated.managed.go index b79200d3..836c358b 100644 --- a/apis/cert/v1alpha1/zz_generated.managed.go +++ b/apis/cert/v1alpha1/zz_generated.managed.go @@ -17,9 +17,9 @@ func (mg *AuthBackendRole) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this AuthBackendRole. -func (mg *AuthBackendRole) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this AuthBackendRole. +func (mg *AuthBackendRole) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this AuthBackendRole. 
@@ -55,9 +55,9 @@ func (mg *AuthBackendRole) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this AuthBackendRole. -func (mg *AuthBackendRole) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this AuthBackendRole. +func (mg *AuthBackendRole) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this AuthBackendRole. diff --git a/apis/cert/v1alpha1/zz_generated_terraformed.go b/apis/cert/v1alpha1/zz_generated_terraformed.go index c4bb5dc6..ed335fd8 100755 --- a/apis/cert/v1alpha1/zz_generated_terraformed.go +++ b/apis/cert/v1alpha1/zz_generated_terraformed.go @@ -69,6 +69,16 @@ func (tr *AuthBackendRole) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this AuthBackendRole +func (tr *AuthBackendRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this AuthBackendRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackendRole) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/consul/v1alpha1/zz_generated.deepcopy.go b/apis/consul/v1alpha1/zz_generated.deepcopy.go index 09a021ab..0bb69d13 100644 --- a/apis/consul/v1alpha1/zz_generated.deepcopy.go +++ b/apis/consul/v1alpha1/zz_generated.deepcopy.go 
@@ -41,6 +41,76 @@ func (in *SecretBackend) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParameters) { + *out = *in + if in.Address != nil { + in, out := &in.Address, &out.Address + *out = new(string) + **out = **in + } + if in.Bootstrap != nil { + in, out := &in.Bootstrap, &out.Bootstrap + *out = new(bool) + **out = **in + } + if in.CACert != nil { + in, out := &in.CACert, &out.CACert + *out = new(string) + **out = **in + } + if in.DefaultLeaseTTLSeconds != nil { + in, out := &in.DefaultLeaseTTLSeconds, &out.DefaultLeaseTTLSeconds + *out = new(float64) + **out = **in + } + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.DisableRemount != nil { + in, out := &in.DisableRemount, &out.DisableRemount + *out = new(bool) + **out = **in + } + if in.Local != nil { + in, out := &in.Local, &out.Local + *out = new(bool) + **out = **in + } + if in.MaxLeaseTTLSeconds != nil { + in, out := &in.MaxLeaseTTLSeconds, &out.MaxLeaseTTLSeconds + *out = new(float64) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = **in + } + if in.Scheme != nil { + in, out := &in.Scheme, &out.Scheme + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendInitParameters. +func (in *SecretBackendInitParameters) DeepCopy() *SecretBackendInitParameters { + if in == nil { + return nil + } + out := new(SecretBackendInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
func (in *SecretBackendList) DeepCopyInto(out *SecretBackendList) { *out = *in 
@@ -260,6 +330,121 @@ func (in *SecretBackendRole) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleInitParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.ConsulNamespace != nil { + in, out := &in.ConsulNamespace, &out.ConsulNamespace + *out = new(string) + **out = **in + } + if in.ConsulPolicies != nil { + in, out := &in.ConsulPolicies, &out.ConsulPolicies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.ConsulRoles != nil { + in, out := &in.ConsulRoles, &out.ConsulRoles + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Local != nil { + in, out := &in.Local, &out.Local + *out = new(bool) + **out = **in + } + if in.MaxTTL != nil { + in, out := &in.MaxTTL, &out.MaxTTL + *out = new(float64) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.NodeIdentities != nil { + in, out := &in.NodeIdentities, &out.NodeIdentities + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Partition != nil { + in, out := &in.Partition, &out.Partition + *out = new(string) + **out = **in + } + if in.Policies != nil { + in, out := &in.Policies, &out.Policies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = 
new(string) + **out = **in + } + } + } + if in.ServiceIdentities != nil { + in, out := &in.ServiceIdentities, &out.ServiceIdentities + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TTL != nil { + in, out := &in.TTL, &out.TTL + *out = new(float64) + **out = **in + } + if in.TokenType != nil { + in, out := &in.TokenType, &out.TokenType + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleInitParameters. +func (in *SecretBackendRoleInitParameters) DeepCopy() *SecretBackendRoleInitParameters { + if in == nil { + return nil + } + out := new(SecretBackendRoleInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendRoleList) DeepCopyInto(out *SecretBackendRoleList) { *out = *in @@ -532,6 +717,7 @@ func (in *SecretBackendRoleSpec) DeepCopyInto(out *SecretBackendRoleSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleSpec. @@ -566,6 +752,7 @@ func (in *SecretBackendSpec) DeepCopyInto(out *SecretBackendSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendSpec. diff --git a/apis/consul/v1alpha1/zz_generated.managed.go b/apis/consul/v1alpha1/zz_generated.managed.go index 5b479260..d73589a2 100644 --- a/apis/consul/v1alpha1/zz_generated.managed.go +++ b/apis/consul/v1alpha1/zz_generated.managed.go 
@@ -17,9 +17,9 @@ func (mg *SecretBackend) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackend. -func (mg *SecretBackend) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackend. +func (mg *SecretBackend) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackend. @@ -55,9 +55,9 @@ func (mg *SecretBackend) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackend. -func (mg *SecretBackend) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackend. +func (mg *SecretBackend) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackend. @@ -93,9 +93,9 @@ func (mg *SecretBackendRole) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackendRole. -func (mg *SecretBackendRole) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackendRole. +func (mg *SecretBackendRole) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackendRole. @@ -131,9 +131,9 @@ func (mg *SecretBackendRole) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackendRole. -func (mg *SecretBackendRole) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackendRole. +func (mg *SecretBackendRole) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackendRole. 
diff --git a/apis/consul/v1alpha1/zz_generated_terraformed.go b/apis/consul/v1alpha1/zz_generated_terraformed.go index bef70c46..1072eeb6 100755 --- a/apis/consul/v1alpha1/zz_generated_terraformed.go +++ b/apis/consul/v1alpha1/zz_generated_terraformed.go @@ -69,6 +69,16 @@ func (tr *SecretBackend) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackend +func (tr *SecretBackend) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackend using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { @@ -143,6 +153,16 @@ func (tr *SecretBackendRole) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackendRole +func (tr *SecretBackendRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackendRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackendRole) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/consul/v1alpha1/zz_secretbackend_types.go b/apis/consul/v1alpha1/zz_secretbackend_types.go index 1eb59339..236faa34 100755 --- a/apis/consul/v1alpha1/zz_secretbackend_types.go +++ b/apis/consul/v1alpha1/zz_secretbackend_types.go 
@@ -13,98 +13,191 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretBackendInitParameters struct { + + // Specifies the address of the Consul instance, provided as "host:port" like "127.0.0.1:8500". + // Specifies the address of the Consul instance, provided as "host:port" like "127.0.0.1:8500". + Address *string `json:"address,omitempty" tf:"address,omitempty"` + + // Denotes that the resource is used to bootstrap the Consul ACL system. + // Denotes a backend resource that is used to bootstrap the Consul ACL system. Only one resource may be used to bootstrap. + Bootstrap *bool `json:"bootstrap,omitempty" tf:"bootstrap,omitempty"` + + // CA certificate to use when verifying Consul server certificate, must be x509 PEM encoded. + // CA certificate to use when verifying Consul server certificate, must be x509 PEM encoded. + CACert *string `json:"caCert,omitempty" tf:"ca_cert,omitempty"` + + // The default TTL for credentials issued by this backend. + // Default lease duration for secrets in seconds + DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + + // A human-friendly description for this backend. + // Human-friendly description of the mount for the backend. + Description *string `json:"description,omitempty" tf:"description,omitempty"` + + // If set, opts out of mount migration on path updates. + // See here for more info on Mount Migration + // If set, opts out of mount migration on path updates. + DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + + // Specifies if the secret backend is local only. + // Specifies if the secret backend is local only + Local *bool `json:"local,omitempty" tf:"local,omitempty"` + + // The maximum TTL that can be requested + // for credentials issued by this backend. 
+ // Maximum possible lease duration for secrets in seconds + MaxLeaseTTLSeconds *float64 `json:"maxLeaseTtlSeconds,omitempty" tf:"max_lease_ttl_seconds,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The unique location this backend should be mounted at. Must not begin or end with a /. Defaults + // to consul. + // Unique name of the Vault Consul mount to configure + Path *string `json:"path,omitempty" tf:"path,omitempty"` + + // Specifies the URL scheme to use. Defaults to http. + // Specifies the URL scheme to use. Defaults to "http". + Scheme *string `json:"scheme,omitempty" tf:"scheme,omitempty"` +} + type SecretBackendObservation struct { + // Specifies the address of the Consul instance, provided as "host:port" like "127.0.0.1:8500". // Specifies the address of the Consul instance, provided as "host:port" like "127.0.0.1:8500". Address *string `json:"address,omitempty" tf:"address,omitempty"` + // Denotes that the resource is used to bootstrap the Consul ACL system. // Denotes a backend resource that is used to bootstrap the Consul ACL system. Only one resource may be used to bootstrap. Bootstrap *bool `json:"bootstrap,omitempty" tf:"bootstrap,omitempty"` + // CA certificate to use when verifying Consul server certificate, must be x509 PEM encoded. // CA certificate to use when verifying Consul server certificate, must be x509 PEM encoded. CACert *string `json:"caCert,omitempty" tf:"ca_cert,omitempty"` + // The default TTL for credentials issued by this backend. 
// Default lease duration for secrets in seconds DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // A human-friendly description for this backend. // Human-friendly description of the mount for the backend. Description *string `json:"description,omitempty" tf:"description,omitempty"` + // If set, opts out of mount migration on path updates. + // See here for more info on Mount Migration // If set, opts out of mount migration on path updates. DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // Specifies if the secret backend is local only. // Specifies if the secret backend is local only Local *bool `json:"local,omitempty" tf:"local,omitempty"` + // The maximum TTL that can be requested + // for credentials issued by this backend. // Maximum possible lease duration for secrets in seconds MaxLeaseTTLSeconds *float64 `json:"maxLeaseTtlSeconds,omitempty" tf:"max_lease_ttl_seconds,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The unique location this backend should be mounted at. Must not begin or end with a /. Defaults + // to consul. // Unique name of the Vault Consul mount to configure Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Specifies the URL scheme to use. Defaults to http. // Specifies the URL scheme to use. Defaults to "http". Scheme *string `json:"scheme,omitempty" tf:"scheme,omitempty"` } type SecretBackendParameters struct { + // Specifies the address of the Consul instance, provided as "host:port" like "127.0.0.1:8500". 
// Specifies the address of the Consul instance, provided as "host:port" like "127.0.0.1:8500". // +kubebuilder:validation:Optional Address *string `json:"address,omitempty" tf:"address,omitempty"` + // Denotes that the resource is used to bootstrap the Consul ACL system. // Denotes a backend resource that is used to bootstrap the Consul ACL system. Only one resource may be used to bootstrap. // +kubebuilder:validation:Optional Bootstrap *bool `json:"bootstrap,omitempty" tf:"bootstrap,omitempty"` + // CA certificate to use when verifying Consul server certificate, must be x509 PEM encoded. // CA certificate to use when verifying Consul server certificate, must be x509 PEM encoded. // +kubebuilder:validation:Optional CACert *string `json:"caCert,omitempty" tf:"ca_cert,omitempty"` + // Client certificate used for Consul's TLS communication, must be x509 PEM encoded and if + // this is set you need to also set client_key. // Client certificate used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_key. // +kubebuilder:validation:Optional ClientCertSecretRef *v1.SecretKeySelector `json:"clientCertSecretRef,omitempty" tf:"-"` + // Client key used for Consul's TLS communication, must be x509 PEM encoded and if this is set + // you need to also set client_cert. // Client key used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert. // +kubebuilder:validation:Optional ClientKeySecretRef *v1.SecretKeySelector `json:"clientKeySecretRef,omitempty" tf:"-"` + // The default TTL for credentials issued by this backend. // Default lease duration for secrets in seconds // +kubebuilder:validation:Optional DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // A human-friendly description for this backend. // Human-friendly description of the mount for the backend. 
// +kubebuilder:validation:Optional Description *string `json:"description,omitempty" tf:"description,omitempty"` + // If set, opts out of mount migration on path updates. + // See here for more info on Mount Migration // If set, opts out of mount migration on path updates. // +kubebuilder:validation:Optional DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + // Specifies if the secret backend is local only. // Specifies if the secret backend is local only // +kubebuilder:validation:Optional Local *bool `json:"local,omitempty" tf:"local,omitempty"` + // The maximum TTL that can be requested + // for credentials issued by this backend. // Maximum possible lease duration for secrets in seconds // +kubebuilder:validation:Optional MaxLeaseTTLSeconds *float64 `json:"maxLeaseTtlSeconds,omitempty" tf:"max_lease_ttl_seconds,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The unique location this backend should be mounted at. Must not begin or end with a /. Defaults + // to consul. // Unique name of the Vault Consul mount to configure // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Specifies the URL scheme to use. Defaults to http. // Specifies the URL scheme to use. Defaults to "http". // +kubebuilder:validation:Optional Scheme *string `json:"scheme,omitempty" tf:"scheme,omitempty"` + // The Consul management token this backend should use to issue new tokens. This field is required + // when bootstrap is false. // Specifies the Consul token to use when managing or issuing new tokens. 
// +kubebuilder:validation:Optional TokenSecretRef *v1.SecretKeySelector `json:"tokenSecretRef,omitempty" tf:"-"` @@ -114,6 +207,18 @@ type SecretBackendParameters struct { type SecretBackendSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretBackendInitParameters `json:"initProvider,omitempty"` } // SecretBackendStatus defines the observed state of SecretBackend. @@ -124,7 +229,7 @@ type SecretBackendStatus struct { // +kubebuilder:object:root=true -// SecretBackend is the Schema for the SecretBackends API. +// SecretBackend is the Schema for the SecretBackends API. Creates a Consul secret backend for Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -134,7 +239,7 @@ type SecretBackendStatus struct { type SecretBackend struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.address)",message="address is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.address) || has(self.initProvider.address)",message="address is a required parameter" Spec SecretBackendSpec `json:"spec"` Status SecretBackendStatus `json:"status,omitempty"` } diff --git a/apis/consul/v1alpha1/zz_secretbackendrole_types.go b/apis/consul/v1alpha1/zz_secretbackendrole_types.go index 2152751d..13791ebe 100755 --- a/apis/consul/v1alpha1/zz_secretbackendrole_types.go +++ b/apis/consul/v1alpha1/zz_secretbackendrole_types.go 
@@ -13,111 +13,233 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretBackendRoleInitParameters struct { + + // The unique name of an existing Consul secrets backend mount. Must not begin or end with a /. One of path or backend is required. + // The path of the Consul Secret Backend the role belongs to. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // The Consul namespace that the token will be created in. + // Applicable for Vault 1.10+ and Consul 1.7+". + // The Consul namespace that the token will be created in. Applicable for Vault 1.10+ and Consul 1.7+ + ConsulNamespace *string `json:"consulNamespace,omitempty" tf:"consul_namespace,omitempty"` + + // SEE NOTE The list of Consul ACL policies to associate with these roles. + // List of Consul policies to associate with this role + ConsulPolicies []*string `json:"consulPolicies,omitempty" tf:"consul_policies,omitempty"` + + // SEE NOTE Set of Consul roles to attach to the token. + // Applicable for Vault 1.10+ with Consul 1.5+. + // Set of Consul roles to attach to the token. Applicable for Vault 1.10+ with Consul 1.5+ + ConsulRoles []*string `json:"consulRoles,omitempty" tf:"consul_roles,omitempty"` + + // Indicates that the token should not be replicated globally and instead be local to the current datacenter. + // Indicates that the token should not be replicated globally and instead be local to the current datacenter. + Local *bool `json:"local,omitempty" tf:"local,omitempty"` + + // Maximum TTL for leases associated with this role, in seconds. + // Maximum TTL for leases associated with this role, in seconds. + MaxTTL *float64 `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` + + // The name of the Consul secrets engine role to create. + // The name of an existing role against which to create this Consul credential + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. 
+ // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // SEE NOTE Set of Consul node + // identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.8+. + // Set of Consul node identities to attach to + // the token. Applicable for Vault 1.11+ with Consul 1.8+ + NodeIdentities []*string `json:"nodeIdentities,omitempty" tf:"node_identities,omitempty"` + + // The admin partition that the token will be created in. + // Applicable for Vault 1.10+ and Consul 1.11+". + // The Consul admin partition that the token will be created in. Applicable for Vault 1.10+ and Consul 1.11+ + Partition *string `json:"partition,omitempty" tf:"partition,omitempty"` + + // The list of Consul ACL policies to associate with these roles. + // NOTE: The new parameter consul_policies should be used in favor of this. This parameter, + // policies, remains supported for legacy users, but Vault has deprecated this field. + // List of Consul policies to associate with this role + Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` + + // SEE NOTE Set of Consul + // service identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.5+. + // Set of Consul service identities to attach to + // the token. Applicable for Vault 1.11+ with Consul 1.5+ + ServiceIdentities []*string `json:"serviceIdentities,omitempty" tf:"service_identities,omitempty"` + + // Specifies the TTL for this role. + // Specifies the TTL for this role. + TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"` + + // Specifies the type of token to create when using this role. Valid values are "client" or "management". + // Deprecated: Consul 1.11 and later removed the legacy ACL system which supported this field. 
+ // Specifies the type of token to create when using this role. Valid values are "client" or "management". + TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` +} + type SecretBackendRoleObservation struct { + // The unique name of an existing Consul secrets backend mount. Must not begin or end with a /. One of path or backend is required. // The path of the Consul Secret Backend the role belongs to. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // The Consul namespace that the token will be created in. + // Applicable for Vault 1.10+ and Consul 1.7+". // The Consul namespace that the token will be created in. Applicable for Vault 1.10+ and Consul 1.7+ ConsulNamespace *string `json:"consulNamespace,omitempty" tf:"consul_namespace,omitempty"` + // SEE NOTE The list of Consul ACL policies to associate with these roles. // List of Consul policies to associate with this role ConsulPolicies []*string `json:"consulPolicies,omitempty" tf:"consul_policies,omitempty"` + // SEE NOTE Set of Consul roles to attach to the token. + // Applicable for Vault 1.10+ with Consul 1.5+. // Set of Consul roles to attach to the token. Applicable for Vault 1.10+ with Consul 1.5+ ConsulRoles []*string `json:"consulRoles,omitempty" tf:"consul_roles,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // Indicates that the token should not be replicated globally and instead be local to the current datacenter. // Indicates that the token should not be replicated globally and instead be local to the current datacenter. Local *bool `json:"local,omitempty" tf:"local,omitempty"` + // Maximum TTL for leases associated with this role, in seconds. // Maximum TTL for leases associated with this role, in seconds. MaxTTL *float64 `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` + // The name of the Consul secrets engine role to create. 
// The name of an existing role against which to create this Consul credential Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // SEE NOTE Set of Consul node + // identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.8+. // Set of Consul node identities to attach to // the token. Applicable for Vault 1.11+ with Consul 1.8+ NodeIdentities []*string `json:"nodeIdentities,omitempty" tf:"node_identities,omitempty"` + // The admin partition that the token will be created in. + // Applicable for Vault 1.10+ and Consul 1.11+". // The Consul admin partition that the token will be created in. Applicable for Vault 1.10+ and Consul 1.11+ Partition *string `json:"partition,omitempty" tf:"partition,omitempty"` + // The list of Consul ACL policies to associate with these roles. + // NOTE: The new parameter consul_policies should be used in favor of this. This parameter, + // policies, remains supported for legacy users, but Vault has deprecated this field. // List of Consul policies to associate with this role Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` + // SEE NOTE Set of Consul + // service identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.5+. // Set of Consul service identities to attach to // the token. Applicable for Vault 1.11+ with Consul 1.5+ ServiceIdentities []*string `json:"serviceIdentities,omitempty" tf:"service_identities,omitempty"` + // Specifies the TTL for this role. // Specifies the TTL for this role. TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"` + // Specifies the type of token to create when using this role. 
Valid values are "client" or "management". + // Deprecated: Consul 1.11 and later removed the legacy ACL system which supported this field. // Specifies the type of token to create when using this role. Valid values are "client" or "management". TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` } type SecretBackendRoleParameters struct { + // The unique name of an existing Consul secrets backend mount. Must not begin or end with a /. One of path or backend is required. // The path of the Consul Secret Backend the role belongs to. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // The Consul namespace that the token will be created in. + // Applicable for Vault 1.10+ and Consul 1.7+". // The Consul namespace that the token will be created in. Applicable for Vault 1.10+ and Consul 1.7+ // +kubebuilder:validation:Optional ConsulNamespace *string `json:"consulNamespace,omitempty" tf:"consul_namespace,omitempty"` + // SEE NOTE The list of Consul ACL policies to associate with these roles. // List of Consul policies to associate with this role // +kubebuilder:validation:Optional ConsulPolicies []*string `json:"consulPolicies,omitempty" tf:"consul_policies,omitempty"` + // SEE NOTE Set of Consul roles to attach to the token. + // Applicable for Vault 1.10+ with Consul 1.5+. // Set of Consul roles to attach to the token. Applicable for Vault 1.10+ with Consul 1.5+ // +kubebuilder:validation:Optional ConsulRoles []*string `json:"consulRoles,omitempty" tf:"consul_roles,omitempty"` + // Indicates that the token should not be replicated globally and instead be local to the current datacenter. // Indicates that the token should not be replicated globally and instead be local to the current datacenter. // +kubebuilder:validation:Optional Local *bool `json:"local,omitempty" tf:"local,omitempty"` + // Maximum TTL for leases associated with this role, in seconds. 
// Maximum TTL for leases associated with this role, in seconds. // +kubebuilder:validation:Optional MaxTTL *float64 `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` + // The name of the Consul secrets engine role to create. // The name of an existing role against which to create this Consul credential // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // SEE NOTE Set of Consul node + // identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.8+. // Set of Consul node identities to attach to // the token. Applicable for Vault 1.11+ with Consul 1.8+ // +kubebuilder:validation:Optional NodeIdentities []*string `json:"nodeIdentities,omitempty" tf:"node_identities,omitempty"` + // The admin partition that the token will be created in. + // Applicable for Vault 1.10+ and Consul 1.11+". // The Consul admin partition that the token will be created in. Applicable for Vault 1.10+ and Consul 1.11+ // +kubebuilder:validation:Optional Partition *string `json:"partition,omitempty" tf:"partition,omitempty"` + // The list of Consul ACL policies to associate with these roles. + // NOTE: The new parameter consul_policies should be used in favor of this. This parameter, + // policies, remains supported for legacy users, but Vault has deprecated this field. // List of Consul policies to associate with this role // +kubebuilder:validation:Optional Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` + // SEE NOTE Set of Consul + // service identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.5+. 
// Set of Consul service identities to attach to // the token. Applicable for Vault 1.11+ with Consul 1.5+ // +kubebuilder:validation:Optional ServiceIdentities []*string `json:"serviceIdentities,omitempty" tf:"service_identities,omitempty"` + // Specifies the TTL for this role. // Specifies the TTL for this role. // +kubebuilder:validation:Optional TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"` + // Specifies the type of token to create when using this role. Valid values are "client" or "management". + // Deprecated: Consul 1.11 and later removed the legacy ACL system which supported this field. // Specifies the type of token to create when using this role. Valid values are "client" or "management". // +kubebuilder:validation:Optional TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` @@ -127,6 +249,18 @@ type SecretBackendRoleParameters struct { type SecretBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendRoleParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretBackendRoleInitParameters `json:"initProvider,omitempty"` } // SecretBackendRoleStatus defines the observed state of SecretBackendRole. 
@@ -137,7 +271,7 @@ type SecretBackendRoleStatus struct { // +kubebuilder:object:root=true -// SecretBackendRole is the Schema for the SecretBackendRoles API. +// SecretBackendRole is the Schema for the SecretBackendRoles API. Manages a Consul secrets role for a Consul secrets engine in Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" @@ -147,7 +281,7 @@ type SecretBackendRoleStatus struct { type SecretBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" Spec SecretBackendRoleSpec `json:"spec"` Status SecretBackendRoleStatus `json:"status,omitempty"` } diff --git a/apis/database/v1alpha1/zz_generated.deepcopy.go b/apis/database/v1alpha1/zz_generated.deepcopy.go index 2bd013e1..97a9324f 100644 --- a/apis/database/v1alpha1/zz_generated.deepcopy.go +++ b/apis/database/v1alpha1/zz_generated.deepcopy.go 
@@ -14,6 +14,62 @@ import ( runtime "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CassandraInitParameters) DeepCopyInto(out *CassandraInitParameters) { + *out = *in + if in.ConnectTimeout != nil { + in, out := &in.ConnectTimeout, &out.ConnectTimeout + *out = new(float64) + **out = **in + } + if in.Hosts != nil { + in, out := &in.Hosts, &out.Hosts + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.InsecureTLS != nil { + in, out := &in.InsecureTLS, &out.InsecureTLS + *out = new(bool) + **out = **in + } + if in.Port != nil { + in, out := &in.Port, &out.Port + *out = new(float64) + **out = **in + } + if in.ProtocolVersion != nil { + in, out := &in.ProtocolVersion, &out.ProtocolVersion + *out = new(float64) + **out = **in + } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(bool) + **out = **in + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CassandraInitParameters. +func (in *CassandraInitParameters) DeepCopy() *CassandraInitParameters { + if in == nil { + return nil + } + out := new(CassandraInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CassandraObservation) DeepCopyInto(out *CassandraObservation) { *out = *in 
@@ -141,6 +197,57 @@ func (in *CassandraParameters) DeepCopy() *CassandraParameters { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CouchbaseInitParameters) DeepCopyInto(out *CouchbaseInitParameters) { + *out = *in + if in.BucketName != nil { + in, out := &in.BucketName, &out.BucketName + *out = new(string) + **out = **in + } + if in.Hosts != nil { + in, out := &in.Hosts, &out.Hosts + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.InsecureTLS != nil { + in, out := &in.InsecureTLS, &out.InsecureTLS + *out = new(bool) + **out = **in + } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(bool) + **out = **in + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CouchbaseInitParameters. +func (in *CouchbaseInitParameters) DeepCopy() *CouchbaseInitParameters { + if in == nil { + return nil + } + out := new(CouchbaseInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CouchbaseObservation) DeepCopyInto(out *CouchbaseObservation) { *out = *in 
@@ -249,6 +356,66 @@ func (in *CouchbaseParameters) DeepCopy() *CouchbaseParameters { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ElasticsearchInitParameters) DeepCopyInto(out *ElasticsearchInitParameters) { + *out = *in + if in.CACert != nil { + in, out := &in.CACert, &out.CACert + *out = new(string) + **out = **in + } + if in.CAPath != nil { + in, out := &in.CAPath, &out.CAPath + *out = new(string) + **out = **in + } + if in.ClientCert != nil { + in, out := &in.ClientCert, &out.ClientCert + *out = new(string) + **out = **in + } + if in.ClientKey != nil { + in, out := &in.ClientKey, &out.ClientKey + *out = new(string) + **out = **in + } + if in.Insecure != nil { + in, out := &in.Insecure, &out.Insecure + *out = new(bool) + **out = **in + } + if in.TLSServerName != nil { + in, out := &in.TLSServerName, &out.TLSServerName + *out = new(string) + **out = **in + } + if in.URL != nil { + in, out := &in.URL, &out.URL + *out = new(string) + **out = **in + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ElasticsearchInitParameters. +func (in *ElasticsearchInitParameters) DeepCopy() *ElasticsearchInitParameters { + if in == nil { + return nil + } + out := new(ElasticsearchInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ElasticsearchObservation) DeepCopyInto(out *ElasticsearchObservation) { *out = *in 
@@ -370,6 +537,51 @@ func (in *ElasticsearchParameters) DeepCopy() *ElasticsearchParameters { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *HanaInitParameters) DeepCopyInto(out *HanaInitParameters) { + *out = *in + if in.ConnectionURL != nil { + in, out := &in.ConnectionURL, &out.ConnectionURL + *out = new(string) + **out = **in + } + if in.DisableEscaping != nil { + in, out := &in.DisableEscaping, &out.DisableEscaping + *out = new(bool) + **out = **in + } + if in.MaxConnectionLifetime != nil { + in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime + *out = new(float64) + **out = **in + } + if in.MaxIdleConnections != nil { + in, out := &in.MaxIdleConnections, &out.MaxIdleConnections + *out = new(float64) + **out = **in + } + if in.MaxOpenConnections != nil { + in, out := &in.MaxOpenConnections, &out.MaxOpenConnections + *out = new(float64) + **out = **in + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HanaInitParameters. +func (in *HanaInitParameters) DeepCopy() *HanaInitParameters { + if in == nil { + return nil + } + out := new(HanaInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *HanaObservation) DeepCopyInto(out *HanaObservation) { *out = *in 
@@ -465,6 +677,56 @@ func (in *HanaParameters) DeepCopy() *HanaParameters { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *InfluxdbInitParameters) DeepCopyInto(out *InfluxdbInitParameters) { + *out = *in + if in.ConnectTimeout != nil { + in, out := &in.ConnectTimeout, &out.ConnectTimeout + *out = new(float64) + **out = **in + } + if in.Host != nil { + in, out := &in.Host, &out.Host + *out = new(string) + **out = **in + } + if in.InsecureTLS != nil { + in, out := &in.InsecureTLS, &out.InsecureTLS + *out = new(bool) + **out = **in + } + if in.Port != nil { + in, out := &in.Port, &out.Port + *out = new(float64) + **out = **in + } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(bool) + **out = **in + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InfluxdbInitParameters. +func (in *InfluxdbInitParameters) DeepCopy() *InfluxdbInitParameters { + if in == nil { + return nil + } + out := new(InfluxdbInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *InfluxdbObservation) DeepCopyInto(out *InfluxdbObservation) { *out = *in @@ -577,7 +839,7 @@ func (in *InfluxdbParameters) DeepCopy() *InfluxdbParameters { } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *MongodbObservation) DeepCopyInto(out *MongodbObservation) { +func (in *MongodbInitParameters) DeepCopyInto(out *MongodbInitParameters) { *out = *in if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL 
@@ -611,18 +873,18 @@ func (in *MongodbObservation) DeepCopyInto(out *MongodbObservation) { } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MongodbObservation. -func (in *MongodbObservation) DeepCopy() *MongodbObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MongodbInitParameters. +func (in *MongodbInitParameters) DeepCopy() *MongodbInitParameters { if in == nil { return nil } - out := new(MongodbObservation) + out := new(MongodbInitParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *MongodbParameters) DeepCopyInto(out *MongodbParameters) { +func (in *MongodbObservation) DeepCopyInto(out *MongodbObservation) { *out = *in if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL @@ -644,11 +906,6 @@ func (in *MongodbParameters) DeepCopyInto(out *MongodbParameters) { *out = new(float64) **out = **in } - if in.PasswordSecretRef != nil { - in, out := &in.PasswordSecretRef, &out.PasswordSecretRef - *out = new(v1.SecretKeySelector) - **out = **in - } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) 
@@ -661,9 +918,59 @@ func (in *MongodbParameters) DeepCopyInto(out *MongodbParameters) { } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MongodbParameters. -func (in *MongodbParameters) DeepCopy() *MongodbParameters { - if in == nil { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MongodbObservation. +func (in *MongodbObservation) DeepCopy() *MongodbObservation { + if in == nil { + return nil + } + out := new(MongodbObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MongodbParameters) DeepCopyInto(out *MongodbParameters) { + *out = *in + if in.ConnectionURL != nil { + in, out := &in.ConnectionURL, &out.ConnectionURL + *out = new(string) + **out = **in + } + if in.MaxConnectionLifetime != nil { + in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime + *out = new(float64) + **out = **in + } + if in.MaxIdleConnections != nil { + in, out := &in.MaxIdleConnections, &out.MaxIdleConnections + *out = new(float64) + **out = **in + } + if in.MaxOpenConnections != nil { + in, out := &in.MaxOpenConnections, &out.MaxOpenConnections + *out = new(float64) + **out = **in + } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MongodbParameters. +func (in *MongodbParameters) DeepCopy() *MongodbParameters { + if in == nil { return nil } out := new(MongodbParameters) 
@@ -671,6 +978,31 @@ func (in *MongodbParameters) DeepCopy() *MongodbParameters { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MongodbatlasInitParameters) DeepCopyInto(out *MongodbatlasInitParameters) { + *out = *in + if in.ProjectID != nil { + in, out := &in.ProjectID, &out.ProjectID + *out = new(string) + **out = **in + } + if in.PublicKey != nil { + in, out := &in.PublicKey, &out.PublicKey + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MongodbatlasInitParameters. +func (in *MongodbatlasInitParameters) DeepCopy() *MongodbatlasInitParameters { + if in == nil { + return nil + } + out := new(MongodbatlasInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MongodbatlasObservation) DeepCopyInto(out *MongodbatlasObservation) { *out = *in @@ -723,7 +1055,7 @@ func (in *MongodbatlasParameters) DeepCopy() *MongodbatlasParameters { } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *MssqlObservation) DeepCopyInto(out *MssqlObservation) { +func (in *MssqlInitParameters) DeepCopyInto(out *MssqlInitParameters) { *out = *in if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL 
@@ -767,18 +1099,18 @@ func (in *MssqlObservation) DeepCopyInto(out *MssqlObservation) { } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MssqlObservation. -func (in *MssqlObservation) DeepCopy() *MssqlObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MssqlInitParameters. +func (in *MssqlInitParameters) DeepCopy() *MssqlInitParameters { if in == nil { return nil } - out := new(MssqlObservation) + out := new(MssqlInitParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *MssqlParameters) DeepCopyInto(out *MssqlParameters) { +func (in *MssqlObservation) DeepCopyInto(out *MssqlObservation) { *out = *in if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL @@ -810,11 +1142,6 @@ func (in *MssqlParameters) DeepCopyInto(out *MssqlParameters) { *out = new(float64) **out = **in } - if in.PasswordSecretRef != nil { - in, out := &in.PasswordSecretRef, &out.PasswordSecretRef - *out = new(v1.SecretKeySelector) - **out = **in - } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) 
@@ -827,24 +1154,34 @@ func (in *MssqlParameters) DeepCopyInto(out *MssqlParameters) { } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MssqlParameters. -func (in *MssqlParameters) DeepCopy() *MssqlParameters { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MssqlObservation. +func (in *MssqlObservation) DeepCopy() *MssqlObservation { if in == nil { return nil } - out := new(MssqlParameters) + out := new(MssqlObservation) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *MySQLAuroraObservation) DeepCopyInto(out *MySQLAuroraObservation) { +func (in *MssqlParameters) DeepCopyInto(out *MssqlParameters) { *out = *in if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) **out = **in } + if in.ContainedDB != nil { + in, out := &in.ContainedDB, &out.ContainedDB + *out = new(bool) + **out = **in + } + if in.DisableEscaping != nil { + in, out := &in.DisableEscaping, &out.DisableEscaping + *out = new(bool) + **out = **in + } if in.MaxConnectionLifetime != nil { in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime *out = new(float64) @@ -860,6 +1197,11 @@ func (in *MySQLAuroraObservation) DeepCopyInto(out *MySQLAuroraObservation) { *out = new(float64) **out = **in } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) 
@@ -872,18 +1214,18 @@ func (in *MySQLAuroraObservation) DeepCopyInto(out *MySQLAuroraObservation) { } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLAuroraObservation. -func (in *MySQLAuroraObservation) DeepCopy() *MySQLAuroraObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MssqlParameters. +func (in *MssqlParameters) DeepCopy() *MssqlParameters { if in == nil { return nil } - out := new(MySQLAuroraObservation) + out := new(MssqlParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *MySQLAuroraParameters) DeepCopyInto(out *MySQLAuroraParameters) { +func (in *MySQLAuroraInitParameters) DeepCopyInto(out *MySQLAuroraInitParameters) { *out = *in if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL @@ -905,11 +1247,6 @@ func (in *MySQLAuroraParameters) DeepCopyInto(out *MySQLAuroraParameters) { *out = new(float64) **out = **in } - if in.PasswordSecretRef != nil { - in, out := &in.PasswordSecretRef, &out.PasswordSecretRef - *out = new(v1.SecretKeySelector) - **out = **in - } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) 
@@ -922,18 +1259,18 @@ func (in *MySQLAuroraParameters) DeepCopyInto(out *MySQLAuroraParameters) { } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLAuroraParameters. -func (in *MySQLAuroraParameters) DeepCopy() *MySQLAuroraParameters { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLAuroraInitParameters. +func (in *MySQLAuroraInitParameters) DeepCopy() *MySQLAuroraInitParameters { if in == nil { return nil } - out := new(MySQLAuroraParameters) + out := new(MySQLAuroraInitParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *MySQLLegacyObservation) DeepCopyInto(out *MySQLLegacyObservation) { +func (in *MySQLAuroraObservation) DeepCopyInto(out *MySQLAuroraObservation) { *out = *in if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL @@ -967,18 +1304,18 @@ func (in *MySQLLegacyObservation) DeepCopyInto(out *MySQLLegacyObservation) { } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLLegacyObservation. -func (in *MySQLLegacyObservation) DeepCopy() *MySQLLegacyObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLAuroraObservation. +func (in *MySQLAuroraObservation) DeepCopy() *MySQLAuroraObservation { if in == nil { return nil } - out := new(MySQLLegacyObservation) + out := new(MySQLAuroraObservation) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *MySQLLegacyParameters) DeepCopyInto(out *MySQLLegacyParameters) { +func (in *MySQLAuroraParameters) DeepCopyInto(out *MySQLAuroraParameters) { *out = *in if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL 
@@ -1017,18 +1354,18 @@ func (in *MySQLLegacyParameters) DeepCopyInto(out *MySQLLegacyParameters) { } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLLegacyParameters. -func (in *MySQLLegacyParameters) DeepCopy() *MySQLLegacyParameters { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLAuroraParameters. +func (in *MySQLAuroraParameters) DeepCopy() *MySQLAuroraParameters { if in == nil { return nil } - out := new(MySQLLegacyParameters) + out := new(MySQLAuroraParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *MySQLObservation) DeepCopyInto(out *MySQLObservation) { +func (in *MySQLInitParameters) DeepCopyInto(out *MySQLInitParameters) { *out = *in if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL @@ -1067,18 +1404,18 @@ func (in *MySQLObservation) DeepCopyInto(out *MySQLObservation) { } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLObservation. -func (in *MySQLObservation) DeepCopy() *MySQLObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLInitParameters. +func (in *MySQLInitParameters) DeepCopy() *MySQLInitParameters { if in == nil { return nil } - out := new(MySQLObservation) + out := new(MySQLInitParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *MySQLParameters) DeepCopyInto(out *MySQLParameters) { +func (in *MySQLLegacyInitParameters) DeepCopyInto(out *MySQLLegacyInitParameters) { *out = *in if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL 
@@ -1100,21 +1437,6 @@ func (in *MySQLParameters) DeepCopyInto(out *MySQLParameters) { *out = new(float64) **out = **in } - if in.PasswordSecretRef != nil { - in, out := &in.PasswordSecretRef, &out.PasswordSecretRef - *out = new(v1.SecretKeySelector) - **out = **in - } - if in.TLSCA != nil { - in, out := &in.TLSCA, &out.TLSCA - *out = new(string) - **out = **in - } - if in.TLSCertificateKeySecretRef != nil { - in, out := &in.TLSCertificateKeySecretRef, &out.TLSCertificateKeySecretRef - *out = new(v1.SecretKeySelector) - **out = **in - } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -1127,18 +1449,18 @@ func (in *MySQLParameters) DeepCopyInto(out *MySQLParameters) { } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLParameters. -func (in *MySQLParameters) DeepCopy() *MySQLParameters { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLLegacyInitParameters. +func (in *MySQLLegacyInitParameters) DeepCopy() *MySQLLegacyInitParameters { if in == nil { return nil } - out := new(MySQLParameters) + out := new(MySQLLegacyInitParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *MySQLRDSObservation) DeepCopyInto(out *MySQLRDSObservation) { +func (in *MySQLLegacyObservation) DeepCopyInto(out *MySQLLegacyObservation) { *out = *in if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL 
@@ -1172,18 +1494,18 @@ func (in *MySQLRDSObservation) DeepCopyInto(out *MySQLRDSObservation) { } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLRDSObservation. -func (in *MySQLRDSObservation) DeepCopy() *MySQLRDSObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLLegacyObservation. +func (in *MySQLLegacyObservation) DeepCopy() *MySQLLegacyObservation { if in == nil { return nil } - out := new(MySQLRDSObservation) + out := new(MySQLLegacyObservation) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *MySQLRDSParameters) DeepCopyInto(out *MySQLRDSParameters) { +func (in *MySQLLegacyParameters) DeepCopyInto(out *MySQLLegacyParameters) { *out = *in if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL @@ -1222,18 +1544,18 @@ func (in *MySQLRDSParameters) DeepCopyInto(out *MySQLRDSParameters) { } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLRDSParameters. -func (in *MySQLRDSParameters) DeepCopy() *MySQLRDSParameters { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLLegacyParameters. +func (in *MySQLLegacyParameters) DeepCopy() *MySQLLegacyParameters { if in == nil { return nil } - out := new(MySQLRDSParameters) + out := new(MySQLLegacyParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OracleObservation) DeepCopyInto(out *OracleObservation) { +func (in *MySQLObservation) DeepCopyInto(out *MySQLObservation) { *out = *in if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL 
@@ -1255,6 +1577,11 @@ func (in *OracleObservation) DeepCopyInto(out *OracleObservation) { *out = new(float64) **out = **in } + if in.TLSCA != nil { + in, out := &in.TLSCA, &out.TLSCA + *out = new(string) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -1267,18 +1594,18 @@ func (in *OracleObservation) DeepCopyInto(out *OracleObservation) { } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OracleObservation. -func (in *OracleObservation) DeepCopy() *OracleObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLObservation. +func (in *MySQLObservation) DeepCopy() *MySQLObservation { if in == nil { return nil } - out := new(OracleObservation) + out := new(MySQLObservation) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OracleParameters) DeepCopyInto(out *OracleParameters) { +func (in *MySQLParameters) DeepCopyInto(out *MySQLParameters) { *out = *in if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL @@ -1305,6 +1632,16 @@ func (in *OracleParameters) DeepCopyInto(out *OracleParameters) { *out = new(v1.SecretKeySelector) **out = **in } + if in.TLSCA != nil { + in, out := &in.TLSCA, &out.TLSCA + *out = new(string) + **out = **in + } + if in.TLSCertificateKeySecretRef != nil { + in, out := &in.TLSCertificateKeySecretRef, &out.TLSCertificateKeySecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) 
@@ -1317,29 +1654,24 @@ func (in *OracleParameters) DeepCopyInto(out *OracleParameters) { } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OracleParameters. -func (in *OracleParameters) DeepCopy() *OracleParameters { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLParameters. +func (in *MySQLParameters) DeepCopy() *MySQLParameters { if in == nil { return nil } - out := new(OracleParameters) + out := new(MySQLParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *PostgresqlObservation) DeepCopyInto(out *PostgresqlObservation) { +func (in *MySQLRDSInitParameters) DeepCopyInto(out *MySQLRDSInitParameters) { *out = *in if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) **out = **in } - if in.DisableEscaping != nil { - in, out := &in.DisableEscaping, &out.DisableEscaping - *out = new(bool) - **out = **in - } if in.MaxConnectionLifetime != nil { in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime *out = new(float64) 
@@ -1367,29 +1699,24 @@ func (in *PostgresqlObservation) DeepCopyInto(out *PostgresqlObservation) { } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PostgresqlObservation. -func (in *PostgresqlObservation) DeepCopy() *PostgresqlObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLRDSInitParameters. +func (in *MySQLRDSInitParameters) DeepCopy() *MySQLRDSInitParameters { if in == nil { return nil } - out := new(PostgresqlObservation) + out := new(MySQLRDSInitParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *PostgresqlParameters) DeepCopyInto(out *PostgresqlParameters) { +func (in *MySQLRDSObservation) DeepCopyInto(out *MySQLRDSObservation) { *out = *in if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) **out = **in } - if in.DisableEscaping != nil { - in, out := &in.DisableEscaping, &out.DisableEscaping - *out = new(bool) - **out = **in - } if in.MaxConnectionLifetime != nil { in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime *out = new(float64) @@ -1405,11 +1732,6 @@ func (in *PostgresqlParameters) DeepCopyInto(out *PostgresqlParameters) { *out = new(float64) **out = **in } - if in.PasswordSecretRef != nil { - in, out := &in.PasswordSecretRef, &out.PasswordSecretRef - *out = new(v1.SecretKeySelector) - **out = **in - } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) 
@@ -1422,102 +1744,182 @@ func (in *PostgresqlParameters) DeepCopyInto(out *PostgresqlParameters) { } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PostgresqlParameters. -func (in *PostgresqlParameters) DeepCopy() *PostgresqlParameters { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLRDSObservation. +func (in *MySQLRDSObservation) DeepCopy() *MySQLRDSObservation { if in == nil { return nil } - out := new(PostgresqlParameters) + out := new(MySQLRDSObservation) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *RedisElasticacheObservation) DeepCopyInto(out *RedisElasticacheObservation) { +func (in *MySQLRDSParameters) DeepCopyInto(out *MySQLRDSParameters) { *out = *in - if in.Region != nil { - in, out := &in.Region, &out.Region + if in.ConnectionURL != nil { + in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) **out = **in } - if in.URL != nil { - in, out := &in.URL, &out.URL - *out = new(string) + if in.MaxConnectionLifetime != nil { + in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime + *out = new(float64) **out = **in } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedisElasticacheObservation. 
-func (in *RedisElasticacheObservation) DeepCopy() *RedisElasticacheObservation { - if in == nil { - return nil - } - out := new(RedisElasticacheObservation) + if in.MaxIdleConnections != nil { + in, out := &in.MaxIdleConnections, &out.MaxIdleConnections + *out = new(float64) + **out = **in + } + if in.MaxOpenConnections != nil { + in, out := &in.MaxOpenConnections, &out.MaxOpenConnections + *out = new(float64) + **out = **in + } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLRDSParameters. +func (in *MySQLRDSParameters) DeepCopy() *MySQLRDSParameters { + if in == nil { + return nil + } + out := new(MySQLRDSParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
-func (in *RedisElasticacheParameters) DeepCopyInto(out *RedisElasticacheParameters) { +func (in *OracleInitParameters) DeepCopyInto(out *OracleInitParameters) { *out = *in - if in.PasswordSecretRef != nil { - in, out := &in.PasswordSecretRef, &out.PasswordSecretRef - *out = new(v1.SecretKeySelector) + if in.ConnectionURL != nil { + in, out := &in.ConnectionURL, &out.ConnectionURL + *out = new(string) **out = **in } - if in.Region != nil { - in, out := &in.Region, &out.Region - *out = new(string) + if in.MaxConnectionLifetime != nil { + in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime + *out = new(float64) **out = **in } - if in.URL != nil { - in, out := &in.URL, &out.URL + if in.MaxIdleConnections != nil { + in, out := &in.MaxIdleConnections, &out.MaxIdleConnections + *out = new(float64) + **out = **in + } + if in.MaxOpenConnections != nil { + in, out := &in.MaxOpenConnections, &out.MaxOpenConnections + *out = new(float64) + **out = **in + } + if in.Username != nil { + in, out := &in.Username, &out.Username *out = new(string) **out = **in } - if in.UsernameSecretRef != nil { - in, out := &in.UsernameSecretRef, &out.UsernameSecretRef - *out = new(v1.SecretKeySelector) + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) **out = **in } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedisElasticacheParameters. -func (in *RedisElasticacheParameters) DeepCopy() *RedisElasticacheParameters { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OracleInitParameters. +func (in *OracleInitParameters) DeepCopy() *OracleInitParameters { if in == nil { return nil } - out := new(RedisElasticacheParameters) + out := new(OracleInitParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
-func (in *RedisObservation) DeepCopyInto(out *RedisObservation) { +func (in *OracleObservation) DeepCopyInto(out *OracleObservation) { *out = *in - if in.CACert != nil { - in, out := &in.CACert, &out.CACert + if in.ConnectionURL != nil { + in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) **out = **in } - if in.Host != nil { - in, out := &in.Host, &out.Host + if in.MaxConnectionLifetime != nil { + in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime + *out = new(float64) + **out = **in + } + if in.MaxIdleConnections != nil { + in, out := &in.MaxIdleConnections, &out.MaxIdleConnections + *out = new(float64) + **out = **in + } + if in.MaxOpenConnections != nil { + in, out := &in.MaxOpenConnections, &out.MaxOpenConnections + *out = new(float64) + **out = **in + } + if in.Username != nil { + in, out := &in.Username, &out.Username *out = new(string) **out = **in } - if in.InsecureTLS != nil { - in, out := &in.InsecureTLS, &out.InsecureTLS - *out = new(bool) + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) **out = **in } - if in.Port != nil { - in, out := &in.Port, &out.Port +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OracleObservation. +func (in *OracleObservation) DeepCopy() *OracleObservation { + if in == nil { + return nil + } + out := new(OracleObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *OracleParameters) DeepCopyInto(out *OracleParameters) { + *out = *in + if in.ConnectionURL != nil { + in, out := &in.ConnectionURL, &out.ConnectionURL + *out = new(string) + **out = **in + } + if in.MaxConnectionLifetime != nil { + in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime *out = new(float64) **out = **in } - if in.TLS != nil { - in, out := &in.TLS, &out.TLS - *out = new(bool) + if in.MaxIdleConnections != nil { + in, out := &in.MaxIdleConnections, &out.MaxIdleConnections + *out = new(float64) + **out = **in + } + if in.MaxOpenConnections != nil { + in, out := &in.MaxOpenConnections, &out.MaxOpenConnections + *out = new(float64) + **out = **in + } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) **out = **in } if in.Username != nil { 
@@ -1525,45 +1927,49 @@ func (in *RedisObservation) DeepCopyInto(out *RedisObservation) { *out = new(string) **out = **in } + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) + **out = **in + } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedisObservation. -func (in *RedisObservation) DeepCopy() *RedisObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OracleParameters. +func (in *OracleParameters) DeepCopy() *OracleParameters { if in == nil { return nil } - out := new(RedisObservation) + out := new(OracleParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *RedisParameters) DeepCopyInto(out *RedisParameters) { +func (in *PostgresqlInitParameters) DeepCopyInto(out *PostgresqlInitParameters) { *out = *in - if in.CACert != nil { - in, out := &in.CACert, &out.CACert + if in.ConnectionURL != nil { + in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) **out = **in } - if in.Host != nil { - in, out := &in.Host, &out.Host - *out = new(string) + if in.DisableEscaping != nil { + in, out := &in.DisableEscaping, &out.DisableEscaping + *out = new(bool) **out = **in } - if in.InsecureTLS != nil { - in, out := &in.InsecureTLS, &out.InsecureTLS - *out = new(bool) + if in.MaxConnectionLifetime != nil { + in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime + *out = new(float64) **out = **in } - out.PasswordSecretRef = in.PasswordSecretRef - if in.Port != nil { - in, out := &in.Port, &out.Port + if in.MaxIdleConnections != nil { + in, out := &in.MaxIdleConnections, &out.MaxIdleConnections *out = new(float64) **out = **in } - if in.TLS != nil { - in, out := &in.TLS, &out.TLS - *out = new(bool) + if in.MaxOpenConnections != nil { + in, out := &in.MaxOpenConnections, 
&out.MaxOpenConnections + *out = new(float64) **out = **in } if in.Username != nil { @@ -1571,20 +1977,25 @@ func (in *RedisParameters) DeepCopyInto(out *RedisParameters) { *out = new(string) **out = **in } + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) + **out = **in + } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedisParameters. -func (in *RedisParameters) DeepCopy() *RedisParameters { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PostgresqlInitParameters. +func (in *PostgresqlInitParameters) DeepCopy() *PostgresqlInitParameters { if in == nil { return nil } - out := new(RedisParameters) + out := new(PostgresqlInitParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *RedshiftObservation) DeepCopyInto(out *RedshiftObservation) { +func (in *PostgresqlObservation) DeepCopyInto(out *PostgresqlObservation) { *out = *in if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL 
@@ -1623,18 +2034,18 @@ func (in *RedshiftObservation) DeepCopyInto(out *RedshiftObservation) { } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedshiftObservation. -func (in *RedshiftObservation) DeepCopy() *RedshiftObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PostgresqlObservation. +func (in *PostgresqlObservation) DeepCopy() *PostgresqlObservation { if in == nil { return nil } - out := new(RedshiftObservation) + out := new(PostgresqlObservation) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *RedshiftParameters) DeepCopyInto(out *RedshiftParameters) { +func (in *PostgresqlParameters) DeepCopyInto(out *PostgresqlParameters) { *out = *in if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL 
@@ -1678,77 +2089,2850 @@ func (in *RedshiftParameters) DeepCopyInto(out *RedshiftParameters) { } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedshiftParameters. -func (in *RedshiftParameters) DeepCopy() *RedshiftParameters { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PostgresqlParameters. +func (in *PostgresqlParameters) DeepCopy() *PostgresqlParameters { if in == nil { return nil } - out := new(RedshiftParameters) + out := new(PostgresqlParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretBackendConnection) DeepCopyInto(out *SecretBackendConnection) { +func (in *RedisElasticacheInitParameters) DeepCopyInto(out *RedisElasticacheInitParameters) { *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - in.Status.DeepCopyInto(&out.Status) + if in.Region != nil { + in, out := &in.Region, &out.Region + *out = new(string) + **out = **in + } + if in.URL != nil { + in, out := &in.URL, &out.URL + *out = new(string) + **out = **in + } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendConnection. -func (in *SecretBackendConnection) DeepCopy() *SecretBackendConnection { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedisElasticacheInitParameters. +func (in *RedisElasticacheInitParameters) DeepCopy() *RedisElasticacheInitParameters { if in == nil { return nil } - out := new(SecretBackendConnection) + out := new(RedisElasticacheInitParameters) in.DeepCopyInto(out) return out } -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
-func (in *SecretBackendConnection) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretBackendConnectionList) DeepCopyInto(out *SecretBackendConnectionList) { +func (in *RedisElasticacheObservation) DeepCopyInto(out *RedisElasticacheObservation) { *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]SecretBackendConnection, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } + if in.Region != nil { + in, out := &in.Region, &out.Region + *out = new(string) + **out = **in + } + if in.URL != nil { + in, out := &in.URL, &out.URL + *out = new(string) + **out = **in } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendConnectionList. -func (in *SecretBackendConnectionList) DeepCopy() *SecretBackendConnectionList { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedisElasticacheObservation. +func (in *RedisElasticacheObservation) DeepCopy() *RedisElasticacheObservation { if in == nil { return nil } - out := new(SecretBackendConnectionList) + out := new(RedisElasticacheObservation) in.DeepCopyInto(out) return out } -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *SecretBackendConnectionList) DeepCopyObject() runtime.Object { +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *RedisElasticacheParameters) DeepCopyInto(out *RedisElasticacheParameters) { + *out = *in + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.Region != nil { + in, out := &in.Region, &out.Region + *out = new(string) + **out = **in + } + if in.URL != nil { + in, out := &in.URL, &out.URL + *out = new(string) + **out = **in + } + if in.UsernameSecretRef != nil { + in, out := &in.UsernameSecretRef, &out.UsernameSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedisElasticacheParameters. +func (in *RedisElasticacheParameters) DeepCopy() *RedisElasticacheParameters { + if in == nil { + return nil + } + out := new(RedisElasticacheParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RedisInitParameters) DeepCopyInto(out *RedisInitParameters) { + *out = *in + if in.CACert != nil { + in, out := &in.CACert, &out.CACert + *out = new(string) + **out = **in + } + if in.Host != nil { + in, out := &in.Host, &out.Host + *out = new(string) + **out = **in + } + if in.InsecureTLS != nil { + in, out := &in.InsecureTLS, &out.InsecureTLS + *out = new(bool) + **out = **in + } + if in.Port != nil { + in, out := &in.Port, &out.Port + *out = new(float64) + **out = **in + } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(bool) + **out = **in + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedisInitParameters. 
+func (in *RedisInitParameters) DeepCopy() *RedisInitParameters { + if in == nil { + return nil + } + out := new(RedisInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RedisObservation) DeepCopyInto(out *RedisObservation) { + *out = *in + if in.CACert != nil { + in, out := &in.CACert, &out.CACert + *out = new(string) + **out = **in + } + if in.Host != nil { + in, out := &in.Host, &out.Host + *out = new(string) + **out = **in + } + if in.InsecureTLS != nil { + in, out := &in.InsecureTLS, &out.InsecureTLS + *out = new(bool) + **out = **in + } + if in.Port != nil { + in, out := &in.Port, &out.Port + *out = new(float64) + **out = **in + } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(bool) + **out = **in + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedisObservation. +func (in *RedisObservation) DeepCopy() *RedisObservation { + if in == nil { + return nil + } + out := new(RedisObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *RedisParameters) DeepCopyInto(out *RedisParameters) { + *out = *in + if in.CACert != nil { + in, out := &in.CACert, &out.CACert + *out = new(string) + **out = **in + } + if in.Host != nil { + in, out := &in.Host, &out.Host + *out = new(string) + **out = **in + } + if in.InsecureTLS != nil { + in, out := &in.InsecureTLS, &out.InsecureTLS + *out = new(bool) + **out = **in + } + out.PasswordSecretRef = in.PasswordSecretRef + if in.Port != nil { + in, out := &in.Port, &out.Port + *out = new(float64) + **out = **in + } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(bool) + **out = **in + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedisParameters. +func (in *RedisParameters) DeepCopy() *RedisParameters { + if in == nil { + return nil + } + out := new(RedisParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *RedshiftInitParameters) DeepCopyInto(out *RedshiftInitParameters) { + *out = *in + if in.ConnectionURL != nil { + in, out := &in.ConnectionURL, &out.ConnectionURL + *out = new(string) + **out = **in + } + if in.DisableEscaping != nil { + in, out := &in.DisableEscaping, &out.DisableEscaping + *out = new(bool) + **out = **in + } + if in.MaxConnectionLifetime != nil { + in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime + *out = new(float64) + **out = **in + } + if in.MaxIdleConnections != nil { + in, out := &in.MaxIdleConnections, &out.MaxIdleConnections + *out = new(float64) + **out = **in + } + if in.MaxOpenConnections != nil { + in, out := &in.MaxOpenConnections, &out.MaxOpenConnections + *out = new(float64) + **out = **in + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedshiftInitParameters. +func (in *RedshiftInitParameters) DeepCopy() *RedshiftInitParameters { + if in == nil { + return nil + } + out := new(RedshiftInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *RedshiftObservation) DeepCopyInto(out *RedshiftObservation) { + *out = *in + if in.ConnectionURL != nil { + in, out := &in.ConnectionURL, &out.ConnectionURL + *out = new(string) + **out = **in + } + if in.DisableEscaping != nil { + in, out := &in.DisableEscaping, &out.DisableEscaping + *out = new(bool) + **out = **in + } + if in.MaxConnectionLifetime != nil { + in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime + *out = new(float64) + **out = **in + } + if in.MaxIdleConnections != nil { + in, out := &in.MaxIdleConnections, &out.MaxIdleConnections + *out = new(float64) + **out = **in + } + if in.MaxOpenConnections != nil { + in, out := &in.MaxOpenConnections, &out.MaxOpenConnections + *out = new(float64) + **out = **in + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedshiftObservation. +func (in *RedshiftObservation) DeepCopy() *RedshiftObservation { + if in == nil { + return nil + } + out := new(RedshiftObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *RedshiftParameters) DeepCopyInto(out *RedshiftParameters) { + *out = *in + if in.ConnectionURL != nil { + in, out := &in.ConnectionURL, &out.ConnectionURL + *out = new(string) + **out = **in + } + if in.DisableEscaping != nil { + in, out := &in.DisableEscaping, &out.DisableEscaping + *out = new(bool) + **out = **in + } + if in.MaxConnectionLifetime != nil { + in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime + *out = new(float64) + **out = **in + } + if in.MaxIdleConnections != nil { + in, out := &in.MaxIdleConnections, &out.MaxIdleConnections + *out = new(float64) + **out = **in + } + if in.MaxOpenConnections != nil { + in, out := &in.MaxOpenConnections, &out.MaxOpenConnections + *out = new(float64) + **out = **in + } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedshiftParameters. +func (in *RedshiftParameters) DeepCopy() *RedshiftParameters { + if in == nil { + return nil + } + out := new(RedshiftParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendConnection) DeepCopyInto(out *SecretBackendConnection) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendConnection. 
+func (in *SecretBackendConnection) DeepCopy() *SecretBackendConnection { + if in == nil { + return nil + } + out := new(SecretBackendConnection) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *SecretBackendConnection) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendConnectionInitParameters) DeepCopyInto(out *SecretBackendConnectionInitParameters) { + *out = *in + if in.AllowedRoles != nil { + in, out := &in.AllowedRoles, &out.AllowedRoles + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.Cassandra != nil { + in, out := &in.Cassandra, &out.Cassandra + *out = make([]CassandraInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Couchbase != nil { + in, out := &in.Couchbase, &out.Couchbase + *out = make([]CouchbaseInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Data != nil { + in, out := &in.Data, &out.Data + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.Elasticsearch != nil { + in, out := &in.Elasticsearch, &out.Elasticsearch + *out = make([]ElasticsearchInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Hana != nil { + in, out := &in.Hana, &out.Hana + *out = make([]HanaInitParameters, len(*in)) 
+ for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Influxdb != nil { + in, out := &in.Influxdb, &out.Influxdb + *out = make([]InfluxdbInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Mongodb != nil { + in, out := &in.Mongodb, &out.Mongodb + *out = make([]MongodbInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Mongodbatlas != nil { + in, out := &in.Mongodbatlas, &out.Mongodbatlas + *out = make([]MongodbatlasInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Mssql != nil { + in, out := &in.Mssql, &out.Mssql + *out = make([]MssqlInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.MySQL != nil { + in, out := &in.MySQL, &out.MySQL + *out = make([]MySQLInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.MySQLAurora != nil { + in, out := &in.MySQLAurora, &out.MySQLAurora + *out = make([]MySQLAuroraInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.MySQLLegacy != nil { + in, out := &in.MySQLLegacy, &out.MySQLLegacy + *out = make([]MySQLLegacyInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.MySQLRDS != nil { + in, out := &in.MySQLRDS, &out.MySQLRDS + *out = make([]MySQLRDSInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Oracle != nil { + in, out := &in.Oracle, &out.Oracle + *out = make([]OracleInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.PluginName != nil { + in, out := &in.PluginName, 
&out.PluginName + *out = new(string) + **out = **in + } + if in.Postgresql != nil { + in, out := &in.Postgresql, &out.Postgresql + *out = make([]PostgresqlInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Redis != nil { + in, out := &in.Redis, &out.Redis + *out = make([]RedisInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.RedisElasticache != nil { + in, out := &in.RedisElasticache, &out.RedisElasticache + *out = make([]RedisElasticacheInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Redshift != nil { + in, out := &in.Redshift, &out.Redshift + *out = make([]RedshiftInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.RootRotationStatements != nil { + in, out := &in.RootRotationStatements, &out.RootRotationStatements + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Snowflake != nil { + in, out := &in.Snowflake, &out.Snowflake + *out = make([]SnowflakeInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.VerifyConnection != nil { + in, out := &in.VerifyConnection, &out.VerifyConnection + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendConnectionInitParameters. +func (in *SecretBackendConnectionInitParameters) DeepCopy() *SecretBackendConnectionInitParameters { + if in == nil { + return nil + } + out := new(SecretBackendConnectionInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *SecretBackendConnectionList) DeepCopyInto(out *SecretBackendConnectionList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]SecretBackendConnection, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendConnectionList. +func (in *SecretBackendConnectionList) DeepCopy() *SecretBackendConnectionList { + if in == nil { + return nil + } + out := new(SecretBackendConnectionList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *SecretBackendConnectionList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *SecretBackendConnectionObservation) DeepCopyInto(out *SecretBackendConnectionObservation) { + *out = *in + if in.AllowedRoles != nil { + in, out := &in.AllowedRoles, &out.AllowedRoles + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.Cassandra != nil { + in, out := &in.Cassandra, &out.Cassandra + *out = make([]CassandraObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Couchbase != nil { + in, out := &in.Couchbase, &out.Couchbase + *out = make([]CouchbaseObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Data != nil { + in, out := &in.Data, &out.Data + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.Elasticsearch != nil { + in, out := &in.Elasticsearch, &out.Elasticsearch + *out = make([]ElasticsearchObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Hana != nil { + in, out := &in.Hana, &out.Hana + *out = make([]HanaObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.ID != nil { + in, out := &in.ID, &out.ID + *out = new(string) + **out = **in + } + if in.Influxdb != nil { + in, out := &in.Influxdb, &out.Influxdb + *out = make([]InfluxdbObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Mongodb != nil { + in, out := &in.Mongodb, &out.Mongodb + *out = make([]MongodbObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Mongodbatlas != nil { + in, out := 
&in.Mongodbatlas, &out.Mongodbatlas + *out = make([]MongodbatlasObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Mssql != nil { + in, out := &in.Mssql, &out.Mssql + *out = make([]MssqlObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.MySQL != nil { + in, out := &in.MySQL, &out.MySQL + *out = make([]MySQLObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.MySQLAurora != nil { + in, out := &in.MySQLAurora, &out.MySQLAurora + *out = make([]MySQLAuroraObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.MySQLLegacy != nil { + in, out := &in.MySQLLegacy, &out.MySQLLegacy + *out = make([]MySQLLegacyObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.MySQLRDS != nil { + in, out := &in.MySQLRDS, &out.MySQLRDS + *out = make([]MySQLRDSObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Oracle != nil { + in, out := &in.Oracle, &out.Oracle + *out = make([]OracleObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.PluginName != nil { + in, out := &in.PluginName, &out.PluginName + *out = new(string) + **out = **in + } + if in.Postgresql != nil { + in, out := &in.Postgresql, &out.Postgresql + *out = make([]PostgresqlObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Redis != nil { + in, out := &in.Redis, &out.Redis + *out = make([]RedisObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.RedisElasticache != nil { + in, out := &in.RedisElasticache, &out.RedisElasticache 
+ *out = make([]RedisElasticacheObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Redshift != nil { + in, out := &in.Redshift, &out.Redshift + *out = make([]RedshiftObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.RootRotationStatements != nil { + in, out := &in.RootRotationStatements, &out.RootRotationStatements + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Snowflake != nil { + in, out := &in.Snowflake, &out.Snowflake + *out = make([]SnowflakeObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.VerifyConnection != nil { + in, out := &in.VerifyConnection, &out.VerifyConnection + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendConnectionObservation. +func (in *SecretBackendConnectionObservation) DeepCopy() *SecretBackendConnectionObservation { + if in == nil { + return nil + } + out := new(SecretBackendConnectionObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *SecretBackendConnectionParameters) DeepCopyInto(out *SecretBackendConnectionParameters) { + *out = *in + if in.AllowedRoles != nil { + in, out := &in.AllowedRoles, &out.AllowedRoles + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.Cassandra != nil { + in, out := &in.Cassandra, &out.Cassandra + *out = make([]CassandraParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Couchbase != nil { + in, out := &in.Couchbase, &out.Couchbase + *out = make([]CouchbaseParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Data != nil { + in, out := &in.Data, &out.Data + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.Elasticsearch != nil { + in, out := &in.Elasticsearch, &out.Elasticsearch + *out = make([]ElasticsearchParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Hana != nil { + in, out := &in.Hana, &out.Hana + *out = make([]HanaParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Influxdb != nil { + in, out := &in.Influxdb, &out.Influxdb + *out = make([]InfluxdbParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Mongodb != nil { + in, out := &in.Mongodb, &out.Mongodb + *out = make([]MongodbParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Mongodbatlas != nil { + in, out := &in.Mongodbatlas, &out.Mongodbatlas + *out = make([]MongodbatlasParameters, len(*in)) + for i := range *in { + 
(*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Mssql != nil { + in, out := &in.Mssql, &out.Mssql + *out = make([]MssqlParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.MySQL != nil { + in, out := &in.MySQL, &out.MySQL + *out = make([]MySQLParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.MySQLAurora != nil { + in, out := &in.MySQLAurora, &out.MySQLAurora + *out = make([]MySQLAuroraParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.MySQLLegacy != nil { + in, out := &in.MySQLLegacy, &out.MySQLLegacy + *out = make([]MySQLLegacyParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.MySQLRDS != nil { + in, out := &in.MySQLRDS, &out.MySQLRDS + *out = make([]MySQLRDSParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Oracle != nil { + in, out := &in.Oracle, &out.Oracle + *out = make([]OracleParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.PluginName != nil { + in, out := &in.PluginName, &out.PluginName + *out = new(string) + **out = **in + } + if in.Postgresql != nil { + in, out := &in.Postgresql, &out.Postgresql + *out = make([]PostgresqlParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Redis != nil { + in, out := &in.Redis, &out.Redis + *out = make([]RedisParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.RedisElasticache != nil { + in, out := &in.RedisElasticache, &out.RedisElasticache + *out = make([]RedisElasticacheParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } 
+ if in.Redshift != nil { + in, out := &in.Redshift, &out.Redshift + *out = make([]RedshiftParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.RootRotationStatements != nil { + in, out := &in.RootRotationStatements, &out.RootRotationStatements + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Snowflake != nil { + in, out := &in.Snowflake, &out.Snowflake + *out = make([]SnowflakeParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.VerifyConnection != nil { + in, out := &in.VerifyConnection, &out.VerifyConnection + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendConnectionParameters. +func (in *SecretBackendConnectionParameters) DeepCopy() *SecretBackendConnectionParameters { + if in == nil { + return nil + } + out := new(SecretBackendConnectionParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendConnectionSpec) DeepCopyInto(out *SecretBackendConnectionSpec) { + *out = *in + in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) + in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendConnectionSpec. +func (in *SecretBackendConnectionSpec) DeepCopy() *SecretBackendConnectionSpec { + if in == nil { + return nil + } + out := new(SecretBackendConnectionSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *SecretBackendConnectionStatus) DeepCopyInto(out *SecretBackendConnectionStatus) { + *out = *in + in.ResourceStatus.DeepCopyInto(&out.ResourceStatus) + in.AtProvider.DeepCopyInto(&out.AtProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendConnectionStatus. +func (in *SecretBackendConnectionStatus) DeepCopy() *SecretBackendConnectionStatus { + if in == nil { + return nil + } + out := new(SecretBackendConnectionStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendRole) DeepCopyInto(out *SecretBackendRole) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRole. +func (in *SecretBackendRole) DeepCopy() *SecretBackendRole { + if in == nil { + return nil + } + out := new(SecretBackendRole) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *SecretBackendRole) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleInitParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.CreationStatements != nil { + in, out := &in.CreationStatements, &out.CreationStatements + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.DBName != nil { + in, out := &in.DBName, &out.DBName + *out = new(string) + **out = **in + } + if in.DefaultTTL != nil { + in, out := &in.DefaultTTL, &out.DefaultTTL + *out = new(float64) + **out = **in + } + if in.MaxTTL != nil { + in, out := &in.MaxTTL, &out.MaxTTL + *out = new(float64) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.RenewStatements != nil { + in, out := &in.RenewStatements, &out.RenewStatements + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.RevocationStatements != nil { + in, out := &in.RevocationStatements, &out.RevocationStatements + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.RollbackStatements != nil { + in, out := &in.RollbackStatements, &out.RollbackStatements + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleInitParameters. 
+func (in *SecretBackendRoleInitParameters) DeepCopy() *SecretBackendRoleInitParameters { + if in == nil { + return nil + } + out := new(SecretBackendRoleInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendRoleList) DeepCopyInto(out *SecretBackendRoleList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]SecretBackendRole, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleList. +func (in *SecretBackendRoleList) DeepCopy() *SecretBackendRoleList { + if in == nil { + return nil + } + out := new(SecretBackendRoleList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *SecretBackendRoleList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *SecretBackendRoleObservation) DeepCopyInto(out *SecretBackendRoleObservation) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.CreationStatements != nil { + in, out := &in.CreationStatements, &out.CreationStatements + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.DBName != nil { + in, out := &in.DBName, &out.DBName + *out = new(string) + **out = **in + } + if in.DefaultTTL != nil { + in, out := &in.DefaultTTL, &out.DefaultTTL + *out = new(float64) + **out = **in + } + if in.ID != nil { + in, out := &in.ID, &out.ID + *out = new(string) + **out = **in + } + if in.MaxTTL != nil { + in, out := &in.MaxTTL, &out.MaxTTL + *out = new(float64) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.RenewStatements != nil { + in, out := &in.RenewStatements, &out.RenewStatements + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.RevocationStatements != nil { + in, out := &in.RevocationStatements, &out.RevocationStatements + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.RollbackStatements != nil { + in, out := &in.RollbackStatements, &out.RollbackStatements + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleObservation. 
+func (in *SecretBackendRoleObservation) DeepCopy() *SecretBackendRoleObservation { + if in == nil { + return nil + } + out := new(SecretBackendRoleObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.CreationStatements != nil { + in, out := &in.CreationStatements, &out.CreationStatements + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.DBName != nil { + in, out := &in.DBName, &out.DBName + *out = new(string) + **out = **in + } + if in.DefaultTTL != nil { + in, out := &in.DefaultTTL, &out.DefaultTTL + *out = new(float64) + **out = **in + } + if in.MaxTTL != nil { + in, out := &in.MaxTTL, &out.MaxTTL + *out = new(float64) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.RenewStatements != nil { + in, out := &in.RenewStatements, &out.RenewStatements + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.RevocationStatements != nil { + in, out := &in.RevocationStatements, &out.RevocationStatements + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.RollbackStatements != nil { + in, out := &in.RollbackStatements, &out.RollbackStatements + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != 
nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleParameters. +func (in *SecretBackendRoleParameters) DeepCopy() *SecretBackendRoleParameters { + if in == nil { + return nil + } + out := new(SecretBackendRoleParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendRoleSpec) DeepCopyInto(out *SecretBackendRoleSpec) { + *out = *in + in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) + in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleSpec. +func (in *SecretBackendRoleSpec) DeepCopy() *SecretBackendRoleSpec { + if in == nil { + return nil + } + out := new(SecretBackendRoleSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendRoleStatus) DeepCopyInto(out *SecretBackendRoleStatus) { + *out = *in + in.ResourceStatus.DeepCopyInto(&out.ResourceStatus) + in.AtProvider.DeepCopyInto(&out.AtProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleStatus. +func (in *SecretBackendRoleStatus) DeepCopy() *SecretBackendRoleStatus { + if in == nil { + return nil + } + out := new(SecretBackendRoleStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *SecretBackendStaticRole) DeepCopyInto(out *SecretBackendStaticRole) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendStaticRole. +func (in *SecretBackendStaticRole) DeepCopy() *SecretBackendStaticRole { + if in == nil { + return nil + } + out := new(SecretBackendStaticRole) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *SecretBackendStaticRole) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendStaticRoleInitParameters) DeepCopyInto(out *SecretBackendStaticRoleInitParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.DBName != nil { + in, out := &in.DBName, &out.DBName + *out = new(string) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.RotationPeriod != nil { + in, out := &in.RotationPeriod, &out.RotationPeriod + *out = new(float64) + **out = **in + } + if in.RotationStatements != nil { + in, out := &in.RotationStatements, &out.RotationStatements + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, 
copying the receiver, creating a new SecretBackendStaticRoleInitParameters. +func (in *SecretBackendStaticRoleInitParameters) DeepCopy() *SecretBackendStaticRoleInitParameters { + if in == nil { + return nil + } + out := new(SecretBackendStaticRoleInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendStaticRoleList) DeepCopyInto(out *SecretBackendStaticRoleList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]SecretBackendStaticRole, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendStaticRoleList. +func (in *SecretBackendStaticRoleList) DeepCopy() *SecretBackendStaticRoleList { + if in == nil { + return nil + } + out := new(SecretBackendStaticRoleList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *SecretBackendStaticRoleList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *SecretBackendStaticRoleObservation) DeepCopyInto(out *SecretBackendStaticRoleObservation) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.DBName != nil { + in, out := &in.DBName, &out.DBName + *out = new(string) + **out = **in + } + if in.ID != nil { + in, out := &in.ID, &out.ID + *out = new(string) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.RotationPeriod != nil { + in, out := &in.RotationPeriod, &out.RotationPeriod + *out = new(float64) + **out = **in + } + if in.RotationStatements != nil { + in, out := &in.RotationStatements, &out.RotationStatements + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendStaticRoleObservation. +func (in *SecretBackendStaticRoleObservation) DeepCopy() *SecretBackendStaticRoleObservation { + if in == nil { + return nil + } + out := new(SecretBackendStaticRoleObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *SecretBackendStaticRoleParameters) DeepCopyInto(out *SecretBackendStaticRoleParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.DBName != nil { + in, out := &in.DBName, &out.DBName + *out = new(string) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.RotationPeriod != nil { + in, out := &in.RotationPeriod, &out.RotationPeriod + *out = new(float64) + **out = **in + } + if in.RotationStatements != nil { + in, out := &in.RotationStatements, &out.RotationStatements + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendStaticRoleParameters. +func (in *SecretBackendStaticRoleParameters) DeepCopy() *SecretBackendStaticRoleParameters { + if in == nil { + return nil + } + out := new(SecretBackendStaticRoleParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendStaticRoleSpec) DeepCopyInto(out *SecretBackendStaticRoleSpec) { + *out = *in + in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) + in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendStaticRoleSpec. 
+func (in *SecretBackendStaticRoleSpec) DeepCopy() *SecretBackendStaticRoleSpec { + if in == nil { + return nil + } + out := new(SecretBackendStaticRoleSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendStaticRoleStatus) DeepCopyInto(out *SecretBackendStaticRoleStatus) { + *out = *in + in.ResourceStatus.DeepCopyInto(&out.ResourceStatus) + in.AtProvider.DeepCopyInto(&out.AtProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendStaticRoleStatus. +func (in *SecretBackendStaticRoleStatus) DeepCopy() *SecretBackendStaticRoleStatus { + if in == nil { + return nil + } + out := new(SecretBackendStaticRoleStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretsMount) DeepCopyInto(out *SecretsMount) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMount. +func (in *SecretsMount) DeepCopy() *SecretsMount { + if in == nil { + return nil + } + out := new(SecretsMount) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *SecretsMount) DeepCopyObject() runtime.Object { if c := in.DeepCopy(); c != nil { return c } - return nil + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *SecretsMountCassandraInitParameters) DeepCopyInto(out *SecretsMountCassandraInitParameters) { + *out = *in + if in.AllowedRoles != nil { + in, out := &in.AllowedRoles, &out.AllowedRoles + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.ConnectTimeout != nil { + in, out := &in.ConnectTimeout, &out.ConnectTimeout + *out = new(float64) + **out = **in + } + if in.Data != nil { + in, out := &in.Data, &out.Data + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.Hosts != nil { + in, out := &in.Hosts, &out.Hosts + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.InsecureTLS != nil { + in, out := &in.InsecureTLS, &out.InsecureTLS + *out = new(bool) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.PluginName != nil { + in, out := &in.PluginName, &out.PluginName + *out = new(string) + **out = **in + } + if in.Port != nil { + in, out := &in.Port, &out.Port + *out = new(float64) + **out = **in + } + if in.ProtocolVersion != nil { + in, out := &in.ProtocolVersion, &out.ProtocolVersion + *out = new(float64) + **out = **in + } + if in.RootRotationStatements != nil { + in, out := &in.RootRotationStatements, &out.RootRotationStatements + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(bool) + **out = **in + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = 
new(string) + **out = **in + } + if in.VerifyConnection != nil { + in, out := &in.VerifyConnection, &out.VerifyConnection + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountCassandraInitParameters. +func (in *SecretsMountCassandraInitParameters) DeepCopy() *SecretsMountCassandraInitParameters { + if in == nil { + return nil + } + out := new(SecretsMountCassandraInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretsMountCassandraObservation) DeepCopyInto(out *SecretsMountCassandraObservation) { + *out = *in + if in.AllowedRoles != nil { + in, out := &in.AllowedRoles, &out.AllowedRoles + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.ConnectTimeout != nil { + in, out := &in.ConnectTimeout, &out.ConnectTimeout + *out = new(float64) + **out = **in + } + if in.Data != nil { + in, out := &in.Data, &out.Data + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.Hosts != nil { + in, out := &in.Hosts, &out.Hosts + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.InsecureTLS != nil { + in, out := &in.InsecureTLS, &out.InsecureTLS + *out = new(bool) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.PluginName != nil { + in, out := &in.PluginName, &out.PluginName + *out = new(string) + **out = **in + } + if in.Port != nil { + in, out := &in.Port, 
&out.Port + *out = new(float64) + **out = **in + } + if in.ProtocolVersion != nil { + in, out := &in.ProtocolVersion, &out.ProtocolVersion + *out = new(float64) + **out = **in + } + if in.RootRotationStatements != nil { + in, out := &in.RootRotationStatements, &out.RootRotationStatements + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(bool) + **out = **in + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } + if in.VerifyConnection != nil { + in, out := &in.VerifyConnection, &out.VerifyConnection + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountCassandraObservation. +func (in *SecretsMountCassandraObservation) DeepCopy() *SecretsMountCassandraObservation { + if in == nil { + return nil + } + out := new(SecretsMountCassandraObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *SecretsMountCassandraParameters) DeepCopyInto(out *SecretsMountCassandraParameters) { + *out = *in + if in.AllowedRoles != nil { + in, out := &in.AllowedRoles, &out.AllowedRoles + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.ConnectTimeout != nil { + in, out := &in.ConnectTimeout, &out.ConnectTimeout + *out = new(float64) + **out = **in + } + if in.Data != nil { + in, out := &in.Data, &out.Data + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.Hosts != nil { + in, out := &in.Hosts, &out.Hosts + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.InsecureTLS != nil { + in, out := &in.InsecureTLS, &out.InsecureTLS + *out = new(bool) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.PemBundleSecretRef != nil { + in, out := &in.PemBundleSecretRef, &out.PemBundleSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.PemJSONSecretRef != nil { + in, out := &in.PemJSONSecretRef, &out.PemJSONSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.PluginName != nil { + in, out := &in.PluginName, &out.PluginName + *out = new(string) + **out = **in + } + if in.Port != nil { + in, out := &in.Port, &out.Port + *out = new(float64) + **out = **in + } + if in.ProtocolVersion != nil { + in, out := &in.ProtocolVersion, &out.ProtocolVersion + *out = new(float64) + **out = **in + } + if 
in.RootRotationStatements != nil { + in, out := &in.RootRotationStatements, &out.RootRotationStatements + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(bool) + **out = **in + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } + if in.VerifyConnection != nil { + in, out := &in.VerifyConnection, &out.VerifyConnection + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountCassandraParameters. +func (in *SecretsMountCassandraParameters) DeepCopy() *SecretsMountCassandraParameters { + if in == nil { + return nil + } + out := new(SecretsMountCassandraParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *SecretsMountCouchbaseInitParameters) DeepCopyInto(out *SecretsMountCouchbaseInitParameters) { + *out = *in + if in.AllowedRoles != nil { + in, out := &in.AllowedRoles, &out.AllowedRoles + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BucketName != nil { + in, out := &in.BucketName, &out.BucketName + *out = new(string) + **out = **in + } + if in.Data != nil { + in, out := &in.Data, &out.Data + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.Hosts != nil { + in, out := &in.Hosts, &out.Hosts + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.InsecureTLS != nil { + in, out := &in.InsecureTLS, &out.InsecureTLS + *out = new(bool) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.PluginName != nil { + in, out := &in.PluginName, &out.PluginName + *out = new(string) + **out = **in + } + if in.RootRotationStatements != nil { + in, out := &in.RootRotationStatements, &out.RootRotationStatements + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(bool) + **out = **in + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) + **out = **in + } + if in.VerifyConnection != nil { + in, out := &in.VerifyConnection, 
&out.VerifyConnection + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountCouchbaseInitParameters. +func (in *SecretsMountCouchbaseInitParameters) DeepCopy() *SecretsMountCouchbaseInitParameters { + if in == nil { + return nil + } + out := new(SecretsMountCouchbaseInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretsMountCouchbaseObservation) DeepCopyInto(out *SecretsMountCouchbaseObservation) { + *out = *in + if in.AllowedRoles != nil { + in, out := &in.AllowedRoles, &out.AllowedRoles + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BucketName != nil { + in, out := &in.BucketName, &out.BucketName + *out = new(string) + **out = **in + } + if in.Data != nil { + in, out := &in.Data, &out.Data + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.Hosts != nil { + in, out := &in.Hosts, &out.Hosts + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.InsecureTLS != nil { + in, out := &in.InsecureTLS, &out.InsecureTLS + *out = new(bool) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.PluginName != nil { + in, out := &in.PluginName, &out.PluginName + *out = new(string) + **out = **in + } + if in.RootRotationStatements != nil { + in, out := &in.RootRotationStatements, &out.RootRotationStatements + *out = make([]*string, len(*in)) + for i := range 
*in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(bool) + **out = **in + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) + **out = **in + } + if in.VerifyConnection != nil { + in, out := &in.VerifyConnection, &out.VerifyConnection + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountCouchbaseObservation. +func (in *SecretsMountCouchbaseObservation) DeepCopy() *SecretsMountCouchbaseObservation { + if in == nil { + return nil + } + out := new(SecretsMountCouchbaseObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *SecretsMountCouchbaseParameters) DeepCopyInto(out *SecretsMountCouchbaseParameters) { + *out = *in + if in.AllowedRoles != nil { + in, out := &in.AllowedRoles, &out.AllowedRoles + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Base64PemSecretRef != nil { + in, out := &in.Base64PemSecretRef, &out.Base64PemSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.BucketName != nil { + in, out := &in.BucketName, &out.BucketName + *out = new(string) + **out = **in + } + if in.Data != nil { + in, out := &in.Data, &out.Data + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.Hosts != nil { + in, out := &in.Hosts, &out.Hosts + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.InsecureTLS != nil { + in, out := &in.InsecureTLS, &out.InsecureTLS + *out = new(bool) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + out.PasswordSecretRef = in.PasswordSecretRef + if in.PluginName != nil { + in, out := &in.PluginName, &out.PluginName + *out = new(string) + **out = **in + } + if in.RootRotationStatements != nil { + in, out := &in.RootRotationStatements, &out.RootRotationStatements + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(bool) + **out = **in + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } + if in.UsernameTemplate 
!= nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) + **out = **in + } + if in.VerifyConnection != nil { + in, out := &in.VerifyConnection, &out.VerifyConnection + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountCouchbaseParameters. +func (in *SecretsMountCouchbaseParameters) DeepCopy() *SecretsMountCouchbaseParameters { + if in == nil { + return nil + } + out := new(SecretsMountCouchbaseParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretsMountElasticsearchInitParameters) DeepCopyInto(out *SecretsMountElasticsearchInitParameters) { + *out = *in + if in.AllowedRoles != nil { + in, out := &in.AllowedRoles, &out.AllowedRoles + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.CACert != nil { + in, out := &in.CACert, &out.CACert + *out = new(string) + **out = **in + } + if in.CAPath != nil { + in, out := &in.CAPath, &out.CAPath + *out = new(string) + **out = **in + } + if in.ClientCert != nil { + in, out := &in.ClientCert, &out.ClientCert + *out = new(string) + **out = **in + } + if in.ClientKey != nil { + in, out := &in.ClientKey, &out.ClientKey + *out = new(string) + **out = **in + } + if in.Data != nil { + in, out := &in.Data, &out.Data + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.Insecure != nil { + in, out := &in.Insecure, &out.Insecure + *out = new(bool) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.PluginName 
!= nil { + in, out := &in.PluginName, &out.PluginName + *out = new(string) + **out = **in + } + if in.RootRotationStatements != nil { + in, out := &in.RootRotationStatements, &out.RootRotationStatements + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TLSServerName != nil { + in, out := &in.TLSServerName, &out.TLSServerName + *out = new(string) + **out = **in + } + if in.URL != nil { + in, out := &in.URL, &out.URL + *out = new(string) + **out = **in + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) + **out = **in + } + if in.VerifyConnection != nil { + in, out := &in.VerifyConnection, &out.VerifyConnection + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountElasticsearchInitParameters. +func (in *SecretsMountElasticsearchInitParameters) DeepCopy() *SecretsMountElasticsearchInitParameters { + if in == nil { + return nil + } + out := new(SecretsMountElasticsearchInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *SecretsMountElasticsearchObservation) DeepCopyInto(out *SecretsMountElasticsearchObservation) { + *out = *in + if in.AllowedRoles != nil { + in, out := &in.AllowedRoles, &out.AllowedRoles + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.CACert != nil { + in, out := &in.CACert, &out.CACert + *out = new(string) + **out = **in + } + if in.CAPath != nil { + in, out := &in.CAPath, &out.CAPath + *out = new(string) + **out = **in + } + if in.ClientCert != nil { + in, out := &in.ClientCert, &out.ClientCert + *out = new(string) + **out = **in + } + if in.ClientKey != nil { + in, out := &in.ClientKey, &out.ClientKey + *out = new(string) + **out = **in + } + if in.Data != nil { + in, out := &in.Data, &out.Data + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.Insecure != nil { + in, out := &in.Insecure, &out.Insecure + *out = new(bool) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.PluginName != nil { + in, out := &in.PluginName, &out.PluginName + *out = new(string) + **out = **in + } + if in.RootRotationStatements != nil { + in, out := &in.RootRotationStatements, &out.RootRotationStatements + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TLSServerName != nil { + in, out := &in.TLSServerName, &out.TLSServerName + *out = new(string) + **out = **in + } + if in.URL != nil { + in, out := &in.URL, &out.URL + *out = new(string) + **out = **in + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } + if 
in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) + **out = **in + } + if in.VerifyConnection != nil { + in, out := &in.VerifyConnection, &out.VerifyConnection + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountElasticsearchObservation. +func (in *SecretsMountElasticsearchObservation) DeepCopy() *SecretsMountElasticsearchObservation { + if in == nil { + return nil + } + out := new(SecretsMountElasticsearchObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretsMountElasticsearchParameters) DeepCopyInto(out *SecretsMountElasticsearchParameters) { + *out = *in + if in.AllowedRoles != nil { + in, out := &in.AllowedRoles, &out.AllowedRoles + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.CACert != nil { + in, out := &in.CACert, &out.CACert + *out = new(string) + **out = **in + } + if in.CAPath != nil { + in, out := &in.CAPath, &out.CAPath + *out = new(string) + **out = **in + } + if in.ClientCert != nil { + in, out := &in.ClientCert, &out.ClientCert + *out = new(string) + **out = **in + } + if in.ClientKey != nil { + in, out := &in.ClientKey, &out.ClientKey + *out = new(string) + **out = **in + } + if in.Data != nil { + in, out := &in.Data, &out.Data + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.Insecure != nil { + in, out := &in.Insecure, &out.Insecure + *out = new(bool) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + 
**out = **in + } + out.PasswordSecretRef = in.PasswordSecretRef + if in.PluginName != nil { + in, out := &in.PluginName, &out.PluginName + *out = new(string) + **out = **in + } + if in.RootRotationStatements != nil { + in, out := &in.RootRotationStatements, &out.RootRotationStatements + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TLSServerName != nil { + in, out := &in.TLSServerName, &out.TLSServerName + *out = new(string) + **out = **in + } + if in.URL != nil { + in, out := &in.URL, &out.URL + *out = new(string) + **out = **in + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) + **out = **in + } + if in.VerifyConnection != nil { + in, out := &in.VerifyConnection, &out.VerifyConnection + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountElasticsearchParameters. +func (in *SecretsMountElasticsearchParameters) DeepCopy() *SecretsMountElasticsearchParameters { + if in == nil { + return nil + } + out := new(SecretsMountElasticsearchParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *SecretsMountHanaInitParameters) DeepCopyInto(out *SecretsMountHanaInitParameters) { + *out = *in + if in.AllowedRoles != nil { + in, out := &in.AllowedRoles, &out.AllowedRoles + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.ConnectionURL != nil { + in, out := &in.ConnectionURL, &out.ConnectionURL + *out = new(string) + **out = **in + } + if in.Data != nil { + in, out := &in.Data, &out.Data + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.DisableEscaping != nil { + in, out := &in.DisableEscaping, &out.DisableEscaping + *out = new(bool) + **out = **in + } + if in.MaxConnectionLifetime != nil { + in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime + *out = new(float64) + **out = **in + } + if in.MaxIdleConnections != nil { + in, out := &in.MaxIdleConnections, &out.MaxIdleConnections + *out = new(float64) + **out = **in + } + if in.MaxOpenConnections != nil { + in, out := &in.MaxOpenConnections, &out.MaxOpenConnections + *out = new(float64) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.PluginName != nil { + in, out := &in.PluginName, &out.PluginName + *out = new(string) + **out = **in + } + if in.RootRotationStatements != nil { + in, out := &in.RootRotationStatements, &out.RootRotationStatements + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } + if in.VerifyConnection != nil { + in, out := &in.VerifyConnection, &out.VerifyConnection + 
*out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountHanaInitParameters. +func (in *SecretsMountHanaInitParameters) DeepCopy() *SecretsMountHanaInitParameters { + if in == nil { + return nil + } + out := new(SecretsMountHanaInitParameters) + in.DeepCopyInto(out) + return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretBackendConnectionObservation) DeepCopyInto(out *SecretBackendConnectionObservation) { +func (in *SecretsMountHanaObservation) DeepCopyInto(out *SecretsMountHanaObservation) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles 
@@ -1761,24 +4945,209 @@ func (in *SecretBackendConnectionObservation) DeepCopyInto(out *SecretBackendCon } } } - if in.Backend != nil { - in, out := &in.Backend, &out.Backend + if in.ConnectionURL != nil { + in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) **out = **in } - if in.Cassandra != nil { - in, out := &in.Cassandra, &out.Cassandra - *out = make([]CassandraObservation, len(*in)) + if in.Data != nil { + in, out := &in.Data, &out.Data + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.DisableEscaping != nil { + in, out := &in.DisableEscaping, &out.DisableEscaping + *out = new(bool) + **out = **in + } + if in.MaxConnectionLifetime != nil { + in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime + *out = new(float64) + **out = **in + } + if in.MaxIdleConnections != nil { + in, out := &in.MaxIdleConnections, &out.MaxIdleConnections + *out = new(float64) + **out = **in + } + if in.MaxOpenConnections != nil { + in, out := &in.MaxOpenConnections, &out.MaxOpenConnections + *out = new(float64) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.PluginName != nil { + in, out := &in.PluginName, &out.PluginName + *out = new(string) + **out = **in + } + if in.RootRotationStatements != nil { + in, out := &in.RootRotationStatements, &out.RootRotationStatements + *out = make([]*string, len(*in)) for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } + if in.VerifyConnection != nil { + in, out := &in.VerifyConnection, &out.VerifyConnection + *out = new(bool) + **out = 
**in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountHanaObservation. +func (in *SecretsMountHanaObservation) DeepCopy() *SecretsMountHanaObservation { + if in == nil { + return nil + } + out := new(SecretsMountHanaObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretsMountHanaParameters) DeepCopyInto(out *SecretsMountHanaParameters) { + *out = *in + if in.AllowedRoles != nil { + in, out := &in.AllowedRoles, &out.AllowedRoles + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.ConnectionURL != nil { + in, out := &in.ConnectionURL, &out.ConnectionURL + *out = new(string) + **out = **in + } + if in.Data != nil { + in, out := &in.Data, &out.Data + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.DisableEscaping != nil { + in, out := &in.DisableEscaping, &out.DisableEscaping + *out = new(bool) + **out = **in + } + if in.MaxConnectionLifetime != nil { + in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime + *out = new(float64) + **out = **in + } + if in.MaxIdleConnections != nil { + in, out := &in.MaxIdleConnections, &out.MaxIdleConnections + *out = new(float64) + **out = **in + } + if in.MaxOpenConnections != nil { + in, out := &in.MaxOpenConnections, &out.MaxOpenConnections + *out = new(float64) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + 
} + if in.PluginName != nil { + in, out := &in.PluginName, &out.PluginName + *out = new(string) + **out = **in + } + if in.RootRotationStatements != nil { + in, out := &in.RootRotationStatements, &out.RootRotationStatements + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } + if in.VerifyConnection != nil { + in, out := &in.VerifyConnection, &out.VerifyConnection + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountHanaParameters. +func (in *SecretsMountHanaParameters) DeepCopy() *SecretsMountHanaParameters { + if in == nil { + return nil + } + out := new(SecretsMountHanaParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretsMountInfluxdbInitParameters) DeepCopyInto(out *SecretsMountInfluxdbInitParameters) { + *out = *in + if in.AllowedRoles != nil { + in, out := &in.AllowedRoles, &out.AllowedRoles + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } } } - if in.Couchbase != nil { - in, out := &in.Couchbase, &out.Couchbase - *out = make([]CouchbaseObservation, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } + if in.ConnectTimeout != nil { + in, out := &in.ConnectTimeout, &out.ConnectTimeout + *out = new(float64) + **out = **in } if in.Data != nil { in, out := &in.Data, &out.Data 
@@ -1795,130 +5164,30 @@ func (in *SecretBackendConnectionObservation) DeepCopyInto(out *SecretBackendCon (*out)[key] = outVal } } - if in.Elasticsearch != nil { - in, out := &in.Elasticsearch, &out.Elasticsearch - *out = make([]ElasticsearchObservation, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.Hana != nil { - in, out := &in.Hana, &out.Hana - *out = make([]HanaObservation, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.ID != nil { - in, out := &in.ID, &out.ID + if in.Host != nil { + in, out := &in.Host, &out.Host *out = new(string) **out = **in } - if in.Influxdb != nil { - in, out := &in.Influxdb, &out.Influxdb - *out = make([]InfluxdbObservation, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.Mongodb != nil { - in, out := &in.Mongodb, &out.Mongodb - *out = make([]MongodbObservation, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.Mongodbatlas != nil { - in, out := &in.Mongodbatlas, &out.Mongodbatlas - *out = make([]MongodbatlasObservation, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.Mssql != nil { - in, out := &in.Mssql, &out.Mssql - *out = make([]MssqlObservation, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.MySQL != nil { - in, out := &in.MySQL, &out.MySQL - *out = make([]MySQLObservation, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.MySQLAurora != nil { - in, out := &in.MySQLAurora, &out.MySQLAurora - *out = make([]MySQLAuroraObservation, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.MySQLLegacy != nil { - in, out := &in.MySQLLegacy, &out.MySQLLegacy - *out = make([]MySQLLegacyObservation, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.MySQLRDS != nil { - in, out := &in.MySQLRDS, &out.MySQLRDS - *out = 
make([]MySQLRDSObservation, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } + if in.InsecureTLS != nil { + in, out := &in.InsecureTLS, &out.InsecureTLS + *out = new(bool) + **out = **in } if in.Name != nil { in, out := &in.Name, &out.Name *out = new(string) **out = **in } - if in.Namespace != nil { - in, out := &in.Namespace, &out.Namespace - *out = new(string) - **out = **in - } - if in.Oracle != nil { - in, out := &in.Oracle, &out.Oracle - *out = make([]OracleObservation, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) **out = **in } - if in.Postgresql != nil { - in, out := &in.Postgresql, &out.Postgresql - *out = make([]PostgresqlObservation, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.Redis != nil { - in, out := &in.Redis, &out.Redis - *out = make([]RedisObservation, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.RedisElasticache != nil { - in, out := &in.RedisElasticache, &out.RedisElasticache - *out = make([]RedisElasticacheObservation, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.Redshift != nil { - in, out := &in.Redshift, &out.Redshift - *out = make([]RedshiftObservation, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } + if in.Port != nil { + in, out := &in.Port, &out.Port + *out = new(float64) + **out = **in } if in.RootRotationStatements != nil { in, out := &in.RootRotationStatements, &out.RootRotationStatements 
@@ -1931,12 +5200,20 @@ func (in *SecretBackendConnectionObservation) DeepCopyInto(out *SecretBackendCon } } } - if in.Snowflake != nil { - in, out := &in.Snowflake, &out.Snowflake - *out = make([]SnowflakeObservation, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(bool) + **out = **in + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) + **out = **in } if in.VerifyConnection != nil { in, out := &in.VerifyConnection, &out.VerifyConnection @@ -1945,18 +5222,18 @@ func (in *SecretBackendConnectionObservation) DeepCopyInto(out *SecretBackendCon } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendConnectionObservation. -func (in *SecretBackendConnectionObservation) DeepCopy() *SecretBackendConnectionObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountInfluxdbInitParameters. +func (in *SecretsMountInfluxdbInitParameters) DeepCopy() *SecretsMountInfluxdbInitParameters { if in == nil { return nil } - out := new(SecretBackendConnectionObservation) + out := new(SecretsMountInfluxdbInitParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretBackendConnectionParameters) DeepCopyInto(out *SecretBackendConnectionParameters) { +func (in *SecretsMountInfluxdbObservation) DeepCopyInto(out *SecretsMountInfluxdbObservation) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles 
@@ -1969,25 +5246,11 @@ func (in *SecretBackendConnectionParameters) DeepCopyInto(out *SecretBackendConn } } } - if in.Backend != nil { - in, out := &in.Backend, &out.Backend - *out = new(string) + if in.ConnectTimeout != nil { + in, out := &in.ConnectTimeout, &out.ConnectTimeout + *out = new(float64) **out = **in } - if in.Cassandra != nil { - in, out := &in.Cassandra, &out.Cassandra - *out = make([]CassandraParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.Couchbase != nil { - in, out := &in.Couchbase, &out.Couchbase - *out = make([]CouchbaseParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } if in.Data != nil { in, out := &in.Data, &out.Data *out = make(map[string]*string, len(*in)) 
@@ -2003,125 +5266,30 @@ func (in *SecretBackendConnectionParameters) DeepCopyInto(out *SecretBackendConn (*out)[key] = outVal } } - if in.Elasticsearch != nil { - in, out := &in.Elasticsearch, &out.Elasticsearch - *out = make([]ElasticsearchParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.Hana != nil { - in, out := &in.Hana, &out.Hana - *out = make([]HanaParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.Influxdb != nil { - in, out := &in.Influxdb, &out.Influxdb - *out = make([]InfluxdbParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.Mongodb != nil { - in, out := &in.Mongodb, &out.Mongodb - *out = make([]MongodbParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.Mongodbatlas != nil { - in, out := &in.Mongodbatlas, &out.Mongodbatlas - *out = make([]MongodbatlasParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.Mssql != nil { - in, out := &in.Mssql, &out.Mssql - *out = make([]MssqlParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.MySQL != nil { - in, out := &in.MySQL, &out.MySQL - *out = make([]MySQLParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.MySQLAurora != nil { - in, out := &in.MySQLAurora, &out.MySQLAurora - *out = make([]MySQLAuroraParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.MySQLLegacy != nil { - in, out := &in.MySQLLegacy, &out.MySQLLegacy - *out = make([]MySQLLegacyParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.MySQLRDS != nil { - in, out := &in.MySQLRDS, &out.MySQLRDS - *out = make([]MySQLRDSParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.Name != nil { - in, out := &in.Name, 
&out.Name + if in.Host != nil { + in, out := &in.Host, &out.Host *out = new(string) **out = **in } - if in.Namespace != nil { - in, out := &in.Namespace, &out.Namespace + if in.InsecureTLS != nil { + in, out := &in.InsecureTLS, &out.InsecureTLS + *out = new(bool) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name *out = new(string) **out = **in } - if in.Oracle != nil { - in, out := &in.Oracle, &out.Oracle - *out = make([]OracleParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) **out = **in } - if in.Postgresql != nil { - in, out := &in.Postgresql, &out.Postgresql - *out = make([]PostgresqlParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.Redis != nil { - in, out := &in.Redis, &out.Redis - *out = make([]RedisParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.RedisElasticache != nil { - in, out := &in.RedisElasticache, &out.RedisElasticache - *out = make([]RedisElasticacheParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.Redshift != nil { - in, out := &in.Redshift, &out.Redshift - *out = make([]RedshiftParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } + if in.Port != nil { + in, out := &in.Port, &out.Port + *out = new(float64) + **out = **in } if in.RootRotationStatements != nil { in, out := &in.RootRotationStatements, &out.RootRotationStatements 
@@ -2134,12 +5302,20 @@ func (in *SecretBackendConnectionParameters) DeepCopyInto(out *SecretBackendConn } } } - if in.Snowflake != nil { - in, out := &in.Snowflake, &out.Snowflake - *out = make([]SnowflakeParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(bool) + **out = **in + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) + **out = **in } if in.VerifyConnection != nil { in, out := &in.VerifyConnection, &out.VerifyConnection 
@@ -2148,119 +5324,88 @@ func (in *SecretBackendConnectionParameters) DeepCopyInto(out *SecretBackendConn } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendConnectionParameters. -func (in *SecretBackendConnectionParameters) DeepCopy() *SecretBackendConnectionParameters { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountInfluxdbObservation. +func (in *SecretsMountInfluxdbObservation) DeepCopy() *SecretsMountInfluxdbObservation { if in == nil { return nil } - out := new(SecretBackendConnectionParameters) + out := new(SecretsMountInfluxdbObservation) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretBackendConnectionSpec) DeepCopyInto(out *SecretBackendConnectionSpec) { +func (in *SecretsMountInfluxdbParameters) DeepCopyInto(out *SecretsMountInfluxdbParameters) { *out = *in - in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) - in.ForProvider.DeepCopyInto(&out.ForProvider) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendConnectionSpec. -func (in *SecretBackendConnectionSpec) DeepCopy() *SecretBackendConnectionSpec { - if in == nil { - return nil + if in.AllowedRoles != nil { + in, out := &in.AllowedRoles, &out.AllowedRoles + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } } - out := new(SecretBackendConnectionSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
-func (in *SecretBackendConnectionStatus) DeepCopyInto(out *SecretBackendConnectionStatus) { - *out = *in - in.ResourceStatus.DeepCopyInto(&out.ResourceStatus) - in.AtProvider.DeepCopyInto(&out.AtProvider) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendConnectionStatus. -func (in *SecretBackendConnectionStatus) DeepCopy() *SecretBackendConnectionStatus { - if in == nil { - return nil + if in.ConnectTimeout != nil { + in, out := &in.ConnectTimeout, &out.ConnectTimeout + *out = new(float64) + **out = **in } - out := new(SecretBackendConnectionStatus) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretBackendRole) DeepCopyInto(out *SecretBackendRole) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - in.Status.DeepCopyInto(&out.Status) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRole. -func (in *SecretBackendRole) DeepCopy() *SecretBackendRole { - if in == nil { - return nil + if in.Data != nil { + in, out := &in.Data, &out.Data + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } } - out := new(SecretBackendRole) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
-func (in *SecretBackendRole) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c + if in.Host != nil { + in, out := &in.Host, &out.Host + *out = new(string) + **out = **in } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretBackendRoleList) DeepCopyInto(out *SecretBackendRoleList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]SecretBackendRole, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } + if in.InsecureTLS != nil { + in, out := &in.InsecureTLS, &out.InsecureTLS + *out = new(bool) + **out = **in } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleList. -func (in *SecretBackendRoleList) DeepCopy() *SecretBackendRoleList { - if in == nil { - return nil + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in } - out := new(SecretBackendRoleList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *SecretBackendRoleList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c + out.PasswordSecretRef = in.PasswordSecretRef + if in.PemBundleSecretRef != nil { + in, out := &in.PemBundleSecretRef, &out.PemBundleSecretRef + *out = new(v1.SecretKeySelector) + **out = **in } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
-func (in *SecretBackendRoleObservation) DeepCopyInto(out *SecretBackendRoleObservation) { - *out = *in - if in.Backend != nil { - in, out := &in.Backend, &out.Backend + if in.PemJSONSecretRef != nil { + in, out := &in.PemJSONSecretRef, &out.PemJSONSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.PluginName != nil { + in, out := &in.PluginName, &out.PluginName *out = new(string) **out = **in } - if in.CreationStatements != nil { - in, out := &in.CreationStatements, &out.CreationStatements + if in.Port != nil { + in, out := &in.Port, &out.Port + *out = new(float64) + **out = **in + } + if in.RootRotationStatements != nil { + in, out := &in.RootRotationStatements, &out.RootRotationStatements *out = make([]*string, len(*in)) for i := range *in { if (*in)[i] != nil { 
@@ -2270,38 +5415,43 @@ func (in *SecretBackendRoleObservation) DeepCopyInto(out *SecretBackendRoleObser } } } - if in.DBName != nil { - in, out := &in.DBName, &out.DBName - *out = new(string) - **out = **in - } - if in.DefaultTTL != nil { - in, out := &in.DefaultTTL, &out.DefaultTTL - *out = new(float64) + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(bool) **out = **in } - if in.ID != nil { - in, out := &in.ID, &out.ID + if in.Username != nil { + in, out := &in.Username, &out.Username *out = new(string) **out = **in } - if in.MaxTTL != nil { - in, out := &in.MaxTTL, &out.MaxTTL - *out = new(float64) - **out = **in - } - if in.Name != nil { - in, out := &in.Name, &out.Name + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate *out = new(string) **out = **in } - if in.Namespace != nil { - in, out := &in.Namespace, &out.Namespace - *out = new(string) + if in.VerifyConnection != nil { + in, out := &in.VerifyConnection, &out.VerifyConnection + *out = new(bool) **out = **in } - if in.RenewStatements != nil { - in, out := &in.RenewStatements, &out.RenewStatements +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountInfluxdbParameters. +func (in *SecretsMountInfluxdbParameters) DeepCopy() *SecretsMountInfluxdbParameters { + if in == nil { + return nil + } + out := new(SecretsMountInfluxdbParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretsMountInitParameters) DeepCopyInto(out *SecretsMountInitParameters) { + *out = *in + if in.AllowedManagedKeys != nil { + in, out := &in.AllowedManagedKeys, &out.AllowedManagedKeys *out = make([]*string, len(*in)) for i := range *in { if (*in)[i] != nil { 
@@ -2311,8 +5461,8 @@ func (in *SecretBackendRoleObservation) DeepCopyInto(out *SecretBackendRoleObser } } } - if in.RevocationStatements != nil { - in, out := &in.RevocationStatements, &out.RevocationStatements + if in.AuditNonHMACRequestKeys != nil { + in, out := &in.AuditNonHMACRequestKeys, &out.AuditNonHMACRequestKeys *out = make([]*string, len(*in)) for i := range *in { if (*in)[i] != nil { @@ -2322,8 +5472,8 @@ func (in *SecretBackendRoleObservation) DeepCopyInto(out *SecretBackendRoleObser } } } - if in.RollbackStatements != nil { - in, out := &in.RollbackStatements, &out.RollbackStatements + if in.AuditNonHMACResponseKeys != nil { + in, out := &in.AuditNonHMACResponseKeys, &out.AuditNonHMACResponseKeys *out = make([]*string, len(*in)) for i := range *in { if (*in)[i] != nil { 
@@ -2333,194 +5483,225 @@ func (in *SecretBackendRoleObservation) DeepCopyInto(out *SecretBackendRoleObser } } } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleObservation. -func (in *SecretBackendRoleObservation) DeepCopy() *SecretBackendRoleObservation { - if in == nil { - return nil + if in.Cassandra != nil { + in, out := &in.Cassandra, &out.Cassandra + *out = make([]SecretsMountCassandraInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } } - out := new(SecretBackendRoleObservation) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParameters) { - *out = *in - if in.Backend != nil { - in, out := &in.Backend, &out.Backend + if in.Couchbase != nil { + in, out := &in.Couchbase, &out.Couchbase + *out = make([]SecretsMountCouchbaseInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.DefaultLeaseTTLSeconds != nil { + in, out := &in.DefaultLeaseTTLSeconds, &out.DefaultLeaseTTLSeconds + *out = new(float64) + **out = **in + } + if in.Description != nil { + in, out := &in.Description, &out.Description *out = new(string) **out = **in } - if in.CreationStatements != nil { - in, out := &in.CreationStatements, &out.CreationStatements - *out = make([]*string, len(*in)) + if in.Elasticsearch != nil { + in, out := &in.Elasticsearch, &out.Elasticsearch + *out = make([]SecretsMountElasticsearchInitParameters, len(*in)) for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(string) - **out = **in - } + (*in)[i].DeepCopyInto(&(*out)[i]) } } - if in.DBName != nil { - in, out := &in.DBName, &out.DBName - *out = new(string) + if in.ExternalEntropyAccess != nil { + in, out := &in.ExternalEntropyAccess, 
&out.ExternalEntropyAccess + *out = new(bool) **out = **in } - if in.DefaultTTL != nil { - in, out := &in.DefaultTTL, &out.DefaultTTL - *out = new(float64) + if in.Hana != nil { + in, out := &in.Hana, &out.Hana + *out = make([]SecretsMountHanaInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Influxdb != nil { + in, out := &in.Influxdb, &out.Influxdb + *out = make([]SecretsMountInfluxdbInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Local != nil { + in, out := &in.Local, &out.Local + *out = new(bool) **out = **in } - if in.MaxTTL != nil { - in, out := &in.MaxTTL, &out.MaxTTL + if in.MaxLeaseTTLSeconds != nil { + in, out := &in.MaxLeaseTTLSeconds, &out.MaxLeaseTTLSeconds *out = new(float64) **out = **in } - if in.Name != nil { - in, out := &in.Name, &out.Name - *out = new(string) - **out = **in + if in.Mongodb != nil { + in, out := &in.Mongodb, &out.Mongodb + *out = make([]SecretsMountMongodbInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Mongodbatlas != nil { + in, out := &in.Mongodbatlas, &out.Mongodbatlas + *out = make([]SecretsMountMongodbatlasInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Mssql != nil { + in, out := &in.Mssql, &out.Mssql + *out = make([]SecretsMountMssqlInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.MySQL != nil { + in, out := &in.MySQL, &out.MySQL + *out = make([]SecretsMountMySQLInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.MySQLAurora != nil { + in, out := &in.MySQLAurora, &out.MySQLAurora + *out = make([]SecretsMountMySQLAuroraInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.MySQLLegacy != nil { + in, out := &in.MySQLLegacy, &out.MySQLLegacy + *out = 
make([]SecretsMountMySQLLegacyInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.MySQLRDS != nil { + in, out := &in.MySQLRDS, &out.MySQLRDS + *out = make([]SecretsMountMySQLRDSInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) **out = **in } - if in.RenewStatements != nil { - in, out := &in.RenewStatements, &out.RenewStatements - *out = make([]*string, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] + if in.Options != nil { + in, out := &in.Options, &out.Options + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal *out = new(string) **out = **in } + (*out)[key] = outVal } } - if in.RevocationStatements != nil { - in, out := &in.RevocationStatements, &out.RevocationStatements - *out = make([]*string, len(*in)) + if in.Oracle != nil { + in, out := &in.Oracle, &out.Oracle + *out = make([]SecretsMountOracleInitParameters, len(*in)) for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(string) - **out = **in - } + (*in)[i].DeepCopyInto(&(*out)[i]) } } - if in.RollbackStatements != nil { - in, out := &in.RollbackStatements, &out.RollbackStatements - *out = make([]*string, len(*in)) + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = **in + } + if in.Postgresql != nil { + in, out := &in.Postgresql, &out.Postgresql + *out = make([]SecretsMountPostgresqlInitParameters, len(*in)) for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(string) - **out = **in - } + (*in)[i].DeepCopyInto(&(*out)[i]) } } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleParameters. 
-func (in *SecretBackendRoleParameters) DeepCopy() *SecretBackendRoleParameters { - if in == nil { - return nil + if in.Redis != nil { + in, out := &in.Redis, &out.Redis + *out = make([]SecretsMountRedisInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } } - out := new(SecretBackendRoleParameters) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretBackendRoleSpec) DeepCopyInto(out *SecretBackendRoleSpec) { - *out = *in - in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) - in.ForProvider.DeepCopyInto(&out.ForProvider) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleSpec. -func (in *SecretBackendRoleSpec) DeepCopy() *SecretBackendRoleSpec { - if in == nil { - return nil + if in.RedisElasticache != nil { + in, out := &in.RedisElasticache, &out.RedisElasticache + *out = make([]SecretsMountRedisElasticacheInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } } - out := new(SecretBackendRoleSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretBackendRoleStatus) DeepCopyInto(out *SecretBackendRoleStatus) { - *out = *in - in.ResourceStatus.DeepCopyInto(&out.ResourceStatus) - in.AtProvider.DeepCopyInto(&out.AtProvider) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleStatus. 
-func (in *SecretBackendRoleStatus) DeepCopy() *SecretBackendRoleStatus { - if in == nil { - return nil + if in.Redshift != nil { + in, out := &in.Redshift, &out.Redshift + *out = make([]SecretsMountRedshiftInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.SealWrap != nil { + in, out := &in.SealWrap, &out.SealWrap + *out = new(bool) + **out = **in + } + if in.Snowflake != nil { + in, out := &in.Snowflake, &out.Snowflake + *out = make([]SecretsMountSnowflakeInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } } - out := new(SecretBackendRoleStatus) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretBackendStaticRole) DeepCopyInto(out *SecretBackendStaticRole) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - in.Status.DeepCopyInto(&out.Status) } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendStaticRole. -func (in *SecretBackendStaticRole) DeepCopy() *SecretBackendStaticRole { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountInitParameters. +func (in *SecretsMountInitParameters) DeepCopy() *SecretsMountInitParameters { if in == nil { return nil } - out := new(SecretBackendStaticRole) + out := new(SecretsMountInitParameters) in.DeepCopyInto(out) return out } -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *SecretBackendStaticRole) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
-func (in *SecretBackendStaticRoleList) DeepCopyInto(out *SecretBackendStaticRoleList) { +func (in *SecretsMountList) DeepCopyInto(out *SecretsMountList) { *out = *in out.TypeMeta = in.TypeMeta in.ListMeta.DeepCopyInto(&out.ListMeta) if in.Items != nil { in, out := &in.Items, &out.Items - *out = make([]SecretBackendStaticRole, len(*in)) + *out = make([]SecretsMount, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendStaticRoleList. -func (in *SecretBackendStaticRoleList) DeepCopy() *SecretBackendStaticRoleList { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountList. +func (in *SecretsMountList) DeepCopy() *SecretsMountList { if in == nil { return nil } - out := new(SecretBackendStaticRoleList) + out := new(SecretsMountList) in.DeepCopyInto(out) return out } // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *SecretBackendStaticRoleList) DeepCopyObject() runtime.Object { +func (in *SecretsMountList) DeepCopyObject() runtime.Object { if c := in.DeepCopy(); c != nil { return c } 
@@ -2528,21 +5709,52 @@ func (in *SecretBackendStaticRoleList) DeepCopyObject() runtime.Object { } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretBackendStaticRoleObservation) DeepCopyInto(out *SecretBackendStaticRoleObservation) { +func (in *SecretsMountMongodbInitParameters) DeepCopyInto(out *SecretsMountMongodbInitParameters) { *out = *in - if in.Backend != nil { - in, out := &in.Backend, &out.Backend + if in.AllowedRoles != nil { + in, out := &in.AllowedRoles, &out.AllowedRoles + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.ConnectionURL != nil { + in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) **out = **in } - if in.DBName != nil { - in, out := &in.DBName, &out.DBName - *out = new(string) + if in.Data != nil { + in, out := &in.Data, &out.Data + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.MaxConnectionLifetime != nil { + in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime + *out = new(float64) **out = **in } - if in.ID != nil { - in, out := &in.ID, &out.ID - *out = new(string) + if in.MaxIdleConnections != nil { + in, out := &in.MaxIdleConnections, &out.MaxIdleConnections + *out = new(float64) + **out = **in + } + if in.MaxOpenConnections != nil { + in, out := &in.MaxOpenConnections, &out.MaxOpenConnections + *out = new(float64) **out = **in } if in.Name != nil { 
@@ -2550,18 +5762,13 @@ func (in *SecretBackendStaticRoleObservation) DeepCopyInto(out *SecretBackendSta *out = new(string) **out = **in } - if in.Namespace != nil { - in, out := &in.Namespace, &out.Namespace + if in.PluginName != nil { + in, out := &in.PluginName, &out.PluginName *out = new(string) **out = **in } - if in.RotationPeriod != nil { - in, out := &in.RotationPeriod, &out.RotationPeriod - *out = new(float64) - **out = **in - } - if in.RotationStatements != nil { - in, out := &in.RotationStatements, &out.RotationStatements + if in.RootRotationStatements != nil { + in, out := &in.RootRotationStatements, &out.RootRotationStatements *out = make([]*string, len(*in)) for i := range *in { if (*in)[i] != nil { 
@@ -2576,29 +5783,75 @@ func (in *SecretBackendStaticRoleObservation) DeepCopyInto(out *SecretBackendSta *out = new(string) **out = **in } + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) + **out = **in + } + if in.VerifyConnection != nil { + in, out := &in.VerifyConnection, &out.VerifyConnection + *out = new(bool) + **out = **in + } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendStaticRoleObservation. -func (in *SecretBackendStaticRoleObservation) DeepCopy() *SecretBackendStaticRoleObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMongodbInitParameters. +func (in *SecretsMountMongodbInitParameters) DeepCopy() *SecretsMountMongodbInitParameters { if in == nil { return nil } - out := new(SecretBackendStaticRoleObservation) + out := new(SecretsMountMongodbInitParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
-func (in *SecretBackendStaticRoleParameters) DeepCopyInto(out *SecretBackendStaticRoleParameters) { +func (in *SecretsMountMongodbObservation) DeepCopyInto(out *SecretsMountMongodbObservation) { *out = *in - if in.Backend != nil { - in, out := &in.Backend, &out.Backend + if in.AllowedRoles != nil { + in, out := &in.AllowedRoles, &out.AllowedRoles + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.ConnectionURL != nil { + in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) **out = **in } - if in.DBName != nil { - in, out := &in.DBName, &out.DBName - *out = new(string) + if in.Data != nil { + in, out := &in.Data, &out.Data + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.MaxConnectionLifetime != nil { + in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime + *out = new(float64) + **out = **in + } + if in.MaxIdleConnections != nil { + in, out := &in.MaxIdleConnections, &out.MaxIdleConnections + *out = new(float64) + **out = **in + } + if in.MaxOpenConnections != nil { + in, out := &in.MaxOpenConnections, &out.MaxOpenConnections + *out = new(float64) **out = **in } if in.Name != nil { 
@@ -2606,18 +5859,13 @@ func (in *SecretBackendStaticRoleParameters) DeepCopyInto(out *SecretBackendStat *out = new(string) **out = **in } - if in.Namespace != nil { - in, out := &in.Namespace, &out.Namespace + if in.PluginName != nil { + in, out := &in.PluginName, &out.PluginName *out = new(string) **out = **in } - if in.RotationPeriod != nil { - in, out := &in.RotationPeriod, &out.RotationPeriod - *out = new(float64) - **out = **in - } - if in.RotationStatements != nil { - in, out := &in.RotationStatements, &out.RotationStatements + if in.RootRotationStatements != nil { + in, out := &in.RootRotationStatements, &out.RootRotationStatements *out = make([]*string, len(*in)) for i := range *in { if (*in)[i] != nil { 
@@ -2632,81 +5880,30 @@ func (in *SecretBackendStaticRoleParameters) DeepCopyInto(out *SecretBackendStat *out = new(string) **out = **in } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendStaticRoleParameters. -func (in *SecretBackendStaticRoleParameters) DeepCopy() *SecretBackendStaticRoleParameters { - if in == nil { - return nil - } - out := new(SecretBackendStaticRoleParameters) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretBackendStaticRoleSpec) DeepCopyInto(out *SecretBackendStaticRoleSpec) { - *out = *in - in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) - in.ForProvider.DeepCopyInto(&out.ForProvider) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendStaticRoleSpec. -func (in *SecretBackendStaticRoleSpec) DeepCopy() *SecretBackendStaticRoleSpec { - if in == nil { - return nil + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) + **out = **in } - out := new(SecretBackendStaticRoleSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretBackendStaticRoleStatus) DeepCopyInto(out *SecretBackendStaticRoleStatus) { - *out = *in - in.ResourceStatus.DeepCopyInto(&out.ResourceStatus) - in.AtProvider.DeepCopyInto(&out.AtProvider) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendStaticRoleStatus. 
-func (in *SecretBackendStaticRoleStatus) DeepCopy() *SecretBackendStaticRoleStatus { - if in == nil { - return nil + if in.VerifyConnection != nil { + in, out := &in.VerifyConnection, &out.VerifyConnection + *out = new(bool) + **out = **in } - out := new(SecretBackendStaticRoleStatus) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMount) DeepCopyInto(out *SecretsMount) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - in.Status.DeepCopyInto(&out.Status) } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMount. -func (in *SecretsMount) DeepCopy() *SecretsMount { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMongodbObservation. +func (in *SecretsMountMongodbObservation) DeepCopy() *SecretsMountMongodbObservation { if in == nil { return nil } - out := new(SecretsMount) + out := new(SecretsMountMongodbObservation) in.DeepCopyInto(out) return out } -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *SecretsMount) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountCassandraObservation) DeepCopyInto(out *SecretsMountCassandraObservation) { +func (in *SecretsMountMongodbParameters) DeepCopyInto(out *SecretsMountMongodbParameters) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles 
@@ -2719,40 +5916,39 @@ func (in *SecretsMountCassandraObservation) DeepCopyInto(out *SecretsMountCassan } } } - if in.ConnectTimeout != nil { - in, out := &in.ConnectTimeout, &out.ConnectTimeout - *out = new(float64) + if in.ConnectionURL != nil { + in, out := &in.ConnectionURL, &out.ConnectionURL + *out = new(string) **out = **in } if in.Data != nil { in, out := &in.Data, &out.Data - *out = make(map[string]*string, len(*in)) - for key, val := range *in { - var outVal *string - if val == nil { - (*out)[key] = nil - } else { - in, out := &val, &outVal - *out = new(string) - **out = **in - } - (*out)[key] = outVal - } - } - if in.Hosts != nil { - in, out := &in.Hosts, &out.Hosts - *out = make([]*string, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal *out = new(string) **out = **in } + (*out)[key] = outVal } } - if in.InsecureTLS != nil { - in, out := &in.InsecureTLS, &out.InsecureTLS - *out = new(bool) + if in.MaxConnectionLifetime != nil { + in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime + *out = new(float64) + **out = **in + } + if in.MaxIdleConnections != nil { + in, out := &in.MaxIdleConnections, &out.MaxIdleConnections + *out = new(float64) + **out = **in + } + if in.MaxOpenConnections != nil { + in, out := &in.MaxOpenConnections, &out.MaxOpenConnections + *out = new(float64) **out = **in } if in.Name != nil { 
@@ -2760,21 +5956,16 @@ func (in *SecretsMountCassandraObservation) DeepCopyInto(out *SecretsMountCassan *out = new(string) **out = **in } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) **out = **in } - if in.Port != nil { - in, out := &in.Port, &out.Port - *out = new(float64) - **out = **in - } - if in.ProtocolVersion != nil { - in, out := &in.ProtocolVersion, &out.ProtocolVersion - *out = new(float64) - **out = **in - } if in.RootRotationStatements != nil { in, out := &in.RootRotationStatements, &out.RootRotationStatements *out = make([]*string, len(*in)) @@ -2786,16 +5977,16 @@ func (in *SecretsMountCassandraObservation) DeepCopyInto(out *SecretsMountCassan } } } - if in.TLS != nil { - in, out := &in.TLS, &out.TLS - *out = new(bool) - **out = **in - } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) **out = **in } + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) + **out = **in + } if in.VerifyConnection != nil { in, out := &in.VerifyConnection, &out.VerifyConnection *out = new(bool) 
@@ -2803,18 +5994,18 @@ func (in *SecretsMountCassandraObservation) DeepCopyInto(out *SecretsMountCassan } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountCassandraObservation. -func (in *SecretsMountCassandraObservation) DeepCopy() *SecretsMountCassandraObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMongodbParameters. +func (in *SecretsMountMongodbParameters) DeepCopy() *SecretsMountMongodbParameters { if in == nil { return nil } - out := new(SecretsMountCassandraObservation) + out := new(SecretsMountMongodbParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountCassandraParameters) DeepCopyInto(out *SecretsMountCassandraParameters) { +func (in *SecretsMountMongodbatlasInitParameters) DeepCopyInto(out *SecretsMountMongodbatlasInitParameters) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles @@ -2827,11 +6018,6 @@ func (in *SecretsMountCassandraParameters) DeepCopyInto(out *SecretsMountCassand } } } - if in.ConnectTimeout != nil { - in, out := &in.ConnectTimeout, &out.ConnectTimeout - *out = new(float64) - **out = **in - } if in.Data != nil { in, out := &in.Data, &out.Data *out = make(map[string]*string, len(*in)) 
@@ -2847,55 +6033,24 @@ func (in *SecretsMountCassandraParameters) DeepCopyInto(out *SecretsMountCassand (*out)[key] = outVal } } - if in.Hosts != nil { - in, out := &in.Hosts, &out.Hosts - *out = make([]*string, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(string) - **out = **in - } - } - } - if in.InsecureTLS != nil { - in, out := &in.InsecureTLS, &out.InsecureTLS - *out = new(bool) - **out = **in - } if in.Name != nil { in, out := &in.Name, &out.Name *out = new(string) **out = **in } - if in.PasswordSecretRef != nil { - in, out := &in.PasswordSecretRef, &out.PasswordSecretRef - *out = new(v1.SecretKeySelector) - **out = **in - } - if in.PemBundleSecretRef != nil { - in, out := &in.PemBundleSecretRef, &out.PemBundleSecretRef - *out = new(v1.SecretKeySelector) - **out = **in - } - if in.PemJSONSecretRef != nil { - in, out := &in.PemJSONSecretRef, &out.PemJSONSecretRef - *out = new(v1.SecretKeySelector) - **out = **in - } if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) **out = **in } - if in.Port != nil { - in, out := &in.Port, &out.Port - *out = new(float64) + if in.ProjectID != nil { + in, out := &in.ProjectID, &out.ProjectID + *out = new(string) **out = **in } - if in.ProtocolVersion != nil { - in, out := &in.ProtocolVersion, &out.ProtocolVersion - *out = new(float64) + if in.PublicKey != nil { + in, out := &in.PublicKey, &out.PublicKey + *out = new(string) **out = **in } if in.RootRotationStatements != nil { @@ -2909,16 +6064,6 @@ func (in *SecretsMountCassandraParameters) DeepCopyInto(out *SecretsMountCassand } } } - if in.TLS != nil { - in, out := &in.TLS, &out.TLS - *out = new(bool) - **out = **in - } - if in.Username != nil { - in, out := &in.Username, &out.Username - *out = new(string) - **out = **in - } if in.VerifyConnection != nil { in, out := &in.VerifyConnection, &out.VerifyConnection *out = new(bool) 
@@ -2926,18 +6071,18 @@ func (in *SecretsMountCassandraParameters) DeepCopyInto(out *SecretsMountCassand } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountCassandraParameters. -func (in *SecretsMountCassandraParameters) DeepCopy() *SecretsMountCassandraParameters { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMongodbatlasInitParameters. +func (in *SecretsMountMongodbatlasInitParameters) DeepCopy() *SecretsMountMongodbatlasInitParameters { if in == nil { return nil } - out := new(SecretsMountCassandraParameters) + out := new(SecretsMountMongodbatlasInitParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountCouchbaseObservation) DeepCopyInto(out *SecretsMountCouchbaseObservation) { +func (in *SecretsMountMongodbatlasObservation) DeepCopyInto(out *SecretsMountMongodbatlasObservation) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles @@ -2950,11 +6095,6 @@ func (in *SecretsMountCouchbaseObservation) DeepCopyInto(out *SecretsMountCouchb } } } - if in.BucketName != nil { - in, out := &in.BucketName, &out.BucketName - *out = new(string) - **out = **in - } if in.Data != nil { in, out := &in.Data, &out.Data *out = make(map[string]*string, len(*in)) @@ -2970,22 +6110,6 @@ func (in *SecretsMountCouchbaseObservation) DeepCopyInto(out *SecretsMountCouchb (*out)[key] = outVal } } - if in.Hosts != nil { - in, out := &in.Hosts, &out.Hosts - *out = make([]*string, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(string) - **out = **in - } - } - } - if in.InsecureTLS != nil { - in, out := &in.InsecureTLS, &out.InsecureTLS - *out = new(bool) - **out = **in - } if in.Name != nil { in, out := &in.Name, &out.Name *out = new(string) 
@@ -2996,6 +6120,16 @@ func (in *SecretsMountCouchbaseObservation) DeepCopyInto(out *SecretsMountCouchb *out = new(string) **out = **in } + if in.ProjectID != nil { + in, out := &in.ProjectID, &out.ProjectID + *out = new(string) + **out = **in + } + if in.PublicKey != nil { + in, out := &in.PublicKey, &out.PublicKey + *out = new(string) + **out = **in + } if in.RootRotationStatements != nil { in, out := &in.RootRotationStatements, &out.RootRotationStatements *out = make([]*string, len(*in)) @@ -3007,21 +6141,6 @@ func (in *SecretsMountCouchbaseObservation) DeepCopyInto(out *SecretsMountCouchb } } } - if in.TLS != nil { - in, out := &in.TLS, &out.TLS - *out = new(bool) - **out = **in - } - if in.Username != nil { - in, out := &in.Username, &out.Username - *out = new(string) - **out = **in - } - if in.UsernameTemplate != nil { - in, out := &in.UsernameTemplate, &out.UsernameTemplate - *out = new(string) - **out = **in - } if in.VerifyConnection != nil { in, out := &in.VerifyConnection, &out.VerifyConnection *out = new(bool) 
@@ -3029,18 +6148,18 @@ func (in *SecretsMountCouchbaseObservation) DeepCopyInto(out *SecretsMountCouchb } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountCouchbaseObservation. -func (in *SecretsMountCouchbaseObservation) DeepCopy() *SecretsMountCouchbaseObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMongodbatlasObservation. +func (in *SecretsMountMongodbatlasObservation) DeepCopy() *SecretsMountMongodbatlasObservation { if in == nil { return nil } - out := new(SecretsMountCouchbaseObservation) + out := new(SecretsMountMongodbatlasObservation) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountCouchbaseParameters) DeepCopyInto(out *SecretsMountCouchbaseParameters) { +func (in *SecretsMountMongodbatlasParameters) DeepCopyInto(out *SecretsMountMongodbatlasParameters) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles @@ -3053,16 +6172,6 @@ func (in *SecretsMountCouchbaseParameters) DeepCopyInto(out *SecretsMountCouchba } } } - if in.Base64PemSecretRef != nil { - in, out := &in.Base64PemSecretRef, &out.Base64PemSecretRef - *out = new(v1.SecretKeySelector) - **out = **in - } - if in.BucketName != nil { - in, out := &in.BucketName, &out.BucketName - *out = new(string) - **out = **in - } if in.Data != nil { in, out := &in.Data, &out.Data *out = make(map[string]*string, len(*in)) 
@@ -3078,33 +6187,27 @@ func (in *SecretsMountCouchbaseParameters) DeepCopyInto(out *SecretsMountCouchba (*out)[key] = outVal } } - if in.Hosts != nil { - in, out := &in.Hosts, &out.Hosts - *out = make([]*string, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(string) - **out = **in - } - } - } - if in.InsecureTLS != nil { - in, out := &in.InsecureTLS, &out.InsecureTLS - *out = new(bool) - **out = **in - } if in.Name != nil { in, out := &in.Name, &out.Name *out = new(string) **out = **in } - out.PasswordSecretRef = in.PasswordSecretRef if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) **out = **in } + out.PrivateKeySecretRef = in.PrivateKeySecretRef + if in.ProjectID != nil { + in, out := &in.ProjectID, &out.ProjectID + *out = new(string) + **out = **in + } + if in.PublicKey != nil { + in, out := &in.PublicKey, &out.PublicKey + *out = new(string) + **out = **in + } if in.RootRotationStatements != nil { in, out := &in.RootRotationStatements, &out.RootRotationStatements *out = make([]*string, len(*in)) @@ -3116,21 +6219,6 @@ func (in *SecretsMountCouchbaseParameters) DeepCopyInto(out *SecretsMountCouchba } } } - if in.TLS != nil { - in, out := &in.TLS, &out.TLS - *out = new(bool) - **out = **in - } - if in.Username != nil { - in, out := &in.Username, &out.Username - *out = new(string) - **out = **in - } - if in.UsernameTemplate != nil { - in, out := &in.UsernameTemplate, &out.UsernameTemplate - *out = new(string) - **out = **in - } if in.VerifyConnection != nil { in, out := &in.VerifyConnection, &out.VerifyConnection *out = new(bool) 
@@ -3138,18 +6226,18 @@ func (in *SecretsMountCouchbaseParameters) DeepCopyInto(out *SecretsMountCouchba } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountCouchbaseParameters. -func (in *SecretsMountCouchbaseParameters) DeepCopy() *SecretsMountCouchbaseParameters { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMongodbatlasParameters. +func (in *SecretsMountMongodbatlasParameters) DeepCopy() *SecretsMountMongodbatlasParameters { if in == nil { return nil } - out := new(SecretsMountCouchbaseParameters) + out := new(SecretsMountMongodbatlasParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountElasticsearchObservation) DeepCopyInto(out *SecretsMountElasticsearchObservation) { +func (in *SecretsMountMssqlInitParameters) DeepCopyInto(out *SecretsMountMssqlInitParameters) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles @@ -3162,24 +6250,14 @@ func (in *SecretsMountElasticsearchObservation) DeepCopyInto(out *SecretsMountEl } } } - if in.CACert != nil { - in, out := &in.CACert, &out.CACert - *out = new(string) - **out = **in - } - if in.CAPath != nil { - in, out := &in.CAPath, &out.CAPath - *out = new(string) - **out = **in - } - if in.ClientCert != nil { - in, out := &in.ClientCert, &out.ClientCert + if in.ConnectionURL != nil { + in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) **out = **in } - if in.ClientKey != nil { - in, out := &in.ClientKey, &out.ClientKey - *out = new(string) + if in.ContainedDB != nil { + in, out := &in.ContainedDB, &out.ContainedDB + *out = new(bool) **out = **in } if in.Data != nil { 
@@ -3196,12 +6274,27 @@ func (in *SecretsMountElasticsearchObservation) DeepCopyInto(out *SecretsMountEl } (*out)[key] = outVal } - } - if in.Insecure != nil { - in, out := &in.Insecure, &out.Insecure + } + if in.DisableEscaping != nil { + in, out := &in.DisableEscaping, &out.DisableEscaping *out = new(bool) **out = **in } + if in.MaxConnectionLifetime != nil { + in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime + *out = new(float64) + **out = **in + } + if in.MaxIdleConnections != nil { + in, out := &in.MaxIdleConnections, &out.MaxIdleConnections + *out = new(float64) + **out = **in + } + if in.MaxOpenConnections != nil { + in, out := &in.MaxOpenConnections, &out.MaxOpenConnections + *out = new(float64) + **out = **in + } if in.Name != nil { in, out := &in.Name, &out.Name *out = new(string) @@ -3223,16 +6316,6 @@ func (in *SecretsMountElasticsearchObservation) DeepCopyInto(out *SecretsMountEl } } } - if in.TLSServerName != nil { - in, out := &in.TLSServerName, &out.TLSServerName - *out = new(string) - **out = **in - } - if in.URL != nil { - in, out := &in.URL, &out.URL - *out = new(string) - **out = **in - } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) 
@@ -3250,18 +6333,18 @@ func (in *SecretsMountElasticsearchObservation) DeepCopyInto(out *SecretsMountEl } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountElasticsearchObservation. -func (in *SecretsMountElasticsearchObservation) DeepCopy() *SecretsMountElasticsearchObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMssqlInitParameters. +func (in *SecretsMountMssqlInitParameters) DeepCopy() *SecretsMountMssqlInitParameters { if in == nil { return nil } - out := new(SecretsMountElasticsearchObservation) + out := new(SecretsMountMssqlInitParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountElasticsearchParameters) DeepCopyInto(out *SecretsMountElasticsearchParameters) { +func (in *SecretsMountMssqlObservation) DeepCopyInto(out *SecretsMountMssqlObservation) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles @@ -3274,24 +6357,14 @@ func (in *SecretsMountElasticsearchParameters) DeepCopyInto(out *SecretsMountEla } } } - if in.CACert != nil { - in, out := &in.CACert, &out.CACert - *out = new(string) - **out = **in - } - if in.CAPath != nil { - in, out := &in.CAPath, &out.CAPath - *out = new(string) - **out = **in - } - if in.ClientCert != nil { - in, out := &in.ClientCert, &out.ClientCert + if in.ConnectionURL != nil { + in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) **out = **in } - if in.ClientKey != nil { - in, out := &in.ClientKey, &out.ClientKey - *out = new(string) + if in.ContainedDB != nil { + in, out := &in.ContainedDB, &out.ContainedDB + *out = new(bool) **out = **in } if in.Data != nil { 
@@ -3309,17 +6382,31 @@ func (in *SecretsMountElasticsearchParameters) DeepCopyInto(out *SecretsMountEla (*out)[key] = outVal } } - if in.Insecure != nil { - in, out := &in.Insecure, &out.Insecure + if in.DisableEscaping != nil { + in, out := &in.DisableEscaping, &out.DisableEscaping *out = new(bool) **out = **in } + if in.MaxConnectionLifetime != nil { + in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime + *out = new(float64) + **out = **in + } + if in.MaxIdleConnections != nil { + in, out := &in.MaxIdleConnections, &out.MaxIdleConnections + *out = new(float64) + **out = **in + } + if in.MaxOpenConnections != nil { + in, out := &in.MaxOpenConnections, &out.MaxOpenConnections + *out = new(float64) + **out = **in + } if in.Name != nil { in, out := &in.Name, &out.Name *out = new(string) **out = **in } - out.PasswordSecretRef = in.PasswordSecretRef if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) @@ -3336,16 +6423,6 @@ func (in *SecretsMountElasticsearchParameters) DeepCopyInto(out *SecretsMountEla } } } - if in.TLSServerName != nil { - in, out := &in.TLSServerName, &out.TLSServerName - *out = new(string) - **out = **in - } - if in.URL != nil { - in, out := &in.URL, &out.URL - *out = new(string) - **out = **in - } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) 
@@ -3363,18 +6440,18 @@ func (in *SecretsMountElasticsearchParameters) DeepCopyInto(out *SecretsMountEla } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountElasticsearchParameters. -func (in *SecretsMountElasticsearchParameters) DeepCopy() *SecretsMountElasticsearchParameters { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMssqlObservation. +func (in *SecretsMountMssqlObservation) DeepCopy() *SecretsMountMssqlObservation { if in == nil { return nil } - out := new(SecretsMountElasticsearchParameters) + out := new(SecretsMountMssqlObservation) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountHanaObservation) DeepCopyInto(out *SecretsMountHanaObservation) { +func (in *SecretsMountMssqlParameters) DeepCopyInto(out *SecretsMountMssqlParameters) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles @@ -3392,6 +6469,11 @@ func (in *SecretsMountHanaObservation) DeepCopyInto(out *SecretsMountHanaObserva *out = new(string) **out = **in } + if in.ContainedDB != nil { + in, out := &in.ContainedDB, &out.ContainedDB + *out = new(bool) + **out = **in + } if in.Data != nil { in, out := &in.Data, &out.Data *out = make(map[string]*string, len(*in)) @@ -3432,6 +6514,11 @@ func (in *SecretsMountHanaObservation) DeepCopyInto(out *SecretsMountHanaObserva *out = new(string) **out = **in } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) 
@@ -3453,6 +6540,11 @@ func (in *SecretsMountHanaObservation) DeepCopyInto(out *SecretsMountHanaObserva *out = new(string) **out = **in } + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) + **out = **in + } if in.VerifyConnection != nil { in, out := &in.VerifyConnection, &out.VerifyConnection *out = new(bool) @@ -3460,18 +6552,18 @@ func (in *SecretsMountHanaObservation) DeepCopyInto(out *SecretsMountHanaObserva } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountHanaObservation. -func (in *SecretsMountHanaObservation) DeepCopy() *SecretsMountHanaObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMssqlParameters. +func (in *SecretsMountMssqlParameters) DeepCopy() *SecretsMountMssqlParameters { if in == nil { return nil } - out := new(SecretsMountHanaObservation) + out := new(SecretsMountMssqlParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountHanaParameters) DeepCopyInto(out *SecretsMountHanaParameters) { +func (in *SecretsMountMySQLAuroraInitParameters) DeepCopyInto(out *SecretsMountMySQLAuroraInitParameters) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles @@ -3504,11 +6596,6 @@ func (in *SecretsMountHanaParameters) DeepCopyInto(out *SecretsMountHanaParamete (*out)[key] = outVal } } - if in.DisableEscaping != nil { - in, out := &in.DisableEscaping, &out.DisableEscaping - *out = new(bool) - **out = **in - } if in.MaxConnectionLifetime != nil { in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime *out = new(float64) 
@@ -3529,11 +6616,6 @@ func (in *SecretsMountHanaParameters) DeepCopyInto(out *SecretsMountHanaParamete *out = new(string) **out = **in } - if in.PasswordSecretRef != nil { - in, out := &in.PasswordSecretRef, &out.PasswordSecretRef - *out = new(v1.SecretKeySelector) - **out = **in - } if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) @@ -3555,6 +6637,11 @@ func (in *SecretsMountHanaParameters) DeepCopyInto(out *SecretsMountHanaParamete *out = new(string) **out = **in } + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) + **out = **in + } if in.VerifyConnection != nil { in, out := &in.VerifyConnection, &out.VerifyConnection *out = new(bool) @@ -3562,18 +6649,18 @@ func (in *SecretsMountHanaParameters) DeepCopyInto(out *SecretsMountHanaParamete } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountHanaParameters. -func (in *SecretsMountHanaParameters) DeepCopy() *SecretsMountHanaParameters { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMySQLAuroraInitParameters. +func (in *SecretsMountMySQLAuroraInitParameters) DeepCopy() *SecretsMountMySQLAuroraInitParameters { if in == nil { return nil } - out := new(SecretsMountHanaParameters) + out := new(SecretsMountMySQLAuroraInitParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountInfluxdbObservation) DeepCopyInto(out *SecretsMountInfluxdbObservation) { +func (in *SecretsMountMySQLAuroraObservation) DeepCopyInto(out *SecretsMountMySQLAuroraObservation) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles 
@@ -3586,9 +6673,9 @@ func (in *SecretsMountInfluxdbObservation) DeepCopyInto(out *SecretsMountInfluxd } } } - if in.ConnectTimeout != nil { - in, out := &in.ConnectTimeout, &out.ConnectTimeout - *out = new(float64) + if in.ConnectionURL != nil { + in, out := &in.ConnectionURL, &out.ConnectionURL + *out = new(string) **out = **in } if in.Data != nil { @@ -3606,14 +6693,19 @@ func (in *SecretsMountInfluxdbObservation) DeepCopyInto(out *SecretsMountInfluxd (*out)[key] = outVal } } - if in.Host != nil { - in, out := &in.Host, &out.Host - *out = new(string) + if in.MaxConnectionLifetime != nil { + in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime + *out = new(float64) **out = **in } - if in.InsecureTLS != nil { - in, out := &in.InsecureTLS, &out.InsecureTLS - *out = new(bool) + if in.MaxIdleConnections != nil { + in, out := &in.MaxIdleConnections, &out.MaxIdleConnections + *out = new(float64) + **out = **in + } + if in.MaxOpenConnections != nil { + in, out := &in.MaxOpenConnections, &out.MaxOpenConnections + *out = new(float64) **out = **in } if in.Name != nil { @@ -3626,11 +6718,6 @@ func (in *SecretsMountInfluxdbObservation) DeepCopyInto(out *SecretsMountInfluxd *out = new(string) **out = **in } - if in.Port != nil { - in, out := &in.Port, &out.Port - *out = new(float64) - **out = **in - } if in.RootRotationStatements != nil { in, out := &in.RootRotationStatements, &out.RootRotationStatements *out = make([]*string, len(*in)) @@ -3642,11 +6729,6 @@ func (in *SecretsMountInfluxdbObservation) DeepCopyInto(out *SecretsMountInfluxd } } } - if in.TLS != nil { - in, out := &in.TLS, &out.TLS - *out = new(bool) - **out = **in - } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) 
@@ -3664,18 +6746,18 @@ func (in *SecretsMountInfluxdbObservation) DeepCopyInto(out *SecretsMountInfluxd } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountInfluxdbObservation. -func (in *SecretsMountInfluxdbObservation) DeepCopy() *SecretsMountInfluxdbObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMySQLAuroraObservation. +func (in *SecretsMountMySQLAuroraObservation) DeepCopy() *SecretsMountMySQLAuroraObservation { if in == nil { return nil } - out := new(SecretsMountInfluxdbObservation) + out := new(SecretsMountMySQLAuroraObservation) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountInfluxdbParameters) DeepCopyInto(out *SecretsMountInfluxdbParameters) { +func (in *SecretsMountMySQLAuroraParameters) DeepCopyInto(out *SecretsMountMySQLAuroraParameters) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles @@ -3688,9 +6770,9 @@ func (in *SecretsMountInfluxdbParameters) DeepCopyInto(out *SecretsMountInfluxdb } } } - if in.ConnectTimeout != nil { - in, out := &in.ConnectTimeout, &out.ConnectTimeout - *out = new(float64) + if in.ConnectionURL != nil { + in, out := &in.ConnectionURL, &out.ConnectionURL + *out = new(string) **out = **in } if in.Data != nil { 
@@ -3708,14 +6790,19 @@ func (in *SecretsMountInfluxdbParameters) DeepCopyInto(out *SecretsMountInfluxdb (*out)[key] = outVal } } - if in.Host != nil { - in, out := &in.Host, &out.Host - *out = new(string) + if in.MaxConnectionLifetime != nil { + in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime + *out = new(float64) **out = **in } - if in.InsecureTLS != nil { - in, out := &in.InsecureTLS, &out.InsecureTLS - *out = new(bool) + if in.MaxIdleConnections != nil { + in, out := &in.MaxIdleConnections, &out.MaxIdleConnections + *out = new(float64) + **out = **in + } + if in.MaxOpenConnections != nil { + in, out := &in.MaxOpenConnections, &out.MaxOpenConnections + *out = new(float64) **out = **in } if in.Name != nil { @@ -3723,14 +6810,8 @@ func (in *SecretsMountInfluxdbParameters) DeepCopyInto(out *SecretsMountInfluxdb *out = new(string) **out = **in } - out.PasswordSecretRef = in.PasswordSecretRef - if in.PemBundleSecretRef != nil { - in, out := &in.PemBundleSecretRef, &out.PemBundleSecretRef - *out = new(v1.SecretKeySelector) - **out = **in - } - if in.PemJSONSecretRef != nil { - in, out := &in.PemJSONSecretRef, &out.PemJSONSecretRef + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef *out = new(v1.SecretKeySelector) **out = **in } @@ -3739,11 +6820,6 @@ func (in *SecretsMountInfluxdbParameters) DeepCopyInto(out *SecretsMountInfluxdb *out = new(string) **out = **in } - if in.Port != nil { - in, out := &in.Port, &out.Port - *out = new(float64) - **out = **in - } if in.RootRotationStatements != nil { in, out := &in.RootRotationStatements, &out.RootRotationStatements *out = make([]*string, len(*in)) @@ -3755,11 +6831,6 @@ func (in *SecretsMountInfluxdbParameters) DeepCopyInto(out *SecretsMountInfluxdb } } } - if in.TLS != nil { - in, out := &in.TLS, &out.TLS - *out = new(bool) - **out = **in - } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) 
@@ -3777,50 +6848,18 @@ func (in *SecretsMountInfluxdbParameters) DeepCopyInto(out *SecretsMountInfluxdb } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountInfluxdbParameters. -func (in *SecretsMountInfluxdbParameters) DeepCopy() *SecretsMountInfluxdbParameters { - if in == nil { - return nil - } - out := new(SecretsMountInfluxdbParameters) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountList) DeepCopyInto(out *SecretsMountList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]SecretsMount, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountList. -func (in *SecretsMountList) DeepCopy() *SecretsMountList { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMySQLAuroraParameters. +func (in *SecretsMountMySQLAuroraParameters) DeepCopy() *SecretsMountMySQLAuroraParameters { if in == nil { - return nil - } - out := new(SecretsMountList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *SecretsMountList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c + return nil } - return nil + out := new(SecretsMountMySQLAuroraParameters) + in.DeepCopyInto(out) + return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
-func (in *SecretsMountMongodbObservation) DeepCopyInto(out *SecretsMountMongodbObservation) { +func (in *SecretsMountMySQLInitParameters) DeepCopyInto(out *SecretsMountMySQLInitParameters) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles @@ -3889,6 +6928,11 @@ func (in *SecretsMountMongodbObservation) DeepCopyInto(out *SecretsMountMongodbO } } } + if in.TLSCA != nil { + in, out := &in.TLSCA, &out.TLSCA + *out = new(string) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -3906,18 +6950,18 @@ func (in *SecretsMountMongodbObservation) DeepCopyInto(out *SecretsMountMongodbO } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMongodbObservation. -func (in *SecretsMountMongodbObservation) DeepCopy() *SecretsMountMongodbObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMySQLInitParameters. +func (in *SecretsMountMySQLInitParameters) DeepCopy() *SecretsMountMySQLInitParameters { if in == nil { return nil } - out := new(SecretsMountMongodbObservation) + out := new(SecretsMountMySQLInitParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountMongodbParameters) DeepCopyInto(out *SecretsMountMongodbParameters) { +func (in *SecretsMountMySQLLegacyInitParameters) DeepCopyInto(out *SecretsMountMySQLLegacyInitParameters) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles 
@@ -3970,11 +7014,6 @@ func (in *SecretsMountMongodbParameters) DeepCopyInto(out *SecretsMountMongodbPa *out = new(string) **out = **in } - if in.PasswordSecretRef != nil { - in, out := &in.PasswordSecretRef, &out.PasswordSecretRef - *out = new(v1.SecretKeySelector) - **out = **in - } if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) @@ -4008,18 +7047,18 @@ func (in *SecretsMountMongodbParameters) DeepCopyInto(out *SecretsMountMongodbPa } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMongodbParameters. -func (in *SecretsMountMongodbParameters) DeepCopy() *SecretsMountMongodbParameters { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMySQLLegacyInitParameters. +func (in *SecretsMountMySQLLegacyInitParameters) DeepCopy() *SecretsMountMySQLLegacyInitParameters { if in == nil { return nil } - out := new(SecretsMountMongodbParameters) + out := new(SecretsMountMySQLLegacyInitParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountMongodbatlasObservation) DeepCopyInto(out *SecretsMountMongodbatlasObservation) { +func (in *SecretsMountMySQLLegacyObservation) DeepCopyInto(out *SecretsMountMySQLLegacyObservation) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles @@ -4032,6 +7071,11 @@ func (in *SecretsMountMongodbatlasObservation) DeepCopyInto(out *SecretsMountMon } } } + if in.ConnectionURL != nil { + in, out := &in.ConnectionURL, &out.ConnectionURL + *out = new(string) + **out = **in + } if in.Data != nil { in, out := &in.Data, &out.Data *out = make(map[string]*string, len(*in)) 
@@ -4047,23 +7091,28 @@ func (in *SecretsMountMongodbatlasObservation) DeepCopyInto(out *SecretsMountMon (*out)[key] = outVal } } - if in.Name != nil { - in, out := &in.Name, &out.Name - *out = new(string) + if in.MaxConnectionLifetime != nil { + in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime + *out = new(float64) **out = **in } - if in.PluginName != nil { - in, out := &in.PluginName, &out.PluginName - *out = new(string) + if in.MaxIdleConnections != nil { + in, out := &in.MaxIdleConnections, &out.MaxIdleConnections + *out = new(float64) **out = **in } - if in.ProjectID != nil { - in, out := &in.ProjectID, &out.ProjectID + if in.MaxOpenConnections != nil { + in, out := &in.MaxOpenConnections, &out.MaxOpenConnections + *out = new(float64) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name *out = new(string) **out = **in } - if in.PublicKey != nil { - in, out := &in.PublicKey, &out.PublicKey + if in.PluginName != nil { + in, out := &in.PluginName, &out.PluginName *out = new(string) **out = **in } @@ -4078,6 +7127,16 @@ func (in *SecretsMountMongodbatlasObservation) DeepCopyInto(out *SecretsMountMon } } } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) + **out = **in + } if in.VerifyConnection != nil { in, out := &in.VerifyConnection, &out.VerifyConnection *out = new(bool) 
@@ -4085,18 +7144,18 @@ func (in *SecretsMountMongodbatlasObservation) DeepCopyInto(out *SecretsMountMon } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMongodbatlasObservation. -func (in *SecretsMountMongodbatlasObservation) DeepCopy() *SecretsMountMongodbatlasObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMySQLLegacyObservation. +func (in *SecretsMountMySQLLegacyObservation) DeepCopy() *SecretsMountMySQLLegacyObservation { if in == nil { return nil } - out := new(SecretsMountMongodbatlasObservation) + out := new(SecretsMountMySQLLegacyObservation) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountMongodbatlasParameters) DeepCopyInto(out *SecretsMountMongodbatlasParameters) { +func (in *SecretsMountMySQLLegacyParameters) DeepCopyInto(out *SecretsMountMySQLLegacyParameters) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles @@ -4109,6 +7168,11 @@ func (in *SecretsMountMongodbatlasParameters) DeepCopyInto(out *SecretsMountMong } } } + if in.ConnectionURL != nil { + in, out := &in.ConnectionURL, &out.ConnectionURL + *out = new(string) + **out = **in + } if in.Data != nil { in, out := &in.Data, &out.Data *out = make(map[string]*string, len(*in)) 
@@ -4124,24 +7188,33 @@ func (in *SecretsMountMongodbatlasParameters) DeepCopyInto(out *SecretsMountMong (*out)[key] = outVal } } - if in.Name != nil { - in, out := &in.Name, &out.Name - *out = new(string) + if in.MaxConnectionLifetime != nil { + in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime + *out = new(float64) **out = **in } - if in.PluginName != nil { - in, out := &in.PluginName, &out.PluginName - *out = new(string) + if in.MaxIdleConnections != nil { + in, out := &in.MaxIdleConnections, &out.MaxIdleConnections + *out = new(float64) **out = **in } - out.PrivateKeySecretRef = in.PrivateKeySecretRef - if in.ProjectID != nil { - in, out := &in.ProjectID, &out.ProjectID + if in.MaxOpenConnections != nil { + in, out := &in.MaxOpenConnections, &out.MaxOpenConnections + *out = new(float64) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name *out = new(string) **out = **in } - if in.PublicKey != nil { - in, out := &in.PublicKey, &out.PublicKey + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.PluginName != nil { + in, out := &in.PluginName, &out.PluginName *out = new(string) **out = **in } @@ -4156,6 +7229,16 @@ func (in *SecretsMountMongodbatlasParameters) DeepCopyInto(out *SecretsMountMong } } } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) + **out = **in + } if in.VerifyConnection != nil { in, out := &in.VerifyConnection, &out.VerifyConnection *out = new(bool) 
@@ -4163,18 +7246,18 @@ func (in *SecretsMountMongodbatlasParameters) DeepCopyInto(out *SecretsMountMong } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMongodbatlasParameters. -func (in *SecretsMountMongodbatlasParameters) DeepCopy() *SecretsMountMongodbatlasParameters { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMySQLLegacyParameters. +func (in *SecretsMountMySQLLegacyParameters) DeepCopy() *SecretsMountMySQLLegacyParameters { if in == nil { return nil } - out := new(SecretsMountMongodbatlasParameters) + out := new(SecretsMountMySQLLegacyParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountMssqlObservation) DeepCopyInto(out *SecretsMountMssqlObservation) { +func (in *SecretsMountMySQLObservation) DeepCopyInto(out *SecretsMountMySQLObservation) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles @@ -4192,11 +7275,6 @@ func (in *SecretsMountMssqlObservation) DeepCopyInto(out *SecretsMountMssqlObser *out = new(string) **out = **in } - if in.ContainedDB != nil { - in, out := &in.ContainedDB, &out.ContainedDB - *out = new(bool) - **out = **in - } if in.Data != nil { in, out := &in.Data, &out.Data *out = make(map[string]*string, len(*in)) @@ -4212,11 +7290,6 @@ func (in *SecretsMountMssqlObservation) DeepCopyInto(out *SecretsMountMssqlObser (*out)[key] = outVal } } - if in.DisableEscaping != nil { - in, out := &in.DisableEscaping, &out.DisableEscaping - *out = new(bool) - **out = **in - } if in.MaxConnectionLifetime != nil { in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime *out = new(float64) 
@@ -4253,6 +7326,11 @@ func (in *SecretsMountMssqlObservation) DeepCopyInto(out *SecretsMountMssqlObser } } } + if in.TLSCA != nil { + in, out := &in.TLSCA, &out.TLSCA + *out = new(string) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -4270,18 +7348,18 @@ func (in *SecretsMountMssqlObservation) DeepCopyInto(out *SecretsMountMssqlObser } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMssqlObservation. -func (in *SecretsMountMssqlObservation) DeepCopy() *SecretsMountMssqlObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMySQLObservation. +func (in *SecretsMountMySQLObservation) DeepCopy() *SecretsMountMySQLObservation { if in == nil { return nil } - out := new(SecretsMountMssqlObservation) + out := new(SecretsMountMySQLObservation) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountMssqlParameters) DeepCopyInto(out *SecretsMountMssqlParameters) { +func (in *SecretsMountMySQLParameters) DeepCopyInto(out *SecretsMountMySQLParameters) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles @@ -4299,11 +7377,6 @@ func (in *SecretsMountMssqlParameters) DeepCopyInto(out *SecretsMountMssqlParame *out = new(string) **out = **in } - if in.ContainedDB != nil { - in, out := &in.ContainedDB, &out.ContainedDB - *out = new(bool) - **out = **in - } if in.Data != nil { in, out := &in.Data, &out.Data *out = make(map[string]*string, len(*in)) 
@@ -4319,11 +7392,6 @@ func (in *SecretsMountMssqlParameters) DeepCopyInto(out *SecretsMountMssqlParame (*out)[key] = outVal } } - if in.DisableEscaping != nil { - in, out := &in.DisableEscaping, &out.DisableEscaping - *out = new(bool) - **out = **in - } if in.MaxConnectionLifetime != nil { in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime *out = new(float64) @@ -4365,6 +7433,16 @@ func (in *SecretsMountMssqlParameters) DeepCopyInto(out *SecretsMountMssqlParame } } } + if in.TLSCA != nil { + in, out := &in.TLSCA, &out.TLSCA + *out = new(string) + **out = **in + } + if in.TLSCertificateKeySecretRef != nil { + in, out := &in.TLSCertificateKeySecretRef, &out.TLSCertificateKeySecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -4382,18 +7460,18 @@ func (in *SecretsMountMssqlParameters) DeepCopyInto(out *SecretsMountMssqlParame } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMssqlParameters. -func (in *SecretsMountMssqlParameters) DeepCopy() *SecretsMountMssqlParameters { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMySQLParameters. +func (in *SecretsMountMySQLParameters) DeepCopy() *SecretsMountMySQLParameters { if in == nil { return nil } - out := new(SecretsMountMssqlParameters) + out := new(SecretsMountMySQLParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountMySQLAuroraObservation) DeepCopyInto(out *SecretsMountMySQLAuroraObservation) { +func (in *SecretsMountMySQLRDSInitParameters) DeepCopyInto(out *SecretsMountMySQLRDSInitParameters) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles 
@@ -4479,18 +7557,18 @@ func (in *SecretsMountMySQLAuroraObservation) DeepCopyInto(out *SecretsMountMySQ } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMySQLAuroraObservation. -func (in *SecretsMountMySQLAuroraObservation) DeepCopy() *SecretsMountMySQLAuroraObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMySQLRDSInitParameters. +func (in *SecretsMountMySQLRDSInitParameters) DeepCopy() *SecretsMountMySQLRDSInitParameters { if in == nil { return nil } - out := new(SecretsMountMySQLAuroraObservation) + out := new(SecretsMountMySQLRDSInitParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountMySQLAuroraParameters) DeepCopyInto(out *SecretsMountMySQLAuroraParameters) { +func (in *SecretsMountMySQLRDSObservation) DeepCopyInto(out *SecretsMountMySQLRDSObservation) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles @@ -4543,11 +7621,6 @@ func (in *SecretsMountMySQLAuroraParameters) DeepCopyInto(out *SecretsMountMySQL *out = new(string) **out = **in } - if in.PasswordSecretRef != nil { - in, out := &in.PasswordSecretRef, &out.PasswordSecretRef - *out = new(v1.SecretKeySelector) - **out = **in - } if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) 
@@ -4581,18 +7654,18 @@ func (in *SecretsMountMySQLAuroraParameters) DeepCopyInto(out *SecretsMountMySQL } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMySQLAuroraParameters. -func (in *SecretsMountMySQLAuroraParameters) DeepCopy() *SecretsMountMySQLAuroraParameters { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMySQLRDSObservation. +func (in *SecretsMountMySQLRDSObservation) DeepCopy() *SecretsMountMySQLRDSObservation { if in == nil { return nil } - out := new(SecretsMountMySQLAuroraParameters) + out := new(SecretsMountMySQLRDSObservation) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountMySQLLegacyObservation) DeepCopyInto(out *SecretsMountMySQLLegacyObservation) { +func (in *SecretsMountMySQLRDSParameters) DeepCopyInto(out *SecretsMountMySQLRDSParameters) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles @@ -4645,6 +7718,11 @@ func (in *SecretsMountMySQLLegacyObservation) DeepCopyInto(out *SecretsMountMySQ *out = new(string) **out = **in } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) 
@@ -4678,21 +7756,26 @@ func (in *SecretsMountMySQLLegacyObservation) DeepCopyInto(out *SecretsMountMySQ } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMySQLLegacyObservation. -func (in *SecretsMountMySQLLegacyObservation) DeepCopy() *SecretsMountMySQLLegacyObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMySQLRDSParameters. +func (in *SecretsMountMySQLRDSParameters) DeepCopy() *SecretsMountMySQLRDSParameters { if in == nil { return nil } - out := new(SecretsMountMySQLLegacyObservation) + out := new(SecretsMountMySQLRDSParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountMySQLLegacyParameters) DeepCopyInto(out *SecretsMountMySQLLegacyParameters) { +func (in *SecretsMountObservation) DeepCopyInto(out *SecretsMountObservation) { *out = *in - if in.AllowedRoles != nil { - in, out := &in.AllowedRoles, &out.AllowedRoles + if in.Accessor != nil { + in, out := &in.Accessor, &out.Accessor + *out = new(string) + **out = **in + } + if in.AllowedManagedKeys != nil { + in, out := &in.AllowedManagedKeys, &out.AllowedManagedKeys *out = make([]*string, len(*in)) for i := range *in { if (*in)[i] != nil { 
@@ -4702,115 +7785,154 @@ func (in *SecretsMountMySQLLegacyParameters) DeepCopyInto(out *SecretsMountMySQL } } } - if in.ConnectionURL != nil { - in, out := &in.ConnectionURL, &out.ConnectionURL - *out = new(string) - **out = **in + if in.AuditNonHMACRequestKeys != nil { + in, out := &in.AuditNonHMACRequestKeys, &out.AuditNonHMACRequestKeys + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } } - if in.Data != nil { - in, out := &in.Data, &out.Data - *out = make(map[string]*string, len(*in)) - for key, val := range *in { - var outVal *string - if val == nil { - (*out)[key] = nil - } else { - in, out := &val, &outVal + if in.AuditNonHMACResponseKeys != nil { + in, out := &in.AuditNonHMACResponseKeys, &out.AuditNonHMACResponseKeys + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] *out = new(string) **out = **in } - (*out)[key] = outVal } } - if in.MaxConnectionLifetime != nil { - in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime + if in.Cassandra != nil { + in, out := &in.Cassandra, &out.Cassandra + *out = make([]SecretsMountCassandraObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Couchbase != nil { + in, out := &in.Couchbase, &out.Couchbase + *out = make([]SecretsMountCouchbaseObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.DefaultLeaseTTLSeconds != nil { + in, out := &in.DefaultLeaseTTLSeconds, &out.DefaultLeaseTTLSeconds *out = new(float64) **out = **in } - if in.MaxIdleConnections != nil { - in, out := &in.MaxIdleConnections, &out.MaxIdleConnections - *out = new(float64) + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) **out = **in } - if in.MaxOpenConnections != nil { - in, out := &in.MaxOpenConnections, &out.MaxOpenConnections + if 
in.Elasticsearch != nil { + in, out := &in.Elasticsearch, &out.Elasticsearch + *out = make([]SecretsMountElasticsearchObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.EngineCount != nil { + in, out := &in.EngineCount, &out.EngineCount *out = new(float64) **out = **in } - if in.Name != nil { - in, out := &in.Name, &out.Name - *out = new(string) + if in.ExternalEntropyAccess != nil { + in, out := &in.ExternalEntropyAccess, &out.ExternalEntropyAccess + *out = new(bool) **out = **in } - if in.PasswordSecretRef != nil { - in, out := &in.PasswordSecretRef, &out.PasswordSecretRef - *out = new(v1.SecretKeySelector) - **out = **in + if in.Hana != nil { + in, out := &in.Hana, &out.Hana + *out = make([]SecretsMountHanaObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } } - if in.PluginName != nil { - in, out := &in.PluginName, &out.PluginName + if in.ID != nil { + in, out := &in.ID, &out.ID *out = new(string) **out = **in } - if in.RootRotationStatements != nil { - in, out := &in.RootRotationStatements, &out.RootRotationStatements - *out = make([]*string, len(*in)) + if in.Influxdb != nil { + in, out := &in.Influxdb, &out.Influxdb + *out = make([]SecretsMountInfluxdbObservation, len(*in)) for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(string) - **out = **in - } + (*in)[i].DeepCopyInto(&(*out)[i]) } } - if in.Username != nil { - in, out := &in.Username, &out.Username - *out = new(string) + if in.Local != nil { + in, out := &in.Local, &out.Local + *out = new(bool) **out = **in } - if in.UsernameTemplate != nil { - in, out := &in.UsernameTemplate, &out.UsernameTemplate - *out = new(string) + if in.MaxLeaseTTLSeconds != nil { + in, out := &in.MaxLeaseTTLSeconds, &out.MaxLeaseTTLSeconds + *out = new(float64) **out = **in } - if in.VerifyConnection != nil { - in, out := &in.VerifyConnection, &out.VerifyConnection - *out = new(bool) - **out = **in + if 
in.Mongodb != nil { + in, out := &in.Mongodb, &out.Mongodb + *out = make([]SecretsMountMongodbObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMySQLLegacyParameters. -func (in *SecretsMountMySQLLegacyParameters) DeepCopy() *SecretsMountMySQLLegacyParameters { - if in == nil { - return nil + if in.Mongodbatlas != nil { + in, out := &in.Mongodbatlas, &out.Mongodbatlas + *out = make([]SecretsMountMongodbatlasObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } } - out := new(SecretsMountMySQLLegacyParameters) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountMySQLObservation) DeepCopyInto(out *SecretsMountMySQLObservation) { - *out = *in - if in.AllowedRoles != nil { - in, out := &in.AllowedRoles, &out.AllowedRoles - *out = make([]*string, len(*in)) + if in.Mssql != nil { + in, out := &in.Mssql, &out.Mssql + *out = make([]SecretsMountMssqlObservation, len(*in)) for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(string) - **out = **in - } + (*in)[i].DeepCopyInto(&(*out)[i]) } } - if in.ConnectionURL != nil { - in, out := &in.ConnectionURL, &out.ConnectionURL + if in.MySQL != nil { + in, out := &in.MySQL, &out.MySQL + *out = make([]SecretsMountMySQLObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.MySQLAurora != nil { + in, out := &in.MySQLAurora, &out.MySQLAurora + *out = make([]SecretsMountMySQLAuroraObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.MySQLLegacy != nil { + in, out := &in.MySQLLegacy, &out.MySQLLegacy + *out = make([]SecretsMountMySQLLegacyObservation, len(*in)) + for i := range *in { + 
(*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.MySQLRDS != nil { + in, out := &in.MySQLRDS, &out.MySQLRDS + *out = make([]SecretsMountMySQLRDSObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace *out = new(string) **out = **in } - if in.Data != nil { - in, out := &in.Data, &out.Data + if in.Options != nil { + in, out := &in.Options, &out.Options *out = make(map[string]*string, len(*in)) for key, val := range *in { var outVal *string 
@@ -4824,76 +7946,72 @@ func (in *SecretsMountMySQLObservation) DeepCopyInto(out *SecretsMountMySQLObser (*out)[key] = outVal } } - if in.MaxConnectionLifetime != nil { - in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime - *out = new(float64) - **out = **in - } - if in.MaxIdleConnections != nil { - in, out := &in.MaxIdleConnections, &out.MaxIdleConnections - *out = new(float64) - **out = **in - } - if in.MaxOpenConnections != nil { - in, out := &in.MaxOpenConnections, &out.MaxOpenConnections - *out = new(float64) - **out = **in - } - if in.Name != nil { - in, out := &in.Name, &out.Name - *out = new(string) - **out = **in + if in.Oracle != nil { + in, out := &in.Oracle, &out.Oracle + *out = make([]SecretsMountOracleObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } } - if in.PluginName != nil { - in, out := &in.PluginName, &out.PluginName + if in.Path != nil { + in, out := &in.Path, &out.Path *out = new(string) **out = **in } - if in.RootRotationStatements != nil { - in, out := &in.RootRotationStatements, &out.RootRotationStatements - *out = make([]*string, len(*in)) + if in.Postgresql != nil { + in, out := &in.Postgresql, &out.Postgresql + *out = make([]SecretsMountPostgresqlObservation, len(*in)) for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(string) - **out = **in - } + (*in)[i].DeepCopyInto(&(*out)[i]) } } - if in.TLSCA != nil { - in, out := &in.TLSCA, &out.TLSCA - *out = new(string) - **out = **in + if in.Redis != nil { + in, out := &in.Redis, &out.Redis + *out = make([]SecretsMountRedisObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } } - if in.Username != nil { - in, out := &in.Username, &out.Username - *out = new(string) - **out = **in + if in.RedisElasticache != nil { + in, out := &in.RedisElasticache, &out.RedisElasticache + *out = make([]SecretsMountRedisElasticacheObservation, len(*in)) + for i := range *in { + 
(*in)[i].DeepCopyInto(&(*out)[i]) + } } - if in.UsernameTemplate != nil { - in, out := &in.UsernameTemplate, &out.UsernameTemplate - *out = new(string) - **out = **in + if in.Redshift != nil { + in, out := &in.Redshift, &out.Redshift + *out = make([]SecretsMountRedshiftObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } } - if in.VerifyConnection != nil { - in, out := &in.VerifyConnection, &out.VerifyConnection + if in.SealWrap != nil { + in, out := &in.SealWrap, &out.SealWrap *out = new(bool) **out = **in } + if in.Snowflake != nil { + in, out := &in.Snowflake, &out.Snowflake + *out = make([]SecretsMountSnowflakeObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMySQLObservation. -func (in *SecretsMountMySQLObservation) DeepCopy() *SecretsMountMySQLObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountObservation. +func (in *SecretsMountObservation) DeepCopy() *SecretsMountObservation { if in == nil { return nil } - out := new(SecretsMountMySQLObservation) + out := new(SecretsMountObservation) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountMySQLParameters) DeepCopyInto(out *SecretsMountMySQLParameters) { +func (in *SecretsMountOracleInitParameters) DeepCopyInto(out *SecretsMountOracleInitParameters) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles 
@@ -4946,11 +8064,6 @@ func (in *SecretsMountMySQLParameters) DeepCopyInto(out *SecretsMountMySQLParame *out = new(string) **out = **in } - if in.PasswordSecretRef != nil { - in, out := &in.PasswordSecretRef, &out.PasswordSecretRef - *out = new(v1.SecretKeySelector) - **out = **in - } if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) @@ -4967,16 +8080,6 @@ func (in *SecretsMountMySQLParameters) DeepCopyInto(out *SecretsMountMySQLParame } } } - if in.TLSCA != nil { - in, out := &in.TLSCA, &out.TLSCA - *out = new(string) - **out = **in - } - if in.TLSCertificateKeySecretRef != nil { - in, out := &in.TLSCertificateKeySecretRef, &out.TLSCertificateKeySecretRef - *out = new(v1.SecretKeySelector) - **out = **in - } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -4994,18 +8097,18 @@ func (in *SecretsMountMySQLParameters) DeepCopyInto(out *SecretsMountMySQLParame } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMySQLParameters. -func (in *SecretsMountMySQLParameters) DeepCopy() *SecretsMountMySQLParameters { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountOracleInitParameters. +func (in *SecretsMountOracleInitParameters) DeepCopy() *SecretsMountOracleInitParameters { if in == nil { return nil } - out := new(SecretsMountMySQLParameters) + out := new(SecretsMountOracleInitParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountMySQLRDSObservation) DeepCopyInto(out *SecretsMountMySQLRDSObservation) { +func (in *SecretsMountOracleObservation) DeepCopyInto(out *SecretsMountOracleObservation) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles 
@@ -5091,18 +8194,18 @@ func (in *SecretsMountMySQLRDSObservation) DeepCopyInto(out *SecretsMountMySQLRD } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMySQLRDSObservation. -func (in *SecretsMountMySQLRDSObservation) DeepCopy() *SecretsMountMySQLRDSObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountOracleObservation. +func (in *SecretsMountOracleObservation) DeepCopy() *SecretsMountOracleObservation { if in == nil { return nil } - out := new(SecretsMountMySQLRDSObservation) + out := new(SecretsMountOracleObservation) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountMySQLRDSParameters) DeepCopyInto(out *SecretsMountMySQLRDSParameters) { +func (in *SecretsMountOracleParameters) DeepCopyInto(out *SecretsMountOracleParameters) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles 
@@ -5193,24 +8296,19 @@ func (in *SecretsMountMySQLRDSParameters) DeepCopyInto(out *SecretsMountMySQLRDS } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountMySQLRDSParameters. -func (in *SecretsMountMySQLRDSParameters) DeepCopy() *SecretsMountMySQLRDSParameters { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountOracleParameters. +func (in *SecretsMountOracleParameters) DeepCopy() *SecretsMountOracleParameters { if in == nil { return nil } - out := new(SecretsMountMySQLRDSParameters) + out := new(SecretsMountOracleParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountObservation) DeepCopyInto(out *SecretsMountObservation) { +func (in *SecretsMountParameters) DeepCopyInto(out *SecretsMountParameters) { *out = *in - if in.Accessor != nil { - in, out := &in.Accessor, &out.Accessor - *out = new(string) - **out = **in - } if in.AllowedManagedKeys != nil { in, out := &in.AllowedManagedKeys, &out.AllowedManagedKeys *out = make([]*string, len(*in)) @@ -5246,14 +8344,14 @@ func (in *SecretsMountObservation) DeepCopyInto(out *SecretsMountObservation) { } if in.Cassandra != nil { in, out := &in.Cassandra, &out.Cassandra - *out = make([]SecretsMountCassandraObservation, len(*in)) + *out = make([]SecretsMountCassandraParameters, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } } if in.Couchbase != nil { in, out := &in.Couchbase, &out.Couchbase - *out = make([]SecretsMountCouchbaseObservation, len(*in)) + *out = make([]SecretsMountCouchbaseParameters, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } 
@@ -5270,16 +8368,11 @@ func (in *SecretsMountObservation) DeepCopyInto(out *SecretsMountObservation) { } if in.Elasticsearch != nil { in, out := &in.Elasticsearch, &out.Elasticsearch - *out = make([]SecretsMountElasticsearchObservation, len(*in)) + *out = make([]SecretsMountElasticsearchParameters, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } } - if in.EngineCount != nil { - in, out := &in.EngineCount, &out.EngineCount - *out = new(float64) - **out = **in - } if in.ExternalEntropyAccess != nil { in, out := &in.ExternalEntropyAccess, &out.ExternalEntropyAccess *out = new(bool) @@ -5287,19 +8380,14 @@ func (in *SecretsMountObservation) DeepCopyInto(out *SecretsMountObservation) { } if in.Hana != nil { in, out := &in.Hana, &out.Hana - *out = make([]SecretsMountHanaObservation, len(*in)) + *out = make([]SecretsMountHanaParameters, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } } - if in.ID != nil { - in, out := &in.ID, &out.ID - *out = new(string) - **out = **in - } if in.Influxdb != nil { in, out := &in.Influxdb, &out.Influxdb - *out = make([]SecretsMountInfluxdbObservation, len(*in)) + *out = make([]SecretsMountInfluxdbParameters, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } 
@@ -5316,49 +8404,49 @@ func (in *SecretsMountObservation) DeepCopyInto(out *SecretsMountObservation) { } if in.Mongodb != nil { in, out := &in.Mongodb, &out.Mongodb - *out = make([]SecretsMountMongodbObservation, len(*in)) + *out = make([]SecretsMountMongodbParameters, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } } if in.Mongodbatlas != nil { in, out := &in.Mongodbatlas, &out.Mongodbatlas - *out = make([]SecretsMountMongodbatlasObservation, len(*in)) + *out = make([]SecretsMountMongodbatlasParameters, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } } if in.Mssql != nil { in, out := &in.Mssql, &out.Mssql - *out = make([]SecretsMountMssqlObservation, len(*in)) + *out = make([]SecretsMountMssqlParameters, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } } if in.MySQL != nil { in, out := &in.MySQL, &out.MySQL - *out = make([]SecretsMountMySQLObservation, len(*in)) + *out = make([]SecretsMountMySQLParameters, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } } if in.MySQLAurora != nil { in, out := &in.MySQLAurora, &out.MySQLAurora - *out = make([]SecretsMountMySQLAuroraObservation, len(*in)) + *out = make([]SecretsMountMySQLAuroraParameters, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } } if in.MySQLLegacy != nil { in, out := &in.MySQLLegacy, &out.MySQLLegacy - *out = make([]SecretsMountMySQLLegacyObservation, len(*in)) + *out = make([]SecretsMountMySQLLegacyParameters, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } } if in.MySQLRDS != nil { in, out := &in.MySQLRDS, &out.MySQLRDS - *out = make([]SecretsMountMySQLRDSObservation, len(*in)) + *out = make([]SecretsMountMySQLRDSParameters, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } 
@@ -5385,7 +8473,7 @@ func (in *SecretsMountObservation) DeepCopyInto(out *SecretsMountObservation) { } if in.Oracle != nil { in, out := &in.Oracle, &out.Oracle - *out = make([]SecretsMountOracleObservation, len(*in)) + *out = make([]SecretsMountOracleParameters, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } @@ -5397,28 +8485,28 @@ func (in *SecretsMountObservation) DeepCopyInto(out *SecretsMountObservation) { } if in.Postgresql != nil { in, out := &in.Postgresql, &out.Postgresql - *out = make([]SecretsMountPostgresqlObservation, len(*in)) + *out = make([]SecretsMountPostgresqlParameters, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } } if in.Redis != nil { in, out := &in.Redis, &out.Redis - *out = make([]SecretsMountRedisObservation, len(*in)) + *out = make([]SecretsMountRedisParameters, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } } if in.RedisElasticache != nil { in, out := &in.RedisElasticache, &out.RedisElasticache - *out = make([]SecretsMountRedisElasticacheObservation, len(*in)) + *out = make([]SecretsMountRedisElasticacheParameters, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } } if in.Redshift != nil { in, out := &in.Redshift, &out.Redshift - *out = make([]SecretsMountRedshiftObservation, len(*in)) + *out = make([]SecretsMountRedshiftParameters, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } 
@@ -5430,25 +8518,25 @@ func (in *SecretsMountObservation) DeepCopyInto(out *SecretsMountObservation) { } if in.Snowflake != nil { in, out := &in.Snowflake, &out.Snowflake - *out = make([]SecretsMountSnowflakeObservation, len(*in)) + *out = make([]SecretsMountSnowflakeParameters, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountObservation. -func (in *SecretsMountObservation) DeepCopy() *SecretsMountObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountParameters. +func (in *SecretsMountParameters) DeepCopy() *SecretsMountParameters { if in == nil { return nil } - out := new(SecretsMountObservation) + out := new(SecretsMountParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountOracleObservation) DeepCopyInto(out *SecretsMountOracleObservation) { +func (in *SecretsMountPostgresqlInitParameters) DeepCopyInto(out *SecretsMountPostgresqlInitParameters) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles @@ -5481,6 +8569,11 @@ func (in *SecretsMountOracleObservation) DeepCopyInto(out *SecretsMountOracleObs (*out)[key] = outVal } } + if in.DisableEscaping != nil { + in, out := &in.DisableEscaping, &out.DisableEscaping + *out = new(bool) + **out = **in + } if in.MaxConnectionLifetime != nil { in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime *out = new(float64) 
@@ -5534,18 +8627,18 @@ func (in *SecretsMountOracleObservation) DeepCopyInto(out *SecretsMountOracleObs } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountOracleObservation. -func (in *SecretsMountOracleObservation) DeepCopy() *SecretsMountOracleObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountPostgresqlInitParameters. +func (in *SecretsMountPostgresqlInitParameters) DeepCopy() *SecretsMountPostgresqlInitParameters { if in == nil { return nil } - out := new(SecretsMountOracleObservation) + out := new(SecretsMountPostgresqlInitParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountOracleParameters) DeepCopyInto(out *SecretsMountOracleParameters) { +func (in *SecretsMountPostgresqlObservation) DeepCopyInto(out *SecretsMountPostgresqlObservation) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles @@ -5578,6 +8671,11 @@ func (in *SecretsMountOracleParameters) DeepCopyInto(out *SecretsMountOraclePara (*out)[key] = outVal } } + if in.DisableEscaping != nil { + in, out := &in.DisableEscaping, &out.DisableEscaping + *out = new(bool) + **out = **in + } if in.MaxConnectionLifetime != nil { in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime *out = new(float64) @@ -5598,11 +8696,6 @@ func (in *SecretsMountOracleParameters) DeepCopyInto(out *SecretsMountOraclePara *out = new(string) **out = **in } - if in.PasswordSecretRef != nil { - in, out := &in.PasswordSecretRef, &out.PasswordSecretRef - *out = new(v1.SecretKeySelector) - **out = **in - } if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) 
@@ -5636,21 +8729,21 @@ func (in *SecretsMountOracleParameters) DeepCopyInto(out *SecretsMountOraclePara } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountOracleParameters. -func (in *SecretsMountOracleParameters) DeepCopy() *SecretsMountOracleParameters { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountPostgresqlObservation. +func (in *SecretsMountPostgresqlObservation) DeepCopy() *SecretsMountPostgresqlObservation { if in == nil { return nil } - out := new(SecretsMountOracleParameters) + out := new(SecretsMountPostgresqlObservation) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountParameters) DeepCopyInto(out *SecretsMountParameters) { +func (in *SecretsMountPostgresqlParameters) DeepCopyInto(out *SecretsMountPostgresqlParameters) { *out = *in - if in.AllowedManagedKeys != nil { - in, out := &in.AllowedManagedKeys, &out.AllowedManagedKeys + if in.AllowedRoles != nil { + in, out := &in.AllowedRoles, &out.AllowedRoles *out = make([]*string, len(*in)) for i := range *in { if (*in)[i] != nil { 
@@ -5660,19 +8753,63 @@ func (in *SecretsMountParameters) DeepCopyInto(out *SecretsMountParameters) { } } } - if in.AuditNonHMACRequestKeys != nil { - in, out := &in.AuditNonHMACRequestKeys, &out.AuditNonHMACRequestKeys - *out = make([]*string, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] + if in.ConnectionURL != nil { + in, out := &in.ConnectionURL, &out.ConnectionURL + *out = new(string) + **out = **in + } + if in.Data != nil { + in, out := &in.Data, &out.Data + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal *out = new(string) **out = **in } + (*out)[key] = outVal } } - if in.AuditNonHMACResponseKeys != nil { - in, out := &in.AuditNonHMACResponseKeys, &out.AuditNonHMACResponseKeys + if in.DisableEscaping != nil { + in, out := &in.DisableEscaping, &out.DisableEscaping + *out = new(bool) + **out = **in + } + if in.MaxConnectionLifetime != nil { + in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime + *out = new(float64) + **out = **in + } + if in.MaxIdleConnections != nil { + in, out := &in.MaxIdleConnections, &out.MaxIdleConnections + *out = new(float64) + **out = **in + } + if in.MaxOpenConnections != nil { + in, out := &in.MaxOpenConnections, &out.MaxOpenConnections + *out = new(float64) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.PluginName != nil { + in, out := &in.PluginName, &out.PluginName + *out = new(string) + **out = **in + } + if in.RootRotationStatements != nil { + in, out := &in.RootRotationStatements, &out.RootRotationStatements *out = make([]*string, len(*in)) for i := range *in { if (*in)[i] != nil { 
@@ -5682,122 +8819,126 @@ func (in *SecretsMountParameters) DeepCopyInto(out *SecretsMountParameters) { } } } - if in.Cassandra != nil { - in, out := &in.Cassandra, &out.Cassandra - *out = make([]SecretsMountCassandraParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.Couchbase != nil { - in, out := &in.Couchbase, &out.Couchbase - *out = make([]SecretsMountCouchbaseParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.DefaultLeaseTTLSeconds != nil { - in, out := &in.DefaultLeaseTTLSeconds, &out.DefaultLeaseTTLSeconds - *out = new(float64) + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) **out = **in } - if in.Description != nil { - in, out := &in.Description, &out.Description + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate *out = new(string) **out = **in } - if in.Elasticsearch != nil { - in, out := &in.Elasticsearch, &out.Elasticsearch - *out = make([]SecretsMountElasticsearchParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.ExternalEntropyAccess != nil { - in, out := &in.ExternalEntropyAccess, &out.ExternalEntropyAccess + if in.VerifyConnection != nil { + in, out := &in.VerifyConnection, &out.VerifyConnection *out = new(bool) **out = **in } - if in.Hana != nil { - in, out := &in.Hana, &out.Hana - *out = make([]SecretsMountHanaParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountPostgresqlParameters. 
+func (in *SecretsMountPostgresqlParameters) DeepCopy() *SecretsMountPostgresqlParameters { + if in == nil { + return nil } - if in.Influxdb != nil { - in, out := &in.Influxdb, &out.Influxdb - *out = make([]SecretsMountInfluxdbParameters, len(*in)) + out := new(SecretsMountPostgresqlParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretsMountRedisElasticacheInitParameters) DeepCopyInto(out *SecretsMountRedisElasticacheInitParameters) { + *out = *in + if in.AllowedRoles != nil { + in, out := &in.AllowedRoles, &out.AllowedRoles + *out = make([]*string, len(*in)) for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } } } - if in.Local != nil { - in, out := &in.Local, &out.Local - *out = new(bool) - **out = **in + if in.Data != nil { + in, out := &in.Data, &out.Data + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } } - if in.MaxLeaseTTLSeconds != nil { - in, out := &in.MaxLeaseTTLSeconds, &out.MaxLeaseTTLSeconds - *out = new(float64) + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) **out = **in } - if in.Mongodb != nil { - in, out := &in.Mongodb, &out.Mongodb - *out = make([]SecretsMountMongodbParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } + if in.PluginName != nil { + in, out := &in.PluginName, &out.PluginName + *out = new(string) + **out = **in } - if in.Mongodbatlas != nil { - in, out := &in.Mongodbatlas, &out.Mongodbatlas - *out = make([]SecretsMountMongodbatlasParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } + if in.Region != nil { + in, out := 
&in.Region, &out.Region + *out = new(string) + **out = **in } - if in.Mssql != nil { - in, out := &in.Mssql, &out.Mssql - *out = make([]SecretsMountMssqlParameters, len(*in)) + if in.RootRotationStatements != nil { + in, out := &in.RootRotationStatements, &out.RootRotationStatements + *out = make([]*string, len(*in)) for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } } } - if in.MySQL != nil { - in, out := &in.MySQL, &out.MySQL - *out = make([]SecretsMountMySQLParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } + if in.URL != nil { + in, out := &in.URL, &out.URL + *out = new(string) + **out = **in } - if in.MySQLAurora != nil { - in, out := &in.MySQLAurora, &out.MySQLAurora - *out = make([]SecretsMountMySQLAuroraParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } + if in.VerifyConnection != nil { + in, out := &in.VerifyConnection, &out.VerifyConnection + *out = new(bool) + **out = **in } - if in.MySQLLegacy != nil { - in, out := &in.MySQLLegacy, &out.MySQLLegacy - *out = make([]SecretsMountMySQLLegacyParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountRedisElasticacheInitParameters. +func (in *SecretsMountRedisElasticacheInitParameters) DeepCopy() *SecretsMountRedisElasticacheInitParameters { + if in == nil { + return nil } - if in.MySQLRDS != nil { - in, out := &in.MySQLRDS, &out.MySQLRDS - *out = make([]SecretsMountMySQLRDSParameters, len(*in)) + out := new(SecretsMountRedisElasticacheInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *SecretsMountRedisElasticacheObservation) DeepCopyInto(out *SecretsMountRedisElasticacheObservation) { + *out = *in + if in.AllowedRoles != nil { + in, out := &in.AllowedRoles, &out.AllowedRoles + *out = make([]*string, len(*in)) for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } } } - if in.Namespace != nil { - in, out := &in.Namespace, &out.Namespace - *out = new(string) - **out = **in - } - if in.Options != nil { - in, out := &in.Options, &out.Options + if in.Data != nil { + in, out := &in.Data, &out.Data *out = make(map[string]*string, len(*in)) for key, val := range *in { var outVal *string 
@@ -5811,72 +8952,56 @@ func (in *SecretsMountParameters) DeepCopyInto(out *SecretsMountParameters) { (*out)[key] = outVal } } - if in.Oracle != nil { - in, out := &in.Oracle, &out.Oracle - *out = make([]SecretsMountOracleParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.Path != nil { - in, out := &in.Path, &out.Path + if in.Name != nil { + in, out := &in.Name, &out.Name *out = new(string) **out = **in } - if in.Postgresql != nil { - in, out := &in.Postgresql, &out.Postgresql - *out = make([]SecretsMountPostgresqlParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } + if in.PluginName != nil { + in, out := &in.PluginName, &out.PluginName + *out = new(string) + **out = **in } - if in.Redis != nil { - in, out := &in.Redis, &out.Redis - *out = make([]SecretsMountRedisParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } + if in.Region != nil { + in, out := &in.Region, &out.Region + *out = new(string) + **out = **in } - if in.RedisElasticache != nil { - in, out := &in.RedisElasticache, &out.RedisElasticache - *out = make([]SecretsMountRedisElasticacheParameters, len(*in)) + if in.RootRotationStatements != nil { + in, out := &in.RootRotationStatements, &out.RootRotationStatements + *out = make([]*string, len(*in)) for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } } } - if in.Redshift != nil { - in, out := &in.Redshift, &out.Redshift - *out = make([]SecretsMountRedshiftParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } + if in.URL != nil { + in, out := &in.URL, &out.URL + *out = new(string) + **out = **in } - if in.SealWrap != nil { - in, out := &in.SealWrap, &out.SealWrap + if in.VerifyConnection != nil { + in, out := &in.VerifyConnection, &out.VerifyConnection *out = new(bool) **out = **in } - if in.Snowflake != nil { - in, 
out := &in.Snowflake, &out.Snowflake - *out = make([]SecretsMountSnowflakeParameters, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountParameters. -func (in *SecretsMountParameters) DeepCopy() *SecretsMountParameters { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountRedisElasticacheObservation. +func (in *SecretsMountRedisElasticacheObservation) DeepCopy() *SecretsMountRedisElasticacheObservation { if in == nil { return nil } - out := new(SecretsMountParameters) + out := new(SecretsMountRedisElasticacheObservation) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountPostgresqlObservation) DeepCopyInto(out *SecretsMountPostgresqlObservation) { +func (in *SecretsMountRedisElasticacheParameters) DeepCopyInto(out *SecretsMountRedisElasticacheParameters) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles @@ -5889,11 +9014,6 @@ func (in *SecretsMountPostgresqlObservation) DeepCopyInto(out *SecretsMountPostg } } } - if in.ConnectionURL != nil { - in, out := &in.ConnectionURL, &out.ConnectionURL - *out = new(string) - **out = **in - } if in.Data != nil { in, out := &in.Data, &out.Data *out = make(map[string]*string, len(*in)) 
@@ -5909,36 +9029,26 @@ func (in *SecretsMountPostgresqlObservation) DeepCopyInto(out *SecretsMountPostg (*out)[key] = outVal } } - if in.DisableEscaping != nil { - in, out := &in.DisableEscaping, &out.DisableEscaping - *out = new(bool) - **out = **in - } - if in.MaxConnectionLifetime != nil { - in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime - *out = new(float64) - **out = **in - } - if in.MaxIdleConnections != nil { - in, out := &in.MaxIdleConnections, &out.MaxIdleConnections - *out = new(float64) - **out = **in - } - if in.MaxOpenConnections != nil { - in, out := &in.MaxOpenConnections, &out.MaxOpenConnections - *out = new(float64) - **out = **in - } if in.Name != nil { in, out := &in.Name, &out.Name *out = new(string) **out = **in } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) **out = **in } + if in.Region != nil { + in, out := &in.Region, &out.Region + *out = new(string) + **out = **in + } if in.RootRotationStatements != nil { in, out := &in.RootRotationStatements, &out.RootRotationStatements *out = make([]*string, len(*in)) @@ -5950,14 +9060,14 @@ func (in *SecretsMountPostgresqlObservation) DeepCopyInto(out *SecretsMountPostg } } } - if in.Username != nil { - in, out := &in.Username, &out.Username + if in.URL != nil { + in, out := &in.URL, &out.URL *out = new(string) **out = **in } - if in.UsernameTemplate != nil { - in, out := &in.UsernameTemplate, &out.UsernameTemplate - *out = new(string) + if in.UsernameSecretRef != nil { + in, out := &in.UsernameSecretRef, &out.UsernameSecretRef + *out = new(v1.SecretKeySelector) **out = **in } if in.VerifyConnection != nil { 
@@ -5967,18 +9077,18 @@ func (in *SecretsMountPostgresqlObservation) DeepCopyInto(out *SecretsMountPostg } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountPostgresqlObservation. -func (in *SecretsMountPostgresqlObservation) DeepCopy() *SecretsMountPostgresqlObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountRedisElasticacheParameters. +func (in *SecretsMountRedisElasticacheParameters) DeepCopy() *SecretsMountRedisElasticacheParameters { if in == nil { return nil } - out := new(SecretsMountPostgresqlObservation) + out := new(SecretsMountRedisElasticacheParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountPostgresqlParameters) DeepCopyInto(out *SecretsMountPostgresqlParameters) { +func (in *SecretsMountRedisInitParameters) DeepCopyInto(out *SecretsMountRedisInitParameters) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles @@ -5991,8 +9101,8 @@ func (in *SecretsMountPostgresqlParameters) DeepCopyInto(out *SecretsMountPostgr } } } - if in.ConnectionURL != nil { - in, out := &in.ConnectionURL, &out.ConnectionURL + if in.CACert != nil { + in, out := &in.CACert, &out.CACert *out = new(string) **out = **in } 
@@ -6011,24 +9121,14 @@ func (in *SecretsMountPostgresqlParameters) DeepCopyInto(out *SecretsMountPostgr (*out)[key] = outVal } } - if in.DisableEscaping != nil { - in, out := &in.DisableEscaping, &out.DisableEscaping - *out = new(bool) - **out = **in - } - if in.MaxConnectionLifetime != nil { - in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime - *out = new(float64) - **out = **in - } - if in.MaxIdleConnections != nil { - in, out := &in.MaxIdleConnections, &out.MaxIdleConnections - *out = new(float64) + if in.Host != nil { + in, out := &in.Host, &out.Host + *out = new(string) **out = **in } - if in.MaxOpenConnections != nil { - in, out := &in.MaxOpenConnections, &out.MaxOpenConnections - *out = new(float64) + if in.InsecureTLS != nil { + in, out := &in.InsecureTLS, &out.InsecureTLS + *out = new(bool) **out = **in } if in.Name != nil { @@ -6036,16 +9136,16 @@ func (in *SecretsMountPostgresqlParameters) DeepCopyInto(out *SecretsMountPostgr *out = new(string) **out = **in } - if in.PasswordSecretRef != nil { - in, out := &in.PasswordSecretRef, &out.PasswordSecretRef - *out = new(v1.SecretKeySelector) - **out = **in - } if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) **out = **in } + if in.Port != nil { + in, out := &in.Port, &out.Port + *out = new(float64) + **out = **in + } if in.RootRotationStatements != nil { in, out := &in.RootRotationStatements, &out.RootRotationStatements *out = make([]*string, len(*in)) 
@@ -6057,16 +9157,16 @@ func (in *SecretsMountPostgresqlParameters) DeepCopyInto(out *SecretsMountPostgr } } } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(bool) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) **out = **in } - if in.UsernameTemplate != nil { - in, out := &in.UsernameTemplate, &out.UsernameTemplate - *out = new(string) - **out = **in - } if in.VerifyConnection != nil { in, out := &in.VerifyConnection, &out.VerifyConnection *out = new(bool) @@ -6074,18 +9174,18 @@ func (in *SecretsMountPostgresqlParameters) DeepCopyInto(out *SecretsMountPostgr } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountPostgresqlParameters. -func (in *SecretsMountPostgresqlParameters) DeepCopy() *SecretsMountPostgresqlParameters { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountRedisInitParameters. +func (in *SecretsMountRedisInitParameters) DeepCopy() *SecretsMountRedisInitParameters { if in == nil { return nil } - out := new(SecretsMountPostgresqlParameters) + out := new(SecretsMountRedisInitParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountRedisElasticacheObservation) DeepCopyInto(out *SecretsMountRedisElasticacheObservation) { +func (in *SecretsMountRedisObservation) DeepCopyInto(out *SecretsMountRedisObservation) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles @@ -6098,6 +9198,11 @@ func (in *SecretsMountRedisElasticacheObservation) DeepCopyInto(out *SecretsMoun } } } + if in.CACert != nil { + in, out := &in.CACert, &out.CACert + *out = new(string) + **out = **in + } if in.Data != nil { in, out := &in.Data, &out.Data *out = make(map[string]*string, len(*in)) 
@@ -6113,6 +9218,16 @@ func (in *SecretsMountRedisElasticacheObservation) DeepCopyInto(out *SecretsMoun (*out)[key] = outVal } } + if in.Host != nil { + in, out := &in.Host, &out.Host + *out = new(string) + **out = **in + } + if in.InsecureTLS != nil { + in, out := &in.InsecureTLS, &out.InsecureTLS + *out = new(bool) + **out = **in + } if in.Name != nil { in, out := &in.Name, &out.Name *out = new(string) @@ -6123,9 +9238,9 @@ func (in *SecretsMountRedisElasticacheObservation) DeepCopyInto(out *SecretsMoun *out = new(string) **out = **in } - if in.Region != nil { - in, out := &in.Region, &out.Region - *out = new(string) + if in.Port != nil { + in, out := &in.Port, &out.Port + *out = new(float64) **out = **in } if in.RootRotationStatements != nil { @@ -6139,8 +9254,13 @@ func (in *SecretsMountRedisElasticacheObservation) DeepCopyInto(out *SecretsMoun } } } - if in.URL != nil { - in, out := &in.URL, &out.URL + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(bool) + **out = **in + } + if in.Username != nil { + in, out := &in.Username, &out.Username *out = new(string) **out = **in } 
@@ -6151,18 +9271,18 @@ func (in *SecretsMountRedisElasticacheObservation) DeepCopyInto(out *SecretsMoun } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountRedisElasticacheObservation. -func (in *SecretsMountRedisElasticacheObservation) DeepCopy() *SecretsMountRedisElasticacheObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountRedisObservation. +func (in *SecretsMountRedisObservation) DeepCopy() *SecretsMountRedisObservation { if in == nil { return nil } - out := new(SecretsMountRedisElasticacheObservation) + out := new(SecretsMountRedisObservation) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountRedisElasticacheParameters) DeepCopyInto(out *SecretsMountRedisElasticacheParameters) { +func (in *SecretsMountRedisParameters) DeepCopyInto(out *SecretsMountRedisParameters) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles @@ -6175,6 +9295,11 @@ func (in *SecretsMountRedisElasticacheParameters) DeepCopyInto(out *SecretsMount } } } + if in.CACert != nil { + in, out := &in.CACert, &out.CACert + *out = new(string) + **out = **in + } if in.Data != nil { in, out := &in.Data, &out.Data *out = make(map[string]*string, len(*in)) 
@@ -6190,24 +9315,30 @@ func (in *SecretsMountRedisElasticacheParameters) DeepCopyInto(out *SecretsMount (*out)[key] = outVal } } - if in.Name != nil { - in, out := &in.Name, &out.Name + if in.Host != nil { + in, out := &in.Host, &out.Host *out = new(string) **out = **in } - if in.PasswordSecretRef != nil { - in, out := &in.PasswordSecretRef, &out.PasswordSecretRef - *out = new(v1.SecretKeySelector) + if in.InsecureTLS != nil { + in, out := &in.InsecureTLS, &out.InsecureTLS + *out = new(bool) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) **out = **in } + out.PasswordSecretRef = in.PasswordSecretRef if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) **out = **in } - if in.Region != nil { - in, out := &in.Region, &out.Region - *out = new(string) + if in.Port != nil { + in, out := &in.Port, &out.Port + *out = new(float64) **out = **in } if in.RootRotationStatements != nil { @@ -6221,14 +9352,14 @@ func (in *SecretsMountRedisElasticacheParameters) DeepCopyInto(out *SecretsMount } } } - if in.URL != nil { - in, out := &in.URL, &out.URL - *out = new(string) + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(bool) **out = **in } - if in.UsernameSecretRef != nil { - in, out := &in.UsernameSecretRef, &out.UsernameSecretRef - *out = new(v1.SecretKeySelector) + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) **out = **in } if in.VerifyConnection != nil { 
@@ -6238,18 +9369,18 @@ func (in *SecretsMountRedisElasticacheParameters) DeepCopyInto(out *SecretsMount } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountRedisElasticacheParameters. -func (in *SecretsMountRedisElasticacheParameters) DeepCopy() *SecretsMountRedisElasticacheParameters { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountRedisParameters. +func (in *SecretsMountRedisParameters) DeepCopy() *SecretsMountRedisParameters { if in == nil { return nil } - out := new(SecretsMountRedisElasticacheParameters) + out := new(SecretsMountRedisParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountRedisObservation) DeepCopyInto(out *SecretsMountRedisObservation) { +func (in *SecretsMountRedshiftInitParameters) DeepCopyInto(out *SecretsMountRedshiftInitParameters) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles @@ -6262,8 +9393,8 @@ func (in *SecretsMountRedisObservation) DeepCopyInto(out *SecretsMountRedisObser } } } - if in.CACert != nil { - in, out := &in.CACert, &out.CACert + if in.ConnectionURL != nil { + in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) **out = **in } 
@@ -6282,14 +9413,24 @@ func (in *SecretsMountRedisObservation) DeepCopyInto(out *SecretsMountRedisObser (*out)[key] = outVal } } - if in.Host != nil { - in, out := &in.Host, &out.Host - *out = new(string) + if in.DisableEscaping != nil { + in, out := &in.DisableEscaping, &out.DisableEscaping + *out = new(bool) **out = **in } - if in.InsecureTLS != nil { - in, out := &in.InsecureTLS, &out.InsecureTLS - *out = new(bool) + if in.MaxConnectionLifetime != nil { + in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime + *out = new(float64) + **out = **in + } + if in.MaxIdleConnections != nil { + in, out := &in.MaxIdleConnections, &out.MaxIdleConnections + *out = new(float64) + **out = **in + } + if in.MaxOpenConnections != nil { + in, out := &in.MaxOpenConnections, &out.MaxOpenConnections + *out = new(float64) **out = **in } if in.Name != nil { @@ -6302,11 +9443,6 @@ func (in *SecretsMountRedisObservation) DeepCopyInto(out *SecretsMountRedisObser *out = new(string) **out = **in } - if in.Port != nil { - in, out := &in.Port, &out.Port - *out = new(float64) - **out = **in - } if in.RootRotationStatements != nil { in, out := &in.RootRotationStatements, &out.RootRotationStatements *out = make([]*string, len(*in)) @@ -6318,16 +9454,16 @@ func (in *SecretsMountRedisObservation) DeepCopyInto(out *SecretsMountRedisObser } } } - if in.TLS != nil { - in, out := &in.TLS, &out.TLS - *out = new(bool) - **out = **in - } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) **out = **in } + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) + **out = **in + } if in.VerifyConnection != nil { in, out := &in.VerifyConnection, &out.VerifyConnection *out = new(bool) 
@@ -6335,18 +9471,18 @@ func (in *SecretsMountRedisObservation) DeepCopyInto(out *SecretsMountRedisObser } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountRedisObservation. -func (in *SecretsMountRedisObservation) DeepCopy() *SecretsMountRedisObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountRedshiftInitParameters. +func (in *SecretsMountRedshiftInitParameters) DeepCopy() *SecretsMountRedshiftInitParameters { if in == nil { return nil } - out := new(SecretsMountRedisObservation) + out := new(SecretsMountRedshiftInitParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountRedisParameters) DeepCopyInto(out *SecretsMountRedisParameters) { +func (in *SecretsMountRedshiftObservation) DeepCopyInto(out *SecretsMountRedshiftObservation) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles @@ -6359,8 +9495,8 @@ func (in *SecretsMountRedisParameters) DeepCopyInto(out *SecretsMountRedisParame } } } - if in.CACert != nil { - in, out := &in.CACert, &out.CACert + if in.ConnectionURL != nil { + in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) **out = **in } 
@@ -6379,14 +9515,24 @@ func (in *SecretsMountRedisParameters) DeepCopyInto(out *SecretsMountRedisParame (*out)[key] = outVal } } - if in.Host != nil { - in, out := &in.Host, &out.Host - *out = new(string) + if in.DisableEscaping != nil { + in, out := &in.DisableEscaping, &out.DisableEscaping + *out = new(bool) **out = **in } - if in.InsecureTLS != nil { - in, out := &in.InsecureTLS, &out.InsecureTLS - *out = new(bool) + if in.MaxConnectionLifetime != nil { + in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime + *out = new(float64) + **out = **in + } + if in.MaxIdleConnections != nil { + in, out := &in.MaxIdleConnections, &out.MaxIdleConnections + *out = new(float64) + **out = **in + } + if in.MaxOpenConnections != nil { + in, out := &in.MaxOpenConnections, &out.MaxOpenConnections + *out = new(float64) **out = **in } if in.Name != nil { @@ -6394,17 +9540,11 @@ func (in *SecretsMountRedisParameters) DeepCopyInto(out *SecretsMountRedisParame *out = new(string) **out = **in } - out.PasswordSecretRef = in.PasswordSecretRef if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) **out = **in } - if in.Port != nil { - in, out := &in.Port, &out.Port - *out = new(float64) - **out = **in - } if in.RootRotationStatements != nil { in, out := &in.RootRotationStatements, &out.RootRotationStatements *out = make([]*string, len(*in)) @@ -6416,16 +9556,16 @@ func (in *SecretsMountRedisParameters) DeepCopyInto(out *SecretsMountRedisParame } } } - if in.TLS != nil { - in, out := &in.TLS, &out.TLS - *out = new(bool) - **out = **in - } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) **out = **in } + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) + **out = **in + } if in.VerifyConnection != nil { in, out := &in.VerifyConnection, &out.VerifyConnection *out = new(bool) 
@@ -6433,18 +9573,18 @@ func (in *SecretsMountRedisParameters) DeepCopyInto(out *SecretsMountRedisParame } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountRedisParameters. -func (in *SecretsMountRedisParameters) DeepCopy() *SecretsMountRedisParameters { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountRedshiftObservation. +func (in *SecretsMountRedshiftObservation) DeepCopy() *SecretsMountRedshiftObservation { if in == nil { return nil } - out := new(SecretsMountRedisParameters) + out := new(SecretsMountRedshiftObservation) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountRedshiftObservation) DeepCopyInto(out *SecretsMountRedshiftObservation) { +func (in *SecretsMountRedshiftParameters) DeepCopyInto(out *SecretsMountRedshiftParameters) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles @@ -6502,6 +9642,11 @@ func (in *SecretsMountRedshiftObservation) DeepCopyInto(out *SecretsMountRedshif *out = new(string) **out = **in } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) 
@@ -6535,18 +9680,18 @@ func (in *SecretsMountRedshiftObservation) DeepCopyInto(out *SecretsMountRedshif } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountRedshiftObservation. -func (in *SecretsMountRedshiftObservation) DeepCopy() *SecretsMountRedshiftObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountRedshiftParameters. +func (in *SecretsMountRedshiftParameters) DeepCopy() *SecretsMountRedshiftParameters { if in == nil { return nil } - out := new(SecretsMountRedshiftObservation) + out := new(SecretsMountRedshiftParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretsMountRedshiftParameters) DeepCopyInto(out *SecretsMountRedshiftParameters) { +func (in *SecretsMountSnowflakeInitParameters) DeepCopyInto(out *SecretsMountSnowflakeInitParameters) { *out = *in if in.AllowedRoles != nil { in, out := &in.AllowedRoles, &out.AllowedRoles @@ -6579,11 +9724,6 @@ func (in *SecretsMountRedshiftParameters) DeepCopyInto(out *SecretsMountRedshift (*out)[key] = outVal } } - if in.DisableEscaping != nil { - in, out := &in.DisableEscaping, &out.DisableEscaping - *out = new(bool) - **out = **in - } if in.MaxConnectionLifetime != nil { in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime *out = new(float64) @@ -6604,11 +9744,6 @@ func (in *SecretsMountRedshiftParameters) DeepCopyInto(out *SecretsMountRedshift *out = new(string) **out = **in } - if in.PasswordSecretRef != nil { - in, out := &in.PasswordSecretRef, &out.PasswordSecretRef - *out = new(v1.SecretKeySelector) - **out = **in - } if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) 
@@ -6642,12 +9777,12 @@ func (in *SecretsMountRedshiftParameters) DeepCopyInto(out *SecretsMountRedshift } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountRedshiftParameters. -func (in *SecretsMountRedshiftParameters) DeepCopy() *SecretsMountRedshiftParameters { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountSnowflakeInitParameters. +func (in *SecretsMountSnowflakeInitParameters) DeepCopy() *SecretsMountSnowflakeInitParameters { if in == nil { return nil } - out := new(SecretsMountRedshiftParameters) + out := new(SecretsMountSnowflakeInitParameters) in.DeepCopyInto(out) return out } @@ -6856,6 +9991,7 @@ func (in *SecretsMountSpec) DeepCopyInto(out *SecretsMountSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsMountSpec. 
@@ -6885,6 +10021,51 @@ func (in *SecretsMountStatus) DeepCopy() *SecretsMountStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SnowflakeInitParameters) DeepCopyInto(out *SnowflakeInitParameters) { + *out = *in + if in.ConnectionURL != nil { + in, out := &in.ConnectionURL, &out.ConnectionURL + *out = new(string) + **out = **in + } + if in.MaxConnectionLifetime != nil { + in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime + *out = new(float64) + **out = **in + } + if in.MaxIdleConnections != nil { + in, out := &in.MaxIdleConnections, &out.MaxIdleConnections + *out = new(float64) + **out = **in + } + if in.MaxOpenConnections != nil { + in, out := &in.MaxOpenConnections, &out.MaxOpenConnections + *out = new(float64) + **out = **in + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SnowflakeInitParameters. +func (in *SnowflakeInitParameters) DeepCopy() *SnowflakeInitParameters { + if in == nil { + return nil + } + out := new(SnowflakeInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SnowflakeObservation) DeepCopyInto(out *SnowflakeObservation) { *out = *in diff --git a/apis/database/v1alpha1/zz_generated.managed.go b/apis/database/v1alpha1/zz_generated.managed.go index 8a2b2360..cc4d23c1 100644 --- a/apis/database/v1alpha1/zz_generated.managed.go +++ b/apis/database/v1alpha1/zz_generated.managed.go 
@@ -17,9 +17,9 @@ func (mg *SecretBackendConnection) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackendConnection. -func (mg *SecretBackendConnection) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackendConnection. +func (mg *SecretBackendConnection) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackendConnection. @@ -55,9 +55,9 @@ func (mg *SecretBackendConnection) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackendConnection. -func (mg *SecretBackendConnection) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackendConnection. +func (mg *SecretBackendConnection) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackendConnection. @@ -93,9 +93,9 @@ func (mg *SecretBackendRole) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackendRole. -func (mg *SecretBackendRole) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackendRole. +func (mg *SecretBackendRole) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackendRole. 
@@ -131,9 +131,9 @@ func (mg *SecretBackendRole) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackendRole. -func (mg *SecretBackendRole) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackendRole. +func (mg *SecretBackendRole) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackendRole. @@ -169,9 +169,9 @@ func (mg *SecretBackendStaticRole) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackendStaticRole. -func (mg *SecretBackendStaticRole) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackendStaticRole. +func (mg *SecretBackendStaticRole) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackendStaticRole. @@ -207,9 +207,9 @@ func (mg *SecretBackendStaticRole) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackendStaticRole. -func (mg *SecretBackendStaticRole) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackendStaticRole. +func (mg *SecretBackendStaticRole) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackendStaticRole. 
@@ -245,9 +245,9 @@ func (mg *SecretsMount) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretsMount. -func (mg *SecretsMount) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretsMount. +func (mg *SecretsMount) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretsMount. @@ -283,9 +283,9 @@ func (mg *SecretsMount) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretsMount. -func (mg *SecretsMount) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretsMount. +func (mg *SecretsMount) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretsMount. diff --git a/apis/database/v1alpha1/zz_generated_terraformed.go b/apis/database/v1alpha1/zz_generated_terraformed.go index ed23e067..37b04557 100755 --- a/apis/database/v1alpha1/zz_generated_terraformed.go +++ b/apis/database/v1alpha1/zz_generated_terraformed.go @@ -69,6 +69,16 @@ func (tr *SecretBackendConnection) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackendConnection +func (tr *SecretBackendConnection) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackendConnection using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackendConnection) LateInitialize(attrs []byte) (bool, error) { 
@@ -143,6 +153,16 @@ func (tr *SecretBackendRole) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackendRole +func (tr *SecretBackendRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackendRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackendRole) LateInitialize(attrs []byte) (bool, error) { @@ -217,6 +237,16 @@ func (tr *SecretBackendStaticRole) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackendStaticRole +func (tr *SecretBackendStaticRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackendStaticRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackendStaticRole) LateInitialize(attrs []byte) (bool, error) { @@ -291,6 +321,16 @@ func (tr *SecretsMount) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretsMount +func (tr *SecretsMount) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretsMount using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretsMount) LateInitialize(attrs []byte) (bool, error) { 
diff --git a/apis/database/v1alpha1/zz_secretbackendconnection_types.go b/apis/database/v1alpha1/zz_secretbackendconnection_types.go index 1beb985a..047e5f80 100755 --- a/apis/database/v1alpha1/zz_secretbackendconnection_types.go +++ b/apis/database/v1alpha1/zz_secretbackendconnection_types.go 
@@ -13,562 +13,1144 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type CassandraInitParameters struct { + + // The number of seconds to use as a connection + // timeout. + // The number of seconds to use as a connection timeout. + ConnectTimeout *float64 `json:"connectTimeout,omitempty" tf:"connect_timeout,omitempty"` + + // The hosts to connect to. + // Cassandra hosts to connect to. + Hosts []*string `json:"hosts,omitempty" tf:"hosts,omitempty"` + + // Whether to skip verification of the server + // certificate when using TLS. + // Whether to skip verification of the server certificate when using TLS. + InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"` + + // The default port to connect to if no port is specified as + // part of the host. + // The transport port to use to connect to Cassandra. + Port *float64 `json:"port,omitempty" tf:"port,omitempty"` + + // The CQL protocol version to use. + // The CQL protocol version to use. + ProtocolVersion *float64 `json:"protocolVersion,omitempty" tf:"protocol_version,omitempty"` + + // Whether to use TLS when connecting to Cassandra. + // Whether to use TLS when connecting to Cassandra. + TLS *bool `json:"tls,omitempty" tf:"tls,omitempty"` + + // The username to authenticate with. + // The username to use when authenticating with Cassandra. + Username *string `json:"username,omitempty" tf:"username,omitempty"` +} + type CassandraObservation struct { + // The number of seconds to use as a connection + // timeout. // The number of seconds to use as a connection timeout. ConnectTimeout *float64 `json:"connectTimeout,omitempty" tf:"connect_timeout,omitempty"` + // The hosts to connect to. // Cassandra hosts to connect to. Hosts []*string `json:"hosts,omitempty" tf:"hosts,omitempty"` + // Whether to skip verification of the server + // certificate when using TLS. // Whether to skip verification of the server certificate when using TLS. 
InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"` + // The default port to connect to if no port is specified as + // part of the host. // The transport port to use to connect to Cassandra. Port *float64 `json:"port,omitempty" tf:"port,omitempty"` + // The CQL protocol version to use. // The CQL protocol version to use. ProtocolVersion *float64 `json:"protocolVersion,omitempty" tf:"protocol_version,omitempty"` + // Whether to use TLS when connecting to Cassandra. // Whether to use TLS when connecting to Cassandra. TLS *bool `json:"tls,omitempty" tf:"tls,omitempty"` + // The username to authenticate with. // The username to use when authenticating with Cassandra. Username *string `json:"username,omitempty" tf:"username,omitempty"` } type CassandraParameters struct { + // The number of seconds to use as a connection + // timeout. // The number of seconds to use as a connection timeout. // +kubebuilder:validation:Optional ConnectTimeout *float64 `json:"connectTimeout,omitempty" tf:"connect_timeout,omitempty"` + // The hosts to connect to. // Cassandra hosts to connect to. // +kubebuilder:validation:Optional Hosts []*string `json:"hosts,omitempty" tf:"hosts,omitempty"` + // Whether to skip verification of the server + // certificate when using TLS. // Whether to skip verification of the server certificate when using TLS. // +kubebuilder:validation:Optional InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"` + // The password to authenticate with. // The password to use when authenticating with Cassandra. // +kubebuilder:validation:Optional PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // Concatenated PEM blocks configuring the certificate + // chain. // Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. 
// +kubebuilder:validation:Optional PemBundleSecretRef *v1.SecretKeySelector `json:"pemBundleSecretRef,omitempty" tf:"-"` + // A JSON structure configuring the certificate chain. // Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. // +kubebuilder:validation:Optional PemJSONSecretRef *v1.SecretKeySelector `json:"pemJsonSecretRef,omitempty" tf:"-"` + // The default port to connect to if no port is specified as + // part of the host. // The transport port to use to connect to Cassandra. // +kubebuilder:validation:Optional Port *float64 `json:"port,omitempty" tf:"port,omitempty"` + // The CQL protocol version to use. // The CQL protocol version to use. // +kubebuilder:validation:Optional ProtocolVersion *float64 `json:"protocolVersion,omitempty" tf:"protocol_version,omitempty"` + // Whether to use TLS when connecting to Cassandra. // Whether to use TLS when connecting to Cassandra. // +kubebuilder:validation:Optional TLS *bool `json:"tls,omitempty" tf:"tls,omitempty"` + // The username to authenticate with. // The username to use when authenticating with Cassandra. // +kubebuilder:validation:Optional Username *string `json:"username,omitempty" tf:"username,omitempty"` } +type CouchbaseInitParameters struct { + + // Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. + // Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. + BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"` + + // The hosts to connect to. + // A set of Couchbase URIs to connect to. Must use `couchbases://` scheme if `tls` is `true`. + Hosts []*string `json:"hosts,omitempty" tf:"hosts,omitempty"` + + // Whether to skip verification of the server + // certificate when using TLS. + // Specifies whether to skip verification of the server certificate when using TLS. 
+ InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"` + + // Whether to use TLS when connecting to Cassandra. + // Specifies whether to use TLS when connecting to Couchbase. + TLS *bool `json:"tls,omitempty" tf:"tls,omitempty"` + + // The username to authenticate with. + // Specifies the username for Vault to use. + Username *string `json:"username,omitempty" tf:"username,omitempty"` + + // Template describing how dynamic usernames are generated. + // Template describing how dynamic usernames are generated. + UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` +} + type CouchbaseObservation struct { + // Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. // Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"` + // The hosts to connect to. // A set of Couchbase URIs to connect to. Must use `couchbases://` scheme if `tls` is `true`. Hosts []*string `json:"hosts,omitempty" tf:"hosts,omitempty"` + // Whether to skip verification of the server + // certificate when using TLS. // Specifies whether to skip verification of the server certificate when using TLS. InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"` + // Whether to use TLS when connecting to Cassandra. // Specifies whether to use TLS when connecting to Couchbase. TLS *bool `json:"tls,omitempty" tf:"tls,omitempty"` + // The username to authenticate with. // Specifies the username for Vault to use. Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Template describing how dynamic usernames are generated. 
UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` } type CouchbaseParameters struct { + // Required if tls is true. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded. // Required if `tls` is `true`. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded. // +kubebuilder:validation:Optional Base64PemSecretRef *v1.SecretKeySelector `json:"base64PemSecretRef,omitempty" tf:"-"` + // Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. // Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. // +kubebuilder:validation:Optional BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"` + // The hosts to connect to. // A set of Couchbase URIs to connect to. Must use `couchbases://` scheme if `tls` is `true`. - // +kubebuilder:validation:Required - Hosts []*string `json:"hosts" tf:"hosts,omitempty"` + // +kubebuilder:validation:Optional + Hosts []*string `json:"hosts,omitempty" tf:"hosts,omitempty"` + // Whether to skip verification of the server + // certificate when using TLS. // Specifies whether to skip verification of the server certificate when using TLS. // +kubebuilder:validation:Optional InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"` + // The password to authenticate with. // Specifies the password corresponding to the given username. // +kubebuilder:validation:Required PasswordSecretRef v1.SecretKeySelector `json:"passwordSecretRef" tf:"-"` + // Whether to use TLS when connecting to Cassandra. // Specifies whether to use TLS when connecting to Couchbase. // +kubebuilder:validation:Optional TLS *bool `json:"tls,omitempty" tf:"tls,omitempty"` + // The username to authenticate with. // Specifies the username for Vault to use. 
- // +kubebuilder:validation:Required - Username *string `json:"username" tf:"username,omitempty"` + // +kubebuilder:validation:Optional + Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Template describing how dynamic usernames are generated. // +kubebuilder:validation:Optional UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` } +type ElasticsearchInitParameters struct { + + // The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. + // The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity + CACert *string `json:"caCert,omitempty" tf:"ca_cert,omitempty"` + + // The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity. + // The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity + CAPath *string `json:"caPath,omitempty" tf:"ca_path,omitempty"` + + // The path to the certificate for the Elasticsearch client to present for communication. + // The path to the certificate for the Elasticsearch client to present for communication + ClientCert *string `json:"clientCert,omitempty" tf:"client_cert,omitempty"` + + // The path to the key for the Elasticsearch client to use for communication. + // The path to the key for the Elasticsearch client to use for communication + ClientKey *string `json:"clientKey,omitempty" tf:"client_key,omitempty"` + + // Whether to disable certificate verification. + // Whether to disable certificate verification + Insecure *bool `json:"insecure,omitempty" tf:"insecure,omitempty"` + + // This, if set, is used to set the SNI host when connecting via TLS. 
+ // This, if set, is used to set the SNI host when connecting via TLS + TLSServerName *string `json:"tlsServerName,omitempty" tf:"tls_server_name,omitempty"` + + // The url to connect to including the port; e.g. master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. + // The URL for Elasticsearch's API + URL *string `json:"url,omitempty" tf:"url,omitempty"` + + // The username to authenticate with. + // The username to be used in the connection URL + Username *string `json:"username,omitempty" tf:"username,omitempty"` + + // Template describing how dynamic usernames are generated. + // Template describing how dynamic usernames are generated. + UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` +} + type ElasticsearchObservation struct { + // The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. // The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity CACert *string `json:"caCert,omitempty" tf:"ca_cert,omitempty"` + // The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity. // The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity CAPath *string `json:"caPath,omitempty" tf:"ca_path,omitempty"` + // The path to the certificate for the Elasticsearch client to present for communication. // The path to the certificate for the Elasticsearch client to present for communication ClientCert *string `json:"clientCert,omitempty" tf:"client_cert,omitempty"` + // The path to the key for the Elasticsearch client to use for communication. // The path to the key for the Elasticsearch client to use for communication ClientKey *string `json:"clientKey,omitempty" tf:"client_key,omitempty"` + // Whether to disable certificate verification. 
// Whether to disable certificate verification Insecure *bool `json:"insecure,omitempty" tf:"insecure,omitempty"` + // This, if set, is used to set the SNI host when connecting via TLS. // This, if set, is used to set the SNI host when connecting via TLS TLSServerName *string `json:"tlsServerName,omitempty" tf:"tls_server_name,omitempty"` + // The url to connect to including the port; e.g. master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. // The URL for Elasticsearch's API URL *string `json:"url,omitempty" tf:"url,omitempty"` + // The username to authenticate with. // The username to be used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Template describing how dynamic usernames are generated. UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` } type ElasticsearchParameters struct { + // The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. // The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity // +kubebuilder:validation:Optional CACert *string `json:"caCert,omitempty" tf:"ca_cert,omitempty"` + // The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity. // The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity // +kubebuilder:validation:Optional CAPath *string `json:"caPath,omitempty" tf:"ca_path,omitempty"` + // The path to the certificate for the Elasticsearch client to present for communication. // The path to the certificate for the Elasticsearch client to present for communication // +kubebuilder:validation:Optional ClientCert *string `json:"clientCert,omitempty" tf:"client_cert,omitempty"` + // The path to the key for the Elasticsearch client to use for communication. 
// The path to the key for the Elasticsearch client to use for communication // +kubebuilder:validation:Optional ClientKey *string `json:"clientKey,omitempty" tf:"client_key,omitempty"` + // Whether to disable certificate verification. // Whether to disable certificate verification // +kubebuilder:validation:Optional Insecure *bool `json:"insecure,omitempty" tf:"insecure,omitempty"` + // The password to authenticate with. // The password to be used in the connection URL // +kubebuilder:validation:Required PasswordSecretRef v1.SecretKeySelector `json:"passwordSecretRef" tf:"-"` + // This, if set, is used to set the SNI host when connecting via TLS. // This, if set, is used to set the SNI host when connecting via TLS // +kubebuilder:validation:Optional TLSServerName *string `json:"tlsServerName,omitempty" tf:"tls_server_name,omitempty"` + // The url to connect to including the port; e.g. master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. // The URL for Elasticsearch's API - // +kubebuilder:validation:Required - URL *string `json:"url" tf:"url,omitempty"` + // +kubebuilder:validation:Optional + URL *string `json:"url,omitempty" tf:"url,omitempty"` + // The username to authenticate with. // The username to be used in the connection URL - // +kubebuilder:validation:Required - Username *string `json:"username" tf:"username,omitempty"` + // +kubebuilder:validation:Optional + Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Template describing how dynamic usernames are generated. // +kubebuilder:validation:Optional UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` } +type HanaInitParameters struct { + + // A URL containing connection information. See + // the Vault + // docs + // for an example. + // Connection string to use to connect to the database. 
+ ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + + // Disable special character escaping in username and password. + // Disable special character escaping in username and password + DisableEscaping *bool `json:"disableEscaping,omitempty" tf:"disable_escaping,omitempty"` + + // The maximum number of seconds to keep + // a connection alive for. + // Maximum number of seconds a connection may be reused. + MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + + // The maximum number of idle connections to + // maintain. + // Maximum number of idle connections to the database. + MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + + // The maximum number of open connections to + // use. + // Maximum number of open connections to the database. + MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + + // The username to authenticate with. + // The root credential username used in the connection URL + Username *string `json:"username,omitempty" tf:"username,omitempty"` +} + type HanaObservation struct { + // A URL containing connection information. See + // the Vault + // docs + // for an example. // Connection string to use to connect to the database. ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // Disable special character escaping in username and password. // Disable special character escaping in username and password DisableEscaping *bool `json:"disableEscaping,omitempty" tf:"disable_escaping,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. 
// Maximum number of idle connections to the database. MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` } type HanaParameters struct { + // A URL containing connection information. See + // the Vault + // docs + // for an example. // Connection string to use to connect to the database. // +kubebuilder:validation:Optional ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // Disable special character escaping in username and password. // Disable special character escaping in username and password // +kubebuilder:validation:Optional DisableEscaping *bool `json:"disableEscaping,omitempty" tf:"disable_escaping,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. // +kubebuilder:validation:Optional MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. // +kubebuilder:validation:Optional MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. // +kubebuilder:validation:Optional MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // The password to authenticate with. 
// The root credential password used in the connection URL // +kubebuilder:validation:Optional PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL // +kubebuilder:validation:Optional Username *string `json:"username,omitempty" tf:"username,omitempty"` } +type InfluxdbInitParameters struct { + + // The number of seconds to use as a connection + // timeout. + // The number of seconds to use as a connection timeout. + ConnectTimeout *float64 `json:"connectTimeout,omitempty" tf:"connect_timeout,omitempty"` + + // The host to connect to. + // Influxdb host to connect to. + Host *string `json:"host,omitempty" tf:"host,omitempty"` + + // Whether to skip verification of the server + // certificate when using TLS. + // Whether to skip verification of the server certificate when using TLS. + InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"` + + // The default port to connect to if no port is specified as + // part of the host. + // The transport port to use to connect to Influxdb. + Port *float64 `json:"port,omitempty" tf:"port,omitempty"` + + // Whether to use TLS when connecting to Cassandra. + // Whether to use TLS when connecting to Influxdb. + TLS *bool `json:"tls,omitempty" tf:"tls,omitempty"` + + // The username to authenticate with. + // Specifies the username to use for superuser access. + Username *string `json:"username,omitempty" tf:"username,omitempty"` + + // Template describing how dynamic usernames are generated. + // Template describing how dynamic usernames are generated. + UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` +} + type InfluxdbObservation struct { + // The number of seconds to use as a connection + // timeout. // The number of seconds to use as a connection timeout. 
ConnectTimeout *float64 `json:"connectTimeout,omitempty" tf:"connect_timeout,omitempty"` + // The host to connect to. // Influxdb host to connect to. Host *string `json:"host,omitempty" tf:"host,omitempty"` + // Whether to skip verification of the server + // certificate when using TLS. // Whether to skip verification of the server certificate when using TLS. InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"` + // The default port to connect to if no port is specified as + // part of the host. // The transport port to use to connect to Influxdb. Port *float64 `json:"port,omitempty" tf:"port,omitempty"` + // Whether to use TLS when connecting to Cassandra. // Whether to use TLS when connecting to Influxdb. TLS *bool `json:"tls,omitempty" tf:"tls,omitempty"` + // The username to authenticate with. // Specifies the username to use for superuser access. Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Template describing how dynamic usernames are generated. UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` } type InfluxdbParameters struct { + // The number of seconds to use as a connection + // timeout. // The number of seconds to use as a connection timeout. // +kubebuilder:validation:Optional ConnectTimeout *float64 `json:"connectTimeout,omitempty" tf:"connect_timeout,omitempty"` + // The host to connect to. // Influxdb host to connect to. - // +kubebuilder:validation:Required - Host *string `json:"host" tf:"host,omitempty"` + // +kubebuilder:validation:Optional + Host *string `json:"host,omitempty" tf:"host,omitempty"` + // Whether to skip verification of the server + // certificate when using TLS. // Whether to skip verification of the server certificate when using TLS. 
// +kubebuilder:validation:Optional InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"` + // The password to authenticate with. // Specifies the password corresponding to the given username. // +kubebuilder:validation:Required PasswordSecretRef v1.SecretKeySelector `json:"passwordSecretRef" tf:"-"` + // Concatenated PEM blocks configuring the certificate + // chain. // Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. // +kubebuilder:validation:Optional PemBundleSecretRef *v1.SecretKeySelector `json:"pemBundleSecretRef,omitempty" tf:"-"` + // A JSON structure configuring the certificate chain. // Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. // +kubebuilder:validation:Optional PemJSONSecretRef *v1.SecretKeySelector `json:"pemJsonSecretRef,omitempty" tf:"-"` + // The default port to connect to if no port is specified as + // part of the host. // The transport port to use to connect to Influxdb. // +kubebuilder:validation:Optional Port *float64 `json:"port,omitempty" tf:"port,omitempty"` + // Whether to use TLS when connecting to Cassandra. // Whether to use TLS when connecting to Influxdb. // +kubebuilder:validation:Optional TLS *bool `json:"tls,omitempty" tf:"tls,omitempty"` + // The username to authenticate with. // Specifies the username to use for superuser access. - // +kubebuilder:validation:Required - Username *string `json:"username" tf:"username,omitempty"` + // +kubebuilder:validation:Optional + Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Template describing how dynamic usernames are generated. 
// +kubebuilder:validation:Optional UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` } +type MongodbInitParameters struct { + + // A URL containing connection information. See + // the Vault + // docs + // for an example. + // Connection string to use to connect to the database. + ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + + // The maximum number of seconds to keep + // a connection alive for. + // Maximum number of seconds a connection may be reused. + MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + + // The maximum number of idle connections to + // maintain. + // Maximum number of idle connections to the database. + MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + + // The maximum number of open connections to + // use. + // Maximum number of open connections to the database. + MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + + // The username to authenticate with. + // The root credential username used in the connection URL + Username *string `json:"username,omitempty" tf:"username,omitempty"` + + // Template describing how dynamic usernames are generated. + // Username generation template. + UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` +} + type MongodbObservation struct { + // A URL containing connection information. See + // the Vault + // docs + // for an example. // Connection string to use to connect to the database. ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. 
MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` } type MongodbParameters struct { + // A URL containing connection information. See + // the Vault + // docs + // for an example. // Connection string to use to connect to the database. // +kubebuilder:validation:Optional ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. // +kubebuilder:validation:Optional MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. // +kubebuilder:validation:Optional MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. 
// +kubebuilder:validation:Optional MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // The password to authenticate with. // The root credential password used in the connection URL // +kubebuilder:validation:Optional PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL // +kubebuilder:validation:Optional Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. // +kubebuilder:validation:Optional UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` } +type MongodbatlasInitParameters struct { + + // The Project ID the Database User should be created within. + // The Project ID the Database User should be created within. + ProjectID *string `json:"projectId,omitempty" tf:"project_id,omitempty"` + + // The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. + // The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. + PublicKey *string `json:"publicKey,omitempty" tf:"public_key,omitempty"` +} + type MongodbatlasObservation struct { + // The Project ID the Database User should be created within. // The Project ID the Database User should be created within. ProjectID *string `json:"projectId,omitempty" tf:"project_id,omitempty"` + // The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. // The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. PublicKey *string `json:"publicKey,omitempty" tf:"public_key,omitempty"` } type MongodbatlasParameters struct { + // The Private Programmatic API Key used to connect with MongoDB Atlas API. // The Private Programmatic API Key used to connect with MongoDB Atlas API. 
// +kubebuilder:validation:Required PrivateKeySecretRef v1.SecretKeySelector `json:"privateKeySecretRef" tf:"-"` // The Project ID the Database User should be created within. - // +kubebuilder:validation:Required - ProjectID *string `json:"projectId" tf:"project_id,omitempty"` + // The Project ID the Database User should be created within. + // +kubebuilder:validation:Optional + ProjectID *string `json:"projectId,omitempty" tf:"project_id,omitempty"` // The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. - // +kubebuilder:validation:Required - PublicKey *string `json:"publicKey" tf:"public_key,omitempty"` + // The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. + // +kubebuilder:validation:Optional + PublicKey *string `json:"publicKey,omitempty" tf:"public_key,omitempty"` +} + +type MssqlInitParameters struct { + + // A URL containing connection information. See + // the Vault + // docs + // for an example. + // Connection string to use to connect to the database. + ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + + // For Vault v1.9+. Set to true when the target is a + // Contained Database, e.g. AzureSQL. + // See the Vault + // docs + // Set to true when the target is a Contained Database, e.g. AzureSQL. + ContainedDB *bool `json:"containedDb,omitempty" tf:"contained_db,omitempty"` + + // Disable special character escaping in username and password. + // Disable special character escaping in username and password + DisableEscaping *bool `json:"disableEscaping,omitempty" tf:"disable_escaping,omitempty"` + + // The maximum number of seconds to keep + // a connection alive for. + // Maximum number of seconds a connection may be reused. + MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + + // The maximum number of idle connections to + // maintain. + // Maximum number of idle connections to the database. 
+ MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + + // The maximum number of open connections to + // use. + // Maximum number of open connections to the database. + MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + + // The username to authenticate with. + // The root credential username used in the connection URL + Username *string `json:"username,omitempty" tf:"username,omitempty"` + + // Template describing how dynamic usernames are generated. + // Username generation template. + UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` } type MssqlObservation struct { + // A URL containing connection information. See + // the Vault + // docs + // for an example. // Connection string to use to connect to the database. ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // For Vault v1.9+. Set to true when the target is a + // Contained Database, e.g. AzureSQL. + // See the Vault + // docs // Set to true when the target is a Contained Database, e.g. AzureSQL. ContainedDB *bool `json:"containedDb,omitempty" tf:"contained_db,omitempty"` + // Disable special character escaping in username and password. // Disable special character escaping in username and password DisableEscaping *bool `json:"disableEscaping,omitempty" tf:"disable_escaping,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. 
// Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` } type MssqlParameters struct { + // A URL containing connection information. See + // the Vault + // docs + // for an example. // Connection string to use to connect to the database. // +kubebuilder:validation:Optional ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // For Vault v1.9+. Set to true when the target is a + // Contained Database, e.g. AzureSQL. + // See the Vault + // docs // Set to true when the target is a Contained Database, e.g. AzureSQL. // +kubebuilder:validation:Optional ContainedDB *bool `json:"containedDb,omitempty" tf:"contained_db,omitempty"` + // Disable special character escaping in username and password. // Disable special character escaping in username and password // +kubebuilder:validation:Optional DisableEscaping *bool `json:"disableEscaping,omitempty" tf:"disable_escaping,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. // +kubebuilder:validation:Optional MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. // +kubebuilder:validation:Optional MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. 
// Maximum number of open connections to the database. // +kubebuilder:validation:Optional MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // The password to authenticate with. // The root credential password used in the connection URL // +kubebuilder:validation:Optional PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL // +kubebuilder:validation:Optional Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. // +kubebuilder:validation:Optional UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` } +type MySQLAuroraInitParameters struct { + + // A URL containing connection information. See + // the Vault + // docs + // for an example. + // Connection string to use to connect to the database. + ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + + // The maximum number of seconds to keep + // a connection alive for. + // Maximum number of seconds a connection may be reused. + MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + + // The maximum number of idle connections to + // maintain. + // Maximum number of idle connections to the database. + MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + + // The maximum number of open connections to + // use. + // Maximum number of open connections to the database. + MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + + // The username to authenticate with. 
+ // The root credential username used in the connection URL + Username *string `json:"username,omitempty" tf:"username,omitempty"` + + // Template describing how dynamic usernames are generated. + // Username generation template. + UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` +} + type MySQLAuroraObservation struct { + // A URL containing connection information. See + // the Vault + // docs + // for an example. + // Connection string to use to connect to the database. + ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + + // The maximum number of seconds to keep + // a connection alive for. + // Maximum number of seconds a connection may be reused. + MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + + // The maximum number of idle connections to + // maintain. + // Maximum number of idle connections to the database. + MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + + // The maximum number of open connections to + // use. + // Maximum number of open connections to the database. + MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + + // The username to authenticate with. + // The root credential username used in the connection URL + Username *string `json:"username,omitempty" tf:"username,omitempty"` + + // Template describing how dynamic usernames are generated. + // Username generation template. + UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` +} + +type MySQLAuroraParameters struct { + + // A URL containing connection information. See + // the Vault + // docs + // for an example. + // Connection string to use to connect to the database. 
+ // +kubebuilder:validation:Optional + ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + + // The maximum number of seconds to keep + // a connection alive for. + // Maximum number of seconds a connection may be reused. + // +kubebuilder:validation:Optional + MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + + // The maximum number of idle connections to + // maintain. + // Maximum number of idle connections to the database. + // +kubebuilder:validation:Optional + MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + + // The maximum number of open connections to + // use. + // Maximum number of open connections to the database. + // +kubebuilder:validation:Optional + MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + + // The password to authenticate with. + // The root credential password used in the connection URL + // +kubebuilder:validation:Optional + PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + + // The username to authenticate with. + // The root credential username used in the connection URL + // +kubebuilder:validation:Optional + Username *string `json:"username,omitempty" tf:"username,omitempty"` + + // Template describing how dynamic usernames are generated. + // Username generation template. + // +kubebuilder:validation:Optional + UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` +} + +type MySQLInitParameters struct { + + // A URL containing connection information. See + // the Vault + // docs + // for an example. // Connection string to use to connect to the database. ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. 
// Maximum number of seconds a connection may be reused. MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` } -type MySQLAuroraParameters struct { +type MySQLLegacyInitParameters struct { + // A URL containing connection information. See + // the Vault + // docs + // for an example. // Connection string to use to connect to the database. - // +kubebuilder:validation:Optional ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. - // +kubebuilder:validation:Optional MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. 
- // +kubebuilder:validation:Optional MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. - // +kubebuilder:validation:Optional MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` - // The root credential password used in the connection URL - // +kubebuilder:validation:Optional - PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` - + // The username to authenticate with. // The root credential username used in the connection URL - // +kubebuilder:validation:Optional Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. - // +kubebuilder:validation:Optional UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` } type MySQLLegacyObservation struct { + // A URL containing connection information. See + // the Vault + // docs + // for an example. // Connection string to use to connect to the database. ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. 
MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` } type MySQLLegacyParameters struct { + // A URL containing connection information. See + // the Vault + // docs + // for an example. // Connection string to use to connect to the database. // +kubebuilder:validation:Optional ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. // +kubebuilder:validation:Optional MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. // +kubebuilder:validation:Optional MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. // +kubebuilder:validation:Optional MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // The password to authenticate with. // The root credential password used in the connection URL // +kubebuilder:validation:Optional PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // The username to authenticate with. 
// The root credential username used in the connection URL // +kubebuilder:validation:Optional Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. // +kubebuilder:validation:Optional UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` 
@@ -576,538 +1158,1040 @@ type MySQLLegacyParameters struct { type MySQLObservation struct { + // A URL containing connection information. See + // the Vault + // docs + // for an example. // Connection string to use to connect to the database. ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` } type MySQLParameters struct { + // A URL containing connection information. See + // the Vault + // docs + // for an example. // Connection string to use to connect to the database. // +kubebuilder:validation:Optional ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. 
// Maximum number of seconds a connection may be reused. // +kubebuilder:validation:Optional MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. // +kubebuilder:validation:Optional MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. // +kubebuilder:validation:Optional MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // The password to authenticate with. // The root credential password used in the connection URL // +kubebuilder:validation:Optional PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. // +kubebuilder:validation:Optional TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. // +kubebuilder:validation:Optional TLSCertificateKeySecretRef *v1.SecretKeySelector `json:"tlsCertificateKeySecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL // +kubebuilder:validation:Optional Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. 
// +kubebuilder:validation:Optional UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` } +type MySQLRDSInitParameters struct { + + // A URL containing connection information. See + // the Vault + // docs + // for an example. + // Connection string to use to connect to the database. + ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + + // The maximum number of seconds to keep + // a connection alive for. + // Maximum number of seconds a connection may be reused. + MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + + // The maximum number of idle connections to + // maintain. + // Maximum number of idle connections to the database. + MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + + // The maximum number of open connections to + // use. + // Maximum number of open connections to the database. + MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + + // The username to authenticate with. + // The root credential username used in the connection URL + Username *string `json:"username,omitempty" tf:"username,omitempty"` + + // Template describing how dynamic usernames are generated. + // Username generation template. + UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` +} + type MySQLRDSObservation struct { + // A URL containing connection information. See + // the Vault + // docs + // for an example. // Connection string to use to connect to the database. ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. 
MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` } type MySQLRDSParameters struct { + // A URL containing connection information. See + // the Vault + // docs + // for an example. // Connection string to use to connect to the database. // +kubebuilder:validation:Optional ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. // +kubebuilder:validation:Optional MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. // +kubebuilder:validation:Optional MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. 
// +kubebuilder:validation:Optional MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // The password to authenticate with. // The root credential password used in the connection URL // +kubebuilder:validation:Optional PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL // +kubebuilder:validation:Optional Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. // +kubebuilder:validation:Optional UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` } +type OracleInitParameters struct { + + // A URL containing connection information. See + // the Vault + // docs + // for an example. + // Connection string to use to connect to the database. + ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + + // The maximum number of seconds to keep + // a connection alive for. + // Maximum number of seconds a connection may be reused. + MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + + // The maximum number of idle connections to + // maintain. + // Maximum number of idle connections to the database. + MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + + // The maximum number of open connections to + // use. + // Maximum number of open connections to the database. + MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + + // The username to authenticate with. + // The root credential username used in the connection URL + Username *string `json:"username,omitempty" tf:"username,omitempty"` + + // Template describing how dynamic usernames are generated. 
+ // Username generation template. + UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` +} + type OracleObservation struct { + // A URL containing connection information. See + // the Vault + // docs + // for an example. // Connection string to use to connect to the database. ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` } type OracleParameters struct { + // A URL containing connection information. See + // the Vault + // docs + // for an example. // Connection string to use to connect to the database. // +kubebuilder:validation:Optional ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. 
// +kubebuilder:validation:Optional MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. // +kubebuilder:validation:Optional MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. // +kubebuilder:validation:Optional MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // The password to authenticate with. // The root credential password used in the connection URL // +kubebuilder:validation:Optional PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL // +kubebuilder:validation:Optional Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. // +kubebuilder:validation:Optional UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` } +type PostgresqlInitParameters struct { + + // A URL containing connection information. See + // the Vault + // docs + // for an example. + // Connection string to use to connect to the database. + ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + + // Disable special character escaping in username and password. + // Disable special character escaping in username and password + DisableEscaping *bool `json:"disableEscaping,omitempty" tf:"disable_escaping,omitempty"` + + // The maximum number of seconds to keep + // a connection alive for. + // Maximum number of seconds a connection may be reused. 
+ MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + + // The maximum number of idle connections to + // maintain. + // Maximum number of idle connections to the database. + MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + + // The maximum number of open connections to + // use. + // Maximum number of open connections to the database. + MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + + // The username to authenticate with. + // The root credential username used in the connection URL + Username *string `json:"username,omitempty" tf:"username,omitempty"` + + // Template describing how dynamic usernames are generated. + // Username generation template. + UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` +} + type PostgresqlObservation struct { + // A URL containing connection information. See + // the Vault + // docs + // for an example. // Connection string to use to connect to the database. ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // Disable special character escaping in username and password. // Disable special character escaping in username and password DisableEscaping *bool `json:"disableEscaping,omitempty" tf:"disable_escaping,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. 
MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` } type PostgresqlParameters struct { + // A URL containing connection information. See + // the Vault + // docs + // for an example. // Connection string to use to connect to the database. // +kubebuilder:validation:Optional ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // Disable special character escaping in username and password. // Disable special character escaping in username and password // +kubebuilder:validation:Optional DisableEscaping *bool `json:"disableEscaping,omitempty" tf:"disable_escaping,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. // +kubebuilder:validation:Optional MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. // +kubebuilder:validation:Optional MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. // +kubebuilder:validation:Optional MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // The password to authenticate with. 
// The root credential password used in the connection URL // +kubebuilder:validation:Optional PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL // +kubebuilder:validation:Optional Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. // +kubebuilder:validation:Optional UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` } +type RedisElasticacheInitParameters struct { + + // The region where the ElastiCache cluster is hosted. If omitted Vault tries to infer from the environment instead. + // The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment. + Region *string `json:"region,omitempty" tf:"region,omitempty"` + + // The url to connect to including the port; e.g. master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. + // The configuration endpoint for the ElastiCache cluster to connect to. + URL *string `json:"url,omitempty" tf:"url,omitempty"` +} + type RedisElasticacheObservation struct { + // The region where the ElastiCache cluster is hosted. If omitted Vault tries to infer from the environment instead. // The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment. Region *string `json:"region,omitempty" tf:"region,omitempty"` + // The url to connect to including the port; e.g. master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. // The configuration endpoint for the ElastiCache cluster to connect to. URL *string `json:"url,omitempty" tf:"url,omitempty"` } type RedisElasticacheParameters struct { + // The password to authenticate with. // The AWS secret key id to use to talk to ElastiCache. 
If omitted the credentials chain provider is used instead. // +kubebuilder:validation:Optional PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // The region where the ElastiCache cluster is hosted. If omitted Vault tries to infer from the environment instead. // The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment. // +kubebuilder:validation:Optional Region *string `json:"region,omitempty" tf:"region,omitempty"` + // The url to connect to including the port; e.g. master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. // The configuration endpoint for the ElastiCache cluster to connect to. - // +kubebuilder:validation:Required - URL *string `json:"url" tf:"url,omitempty"` + // +kubebuilder:validation:Optional + URL *string `json:"url,omitempty" tf:"url,omitempty"` + // The username to authenticate with. // The AWS access key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead. // +kubebuilder:validation:Optional UsernameSecretRef *v1.SecretKeySelector `json:"usernameSecretRef,omitempty" tf:"-"` } +type RedisInitParameters struct { + + // The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. + // The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. + CACert *string `json:"caCert,omitempty" tf:"ca_cert,omitempty"` + + // The host to connect to. + // Specifies the host to connect to + Host *string `json:"host,omitempty" tf:"host,omitempty"` + + // Whether to skip verification of the server + // certificate when using TLS. + // Specifies whether to skip verification of the server certificate when using TLS. + InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"` + + // The default port to connect to if no port is specified as + // part of the host. + // The transport port to use to connect to Redis. 
+ Port *float64 `json:"port,omitempty" tf:"port,omitempty"` + + // Whether to use TLS when connecting to Cassandra. + // Specifies whether to use TLS when connecting to Redis. + TLS *bool `json:"tls,omitempty" tf:"tls,omitempty"` + + // The username to authenticate with. + // Specifies the username for Vault to use. + Username *string `json:"username,omitempty" tf:"username,omitempty"` +} + type RedisObservation struct { + // The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. // The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. CACert *string `json:"caCert,omitempty" tf:"ca_cert,omitempty"` + // The host to connect to. // Specifies the host to connect to Host *string `json:"host,omitempty" tf:"host,omitempty"` + // Whether to skip verification of the server + // certificate when using TLS. // Specifies whether to skip verification of the server certificate when using TLS. InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"` + // The default port to connect to if no port is specified as + // part of the host. // The transport port to use to connect to Redis. Port *float64 `json:"port,omitempty" tf:"port,omitempty"` + // Whether to use TLS when connecting to Cassandra. // Specifies whether to use TLS when connecting to Redis. TLS *bool `json:"tls,omitempty" tf:"tls,omitempty"` + // The username to authenticate with. // Specifies the username for Vault to use. Username *string `json:"username,omitempty" tf:"username,omitempty"` } type RedisParameters struct { + // The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. // The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. // +kubebuilder:validation:Optional CACert *string `json:"caCert,omitempty" tf:"ca_cert,omitempty"` + // The host to connect to. 
// Specifies the host to connect to - // +kubebuilder:validation:Required - Host *string `json:"host" tf:"host,omitempty"` + // +kubebuilder:validation:Optional + Host *string `json:"host,omitempty" tf:"host,omitempty"` + // Whether to skip verification of the server + // certificate when using TLS. // Specifies whether to skip verification of the server certificate when using TLS. // +kubebuilder:validation:Optional InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"` + // The password to authenticate with. // Specifies the password corresponding to the given username. // +kubebuilder:validation:Required PasswordSecretRef v1.SecretKeySelector `json:"passwordSecretRef" tf:"-"` + // The default port to connect to if no port is specified as + // part of the host. // The transport port to use to connect to Redis. // +kubebuilder:validation:Optional Port *float64 `json:"port,omitempty" tf:"port,omitempty"` + // Whether to use TLS when connecting to Cassandra. // Specifies whether to use TLS when connecting to Redis. // +kubebuilder:validation:Optional TLS *bool `json:"tls,omitempty" tf:"tls,omitempty"` + // The username to authenticate with. // Specifies the username for Vault to use. - // +kubebuilder:validation:Required - Username *string `json:"username" tf:"username,omitempty"` + // +kubebuilder:validation:Optional + Username *string `json:"username,omitempty" tf:"username,omitempty"` +} + +type RedshiftInitParameters struct { + + // A URL containing connection information. See + // the Vault + // docs + // for an example. + // Connection string to use to connect to the database. + ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + + // Disable special character escaping in username and password. 
+ // Disable special character escaping in username and password + DisableEscaping *bool `json:"disableEscaping,omitempty" tf:"disable_escaping,omitempty"` + + // The maximum number of seconds to keep + // a connection alive for. + // Maximum number of seconds a connection may be reused. + MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + + // The maximum number of idle connections to + // maintain. + // Maximum number of idle connections to the database. + MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + + // The maximum number of open connections to + // use. + // Maximum number of open connections to the database. + MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + + // The username to authenticate with. + // The root credential username used in the connection URL + Username *string `json:"username,omitempty" tf:"username,omitempty"` + + // Template describing how dynamic usernames are generated. + // Username generation template. + UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` } type RedshiftObservation struct { + // A URL containing connection information. See + // the Vault + // docs + // for an example. // Connection string to use to connect to the database. ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // Disable special character escaping in username and password. // Disable special character escaping in username and password DisableEscaping *bool `json:"disableEscaping,omitempty" tf:"disable_escaping,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. 
MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` } type RedshiftParameters struct { + // A URL containing connection information. See + // the Vault + // docs + // for an example. // Connection string to use to connect to the database. // +kubebuilder:validation:Optional ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // Disable special character escaping in username and password. // Disable special character escaping in username and password // +kubebuilder:validation:Optional DisableEscaping *bool `json:"disableEscaping,omitempty" tf:"disable_escaping,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. // +kubebuilder:validation:Optional MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. 
// +kubebuilder:validation:Optional MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. // +kubebuilder:validation:Optional MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // The password to authenticate with. // The root credential password used in the connection URL // +kubebuilder:validation:Optional PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL // +kubebuilder:validation:Optional Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. // +kubebuilder:validation:Optional UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` } +type SecretBackendConnectionInitParameters struct { + + // A list of roles that are allowed to use this + // connection. + // A list of roles that are allowed to use this connection. + AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + + // The unique name of the Vault mount to configure. + // Unique name of the Vault mount to configure. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // A nested block containing configuration options for Cassandra connections. + // Connection parameters for the cassandra-database-plugin plugin. + Cassandra []CassandraInitParameters `json:"cassandra,omitempty" tf:"cassandra,omitempty"` + + // A nested block containing configuration options for Couchbase connections. + // Connection parameters for the couchbase-database-plugin plugin. 
+ Couchbase []CouchbaseInitParameters `json:"couchbase,omitempty" tf:"couchbase,omitempty"` + + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + + // A nested block containing configuration options for Elasticsearch connections. + // Connection parameters for the elasticsearch-database-plugin. + Elasticsearch []ElasticsearchInitParameters `json:"elasticsearch,omitempty" tf:"elasticsearch,omitempty"` + + // A nested block containing configuration options for SAP HanaDB connections. + // Connection parameters for the hana-database-plugin plugin. + Hana []HanaInitParameters `json:"hana,omitempty" tf:"hana,omitempty"` + + // A nested block containing configuration options for InfluxDB connections. + // Connection parameters for the influxdb-database-plugin plugin. + Influxdb []InfluxdbInitParameters `json:"influxdb,omitempty" tf:"influxdb,omitempty"` + + // A nested block containing configuration options for MongoDB connections. + // Connection parameters for the mongodb-database-plugin plugin. + Mongodb []MongodbInitParameters `json:"mongodb,omitempty" tf:"mongodb,omitempty"` + + // A nested block containing configuration options for MongoDB Atlas connections. + // Connection parameters for the mongodbatlas-database-plugin plugin. + Mongodbatlas []MongodbatlasInitParameters `json:"mongodbatlas,omitempty" tf:"mongodbatlas,omitempty"` + + // A nested block containing configuration options for MSSQL connections. + // Connection parameters for the mssql-database-plugin plugin. + Mssql []MssqlInitParameters `json:"mssql,omitempty" tf:"mssql,omitempty"` + + // A nested block containing configuration options for MySQL connections. + // Connection parameters for the mysql-database-plugin plugin. 
+ MySQL []MySQLInitParameters `json:"mysql,omitempty" tf:"mysql,omitempty"` + + // A nested block containing configuration options for Aurora MySQL connections. + // Connection parameters for the mysql-aurora-database-plugin plugin. + MySQLAurora []MySQLAuroraInitParameters `json:"mysqlAurora,omitempty" tf:"mysql_aurora,omitempty"` + + // A nested block containing configuration options for legacy MySQL connections. + // Connection parameters for the mysql-legacy-database-plugin plugin. + MySQLLegacy []MySQLLegacyInitParameters `json:"mysqlLegacy,omitempty" tf:"mysql_legacy,omitempty"` + + // A nested block containing configuration options for RDS MySQL connections. + // Connection parameters for the mysql-rds-database-plugin plugin. + MySQLRDS []MySQLRDSInitParameters `json:"mysqlRds,omitempty" tf:"mysql_rds,omitempty"` + + // A unique name to give the database connection. + // Name of the database connection. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // A nested block containing configuration options for Oracle connections. + // Connection parameters for the oracle-database-plugin plugin. + Oracle []OracleInitParameters `json:"oracle,omitempty" tf:"oracle,omitempty"` + + // Specifies the name of the plugin to use. + // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + + // A nested block containing configuration options for PostgreSQL connections. + // Connection parameters for the postgresql-database-plugin plugin. 
+ Postgresql []PostgresqlInitParameters `json:"postgresql,omitempty" tf:"postgresql,omitempty"` + + // A nested block containing configuration options for Redis connections. + // Connection parameters for the redis-database-plugin plugin. + Redis []RedisInitParameters `json:"redis,omitempty" tf:"redis,omitempty"` + + // A nested block containing configuration options for Redis ElastiCache connections. + // Connection parameters for the redis-elasticache-database-plugin plugin. + RedisElasticache []RedisElasticacheInitParameters `json:"redisElasticache,omitempty" tf:"redis_elasticache,omitempty"` + + // Connection parameters for the redshift-database-plugin plugin. + Redshift []RedshiftInitParameters `json:"redshift,omitempty" tf:"redshift,omitempty"` + + // A list of database statements to be executed to rotate the root user's credentials. + // A list of database statements to be executed to rotate the root user's credentials. + RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + + // A nested block containing configuration options for Snowflake connections. + // Connection parameters for the snowflake-database-plugin plugin. + Snowflake []SnowflakeInitParameters `json:"snowflake,omitempty" tf:"snowflake,omitempty"` + + // Whether the connection should be verified on + // initial configuration or not. + // Specifies if the connection is verified during initial configuration. + VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` +} + type SecretBackendConnectionObservation struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // The unique name of the Vault mount to configure. // Unique name of the Vault mount to configure. 
Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // A nested block containing configuration options for Cassandra connections. // Connection parameters for the cassandra-database-plugin plugin. Cassandra []CassandraObservation `json:"cassandra,omitempty" tf:"cassandra,omitempty"` + // A nested block containing configuration options for Couchbase connections. // Connection parameters for the couchbase-database-plugin plugin. Couchbase []CouchbaseObservation `json:"couchbase,omitempty" tf:"couchbase,omitempty"` + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // A nested block containing configuration options for Elasticsearch connections. // Connection parameters for the elasticsearch-database-plugin. Elasticsearch []ElasticsearchObservation `json:"elasticsearch,omitempty" tf:"elasticsearch,omitempty"` + // A nested block containing configuration options for SAP HanaDB connections. // Connection parameters for the hana-database-plugin plugin. Hana []HanaObservation `json:"hana,omitempty" tf:"hana,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // A nested block containing configuration options for InfluxDB connections. // Connection parameters for the influxdb-database-plugin plugin. Influxdb []InfluxdbObservation `json:"influxdb,omitempty" tf:"influxdb,omitempty"` + // A nested block containing configuration options for MongoDB connections. // Connection parameters for the mongodb-database-plugin plugin. Mongodb []MongodbObservation `json:"mongodb,omitempty" tf:"mongodb,omitempty"` + // A nested block containing configuration options for MongoDB Atlas connections. // Connection parameters for the mongodbatlas-database-plugin plugin. 
Mongodbatlas []MongodbatlasObservation `json:"mongodbatlas,omitempty" tf:"mongodbatlas,omitempty"` + // A nested block containing configuration options for MSSQL connections. // Connection parameters for the mssql-database-plugin plugin. Mssql []MssqlObservation `json:"mssql,omitempty" tf:"mssql,omitempty"` + // A nested block containing configuration options for MySQL connections. // Connection parameters for the mysql-database-plugin plugin. MySQL []MySQLObservation `json:"mysql,omitempty" tf:"mysql,omitempty"` + // A nested block containing configuration options for Aurora MySQL connections. // Connection parameters for the mysql-aurora-database-plugin plugin. MySQLAurora []MySQLAuroraObservation `json:"mysqlAurora,omitempty" tf:"mysql_aurora,omitempty"` + // A nested block containing configuration options for legacy MySQL connections. // Connection parameters for the mysql-legacy-database-plugin plugin. MySQLLegacy []MySQLLegacyObservation `json:"mysqlLegacy,omitempty" tf:"mysql_legacy,omitempty"` + // A nested block containing configuration options for RDS MySQL connections. // Connection parameters for the mysql-rds-database-plugin plugin. MySQLRDS []MySQLRDSObservation `json:"mysqlRds,omitempty" tf:"mysql_rds,omitempty"` + // A unique name to give the database connection. // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // A nested block containing configuration options for Oracle connections. // Connection parameters for the oracle-database-plugin plugin. 
Oracle []OracleObservation `json:"oracle,omitempty" tf:"oracle,omitempty"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // A nested block containing configuration options for PostgreSQL connections. // Connection parameters for the postgresql-database-plugin plugin. Postgresql []PostgresqlObservation `json:"postgresql,omitempty" tf:"postgresql,omitempty"` + // A nested block containing configuration options for Redis connections. // Connection parameters for the redis-database-plugin plugin. Redis []RedisObservation `json:"redis,omitempty" tf:"redis,omitempty"` + // A nested block containing configuration options for Redis ElastiCache connections. // Connection parameters for the redis-elasticache-database-plugin plugin. RedisElasticache []RedisElasticacheObservation `json:"redisElasticache,omitempty" tf:"redis_elasticache,omitempty"` // Connection parameters for the redshift-database-plugin plugin. Redshift []RedshiftObservation `json:"redshift,omitempty" tf:"redshift,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // A nested block containing configuration options for Snowflake connections. // Connection parameters for the snowflake-database-plugin plugin. Snowflake []SnowflakeObservation `json:"snowflake,omitempty" tf:"snowflake,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. 
VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } type SecretBackendConnectionParameters struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. // +kubebuilder:validation:Optional AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // The unique name of the Vault mount to configure. // Unique name of the Vault mount to configure. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // A nested block containing configuration options for Cassandra connections. // Connection parameters for the cassandra-database-plugin plugin. // +kubebuilder:validation:Optional Cassandra []CassandraParameters `json:"cassandra,omitempty" tf:"cassandra,omitempty"` + // A nested block containing configuration options for Couchbase connections. // Connection parameters for the couchbase-database-plugin plugin. // +kubebuilder:validation:Optional Couchbase []CouchbaseParameters `json:"couchbase,omitempty" tf:"couchbase,omitempty"` + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // A nested block containing configuration options for Elasticsearch connections. // Connection parameters for the elasticsearch-database-plugin. // +kubebuilder:validation:Optional Elasticsearch []ElasticsearchParameters `json:"elasticsearch,omitempty" tf:"elasticsearch,omitempty"` + // A nested block containing configuration options for SAP HanaDB connections. // Connection parameters for the hana-database-plugin plugin. 
// +kubebuilder:validation:Optional Hana []HanaParameters `json:"hana,omitempty" tf:"hana,omitempty"` + // A nested block containing configuration options for InfluxDB connections. // Connection parameters for the influxdb-database-plugin plugin. // +kubebuilder:validation:Optional Influxdb []InfluxdbParameters `json:"influxdb,omitempty" tf:"influxdb,omitempty"` + // A nested block containing configuration options for MongoDB connections. // Connection parameters for the mongodb-database-plugin plugin. // +kubebuilder:validation:Optional Mongodb []MongodbParameters `json:"mongodb,omitempty" tf:"mongodb,omitempty"` + // A nested block containing configuration options for MongoDB Atlas connections. // Connection parameters for the mongodbatlas-database-plugin plugin. // +kubebuilder:validation:Optional Mongodbatlas []MongodbatlasParameters `json:"mongodbatlas,omitempty" tf:"mongodbatlas,omitempty"` + // A nested block containing configuration options for MSSQL connections. // Connection parameters for the mssql-database-plugin plugin. // +kubebuilder:validation:Optional Mssql []MssqlParameters `json:"mssql,omitempty" tf:"mssql,omitempty"` + // A nested block containing configuration options for MySQL connections. // Connection parameters for the mysql-database-plugin plugin. // +kubebuilder:validation:Optional MySQL []MySQLParameters `json:"mysql,omitempty" tf:"mysql,omitempty"` + // A nested block containing configuration options for Aurora MySQL connections. // Connection parameters for the mysql-aurora-database-plugin plugin. // +kubebuilder:validation:Optional MySQLAurora []MySQLAuroraParameters `json:"mysqlAurora,omitempty" tf:"mysql_aurora,omitempty"` + // A nested block containing configuration options for legacy MySQL connections. // Connection parameters for the mysql-legacy-database-plugin plugin. 
// +kubebuilder:validation:Optional MySQLLegacy []MySQLLegacyParameters `json:"mysqlLegacy,omitempty" tf:"mysql_legacy,omitempty"` + // A nested block containing configuration options for RDS MySQL connections. // Connection parameters for the mysql-rds-database-plugin plugin. // +kubebuilder:validation:Optional MySQLRDS []MySQLRDSParameters `json:"mysqlRds,omitempty" tf:"mysql_rds,omitempty"` + // A unique name to give the database connection. // Name of the database connection. // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // A nested block containing configuration options for Oracle connections. // Connection parameters for the oracle-database-plugin plugin. // +kubebuilder:validation:Optional Oracle []OracleParameters `json:"oracle,omitempty" tf:"oracle,omitempty"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. // +kubebuilder:validation:Optional PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // A nested block containing configuration options for PostgreSQL connections. // Connection parameters for the postgresql-database-plugin plugin. // +kubebuilder:validation:Optional Postgresql []PostgresqlParameters `json:"postgresql,omitempty" tf:"postgresql,omitempty"` + // A nested block containing configuration options for Redis connections. // Connection parameters for the redis-database-plugin plugin. 
// +kubebuilder:validation:Optional Redis []RedisParameters `json:"redis,omitempty" tf:"redis,omitempty"` + // A nested block containing configuration options for Redis ElastiCache connections. // Connection parameters for the redis-elasticache-database-plugin plugin. // +kubebuilder:validation:Optional RedisElasticache []RedisElasticacheParameters `json:"redisElasticache,omitempty" tf:"redis_elasticache,omitempty"` 
@@ -1116,66 +2200,128 @@ type SecretBackendConnectionParameters struct { // +kubebuilder:validation:Optional Redshift []RedshiftParameters `json:"redshift,omitempty" tf:"redshift,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. // +kubebuilder:validation:Optional RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // A nested block containing configuration options for Snowflake connections. // Connection parameters for the snowflake-database-plugin plugin. // +kubebuilder:validation:Optional Snowflake []SnowflakeParameters `json:"snowflake,omitempty" tf:"snowflake,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. // +kubebuilder:validation:Optional VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } +type SnowflakeInitParameters struct { + + // A URL containing connection information. See + // the Vault + // docs + // for an example. + // Connection string to use to connect to the database. + ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + + // The maximum number of seconds to keep + // a connection alive for. + // Maximum number of seconds a connection may be reused. + MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + + // The maximum number of idle connections to + // maintain. + // Maximum number of idle connections to the database. + MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + + // The maximum number of open connections to + // use. + // Maximum number of open connections to the database. 
+ MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + + // The username to authenticate with. + // The root credential username used in the connection URL + Username *string `json:"username,omitempty" tf:"username,omitempty"` + + // Template describing how dynamic usernames are generated. + // Username generation template. + UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` +} + type SnowflakeObservation struct { + // A URL containing connection information. See + // the Vault + // docs + // for an example. // Connection string to use to connect to the database. ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` } type SnowflakeParameters struct { + // A URL containing connection information. See + // the Vault + // docs + // for an example. // Connection string to use to connect to the database. 
// +kubebuilder:validation:Optional ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. // +kubebuilder:validation:Optional MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. // +kubebuilder:validation:Optional MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. // +kubebuilder:validation:Optional MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // The password to authenticate with. // The root credential password used in the connection URL // +kubebuilder:validation:Optional PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL // +kubebuilder:validation:Optional Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. // +kubebuilder:validation:Optional UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` 
@@ -1185,6 +2331,18 @@ type SnowflakeParameters struct { type SecretBackendConnectionSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendConnectionParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretBackendConnectionInitParameters `json:"initProvider,omitempty"` } // SecretBackendConnectionStatus defines the observed state of SecretBackendConnection. @@ -1195,7 +2353,7 @@ type SecretBackendConnectionStatus struct { // +kubebuilder:object:root=true -// SecretBackendConnection is the Schema for the SecretBackendConnections API. +// SecretBackendConnection is the Schema for the SecretBackendConnections API. Configures a database secret backend connection for Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -1205,8 +2363,8 @@ type SecretBackendConnectionStatus struct { type SecretBackendConnection struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" Spec SecretBackendConnectionSpec `json:"spec"` Status SecretBackendConnectionStatus `json:"status,omitempty"` } diff --git a/apis/database/v1alpha1/zz_secretbackendrole_types.go b/apis/database/v1alpha1/zz_secretbackendrole_types.go index bcb944bb..f0af153e 100755 --- a/apis/database/v1alpha1/zz_secretbackendrole_types.go +++ b/apis/database/v1alpha1/zz_secretbackendrole_types.go 
@@ -13,79 +13,172 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretBackendRoleInitParameters struct { + + // The unique name of the Vault mount to configure. + // The path of the Database Secret Backend the role belongs to. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // The database statements to execute when + // creating a user. + // Database statements to execute to create and configure a user. + CreationStatements []*string `json:"creationStatements,omitempty" tf:"creation_statements,omitempty"` + + // The unique name of the database connection to use for + // the role. + // Database connection to use for this role. + DBName *string `json:"dbName,omitempty" tf:"db_name,omitempty"` + + // The default number of seconds for leases for this + // role. + // Default TTL for leases associated with this role, in seconds. + DefaultTTL *float64 `json:"defaultTtl,omitempty" tf:"default_ttl,omitempty"` + + // The maximum number of seconds for leases for this + // role. + // Maximum TTL for leases associated with this role, in seconds. + MaxTTL *float64 `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` + + // A unique name to give the role. + // Unique name for the role. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The database statements to execute when + // renewing a user. + // Database statements to execute to renew a user. + RenewStatements []*string `json:"renewStatements,omitempty" tf:"renew_statements,omitempty"` + + // The database statements to execute when + // revoking a user. 
+ // Database statements to execute to revoke a user. + RevocationStatements []*string `json:"revocationStatements,omitempty" tf:"revocation_statements,omitempty"` + + // The database statements to execute when + // rolling back creation due to an error. + // Database statements to execute to rollback a create operation in the event of an error. + RollbackStatements []*string `json:"rollbackStatements,omitempty" tf:"rollback_statements,omitempty"` +} + type SecretBackendRoleObservation struct { + // The unique name of the Vault mount to configure. // The path of the Database Secret Backend the role belongs to. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // The database statements to execute when + // creating a user. // Database statements to execute to create and configure a user. CreationStatements []*string `json:"creationStatements,omitempty" tf:"creation_statements,omitempty"` + // The unique name of the database connection to use for + // the role. // Database connection to use for this role. DBName *string `json:"dbName,omitempty" tf:"db_name,omitempty"` + // The default number of seconds for leases for this + // role. // Default TTL for leases associated with this role, in seconds. DefaultTTL *float64 `json:"defaultTtl,omitempty" tf:"default_ttl,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The maximum number of seconds for leases for this + // role. // Maximum TTL for leases associated with this role, in seconds. MaxTTL *float64 `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` + // A unique name to give the role. // Unique name for the role. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. 
(requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The database statements to execute when + // renewing a user. // Database statements to execute to renew a user. RenewStatements []*string `json:"renewStatements,omitempty" tf:"renew_statements,omitempty"` + // The database statements to execute when + // revoking a user. // Database statements to execute to revoke a user. RevocationStatements []*string `json:"revocationStatements,omitempty" tf:"revocation_statements,omitempty"` + // The database statements to execute when + // rolling back creation due to an error. // Database statements to execute to rollback a create operation in the event of an error. RollbackStatements []*string `json:"rollbackStatements,omitempty" tf:"rollback_statements,omitempty"` } type SecretBackendRoleParameters struct { + // The unique name of the Vault mount to configure. // The path of the Database Secret Backend the role belongs to. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // The database statements to execute when + // creating a user. // Database statements to execute to create and configure a user. // +kubebuilder:validation:Optional CreationStatements []*string `json:"creationStatements,omitempty" tf:"creation_statements,omitempty"` + // The unique name of the database connection to use for + // the role. // Database connection to use for this role. // +kubebuilder:validation:Optional DBName *string `json:"dbName,omitempty" tf:"db_name,omitempty"` + // The default number of seconds for leases for this + // role. // Default TTL for leases associated with this role, in seconds. // +kubebuilder:validation:Optional DefaultTTL *float64 `json:"defaultTtl,omitempty" tf:"default_ttl,omitempty"` + // The maximum number of seconds for leases for this + // role. // Maximum TTL for leases associated with this role, in seconds. 
// +kubebuilder:validation:Optional MaxTTL *float64 `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` + // A unique name to give the role. // Unique name for the role. // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The database statements to execute when + // renewing a user. // Database statements to execute to renew a user. // +kubebuilder:validation:Optional RenewStatements []*string `json:"renewStatements,omitempty" tf:"renew_statements,omitempty"` + // The database statements to execute when + // revoking a user. // Database statements to execute to revoke a user. // +kubebuilder:validation:Optional RevocationStatements []*string `json:"revocationStatements,omitempty" tf:"revocation_statements,omitempty"` + // The database statements to execute when + // rolling back creation due to an error. // Database statements to execute to rollback a create operation in the event of an error. // +kubebuilder:validation:Optional RollbackStatements []*string `json:"rollbackStatements,omitempty" tf:"rollback_statements,omitempty"` 
@@ -95,6 +188,18 @@ type SecretBackendRoleParameters struct { type SecretBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendRoleParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretBackendRoleInitParameters `json:"initProvider,omitempty"` } // SecretBackendRoleStatus defines the observed state of SecretBackendRole. @@ -105,7 +210,7 @@ type SecretBackendRoleStatus struct { // +kubebuilder:object:root=true -// SecretBackendRole is the Schema for the SecretBackendRoles API. +// SecretBackendRole is the Schema for the SecretBackendRoles API. Configures a database secret backend role for Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -115,10 +220,10 @@ type SecretBackendRoleStatus struct { type SecretBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.creationStatements)",message="creationStatements is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dbName)",message="dbName is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.creationStatements) || has(self.initProvider.creationStatements)",message="creationStatements is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.dbName) || has(self.initProvider.dbName)",message="dbName is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" Spec SecretBackendRoleSpec `json:"spec"` Status 
SecretBackendRoleStatus `json:"status,omitempty"` } diff --git a/apis/database/v1alpha1/zz_secretbackendstaticrole_types.go b/apis/database/v1alpha1/zz_secretbackendstaticrole_types.go index c66b9539..97023d7f 100755 --- a/apis/database/v1alpha1/zz_secretbackendstaticrole_types.go +++ b/apis/database/v1alpha1/zz_secretbackendstaticrole_types.go 
@@ -13,58 +13,112 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretBackendStaticRoleInitParameters struct { + + // The unique name of the Vault mount to configure. + // The path of the Database Secret Backend the role belongs to. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // The unique name of the database connection to use for the static role. + // Database connection to use for this role. + DBName *string `json:"dbName,omitempty" tf:"db_name,omitempty"` + + // A unique name to give the static role. + // Unique name for the static role. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The amount of time Vault should wait before rotating the password, in seconds. + // The amount of time Vault should wait before rotating the password, in seconds. + RotationPeriod *float64 `json:"rotationPeriod,omitempty" tf:"rotation_period,omitempty"` + + // Database statements to execute to rotate the password for the configured database user. + // Database statements to execute to rotate the password for the configured database user. + RotationStatements []*string `json:"rotationStatements,omitempty" tf:"rotation_statements,omitempty"` + + // The database username that this static role corresponds to. + // The database username that this role corresponds to. + Username *string `json:"username,omitempty" tf:"username,omitempty"` +} + type SecretBackendStaticRoleObservation struct { + // The unique name of the Vault mount to configure. // The path of the Database Secret Backend the role belongs to. 
Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // The unique name of the database connection to use for the static role. // Database connection to use for this role. DBName *string `json:"dbName,omitempty" tf:"db_name,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // A unique name to give the static role. // Unique name for the static role. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The amount of time Vault should wait before rotating the password, in seconds. // The amount of time Vault should wait before rotating the password, in seconds. RotationPeriod *float64 `json:"rotationPeriod,omitempty" tf:"rotation_period,omitempty"` + // Database statements to execute to rotate the password for the configured database user. // Database statements to execute to rotate the password for the configured database user. RotationStatements []*string `json:"rotationStatements,omitempty" tf:"rotation_statements,omitempty"` + // The database username that this static role corresponds to. // The database username that this role corresponds to. Username *string `json:"username,omitempty" tf:"username,omitempty"` } type SecretBackendStaticRoleParameters struct { + // The unique name of the Vault mount to configure. // The path of the Database Secret Backend the role belongs to. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // The unique name of the database connection to use for the static role. // Database connection to use for this role. 
// +kubebuilder:validation:Optional DBName *string `json:"dbName,omitempty" tf:"db_name,omitempty"` + // A unique name to give the static role. // Unique name for the static role. // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The amount of time Vault should wait before rotating the password, in seconds. // The amount of time Vault should wait before rotating the password, in seconds. // +kubebuilder:validation:Optional RotationPeriod *float64 `json:"rotationPeriod,omitempty" tf:"rotation_period,omitempty"` + // Database statements to execute to rotate the password for the configured database user. // Database statements to execute to rotate the password for the configured database user. // +kubebuilder:validation:Optional RotationStatements []*string `json:"rotationStatements,omitempty" tf:"rotation_statements,omitempty"` + // The database username that this static role corresponds to. // The database username that this role corresponds to. // +kubebuilder:validation:Optional Username *string `json:"username,omitempty" tf:"username,omitempty"` 
@@ -74,6 +128,18 @@ type SecretBackendStaticRoleParameters struct { type SecretBackendStaticRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendStaticRoleParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretBackendStaticRoleInitParameters `json:"initProvider,omitempty"` } // SecretBackendStaticRoleStatus defines the observed state of SecretBackendStaticRole. @@ -84,7 +150,7 @@ type SecretBackendStaticRoleStatus struct { // +kubebuilder:object:root=true -// SecretBackendStaticRole is the Schema for the SecretBackendStaticRoles API. +// SecretBackendStaticRole is the Schema for the SecretBackendStaticRoles API. Configures a database secret backend static role for Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -94,11 +160,11 @@ type SecretBackendStaticRoleStatus struct { type SecretBackendStaticRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dbName)",message="dbName is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.rotationPeriod)",message="rotationPeriod is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.username)",message="username is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.dbName) || has(self.initProvider.dbName)",message="dbName is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.rotationPeriod) || 
has(self.initProvider.rotationPeriod)",message="rotationPeriod is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.username) || has(self.initProvider.username)",message="username is a required parameter" Spec SecretBackendStaticRoleSpec `json:"spec"` Status SecretBackendStaticRoleStatus `json:"status,omitempty"` } diff --git a/apis/database/v1alpha1/zz_secretsmount_types.go b/apis/database/v1alpha1/zz_secretsmount_types.go index eaf39244..339f65b7 100755 --- a/apis/database/v1alpha1/zz_secretsmount_types.go +++ b/apis/database/v1alpha1/zz_secretsmount_types.go 
@@ -13,982 +13,2118 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretsMountCassandraInitParameters struct { + + // A list of roles that are allowed to use this + // connection. + // A list of roles that are allowed to use this connection. + AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + + // The number of seconds to use as a connection + // timeout. + // The number of seconds to use as a connection timeout. + ConnectTimeout *float64 `json:"connectTimeout,omitempty" tf:"connect_timeout,omitempty"` + + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + + // The hosts to connect to. + // Cassandra hosts to connect to. + Hosts []*string `json:"hosts,omitempty" tf:"hosts,omitempty"` + + // Whether to skip verification of the server + // certificate when using TLS. + // Whether to skip verification of the server certificate when using TLS. + InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"` + + // for any configured database engine is changed + // Name of the database connection. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // Specifies the name of the plugin to use. + // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + + // The default port to connect to if no port is specified as + // part of the host. + // The transport port to use to connect to Cassandra. + Port *float64 `json:"port,omitempty" tf:"port,omitempty"` + + // The CQL protocol version to use. + // The CQL protocol version to use. 
+ ProtocolVersion *float64 `json:"protocolVersion,omitempty" tf:"protocol_version,omitempty"` + + // A list of database statements to be executed to rotate the root user's credentials. + // A list of database statements to be executed to rotate the root user's credentials. + RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + + // Whether to use TLS when connecting to Cassandra. + // Whether to use TLS when connecting to Cassandra. + TLS *bool `json:"tls,omitempty" tf:"tls,omitempty"` + + // The username to authenticate with. + // The username to use when authenticating with Cassandra. + Username *string `json:"username,omitempty" tf:"username,omitempty"` + + // Whether the connection should be verified on + // initial configuration or not. + // Specifies if the connection is verified during initial configuration. + VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` +} + type SecretsMountCassandraObservation struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // The number of seconds to use as a connection + // timeout. // The number of seconds to use as a connection timeout. ConnectTimeout *float64 `json:"connectTimeout,omitempty" tf:"connect_timeout,omitempty"` + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // The hosts to connect to. // Cassandra hosts to connect to. Hosts []*string `json:"hosts,omitempty" tf:"hosts,omitempty"` + // Whether to skip verification of the server + // certificate when using TLS. // Whether to skip verification of the server certificate when using TLS. 
InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"` + // for any configured database engine is changed // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // The default port to connect to if no port is specified as + // part of the host. // The transport port to use to connect to Cassandra. Port *float64 `json:"port,omitempty" tf:"port,omitempty"` + // The CQL protocol version to use. // The CQL protocol version to use. ProtocolVersion *float64 `json:"protocolVersion,omitempty" tf:"protocol_version,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // Whether to use TLS when connecting to Cassandra. // Whether to use TLS when connecting to Cassandra. TLS *bool `json:"tls,omitempty" tf:"tls,omitempty"` + // The username to authenticate with. // The username to use when authenticating with Cassandra. Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } type SecretsMountCassandraParameters struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. 
// +kubebuilder:validation:Optional AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // The number of seconds to use as a connection + // timeout. // The number of seconds to use as a connection timeout. // +kubebuilder:validation:Optional ConnectTimeout *float64 `json:"connectTimeout,omitempty" tf:"connect_timeout,omitempty"` + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // The hosts to connect to. // Cassandra hosts to connect to. // +kubebuilder:validation:Optional Hosts []*string `json:"hosts,omitempty" tf:"hosts,omitempty"` + // Whether to skip verification of the server + // certificate when using TLS. // Whether to skip verification of the server certificate when using TLS. // +kubebuilder:validation:Optional InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"` + // for any configured database engine is changed // Name of the database connection. - // +kubebuilder:validation:Required - Name *string `json:"name" tf:"name,omitempty"` + // +kubebuilder:validation:Optional + Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. // The password to use when authenticating with Cassandra. // +kubebuilder:validation:Optional PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // Concatenated PEM blocks configuring the certificate + // chain. // Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. // +kubebuilder:validation:Optional PemBundleSecretRef *v1.SecretKeySelector `json:"pemBundleSecretRef,omitempty" tf:"-"` + // A JSON structure configuring the certificate chain. 
// Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. // +kubebuilder:validation:Optional PemJSONSecretRef *v1.SecretKeySelector `json:"pemJsonSecretRef,omitempty" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. // +kubebuilder:validation:Optional PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // The default port to connect to if no port is specified as + // part of the host. // The transport port to use to connect to Cassandra. // +kubebuilder:validation:Optional Port *float64 `json:"port,omitempty" tf:"port,omitempty"` + // The CQL protocol version to use. // The CQL protocol version to use. // +kubebuilder:validation:Optional ProtocolVersion *float64 `json:"protocolVersion,omitempty" tf:"protocol_version,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. // +kubebuilder:validation:Optional RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // Whether to use TLS when connecting to Cassandra. // Whether to use TLS when connecting to Cassandra. // +kubebuilder:validation:Optional TLS *bool `json:"tls,omitempty" tf:"tls,omitempty"` + // The username to authenticate with. // The username to use when authenticating with Cassandra. // +kubebuilder:validation:Optional Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. 
// +kubebuilder:validation:Optional VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } +type SecretsMountCouchbaseInitParameters struct { + + // A list of roles that are allowed to use this + // connection. + // A list of roles that are allowed to use this connection. + AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + + // Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. + // Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. + BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"` + + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + + // The hosts to connect to. + // A set of Couchbase URIs to connect to. Must use `couchbases://` scheme if `tls` is `true`. + Hosts []*string `json:"hosts,omitempty" tf:"hosts,omitempty"` + + // Whether to skip verification of the server + // certificate when using TLS. + // Specifies whether to skip verification of the server certificate when using TLS. + InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"` + + // for any configured database engine is changed + // Name of the database connection. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // Specifies the name of the plugin to use. + // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + + // A list of database statements to be executed to rotate the root user's credentials. 
+ // A list of database statements to be executed to rotate the root user's credentials. + RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + + // Whether to use TLS when connecting to Cassandra. + // Specifies whether to use TLS when connecting to Couchbase. + TLS *bool `json:"tls,omitempty" tf:"tls,omitempty"` + + // The username to authenticate with. + // Specifies the username for Vault to use. + Username *string `json:"username,omitempty" tf:"username,omitempty"` + + // Template describing how dynamic usernames are generated. + // Template describing how dynamic usernames are generated. + UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + + // Whether the connection should be verified on + // initial configuration or not. + // Specifies if the connection is verified during initial configuration. + VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` +} + type SecretsMountCouchbaseObservation struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. // Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"` + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // The hosts to connect to. // A set of Couchbase URIs to connect to. Must use `couchbases://` scheme if `tls` is `true`. 
Hosts []*string `json:"hosts,omitempty" tf:"hosts,omitempty"` + // Whether to skip verification of the server + // certificate when using TLS. // Specifies whether to skip verification of the server certificate when using TLS. InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"` + // for any configured database engine is changed // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // Whether to use TLS when connecting to Cassandra. // Specifies whether to use TLS when connecting to Couchbase. TLS *bool `json:"tls,omitempty" tf:"tls,omitempty"` + // The username to authenticate with. // Specifies the username for Vault to use. Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Template describing how dynamic usernames are generated. UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } type SecretsMountCouchbaseParameters struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. 
// +kubebuilder:validation:Optional AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // Required if tls is true. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded. // Required if `tls` is `true`. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded. // +kubebuilder:validation:Optional Base64PemSecretRef *v1.SecretKeySelector `json:"base64PemSecretRef,omitempty" tf:"-"` + // Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. // Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. // +kubebuilder:validation:Optional BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"` + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // The hosts to connect to. // A set of Couchbase URIs to connect to. Must use `couchbases://` scheme if `tls` is `true`. - // +kubebuilder:validation:Required - Hosts []*string `json:"hosts" tf:"hosts,omitempty"` + // +kubebuilder:validation:Optional + Hosts []*string `json:"hosts,omitempty" tf:"hosts,omitempty"` + // Whether to skip verification of the server + // certificate when using TLS. // Specifies whether to skip verification of the server certificate when using TLS. // +kubebuilder:validation:Optional InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"` + // for any configured database engine is changed // Name of the database connection. 
- // +kubebuilder:validation:Required - Name *string `json:"name" tf:"name,omitempty"` + // +kubebuilder:validation:Optional + Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. // Specifies the password corresponding to the given username. // +kubebuilder:validation:Required PasswordSecretRef v1.SecretKeySelector `json:"passwordSecretRef" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. // +kubebuilder:validation:Optional PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. // +kubebuilder:validation:Optional RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // Whether to use TLS when connecting to Cassandra. // Specifies whether to use TLS when connecting to Couchbase. // +kubebuilder:validation:Optional TLS *bool `json:"tls,omitempty" tf:"tls,omitempty"` + // The username to authenticate with. // Specifies the username for Vault to use. - // +kubebuilder:validation:Required - Username *string `json:"username" tf:"username,omitempty"` + // +kubebuilder:validation:Optional + Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Template describing how dynamic usernames are generated. // +kubebuilder:validation:Optional UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. 
// +kubebuilder:validation:Optional VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } +type SecretsMountElasticsearchInitParameters struct { + + // A list of roles that are allowed to use this + // connection. + // A list of roles that are allowed to use this connection. + AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + + // The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity. + // The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity + CACert *string `json:"caCert,omitempty" tf:"ca_cert,omitempty"` + + // The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity. + // The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity + CAPath *string `json:"caPath,omitempty" tf:"ca_path,omitempty"` + + // The path to the certificate for the Elasticsearch client to present for communication. + // The path to the certificate for the Elasticsearch client to present for communication + ClientCert *string `json:"clientCert,omitempty" tf:"client_cert,omitempty"` + + // The path to the key for the Elasticsearch client to use for communication. + // The path to the key for the Elasticsearch client to use for communication + ClientKey *string `json:"clientKey,omitempty" tf:"client_key,omitempty"` + + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + + // Whether to disable certificate verification. + // Whether to disable certificate verification + Insecure *bool `json:"insecure,omitempty" tf:"insecure,omitempty"` + + // for any configured database engine is changed + // Name of the database connection. 
+ Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // Specifies the name of the plugin to use. + // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + + // A list of database statements to be executed to rotate the root user's credentials. + // A list of database statements to be executed to rotate the root user's credentials. + RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + + // This, if set, is used to set the SNI host when connecting via TLS. + // This, if set, is used to set the SNI host when connecting via TLS + TLSServerName *string `json:"tlsServerName,omitempty" tf:"tls_server_name,omitempty"` + + // The URL for Elasticsearch's API. https requires certificate + // by trusted CA if used. + // The URL for Elasticsearch's API + URL *string `json:"url,omitempty" tf:"url,omitempty"` + + // The username to authenticate with. + // The username to be used in the connection URL + Username *string `json:"username,omitempty" tf:"username,omitempty"` + + // Template describing how dynamic usernames are generated. + // Template describing how dynamic usernames are generated. + UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + + // Whether the connection should be verified on + // initial configuration or not. + // Specifies if the connection is verified during initial configuration. + VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` +} + type SecretsMountElasticsearchObservation struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. 
AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity. // The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity CACert *string `json:"caCert,omitempty" tf:"ca_cert,omitempty"` + // The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity. // The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity CAPath *string `json:"caPath,omitempty" tf:"ca_path,omitempty"` + // The path to the certificate for the Elasticsearch client to present for communication. // The path to the certificate for the Elasticsearch client to present for communication ClientCert *string `json:"clientCert,omitempty" tf:"client_cert,omitempty"` + // The path to the key for the Elasticsearch client to use for communication. // The path to the key for the Elasticsearch client to use for communication ClientKey *string `json:"clientKey,omitempty" tf:"client_key,omitempty"` + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // Whether to disable certificate verification. // Whether to disable certificate verification Insecure *bool `json:"insecure,omitempty" tf:"insecure,omitempty"` + // for any configured database engine is changed // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. 
PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // This, if set, is used to set the SNI host when connecting via TLS. // This, if set, is used to set the SNI host when connecting via TLS TLSServerName *string `json:"tlsServerName,omitempty" tf:"tls_server_name,omitempty"` + // The URL for Elasticsearch's API. https requires certificate + // by trusted CA if used. // The URL for Elasticsearch's API URL *string `json:"url,omitempty" tf:"url,omitempty"` + // The username to authenticate with. // The username to be used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Template describing how dynamic usernames are generated. UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } type SecretsMountElasticsearchParameters struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. // +kubebuilder:validation:Optional AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity. 
// The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity // +kubebuilder:validation:Optional CACert *string `json:"caCert,omitempty" tf:"ca_cert,omitempty"` + // The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity. // The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity // +kubebuilder:validation:Optional CAPath *string `json:"caPath,omitempty" tf:"ca_path,omitempty"` + // The path to the certificate for the Elasticsearch client to present for communication. // The path to the certificate for the Elasticsearch client to present for communication // +kubebuilder:validation:Optional ClientCert *string `json:"clientCert,omitempty" tf:"client_cert,omitempty"` + // The path to the key for the Elasticsearch client to use for communication. // The path to the key for the Elasticsearch client to use for communication // +kubebuilder:validation:Optional ClientKey *string `json:"clientKey,omitempty" tf:"client_key,omitempty"` + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // Whether to disable certificate verification. // Whether to disable certificate verification // +kubebuilder:validation:Optional Insecure *bool `json:"insecure,omitempty" tf:"insecure,omitempty"` + // for any configured database engine is changed // Name of the database connection. - // +kubebuilder:validation:Required - Name *string `json:"name" tf:"name,omitempty"` + // +kubebuilder:validation:Optional + Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. 
// The password to be used in the connection URL // +kubebuilder:validation:Required PasswordSecretRef v1.SecretKeySelector `json:"passwordSecretRef" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. // +kubebuilder:validation:Optional PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. // +kubebuilder:validation:Optional RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // This, if set, is used to set the SNI host when connecting via TLS. // This, if set, is used to set the SNI host when connecting via TLS // +kubebuilder:validation:Optional TLSServerName *string `json:"tlsServerName,omitempty" tf:"tls_server_name,omitempty"` + // The URL for Elasticsearch's API. https requires certificate + // by trusted CA if used. // The URL for Elasticsearch's API - // +kubebuilder:validation:Required - URL *string `json:"url" tf:"url,omitempty"` + // +kubebuilder:validation:Optional + URL *string `json:"url,omitempty" tf:"url,omitempty"` + // The username to authenticate with. // The username to be used in the connection URL - // +kubebuilder:validation:Required - Username *string `json:"username" tf:"username,omitempty"` + // +kubebuilder:validation:Optional + Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Template describing how dynamic usernames are generated. // +kubebuilder:validation:Optional UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. 
// Specifies if the connection is verified during initial configuration. // +kubebuilder:validation:Optional VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } +type SecretsMountHanaInitParameters struct { + + // A list of roles that are allowed to use this + // connection. + // A list of roles that are allowed to use this connection. + AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + + // A URL containing connection information. + // See Vault docs + // Connection string to use to connect to the database. + ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + + // Disable special character escaping in username and password. + // Disable special character escaping in username and password + DisableEscaping *bool `json:"disableEscaping,omitempty" tf:"disable_escaping,omitempty"` + + // The maximum number of seconds to keep + // a connection alive for. + // Maximum number of seconds a connection may be reused. + MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + + // The maximum number of idle connections to + // maintain. + // Maximum number of idle connections to the database. + MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + + // The maximum number of open connections to + // use. + // Maximum number of open connections to the database. + MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + + // for any configured database engine is changed + // Name of the database connection. 
+ Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // Specifies the name of the plugin to use. + // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + + // A list of database statements to be executed to rotate the root user's credentials. + // A list of database statements to be executed to rotate the root user's credentials. + RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + + // The username to authenticate with. + // The root credential username used in the connection URL + Username *string `json:"username,omitempty" tf:"username,omitempty"` + + // Whether the connection should be verified on + // initial configuration or not. + // Specifies if the connection is verified during initial configuration. + VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` +} + type SecretsMountHanaObservation struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // A URL containing connection information. + // See Vault docs // Connection string to use to connect to the database. ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // Disable special character escaping in username and password. 
// Disable special character escaping in username and password DisableEscaping *bool `json:"disableEscaping,omitempty" tf:"disable_escaping,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // for any configured database engine is changed // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. 
VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } type SecretsMountHanaParameters struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. // +kubebuilder:validation:Optional AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // A URL containing connection information. + // See Vault docs // Connection string to use to connect to the database. // +kubebuilder:validation:Optional ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // Disable special character escaping in username and password. // Disable special character escaping in username and password // +kubebuilder:validation:Optional DisableEscaping *bool `json:"disableEscaping,omitempty" tf:"disable_escaping,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. // +kubebuilder:validation:Optional MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. // +kubebuilder:validation:Optional MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. 
// +kubebuilder:validation:Optional MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // for any configured database engine is changed // Name of the database connection. - // +kubebuilder:validation:Required - Name *string `json:"name" tf:"name,omitempty"` + // +kubebuilder:validation:Optional + Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. // The root credential password used in the connection URL // +kubebuilder:validation:Optional PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. // +kubebuilder:validation:Optional PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. // +kubebuilder:validation:Optional RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL // +kubebuilder:validation:Optional Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. // +kubebuilder:validation:Optional VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } -type SecretsMountInfluxdbObservation struct { +type SecretsMountInfluxdbInitParameters struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. 
AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // The number of seconds to use as a connection + // timeout. // The number of seconds to use as a connection timeout. ConnectTimeout *float64 `json:"connectTimeout,omitempty" tf:"connect_timeout,omitempty"` + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // The host to connect to. // Influxdb host to connect to. Host *string `json:"host,omitempty" tf:"host,omitempty"` + // Whether to skip verification of the server + // certificate when using TLS. // Whether to skip verification of the server certificate when using TLS. InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"` + // for any configured database engine is changed // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // The default port to connect to if no port is specified as + // part of the host. // The transport port to use to connect to Influxdb. Port *float64 `json:"port,omitempty" tf:"port,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // Whether to use TLS when connecting to Cassandra. // Whether to use TLS when connecting to Influxdb. TLS *bool `json:"tls,omitempty" tf:"tls,omitempty"` + // The username to authenticate with. 
// Specifies the username to use for superuser access. Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Template describing how dynamic usernames are generated. UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } -type SecretsMountInfluxdbParameters struct { +type SecretsMountInfluxdbObservation struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. - // +kubebuilder:validation:Optional AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // The number of seconds to use as a connection + // timeout. // The number of seconds to use as a connection timeout. - // +kubebuilder:validation:Optional ConnectTimeout *float64 `json:"connectTimeout,omitempty" tf:"connect_timeout,omitempty"` // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. - // +kubebuilder:validation:Optional + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // The host to connect to. // Influxdb host to connect to. - // +kubebuilder:validation:Required - Host *string `json:"host" tf:"host,omitempty"` + Host *string `json:"host,omitempty" tf:"host,omitempty"` + // Whether to skip verification of the server + // certificate when using TLS. // Whether to skip verification of the server certificate when using TLS. 
- // +kubebuilder:validation:Optional InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"` + // for any configured database engine is changed // Name of the database connection. - // +kubebuilder:validation:Required - Name *string `json:"name" tf:"name,omitempty"` + Name *string `json:"name,omitempty" tf:"name,omitempty"` - // Specifies the password corresponding to the given username. - // +kubebuilder:validation:Required - PasswordSecretRef v1.SecretKeySelector `json:"passwordSecretRef" tf:"-"` + // Specifies the name of the plugin to use. + // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` - // Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. - // +kubebuilder:validation:Optional - PemBundleSecretRef *v1.SecretKeySelector `json:"pemBundleSecretRef,omitempty" tf:"-"` + // The default port to connect to if no port is specified as + // part of the host. + // The transport port to use to connect to Influxdb. + Port *float64 `json:"port,omitempty" tf:"port,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. + // A list of database statements to be executed to rotate the root user's credentials. + RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + + // Whether to use TLS when connecting to Cassandra. + // Whether to use TLS when connecting to Influxdb. + TLS *bool `json:"tls,omitempty" tf:"tls,omitempty"` + + // The username to authenticate with. + // Specifies the username to use for superuser access. + Username *string `json:"username,omitempty" tf:"username,omitempty"` + + // Template describing how dynamic usernames are generated. 
+ // Template describing how dynamic usernames are generated. + UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + + // Whether the connection should be verified on + // initial configuration or not. + // Specifies if the connection is verified during initial configuration. + VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` +} + +type SecretsMountInfluxdbParameters struct { + + // A list of roles that are allowed to use this + // connection. + // A list of roles that are allowed to use this connection. + // +kubebuilder:validation:Optional + AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + + // The number of seconds to use as a connection + // timeout. + // The number of seconds to use as a connection timeout. + // +kubebuilder:validation:Optional + ConnectTimeout *float64 `json:"connectTimeout,omitempty" tf:"connect_timeout,omitempty"` + + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +kubebuilder:validation:Optional + Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + + // The host to connect to. + // Influxdb host to connect to. + // +kubebuilder:validation:Optional + Host *string `json:"host,omitempty" tf:"host,omitempty"` + + // Whether to skip verification of the server + // certificate when using TLS. + // Whether to skip verification of the server certificate when using TLS. + // +kubebuilder:validation:Optional + InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"` + + // for any configured database engine is changed + // Name of the database connection. + // +kubebuilder:validation:Optional + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The password to authenticate with. 
+ // Specifies the password corresponding to the given username. + // +kubebuilder:validation:Required + PasswordSecretRef v1.SecretKeySelector `json:"passwordSecretRef" tf:"-"` + + // Concatenated PEM blocks configuring the certificate + // chain. + // Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. + // +kubebuilder:validation:Optional + PemBundleSecretRef *v1.SecretKeySelector `json:"pemBundleSecretRef,omitempty" tf:"-"` + + // A JSON structure configuring the certificate chain. // Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. // +kubebuilder:validation:Optional PemJSONSecretRef *v1.SecretKeySelector `json:"pemJsonSecretRef,omitempty" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. // +kubebuilder:validation:Optional PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // The default port to connect to if no port is specified as + // part of the host. // The transport port to use to connect to Influxdb. // +kubebuilder:validation:Optional Port *float64 `json:"port,omitempty" tf:"port,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. // +kubebuilder:validation:Optional RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // Whether to use TLS when connecting to Cassandra. // Whether to use TLS when connecting to Influxdb. // +kubebuilder:validation:Optional TLS *bool `json:"tls,omitempty" tf:"tls,omitempty"` + // The username to authenticate with. // Specifies the username to use for superuser access. 
- // +kubebuilder:validation:Required - Username *string `json:"username" tf:"username,omitempty"` + // +kubebuilder:validation:Optional + Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Template describing how dynamic usernames are generated. // +kubebuilder:validation:Optional UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. // +kubebuilder:validation:Optional VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } +type SecretsMountInitParameters struct { + + // Set of managed key registry entry names that the mount in question is allowed to access + // List of managed key registry entry names that the mount in question is allowed to access + AllowedManagedKeys []*string `json:"allowedManagedKeys,omitempty" tf:"allowed_managed_keys,omitempty"` + + // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. + // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. + AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys,omitempty"` + + // Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. + // Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. + AuditNonHMACResponseKeys []*string `json:"auditNonHmacResponseKeys,omitempty" tf:"audit_non_hmac_response_keys,omitempty"` + + // A nested block containing configuration options for Cassandra connections. + // See + // Connection parameters for the cassandra-database-plugin plugin. 
+ Cassandra []SecretsMountCassandraInitParameters `json:"cassandra,omitempty" tf:"cassandra,omitempty"` + + // A nested block containing configuration options for Couchbase connections. + // See + // Connection parameters for the couchbase-database-plugin plugin. + Couchbase []SecretsMountCouchbaseInitParameters `json:"couchbase,omitempty" tf:"couchbase,omitempty"` + + // Default lease duration for tokens and secrets in seconds + // Default lease duration for tokens and secrets in seconds + DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + + // Human-friendly description of the mount + // Human-friendly description of the mount + Description *string `json:"description,omitempty" tf:"description,omitempty"` + + // A nested block containing configuration options for Elasticsearch connections. + // See + // Connection parameters for the elasticsearch-database-plugin. + Elasticsearch []SecretsMountElasticsearchInitParameters `json:"elasticsearch,omitempty" tf:"elasticsearch,omitempty"` + + // Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source + // Enable the secrets engine to access Vault's external entropy source + ExternalEntropyAccess *bool `json:"externalEntropyAccess,omitempty" tf:"external_entropy_access,omitempty"` + + // A nested block containing configuration options for SAP HanaDB connections. + // See + // Connection parameters for the hana-database-plugin plugin. + Hana []SecretsMountHanaInitParameters `json:"hana,omitempty" tf:"hana,omitempty"` + + // A nested block containing configuration options for InfluxDB connections. + // See + // Connection parameters for the influxdb-database-plugin plugin. 
+ Influxdb []SecretsMountInfluxdbInitParameters `json:"influxdb,omitempty" tf:"influxdb,omitempty"` + + // Boolean flag that can be explicitly set to true to enforce local mount in HA environment + // Local mount flag that can be explicitly set to true to enforce local mount in HA environment + Local *bool `json:"local,omitempty" tf:"local,omitempty"` + + // Maximum possible lease duration for tokens and secrets in seconds + // Maximum possible lease duration for tokens and secrets in seconds + MaxLeaseTTLSeconds *float64 `json:"maxLeaseTtlSeconds,omitempty" tf:"max_lease_ttl_seconds,omitempty"` + + // A nested block containing configuration options for MongoDB connections. + // See + // Connection parameters for the mongodb-database-plugin plugin. + Mongodb []SecretsMountMongodbInitParameters `json:"mongodb,omitempty" tf:"mongodb,omitempty"` + + // A nested block containing configuration options for MongoDB Atlas connections. + // See + // Connection parameters for the mongodbatlas-database-plugin plugin. + Mongodbatlas []SecretsMountMongodbatlasInitParameters `json:"mongodbatlas,omitempty" tf:"mongodbatlas,omitempty"` + + // A nested block containing configuration options for MSSQL connections. + // See + // Connection parameters for the mssql-database-plugin plugin. + Mssql []SecretsMountMssqlInitParameters `json:"mssql,omitempty" tf:"mssql,omitempty"` + + // A nested block containing configuration options for MySQL connections. + // See + // Connection parameters for the mysql-database-plugin plugin. + MySQL []SecretsMountMySQLInitParameters `json:"mysql,omitempty" tf:"mysql,omitempty"` + + // A nested block containing configuration options for Aurora MySQL connections. + // See + // Connection parameters for the mysql-aurora-database-plugin plugin. + MySQLAurora []SecretsMountMySQLAuroraInitParameters `json:"mysqlAurora,omitempty" tf:"mysql_aurora,omitempty"` + + // A nested block containing configuration options for legacy MySQL connections. 
+ // See + // Connection parameters for the mysql-legacy-database-plugin plugin. + MySQLLegacy []SecretsMountMySQLLegacyInitParameters `json:"mysqlLegacy,omitempty" tf:"mysql_legacy,omitempty"` + + // A nested block containing configuration options for RDS MySQL connections. + // See + // Connection parameters for the mysql-rds-database-plugin plugin. + MySQLRDS []SecretsMountMySQLRDSInitParameters `json:"mysqlRds,omitempty" tf:"mysql_rds,omitempty"` + + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Specifies mount type specific options that are passed to the backend + // Specifies mount type specific options that are passed to the backend + Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` + + // A nested block containing configuration options for Oracle connections. + // See + // Connection parameters for the oracle-database-plugin plugin. + Oracle []SecretsMountOracleInitParameters `json:"oracle,omitempty" tf:"oracle,omitempty"` + + // Where the secret backend will be mounted + // Where the secret backend will be mounted + Path *string `json:"path,omitempty" tf:"path,omitempty"` + + // A nested block containing configuration options for PostgreSQL connections. + // See + // Connection parameters for the postgresql-database-plugin plugin. + Postgresql []SecretsMountPostgresqlInitParameters `json:"postgresql,omitempty" tf:"postgresql,omitempty"` + + // A nested block containing configuration options for Redis connections. + // See + // Connection parameters for the redis-database-plugin plugin. + Redis []SecretsMountRedisInitParameters `json:"redis,omitempty" tf:"redis,omitempty"` + + // A nested block containing configuration options for Redis ElastiCache connections. + // See + // Connection parameters for the redis-elasticache-database-plugin plugin. 
+ RedisElasticache []SecretsMountRedisElasticacheInitParameters `json:"redisElasticache,omitempty" tf:"redis_elasticache,omitempty"` + + // A nested block containing configuration options for AWS Redshift connections. + // See + // Connection parameters for the redshift-database-plugin plugin. + Redshift []SecretsMountRedshiftInitParameters `json:"redshift,omitempty" tf:"redshift,omitempty"` + + // Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability + // Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability + SealWrap *bool `json:"sealWrap,omitempty" tf:"seal_wrap,omitempty"` + + // A nested block containing configuration options for Snowflake connections. + // See + // Connection parameters for the snowflake-database-plugin plugin. + Snowflake []SecretsMountSnowflakeInitParameters `json:"snowflake,omitempty" tf:"snowflake,omitempty"` +} + +type SecretsMountMongodbInitParameters struct { + + // A list of roles that are allowed to use this + // connection. + // A list of roles that are allowed to use this connection. + AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + + // A URL containing connection information. + // See Vault docs + // Connection string to use to connect to the database. + ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + + // The maximum number of seconds to keep + // a connection alive for. + // Maximum number of seconds a connection may be reused. 
+ MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + + // The maximum number of idle connections to + // maintain. + // Maximum number of idle connections to the database. + MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + + // The maximum number of open connections to + // use. + // Maximum number of open connections to the database. + MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + + // for any configured database engine is changed + // Name of the database connection. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // Specifies the name of the plugin to use. + // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + + // A list of database statements to be executed to rotate the root user's credentials. + // A list of database statements to be executed to rotate the root user's credentials. + RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + + // The username to authenticate with. + // The root credential username used in the connection URL + Username *string `json:"username,omitempty" tf:"username,omitempty"` + + // Template describing how dynamic usernames are generated. + // Username generation template. + UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + + // Whether the connection should be verified on + // initial configuration or not. + // Specifies if the connection is verified during initial configuration. 
+ VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` +} + type SecretsMountMongodbObservation struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // A URL containing connection information. + // See Vault docs // Connection string to use to connect to the database. ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // for any configured database engine is changed // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. 
// A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } type SecretsMountMongodbParameters struct { + // A list of roles that are allowed to use this + // connection. + // A list of roles that are allowed to use this connection. + // +kubebuilder:validation:Optional + AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + + // A URL containing connection information. + // See Vault docs + // Connection string to use to connect to the database. + // +kubebuilder:validation:Optional + ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +kubebuilder:validation:Optional + Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + + // The maximum number of seconds to keep + // a connection alive for. + // Maximum number of seconds a connection may be reused. 
+ // +kubebuilder:validation:Optional + MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + + // The maximum number of idle connections to + // maintain. + // Maximum number of idle connections to the database. + // +kubebuilder:validation:Optional + MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + + // The maximum number of open connections to + // use. + // Maximum number of open connections to the database. + // +kubebuilder:validation:Optional + MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + + // for any configured database engine is changed + // Name of the database connection. + // +kubebuilder:validation:Optional + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The password to authenticate with. + // The root credential password used in the connection URL + // +kubebuilder:validation:Optional + PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + + // Specifies the name of the plugin to use. + // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + // +kubebuilder:validation:Optional + PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + + // A list of database statements to be executed to rotate the root user's credentials. + // A list of database statements to be executed to rotate the root user's credentials. + // +kubebuilder:validation:Optional + RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + + // The username to authenticate with. 
+ // The root credential username used in the connection URL + // +kubebuilder:validation:Optional + Username *string `json:"username,omitempty" tf:"username,omitempty"` + + // Template describing how dynamic usernames are generated. + // Username generation template. + // +kubebuilder:validation:Optional + UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + + // Whether the connection should be verified on + // initial configuration or not. + // Specifies if the connection is verified during initial configuration. + // +kubebuilder:validation:Optional + VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` +} + +type SecretsMountMongodbatlasInitParameters struct { + + // A list of roles that are allowed to use this + // connection. + // A list of roles that are allowed to use this connection. + AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + + // for any configured database engine is changed + // Name of the database connection. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // Specifies the name of the plugin to use. + // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + + // The Project ID the Database User should be created within. + // The Project ID the Database User should be created within. + ProjectID *string `json:"projectId,omitempty" tf:"project_id,omitempty"` + + // The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. 
+ // The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. + PublicKey *string `json:"publicKey,omitempty" tf:"public_key,omitempty"` + + // A list of database statements to be executed to rotate the root user's credentials. + // A list of database statements to be executed to rotate the root user's credentials. + RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + + // Whether the connection should be verified on + // initial configuration or not. + // Specifies if the connection is verified during initial configuration. + VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` +} + +type SecretsMountMongodbatlasObservation struct { + + // A list of roles that are allowed to use this + // connection. + // A list of roles that are allowed to use this connection. + AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + + // for any configured database engine is changed + // Name of the database connection. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // Specifies the name of the plugin to use. + // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + + // The Project ID the Database User should be created within. + // The Project ID the Database User should be created within. + ProjectID *string `json:"projectId,omitempty" tf:"project_id,omitempty"` + + // The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. 
+ // The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. + PublicKey *string `json:"publicKey,omitempty" tf:"public_key,omitempty"` + + // A list of database statements to be executed to rotate the root user's credentials. + // A list of database statements to be executed to rotate the root user's credentials. + RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + + // Whether the connection should be verified on + // initial configuration or not. + // Specifies if the connection is verified during initial configuration. + VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` +} + +type SecretsMountMongodbatlasParameters struct { + + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. // +kubebuilder:validation:Optional AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +kubebuilder:validation:Optional + Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + + // for any configured database engine is changed + // Name of the database connection. + // +kubebuilder:validation:Optional + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // Specifies the name of the plugin to use. + // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + // +kubebuilder:validation:Optional + PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + + // The Private Programmatic API Key used to connect with MongoDB Atlas API. + // The Private Programmatic API Key used to connect with MongoDB Atlas API. 
+ // +kubebuilder:validation:Required + PrivateKeySecretRef v1.SecretKeySelector `json:"privateKeySecretRef" tf:"-"` + + // The Project ID the Database User should be created within. + // The Project ID the Database User should be created within. + // +kubebuilder:validation:Optional + ProjectID *string `json:"projectId,omitempty" tf:"project_id,omitempty"` + + // The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. + // The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. + // +kubebuilder:validation:Optional + PublicKey *string `json:"publicKey,omitempty" tf:"public_key,omitempty"` + + // A list of database statements to be executed to rotate the root user's credentials. + // A list of database statements to be executed to rotate the root user's credentials. + // +kubebuilder:validation:Optional + RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + + // Whether the connection should be verified on + // initial configuration or not. + // Specifies if the connection is verified during initial configuration. + // +kubebuilder:validation:Optional + VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` +} + +type SecretsMountMssqlInitParameters struct { + + // A list of roles that are allowed to use this + // connection. + // A list of roles that are allowed to use this connection. + AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + + // A URL containing connection information. + // See Vault docs + // Connection string to use to connect to the database. + ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + + // For Vault v1.9+. Set to true when the target is a + // Contained Database, e.g. AzureSQL. + // See Vault docs + // Set to true when the target is a Contained Database, e.g. AzureSQL. 
+ ContainedDB *bool `json:"containedDb,omitempty" tf:"contained_db,omitempty"` + + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + + // Disable special character escaping in username and password. + // Disable special character escaping in username and password + DisableEscaping *bool `json:"disableEscaping,omitempty" tf:"disable_escaping,omitempty"` + + // The maximum number of seconds to keep + // a connection alive for. + // Maximum number of seconds a connection may be reused. + MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + + // The maximum number of idle connections to + // maintain. + // Maximum number of idle connections to the database. + MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + + // The maximum number of open connections to + // use. + // Maximum number of open connections to the database. + MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + + // for any configured database engine is changed + // Name of the database connection. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // Specifies the name of the plugin to use. + // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + + // A list of database statements to be executed to rotate the root user's credentials. + // A list of database statements to be executed to rotate the root user's credentials. 
+ RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + + // The username to authenticate with. + // The root credential username used in the connection URL + Username *string `json:"username,omitempty" tf:"username,omitempty"` + + // Template describing how dynamic usernames are generated. + // Username generation template. + UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + + // Whether the connection should be verified on + // initial configuration or not. + // Specifies if the connection is verified during initial configuration. + VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` +} + +type SecretsMountMssqlObservation struct { + + // A list of roles that are allowed to use this + // connection. + // A list of roles that are allowed to use this connection. + AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + + // A URL containing connection information. + // See Vault docs + // Connection string to use to connect to the database. + ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + + // For Vault v1.9+. Set to true when the target is a + // Contained Database, e.g. AzureSQL. + // See Vault docs + // Set to true when the target is a Contained Database, e.g. AzureSQL. + ContainedDB *bool `json:"containedDb,omitempty" tf:"contained_db,omitempty"` + + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + + // Disable special character escaping in username and password. 
+ // Disable special character escaping in username and password + DisableEscaping *bool `json:"disableEscaping,omitempty" tf:"disable_escaping,omitempty"` + + // The maximum number of seconds to keep + // a connection alive for. + // Maximum number of seconds a connection may be reused. + MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + + // The maximum number of idle connections to + // maintain. + // Maximum number of idle connections to the database. + MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + + // The maximum number of open connections to + // use. + // Maximum number of open connections to the database. + MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + + // for any configured database engine is changed + // Name of the database connection. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // Specifies the name of the plugin to use. + // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + + // A list of database statements to be executed to rotate the root user's credentials. + // A list of database statements to be executed to rotate the root user's credentials. + RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + + // The username to authenticate with. + // The root credential username used in the connection URL + Username *string `json:"username,omitempty" tf:"username,omitempty"` + + // Template describing how dynamic usernames are generated. + // Username generation template. 
+ UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + + // Whether the connection should be verified on + // initial configuration or not. + // Specifies if the connection is verified during initial configuration. + VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` +} + +type SecretsMountMssqlParameters struct { + + // A list of roles that are allowed to use this + // connection. + // A list of roles that are allowed to use this connection. + // +kubebuilder:validation:Optional + AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + + // A URL containing connection information. + // See Vault docs // Connection string to use to connect to the database. // +kubebuilder:validation:Optional ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // For Vault v1.9+. Set to true when the target is a + // Contained Database, e.g. AzureSQL. + // See Vault docs + // Set to true when the target is a Contained Database, e.g. AzureSQL. + // +kubebuilder:validation:Optional + ContainedDB *bool `json:"containedDb,omitempty" tf:"contained_db,omitempty"` + + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // Disable special character escaping in username and password. + // Disable special character escaping in username and password + // +kubebuilder:validation:Optional + DisableEscaping *bool `json:"disableEscaping,omitempty" tf:"disable_escaping,omitempty"` + + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. 
// +kubebuilder:validation:Optional MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. // +kubebuilder:validation:Optional MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. // +kubebuilder:validation:Optional MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // for any configured database engine is changed // Name of the database connection. - // +kubebuilder:validation:Required - Name *string `json:"name" tf:"name,omitempty"` + // +kubebuilder:validation:Optional + Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. // The root credential password used in the connection URL // +kubebuilder:validation:Optional PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. // +kubebuilder:validation:Optional PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. // +kubebuilder:validation:Optional RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // The username to authenticate with. 
// The root credential username used in the connection URL // +kubebuilder:validation:Optional Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. // +kubebuilder:validation:Optional UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. // +kubebuilder:validation:Optional VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } -type SecretsMountMongodbatlasObservation struct { +type SecretsMountMySQLAuroraInitParameters struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // A URL containing connection information. + // See Vault docs + // Connection string to use to connect to the database. + ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` - // Name of the database connection. - Name *string `json:"name,omitempty" tf:"name,omitempty"` - - // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. - PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` - - // The Project ID the Database User should be created within. 
- ProjectID *string `json:"projectId,omitempty" tf:"project_id,omitempty"` - - // The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. - PublicKey *string `json:"publicKey,omitempty" tf:"public_key,omitempty"` - - // A list of database statements to be executed to rotate the root user's credentials. - RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` - - // Specifies if the connection is verified during initial configuration. - VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` -} - -type SecretsMountMongodbatlasParameters struct { + // The maximum number of seconds to keep + // a connection alive for. + // Maximum number of seconds a connection may be reused. + MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` - // A list of roles that are allowed to use this connection. - // +kubebuilder:validation:Optional - AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // The maximum number of idle connections to + // maintain. + // Maximum number of idle connections to the database. + MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` - // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. - // +kubebuilder:validation:Optional - Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // The maximum number of open connections to + // use. + // Maximum number of open connections to the database. + MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // for any configured database engine is changed // Name of the database connection. 
- // +kubebuilder:validation:Required - Name *string `json:"name" tf:"name,omitempty"` + Name *string `json:"name,omitempty" tf:"name,omitempty"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. - // +kubebuilder:validation:Optional PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` - // The Private Programmatic API Key used to connect with MongoDB Atlas API. - // +kubebuilder:validation:Required - PrivateKeySecretRef v1.SecretKeySelector `json:"privateKeySecretRef" tf:"-"` - - // The Project ID the Database User should be created within. - // +kubebuilder:validation:Required - ProjectID *string `json:"projectId" tf:"project_id,omitempty"` - - // The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. - // +kubebuilder:validation:Required - PublicKey *string `json:"publicKey" tf:"public_key,omitempty"` - // A list of database statements to be executed to rotate the root user's credentials. - // +kubebuilder:validation:Optional + // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // The username to authenticate with. + // The root credential username used in the connection URL + Username *string `json:"username,omitempty" tf:"username,omitempty"` + + // Template describing how dynamic usernames are generated. + // Username generation template. + UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. 
- // +kubebuilder:validation:Optional VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } -type SecretsMountMssqlObservation struct { +type SecretsMountMySQLAuroraObservation struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // A URL containing connection information. + // See Vault docs // Connection string to use to connect to the database. ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` - // Set to true when the target is a Contained Database, e.g. AzureSQL. - ContainedDB *bool `json:"containedDb,omitempty" tf:"contained_db,omitempty"` - + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` - // Disable special character escaping in username and password - DisableEscaping *bool `json:"disableEscaping,omitempty" tf:"disable_escaping,omitempty"` - + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // for any configured database engine is changed // Name of the database connection. 
Name *string `json:"name,omitempty" tf:"name,omitempty"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } -type SecretsMountMssqlParameters struct { +type SecretsMountMySQLAuroraParameters struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. // +kubebuilder:validation:Optional AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // A URL containing connection information. + // See Vault docs // Connection string to use to connect to the database. // +kubebuilder:validation:Optional ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` - // Set to true when the target is a Contained Database, e.g. AzureSQL. 
- // +kubebuilder:validation:Optional - ContainedDB *bool `json:"containedDb,omitempty" tf:"contained_db,omitempty"` - + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` - // Disable special character escaping in username and password - // +kubebuilder:validation:Optional - DisableEscaping *bool `json:"disableEscaping,omitempty" tf:"disable_escaping,omitempty"` - + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. // +kubebuilder:validation:Optional MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. // +kubebuilder:validation:Optional MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. // +kubebuilder:validation:Optional MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // for any configured database engine is changed // Name of the database connection. - // +kubebuilder:validation:Required - Name *string `json:"name" tf:"name,omitempty"` + // +kubebuilder:validation:Optional + Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. // The root credential password used in the connection URL // +kubebuilder:validation:Optional PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types. // +kubebuilder:validation:Optional PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. // +kubebuilder:validation:Optional RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL // +kubebuilder:validation:Optional Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. // +kubebuilder:validation:Optional UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. // +kubebuilder:validation:Optional VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } -type SecretsMountMySQLAuroraObservation struct { +type SecretsMountMySQLInitParameters struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // A URL containing connection information. + // See Vault docs // Connection string to use to connect to the database. ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. 
Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // for any configured database engine is changed // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. 
UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } -type SecretsMountMySQLAuroraParameters struct { +type SecretsMountMySQLLegacyInitParameters struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. - // +kubebuilder:validation:Optional AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // A URL containing connection information. + // See Vault docs // Connection string to use to connect to the database. - // +kubebuilder:validation:Optional ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. - // +kubebuilder:validation:Optional + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. - // +kubebuilder:validation:Optional MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. - // +kubebuilder:validation:Optional MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. 
- // +kubebuilder:validation:Optional MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // for any configured database engine is changed // Name of the database connection. - // +kubebuilder:validation:Required - Name *string `json:"name" tf:"name,omitempty"` - - // The root credential password used in the connection URL - // +kubebuilder:validation:Optional - PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + Name *string `json:"name,omitempty" tf:"name,omitempty"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. - // +kubebuilder:validation:Optional PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` // A list of database statements to be executed to rotate the root user's credentials. - // +kubebuilder:validation:Optional + // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL - // +kubebuilder:validation:Optional Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. - // +kubebuilder:validation:Optional UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. 
- // +kubebuilder:validation:Optional VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } type SecretsMountMySQLLegacyObservation struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // A URL containing connection information. + // See Vault docs // Connection string to use to connect to the database. ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // for any configured database engine is changed // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. 
PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } type SecretsMountMySQLLegacyParameters struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. // +kubebuilder:validation:Optional AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // A URL containing connection information. + // See Vault docs // Connection string to use to connect to the database. // +kubebuilder:validation:Optional ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. 
// +kubebuilder:validation:Optional MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. // +kubebuilder:validation:Optional MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. // +kubebuilder:validation:Optional MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // for any configured database engine is changed // Name of the database connection. - // +kubebuilder:validation:Required - Name *string `json:"name" tf:"name,omitempty"` + // +kubebuilder:validation:Optional + Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. // The root credential password used in the connection URL // +kubebuilder:validation:Optional PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. // +kubebuilder:validation:Optional PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. // +kubebuilder:validation:Optional RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // The username to authenticate with. 
// The root credential username used in the connection URL // +kubebuilder:validation:Optional Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. // +kubebuilder:validation:Optional UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. // +kubebuilder:validation:Optional VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` 
@@ -996,198 +2132,332 @@ type SecretsMountMySQLLegacyParameters struct { type SecretsMountMySQLObservation struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // A URL containing connection information. + // See Vault docs // Connection string to use to connect to the database. ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // for any configured database engine is changed // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. 
// A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } type SecretsMountMySQLParameters struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. // +kubebuilder:validation:Optional AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // A URL containing connection information. + // See Vault docs // Connection string to use to connect to the database. // +kubebuilder:validation:Optional ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. 
// Maximum number of seconds a connection may be reused. // +kubebuilder:validation:Optional MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. // +kubebuilder:validation:Optional MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. // +kubebuilder:validation:Optional MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // for any configured database engine is changed // Name of the database connection. - // +kubebuilder:validation:Required - Name *string `json:"name" tf:"name,omitempty"` + // +kubebuilder:validation:Optional + Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. // The root credential password used in the connection URL // +kubebuilder:validation:Optional PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. // +kubebuilder:validation:Optional PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. // +kubebuilder:validation:Optional RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. 
// x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. // +kubebuilder:validation:Optional TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. // +kubebuilder:validation:Optional TLSCertificateKeySecretRef *v1.SecretKeySelector `json:"tlsCertificateKeySecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL // +kubebuilder:validation:Optional Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. // +kubebuilder:validation:Optional UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. // +kubebuilder:validation:Optional VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } +type SecretsMountMySQLRDSInitParameters struct { + + // A list of roles that are allowed to use this + // connection. + // A list of roles that are allowed to use this connection. + AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + + // A URL containing connection information. + // See Vault docs + // Connection string to use to connect to the database. + ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. 
+ Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + + // The maximum number of seconds to keep + // a connection alive for. + // Maximum number of seconds a connection may be reused. + MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + + // The maximum number of idle connections to + // maintain. + // Maximum number of idle connections to the database. + MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + + // The maximum number of open connections to + // use. + // Maximum number of open connections to the database. + MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + + // for any configured database engine is changed + // Name of the database connection. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // Specifies the name of the plugin to use. + // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + + // A list of database statements to be executed to rotate the root user's credentials. + // A list of database statements to be executed to rotate the root user's credentials. + RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + + // The username to authenticate with. + // The root credential username used in the connection URL + Username *string `json:"username,omitempty" tf:"username,omitempty"` + + // Template describing how dynamic usernames are generated. + // Username generation template. + UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + + // Whether the connection should be verified on + // initial configuration or not. 
+ // Specifies if the connection is verified during initial configuration. + VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` +} + type SecretsMountMySQLRDSObservation struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // A URL containing connection information. + // See Vault docs // Connection string to use to connect to the database. ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // for any configured database engine is changed // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. 
PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } type SecretsMountMySQLRDSParameters struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. // +kubebuilder:validation:Optional AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // A URL containing connection information. + // See Vault docs // Connection string to use to connect to the database. // +kubebuilder:validation:Optional ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. 
// +kubebuilder:validation:Optional MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. // +kubebuilder:validation:Optional MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. // +kubebuilder:validation:Optional MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // for any configured database engine is changed // Name of the database connection. - // +kubebuilder:validation:Required - Name *string `json:"name" tf:"name,omitempty"` + // +kubebuilder:validation:Optional + Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. // The root credential password used in the connection URL // +kubebuilder:validation:Optional PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. // +kubebuilder:validation:Optional PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. // +kubebuilder:validation:Optional RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // The username to authenticate with. 
// The root credential username used in the connection URL // +kubebuilder:validation:Optional Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. // +kubebuilder:validation:Optional UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. // +kubebuilder:validation:Optional VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` 
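Review bot: The new `SecretsMountMySQLRDSInitParameters` struct keeps `Data map[string]*string` as a plain spec field even though its own comment describes it as "a map of sensitive data", so values placed there are persisted in the custom resource (and therefore etcd) in clear text, whereas `PasswordSecretRef` and `TLSCertificateKeySecretRef` in the sibling `SecretsMountMySQLParameters` are `*v1.SecretKeySelector` with `tf:"-"`; `ConnectionURL`, which commonly embeds credentials, has the same exposure. This file looks like generator output, so the change belongs in the provider/generator configuration (treating `data` as a sensitive field so it is emitted as a secret reference) rather than a hand edit; if the upstream schema does not flag `data` as sensitive, a comment such as `// NOTE: values are stored unencrypted in the CR spec; prefer secret references for credentials.` on the field would at least make the trade-off explicit. Separately, `Name` in `SecretsMountMySQLParameters` flips from `+kubebuilder:validation:Required` to `Optional` with `json:"name,omitempty"`, which drops admission-time validation of a key the connection needs; presumably the requirement is now enforced on the init-parameters path, but that is not visible in this hunk.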
@@ -1198,191 +2468,333 @@ type SecretsMountObservation struct { // Accessor of the mount Accessor *string `json:"accessor,omitempty" tf:"accessor,omitempty"` + // Set of managed key registry entry names that the mount in question is allowed to access // List of managed key registry entry names that the mount in question is allowed to access AllowedManagedKeys []*string `json:"allowedManagedKeys,omitempty" tf:"allowed_managed_keys,omitempty"` + // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys,omitempty"` + // Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. // Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. AuditNonHMACResponseKeys []*string `json:"auditNonHmacResponseKeys,omitempty" tf:"audit_non_hmac_response_keys,omitempty"` + // A nested block containing configuration options for Cassandra connections. + // See // Connection parameters for the cassandra-database-plugin plugin. Cassandra []SecretsMountCassandraObservation `json:"cassandra,omitempty" tf:"cassandra,omitempty"` + // A nested block containing configuration options for Couchbase connections. + // See // Connection parameters for the couchbase-database-plugin plugin. 
Couchbase []SecretsMountCouchbaseObservation `json:"couchbase,omitempty" tf:"couchbase,omitempty"` + // Default lease duration for tokens and secrets in seconds // Default lease duration for tokens and secrets in seconds DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // Human-friendly description of the mount // Human-friendly description of the mount Description *string `json:"description,omitempty" tf:"description,omitempty"` + // A nested block containing configuration options for Elasticsearch connections. + // See // Connection parameters for the elasticsearch-database-plugin. Elasticsearch []SecretsMountElasticsearchObservation `json:"elasticsearch,omitempty" tf:"elasticsearch,omitempty"` + // The total number of database secrets engines configured. // Total number of database secret engines configured under the mount. EngineCount *float64 `json:"engineCount,omitempty" tf:"engine_count,omitempty"` + // Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source // Enable the secrets engine to access Vault's external entropy source ExternalEntropyAccess *bool `json:"externalEntropyAccess,omitempty" tf:"external_entropy_access,omitempty"` + // A nested block containing configuration options for SAP HanaDB connections. + // See // Connection parameters for the hana-database-plugin plugin. Hana []SecretsMountHanaObservation `json:"hana,omitempty" tf:"hana,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // A nested block containing configuration options for InfluxDB connections. + // See // Connection parameters for the influxdb-database-plugin plugin. 
Influxdb []SecretsMountInfluxdbObservation `json:"influxdb,omitempty" tf:"influxdb,omitempty"` + // Boolean flag that can be explicitly set to true to enforce local mount in HA environment // Local mount flag that can be explicitly set to true to enforce local mount in HA environment Local *bool `json:"local,omitempty" tf:"local,omitempty"` + // Maximum possible lease duration for tokens and secrets in seconds // Maximum possible lease duration for tokens and secrets in seconds MaxLeaseTTLSeconds *float64 `json:"maxLeaseTtlSeconds,omitempty" tf:"max_lease_ttl_seconds,omitempty"` + // A nested block containing configuration options for MongoDB connections. + // See // Connection parameters for the mongodb-database-plugin plugin. Mongodb []SecretsMountMongodbObservation `json:"mongodb,omitempty" tf:"mongodb,omitempty"` + // A nested block containing configuration options for MongoDB Atlas connections. + // See // Connection parameters for the mongodbatlas-database-plugin plugin. Mongodbatlas []SecretsMountMongodbatlasObservation `json:"mongodbatlas,omitempty" tf:"mongodbatlas,omitempty"` + // A nested block containing configuration options for MSSQL connections. + // See // Connection parameters for the mssql-database-plugin plugin. Mssql []SecretsMountMssqlObservation `json:"mssql,omitempty" tf:"mssql,omitempty"` + // A nested block containing configuration options for MySQL connections. + // See // Connection parameters for the mysql-database-plugin plugin. MySQL []SecretsMountMySQLObservation `json:"mysql,omitempty" tf:"mysql,omitempty"` + // A nested block containing configuration options for Aurora MySQL connections. + // See // Connection parameters for the mysql-aurora-database-plugin plugin. MySQLAurora []SecretsMountMySQLAuroraObservation `json:"mysqlAurora,omitempty" tf:"mysql_aurora,omitempty"` + // A nested block containing configuration options for legacy MySQL connections. + // See // Connection parameters for the mysql-legacy-database-plugin plugin. 
MySQLLegacy []SecretsMountMySQLLegacyObservation `json:"mysqlLegacy,omitempty" tf:"mysql_legacy,omitempty"` + // A nested block containing configuration options for RDS MySQL connections. + // See // Connection parameters for the mysql-rds-database-plugin plugin. MySQLRDS []SecretsMountMySQLRDSObservation `json:"mysqlRds,omitempty" tf:"mysql_rds,omitempty"` // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Specifies mount type specific options that are passed to the backend // Specifies mount type specific options that are passed to the backend Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` + // A nested block containing configuration options for Oracle connections. + // See // Connection parameters for the oracle-database-plugin plugin. Oracle []SecretsMountOracleObservation `json:"oracle,omitempty" tf:"oracle,omitempty"` + // Where the secret backend will be mounted // Where the secret backend will be mounted Path *string `json:"path,omitempty" tf:"path,omitempty"` + // A nested block containing configuration options for PostgreSQL connections. + // See // Connection parameters for the postgresql-database-plugin plugin. Postgresql []SecretsMountPostgresqlObservation `json:"postgresql,omitempty" tf:"postgresql,omitempty"` + // A nested block containing configuration options for Redis connections. + // See // Connection parameters for the redis-database-plugin plugin. Redis []SecretsMountRedisObservation `json:"redis,omitempty" tf:"redis,omitempty"` + // A nested block containing configuration options for Redis ElastiCache connections. + // See // Connection parameters for the redis-elasticache-database-plugin plugin. RedisElasticache []SecretsMountRedisElasticacheObservation `json:"redisElasticache,omitempty" tf:"redis_elasticache,omitempty"` + // A nested block containing configuration options for AWS Redshift connections. 
+ // See // Connection parameters for the redshift-database-plugin plugin. Redshift []SecretsMountRedshiftObservation `json:"redshift,omitempty" tf:"redshift,omitempty"` + // Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability // Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability SealWrap *bool `json:"sealWrap,omitempty" tf:"seal_wrap,omitempty"` + // A nested block containing configuration options for Snowflake connections. + // See // Connection parameters for the snowflake-database-plugin plugin. Snowflake []SecretsMountSnowflakeObservation `json:"snowflake,omitempty" tf:"snowflake,omitempty"` } +type SecretsMountOracleInitParameters struct { + + // A list of roles that are allowed to use this + // connection. + // A list of roles that are allowed to use this connection. + AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + + // A URL containing connection information. + // See Vault docs + // Connection string to use to connect to the database. + ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + + // The maximum number of seconds to keep + // a connection alive for. + // Maximum number of seconds a connection may be reused. + MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + + // The maximum number of idle connections to + // maintain. + // Maximum number of idle connections to the database. 
+ MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + + // The maximum number of open connections to + // use. + // Maximum number of open connections to the database. + MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + + // for any configured database engine is changed + // Name of the database connection. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // Specifies the name of the plugin to use. + // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + + // A list of database statements to be executed to rotate the root user's credentials. + // A list of database statements to be executed to rotate the root user's credentials. + RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + + // The username to authenticate with. + // The root credential username used in the connection URL + Username *string `json:"username,omitempty" tf:"username,omitempty"` + + // Template describing how dynamic usernames are generated. + // Username generation template. + UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + + // Whether the connection should be verified on + // initial configuration or not. + // Specifies if the connection is verified during initial configuration. + VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` +} + type SecretsMountOracleObservation struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // A URL containing connection information. 
+ // See Vault docs // Connection string to use to connect to the database. ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // for any configured database engine is changed // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // The username to authenticate with. 
// The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } type SecretsMountOracleParameters struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. // +kubebuilder:validation:Optional AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // A URL containing connection information. + // See Vault docs // Connection string to use to connect to the database. // +kubebuilder:validation:Optional ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. // +kubebuilder:validation:Optional MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. // +kubebuilder:validation:Optional MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. 
// Maximum number of open connections to the database. // +kubebuilder:validation:Optional MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // for any configured database engine is changed // Name of the database connection. - // +kubebuilder:validation:Required - Name *string `json:"name" tf:"name,omitempty"` + // +kubebuilder:validation:Optional + Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. // The root credential password used in the connection URL // +kubebuilder:validation:Optional PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. // +kubebuilder:validation:Optional PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. // +kubebuilder:validation:Optional RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL // +kubebuilder:validation:Optional Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. // +kubebuilder:validation:Optional UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. 
// +kubebuilder:validation:Optional VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` 
@@ -1390,82 +2802,114 @@ type SecretsMountOracleParameters struct { type SecretsMountParameters struct { + // Set of managed key registry entry names that the mount in question is allowed to access // List of managed key registry entry names that the mount in question is allowed to access // +kubebuilder:validation:Optional AllowedManagedKeys []*string `json:"allowedManagedKeys,omitempty" tf:"allowed_managed_keys,omitempty"` + // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. // +kubebuilder:validation:Optional AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys,omitempty"` + // Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. // Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. // +kubebuilder:validation:Optional AuditNonHMACResponseKeys []*string `json:"auditNonHmacResponseKeys,omitempty" tf:"audit_non_hmac_response_keys,omitempty"` + // A nested block containing configuration options for Cassandra connections. + // See // Connection parameters for the cassandra-database-plugin plugin. // +kubebuilder:validation:Optional Cassandra []SecretsMountCassandraParameters `json:"cassandra,omitempty" tf:"cassandra,omitempty"` + // A nested block containing configuration options for Couchbase connections. + // See // Connection parameters for the couchbase-database-plugin plugin. 
// +kubebuilder:validation:Optional Couchbase []SecretsMountCouchbaseParameters `json:"couchbase,omitempty" tf:"couchbase,omitempty"` + // Default lease duration for tokens and secrets in seconds // Default lease duration for tokens and secrets in seconds // +kubebuilder:validation:Optional DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // Human-friendly description of the mount // Human-friendly description of the mount // +kubebuilder:validation:Optional Description *string `json:"description,omitempty" tf:"description,omitempty"` + // A nested block containing configuration options for Elasticsearch connections. + // See // Connection parameters for the elasticsearch-database-plugin. // +kubebuilder:validation:Optional Elasticsearch []SecretsMountElasticsearchParameters `json:"elasticsearch,omitempty" tf:"elasticsearch,omitempty"` + // Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source // Enable the secrets engine to access Vault's external entropy source // +kubebuilder:validation:Optional ExternalEntropyAccess *bool `json:"externalEntropyAccess,omitempty" tf:"external_entropy_access,omitempty"` + // A nested block containing configuration options for SAP HanaDB connections. + // See // Connection parameters for the hana-database-plugin plugin. // +kubebuilder:validation:Optional Hana []SecretsMountHanaParameters `json:"hana,omitempty" tf:"hana,omitempty"` + // A nested block containing configuration options for InfluxDB connections. + // See // Connection parameters for the influxdb-database-plugin plugin. 
// +kubebuilder:validation:Optional Influxdb []SecretsMountInfluxdbParameters `json:"influxdb,omitempty" tf:"influxdb,omitempty"` + // Boolean flag that can be explicitly set to true to enforce local mount in HA environment // Local mount flag that can be explicitly set to true to enforce local mount in HA environment // +kubebuilder:validation:Optional Local *bool `json:"local,omitempty" tf:"local,omitempty"` + // Maximum possible lease duration for tokens and secrets in seconds // Maximum possible lease duration for tokens and secrets in seconds // +kubebuilder:validation:Optional MaxLeaseTTLSeconds *float64 `json:"maxLeaseTtlSeconds,omitempty" tf:"max_lease_ttl_seconds,omitempty"` + // A nested block containing configuration options for MongoDB connections. + // See // Connection parameters for the mongodb-database-plugin plugin. // +kubebuilder:validation:Optional Mongodb []SecretsMountMongodbParameters `json:"mongodb,omitempty" tf:"mongodb,omitempty"` + // A nested block containing configuration options for MongoDB Atlas connections. + // See // Connection parameters for the mongodbatlas-database-plugin plugin. // +kubebuilder:validation:Optional Mongodbatlas []SecretsMountMongodbatlasParameters `json:"mongodbatlas,omitempty" tf:"mongodbatlas,omitempty"` + // A nested block containing configuration options for MSSQL connections. + // See // Connection parameters for the mssql-database-plugin plugin. // +kubebuilder:validation:Optional Mssql []SecretsMountMssqlParameters `json:"mssql,omitempty" tf:"mssql,omitempty"` + // A nested block containing configuration options for MySQL connections. + // See // Connection parameters for the mysql-database-plugin plugin. // +kubebuilder:validation:Optional MySQL []SecretsMountMySQLParameters `json:"mysql,omitempty" tf:"mysql,omitempty"` + // A nested block containing configuration options for Aurora MySQL connections. + // See // Connection parameters for the mysql-aurora-database-plugin plugin. 
// +kubebuilder:validation:Optional MySQLAurora []SecretsMountMySQLAuroraParameters `json:"mysqlAurora,omitempty" tf:"mysql_aurora,omitempty"` + // A nested block containing configuration options for legacy MySQL connections. + // See // Connection parameters for the mysql-legacy-database-plugin plugin. // +kubebuilder:validation:Optional MySQLLegacy []SecretsMountMySQLLegacyParameters `json:"mysqlLegacy,omitempty" tf:"mysql_legacy,omitempty"` + // A nested block containing configuration options for RDS MySQL connections. + // See // Connection parameters for the mysql-rds-database-plugin plugin. // +kubebuilder:validation:Optional MySQLRDS []SecretsMountMySQLRDSParameters `json:"mysqlRds,omitempty" tf:"mysql_rds,omitempty"` 
@@ -1474,498 +2918,960 @@ type SecretsMountParameters struct { // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Specifies mount type specific options that are passed to the backend // Specifies mount type specific options that are passed to the backend // +kubebuilder:validation:Optional Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` + // A nested block containing configuration options for Oracle connections. + // See // Connection parameters for the oracle-database-plugin plugin. // +kubebuilder:validation:Optional Oracle []SecretsMountOracleParameters `json:"oracle,omitempty" tf:"oracle,omitempty"` + // Where the secret backend will be mounted // Where the secret backend will be mounted // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` + // A nested block containing configuration options for PostgreSQL connections. + // See // Connection parameters for the postgresql-database-plugin plugin. // +kubebuilder:validation:Optional Postgresql []SecretsMountPostgresqlParameters `json:"postgresql,omitempty" tf:"postgresql,omitempty"` + // A nested block containing configuration options for Redis connections. + // See // Connection parameters for the redis-database-plugin plugin. // +kubebuilder:validation:Optional Redis []SecretsMountRedisParameters `json:"redis,omitempty" tf:"redis,omitempty"` + // A nested block containing configuration options for Redis ElastiCache connections. + // See // Connection parameters for the redis-elasticache-database-plugin plugin. // +kubebuilder:validation:Optional RedisElasticache []SecretsMountRedisElasticacheParameters `json:"redisElasticache,omitempty" tf:"redis_elasticache,omitempty"` + // A nested block containing configuration options for AWS Redshift connections. + // See // Connection parameters for the redshift-database-plugin plugin. 
// +kubebuilder:validation:Optional Redshift []SecretsMountRedshiftParameters `json:"redshift,omitempty" tf:"redshift,omitempty"` + // Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability // Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability // +kubebuilder:validation:Optional SealWrap *bool `json:"sealWrap,omitempty" tf:"seal_wrap,omitempty"` + // A nested block containing configuration options for Snowflake connections. + // See // Connection parameters for the snowflake-database-plugin plugin. // +kubebuilder:validation:Optional Snowflake []SecretsMountSnowflakeParameters `json:"snowflake,omitempty" tf:"snowflake,omitempty"` } +type SecretsMountPostgresqlInitParameters struct { + + // A list of roles that are allowed to use this + // connection. + // A list of roles that are allowed to use this connection. + AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + + // A URL containing connection information. + // See Vault docs + // Connection string to use to connect to the database. + ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + + // Disable special character escaping in username and password. + // Disable special character escaping in username and password + DisableEscaping *bool `json:"disableEscaping,omitempty" tf:"disable_escaping,omitempty"` + + // The maximum number of seconds to keep + // a connection alive for. + // Maximum number of seconds a connection may be reused. 
+ MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + + // The maximum number of idle connections to + // maintain. + // Maximum number of idle connections to the database. + MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + + // The maximum number of open connections to + // use. + // Maximum number of open connections to the database. + MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + + // for any configured database engine is changed + // Name of the database connection. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // Specifies the name of the plugin to use. + // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + + // A list of database statements to be executed to rotate the root user's credentials. + // A list of database statements to be executed to rotate the root user's credentials. + RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + + // The username to authenticate with. + // The root credential username used in the connection URL + Username *string `json:"username,omitempty" tf:"username,omitempty"` + + // Template describing how dynamic usernames are generated. + // Username generation template. + UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + + // Whether the connection should be verified on + // initial configuration or not. + // Specifies if the connection is verified during initial configuration. 
+ VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` +} + type SecretsMountPostgresqlObservation struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // A URL containing connection information. + // See Vault docs // Connection string to use to connect to the database. ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // Disable special character escaping in username and password. // Disable special character escaping in username and password DisableEscaping *bool `json:"disableEscaping,omitempty" tf:"disable_escaping,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // for any configured database engine is changed // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } type SecretsMountPostgresqlParameters struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. // +kubebuilder:validation:Optional AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // A URL containing connection information. + // See Vault docs // Connection string to use to connect to the database. // +kubebuilder:validation:Optional ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // Disable special character escaping in username and password. 
// Disable special character escaping in username and password // +kubebuilder:validation:Optional DisableEscaping *bool `json:"disableEscaping,omitempty" tf:"disable_escaping,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. // +kubebuilder:validation:Optional MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. // +kubebuilder:validation:Optional MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. // +kubebuilder:validation:Optional MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // for any configured database engine is changed // Name of the database connection. - // +kubebuilder:validation:Required - Name *string `json:"name" tf:"name,omitempty"` + // +kubebuilder:validation:Optional + Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. // The root credential password used in the connection URL // +kubebuilder:validation:Optional PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. // +kubebuilder:validation:Optional PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. 
// +kubebuilder:validation:Optional RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL // +kubebuilder:validation:Optional Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. // +kubebuilder:validation:Optional UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. // +kubebuilder:validation:Optional VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } +type SecretsMountRedisElasticacheInitParameters struct { + + // A list of roles that are allowed to use this + // connection. + // A list of roles that are allowed to use this connection. + AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + + // for any configured database engine is changed + // Name of the database connection. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // Specifies the name of the plugin to use. + // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + + // The AWS region where the ElastiCache cluster is hosted. + // If omitted the plugin tries to infer the region from the environment. 
+ // The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment. + Region *string `json:"region,omitempty" tf:"region,omitempty"` + + // A list of database statements to be executed to rotate the root user's credentials. + // A list of database statements to be executed to rotate the root user's credentials. + RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + + // The URL for Elasticsearch's API. https requires certificate + // by trusted CA if used. + // The configuration endpoint for the ElastiCache cluster to connect to. + URL *string `json:"url,omitempty" tf:"url,omitempty"` + + // Whether the connection should be verified on + // initial configuration or not. + // Specifies if the connection is verified during initial configuration. + VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` +} + type SecretsMountRedisElasticacheObservation struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // for any configured database engine is changed // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // The AWS region where the ElastiCache cluster is hosted. 
+ // If omitted the plugin tries to infer the region from the environment. // The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment. Region *string `json:"region,omitempty" tf:"region,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // The URL for Elasticsearch's API. https requires certificate + // by trusted CA if used. // The configuration endpoint for the ElastiCache cluster to connect to. URL *string `json:"url,omitempty" tf:"url,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } type SecretsMountRedisElasticacheParameters struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. // +kubebuilder:validation:Optional AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // for any configured database engine is changed // Name of the database connection. - // +kubebuilder:validation:Required - Name *string `json:"name" tf:"name,omitempty"` + // +kubebuilder:validation:Optional + Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. // The AWS secret key id to use to talk to ElastiCache. 
If omitted the credentials chain provider is used instead. // +kubebuilder:validation:Optional PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. // +kubebuilder:validation:Optional PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // The AWS region where the ElastiCache cluster is hosted. + // If omitted the plugin tries to infer the region from the environment. // The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment. // +kubebuilder:validation:Optional Region *string `json:"region,omitempty" tf:"region,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. // +kubebuilder:validation:Optional RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // The URL for Elasticsearch's API. https requires certificate + // by trusted CA if used. // The configuration endpoint for the ElastiCache cluster to connect to. - // +kubebuilder:validation:Required - URL *string `json:"url" tf:"url,omitempty"` + // +kubebuilder:validation:Optional + URL *string `json:"url,omitempty" tf:"url,omitempty"` + // The username to authenticate with. // The AWS access key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead. // +kubebuilder:validation:Optional UsernameSecretRef *v1.SecretKeySelector `json:"usernameSecretRef,omitempty" tf:"-"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. 
// +kubebuilder:validation:Optional VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } +type SecretsMountRedisInitParameters struct { + + // A list of roles that are allowed to use this + // connection. + // A list of roles that are allowed to use this connection. + AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + + // The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity. + // The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. + CACert *string `json:"caCert,omitempty" tf:"ca_cert,omitempty"` + + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + + // The host to connect to. + // Specifies the host to connect to + Host *string `json:"host,omitempty" tf:"host,omitempty"` + + // Whether to skip verification of the server + // certificate when using TLS. + // Specifies whether to skip verification of the server certificate when using TLS. + InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"` + + // for any configured database engine is changed + // Name of the database connection. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // Specifies the name of the plugin to use. + // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + + // The default port to connect to if no port is specified as + // part of the host. + // The transport port to use to connect to Redis. 
+ Port *float64 `json:"port,omitempty" tf:"port,omitempty"` + + // A list of database statements to be executed to rotate the root user's credentials. + // A list of database statements to be executed to rotate the root user's credentials. + RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + + // Whether to use TLS when connecting to Cassandra. + // Specifies whether to use TLS when connecting to Redis. + TLS *bool `json:"tls,omitempty" tf:"tls,omitempty"` + + // The username to authenticate with. + // Specifies the username for Vault to use. + Username *string `json:"username,omitempty" tf:"username,omitempty"` + + // Whether the connection should be verified on + // initial configuration or not. + // Specifies if the connection is verified during initial configuration. + VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` +} + type SecretsMountRedisObservation struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity. // The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. CACert *string `json:"caCert,omitempty" tf:"ca_cert,omitempty"` + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // The host to connect to. // Specifies the host to connect to Host *string `json:"host,omitempty" tf:"host,omitempty"` + // Whether to skip verification of the server + // certificate when using TLS. // Specifies whether to skip verification of the server certificate when using TLS. 
InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"` + // for any configured database engine is changed // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // The default port to connect to if no port is specified as + // part of the host. // The transport port to use to connect to Redis. Port *float64 `json:"port,omitempty" tf:"port,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // Whether to use TLS when connecting to Cassandra. // Specifies whether to use TLS when connecting to Redis. TLS *bool `json:"tls,omitempty" tf:"tls,omitempty"` + // The username to authenticate with. // Specifies the username for Vault to use. Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } type SecretsMountRedisParameters struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. // +kubebuilder:validation:Optional AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity. 
// The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. // +kubebuilder:validation:Optional CACert *string `json:"caCert,omitempty" tf:"ca_cert,omitempty"` + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // The host to connect to. // Specifies the host to connect to - // +kubebuilder:validation:Required - Host *string `json:"host" tf:"host,omitempty"` + // +kubebuilder:validation:Optional + Host *string `json:"host,omitempty" tf:"host,omitempty"` + // Whether to skip verification of the server + // certificate when using TLS. // Specifies whether to skip verification of the server certificate when using TLS. // +kubebuilder:validation:Optional InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"` + // for any configured database engine is changed // Name of the database connection. - // +kubebuilder:validation:Required - Name *string `json:"name" tf:"name,omitempty"` + // +kubebuilder:validation:Optional + Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. // Specifies the password corresponding to the given username. // +kubebuilder:validation:Required PasswordSecretRef v1.SecretKeySelector `json:"passwordSecretRef" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. // +kubebuilder:validation:Optional PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // The default port to connect to if no port is specified as + // part of the host. // The transport port to use to connect to Redis. 
// +kubebuilder:validation:Optional Port *float64 `json:"port,omitempty" tf:"port,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. // +kubebuilder:validation:Optional RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // Whether to use TLS when connecting to Cassandra. // Specifies whether to use TLS when connecting to Redis. // +kubebuilder:validation:Optional TLS *bool `json:"tls,omitempty" tf:"tls,omitempty"` + // The username to authenticate with. // Specifies the username for Vault to use. - // +kubebuilder:validation:Required - Username *string `json:"username" tf:"username,omitempty"` + // +kubebuilder:validation:Optional + Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. // +kubebuilder:validation:Optional VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } +type SecretsMountRedshiftInitParameters struct { + + // A list of roles that are allowed to use this + // connection. + // A list of roles that are allowed to use this connection. + AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + + // A URL containing connection information. + // See Vault docs + // Connection string to use to connect to the database. + ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. 
+ Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + + // Disable special character escaping in username and password. + // Disable special character escaping in username and password + DisableEscaping *bool `json:"disableEscaping,omitempty" tf:"disable_escaping,omitempty"` + + // The maximum number of seconds to keep + // a connection alive for. + // Maximum number of seconds a connection may be reused. + MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + + // The maximum number of idle connections to + // maintain. + // Maximum number of idle connections to the database. + MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + + // The maximum number of open connections to + // use. + // Maximum number of open connections to the database. + MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + + // for any configured database engine is changed + // Name of the database connection. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // Specifies the name of the plugin to use. + // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + + // A list of database statements to be executed to rotate the root user's credentials. + // A list of database statements to be executed to rotate the root user's credentials. + RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + + // The username to authenticate with. + // The root credential username used in the connection URL + Username *string `json:"username,omitempty" tf:"username,omitempty"` + + // Template describing how dynamic usernames are generated. + // Username generation template. 
+ UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + + // Whether the connection should be verified on + // initial configuration or not. + // Specifies if the connection is verified during initial configuration. + VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` +} + type SecretsMountRedshiftObservation struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // A URL containing connection information. + // See Vault docs // Connection string to use to connect to the database. ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // Disable special character escaping in username and password. // Disable special character escaping in username and password DisableEscaping *bool `json:"disableEscaping,omitempty" tf:"disable_escaping,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. 
MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // for any configured database engine is changed // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } type SecretsMountRedshiftParameters struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. // +kubebuilder:validation:Optional AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // A URL containing connection information. + // See Vault docs // Connection string to use to connect to the database. // +kubebuilder:validation:Optional ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // Disable special character escaping in username and password. // Disable special character escaping in username and password // +kubebuilder:validation:Optional DisableEscaping *bool `json:"disableEscaping,omitempty" tf:"disable_escaping,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. // +kubebuilder:validation:Optional MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. // +kubebuilder:validation:Optional MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. // +kubebuilder:validation:Optional MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // for any configured database engine is changed // Name of the database connection. - // +kubebuilder:validation:Required - Name *string `json:"name" tf:"name,omitempty"` + // +kubebuilder:validation:Optional + Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. // The root credential password used in the connection URL // +kubebuilder:validation:Optional PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. 
// +kubebuilder:validation:Optional PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. // +kubebuilder:validation:Optional RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL // +kubebuilder:validation:Optional Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. // +kubebuilder:validation:Optional UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. // +kubebuilder:validation:Optional VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } +type SecretsMountSnowflakeInitParameters struct { + + // A list of roles that are allowed to use this + // connection. + // A list of roles that are allowed to use this connection. + AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + + // A URL containing connection information. + // See Vault docs + // Connection string to use to connect to the database. + ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + + // The maximum number of seconds to keep + // a connection alive for. 
+ // Maximum number of seconds a connection may be reused. + MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + + // The maximum number of idle connections to + // maintain. + // Maximum number of idle connections to the database. + MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + + // The maximum number of open connections to + // use. + // Maximum number of open connections to the database. + MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + + // for any configured database engine is changed + // Name of the database connection. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // Specifies the name of the plugin to use. + // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + + // A list of database statements to be executed to rotate the root user's credentials. + // A list of database statements to be executed to rotate the root user's credentials. + RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + + // The username to authenticate with. + // The root credential username used in the connection URL + Username *string `json:"username,omitempty" tf:"username,omitempty"` + + // Template describing how dynamic usernames are generated. + // Username generation template. + UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + + // Whether the connection should be verified on + // initial configuration or not. + // Specifies if the connection is verified during initial configuration. 
+ VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` +} + type SecretsMountSnowflakeObservation struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // A URL containing connection information. + // See Vault docs // Connection string to use to connect to the database. ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. // Maximum number of idle connections to the database. MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // for any configured database engine is changed // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. 
// A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } type SecretsMountSnowflakeParameters struct { + // A list of roles that are allowed to use this + // connection. // A list of roles that are allowed to use this connection. // +kubebuilder:validation:Optional AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // A URL containing connection information. + // See Vault docs // Connection string to use to connect to the database. // +kubebuilder:validation:Optional ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // The maximum number of seconds to keep + // a connection alive for. // Maximum number of seconds a connection may be reused. // +kubebuilder:validation:Optional MaxConnectionLifetime *float64 `json:"maxConnectionLifetime,omitempty" tf:"max_connection_lifetime,omitempty"` + // The maximum number of idle connections to + // maintain. 
// Maximum number of idle connections to the database. // +kubebuilder:validation:Optional MaxIdleConnections *float64 `json:"maxIdleConnections,omitempty" tf:"max_idle_connections,omitempty"` + // The maximum number of open connections to + // use. // Maximum number of open connections to the database. // +kubebuilder:validation:Optional MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // for any configured database engine is changed // Name of the database connection. - // +kubebuilder:validation:Required - Name *string `json:"name" tf:"name,omitempty"` + // +kubebuilder:validation:Optional + Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. // The root credential password used in the connection URL // +kubebuilder:validation:Optional PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. // +kubebuilder:validation:Optional PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. // +kubebuilder:validation:Optional RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL // +kubebuilder:validation:Optional Username *string `json:"username,omitempty" tf:"username,omitempty"` + // Template describing how dynamic usernames are generated. // Username generation template. 
// +kubebuilder:validation:Optional UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + // Whether the connection should be verified on + // initial configuration or not. // Specifies if the connection is verified during initial configuration. // +kubebuilder:validation:Optional VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` @@ -1975,6 +3881,18 @@ type SecretsMountSnowflakeParameters struct { type SecretsMountSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretsMountParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretsMountInitParameters `json:"initProvider,omitempty"` } // SecretsMountStatus defines the observed state of SecretsMount. 
@@ -1985,7 +3903,7 @@ type SecretsMountStatus struct { // +kubebuilder:object:root=true -// SecretsMount is the Schema for the SecretsMounts API. +// SecretsMount is the Schema for the SecretsMounts API. Configures any number of database secrets engines under a single mount resource // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" @@ -1995,7 +3913,7 @@ type SecretsMountStatus struct { type SecretsMount struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path)",message="path is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter" Spec SecretsMountSpec `json:"spec"` Status SecretsMountStatus `json:"status,omitempty"` } diff --git a/apis/egp/v1alpha1/zz_generated.deepcopy.go b/apis/egp/v1alpha1/zz_generated.deepcopy.go index 8a28ecfc..b19ca8f6 100644 --- a/apis/egp/v1alpha1/zz_generated.deepcopy.go +++ b/apis/egp/v1alpha1/zz_generated.deepcopy.go 
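Review bot: The replacement XValidation rule on `SecretsMount` falls through to `has(self.initProvider.path)` whenever `forProvider.path` is absent, but `initProvider` is itself optional (`json:"initProvider,omitempty"` on `SecretsMountSpec`), and I believe Kubernetes CEL raises a `no such key: initProvider` evaluation error for `self.initProvider.path` on a manifest that omits `initProvider` entirely, so the user sees that error instead of the intended "path is a required parameter" message. The object is still rejected either way, so this is an error-reporting defect rather than a bypass, but it makes a missing mount path look like a schema bug. Guard the nested access: `... || has(self.forProvider.path) || (has(self.initProvider) && has(self.initProvider.path))`. This is a generated `zz_` file, so the change belongs in the generator's CEL rule template rather than a hand edit here.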
@@ -40,6 +40,52 @@ func (in *Policy) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyInitParameters) DeepCopyInto(out *PolicyInitParameters) { + *out = *in + if in.EnforcementLevel != nil { + in, out := &in.EnforcementLevel, &out.EnforcementLevel + *out = new(string) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Paths != nil { + in, out := &in.Paths, &out.Paths + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Policy != nil { + in, out := &in.Policy, &out.Policy + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyInitParameters. +func (in *PolicyInitParameters) DeepCopy() *PolicyInitParameters { + if in == nil { + return nil + } + out := new(PolicyInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PolicyList) DeepCopyInto(out *PolicyList) { *out = *in @@ -174,6 +220,7 @@ func (in *PolicySpec) DeepCopyInto(out *PolicySpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicySpec. diff --git a/apis/egp/v1alpha1/zz_generated.managed.go b/apis/egp/v1alpha1/zz_generated.managed.go index 51f4cdcf..a29e31ba 100644 --- a/apis/egp/v1alpha1/zz_generated.managed.go +++ b/apis/egp/v1alpha1/zz_generated.managed.go 
@@ -17,9 +17,9 @@ func (mg *Policy) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this Policy. -func (mg *Policy) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this Policy. +func (mg *Policy) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this Policy. @@ -55,9 +55,9 @@ func (mg *Policy) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this Policy. -func (mg *Policy) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this Policy. +func (mg *Policy) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this Policy. diff --git a/apis/egp/v1alpha1/zz_generated_terraformed.go b/apis/egp/v1alpha1/zz_generated_terraformed.go index 25a087f2..d7dbf4fa 100755 --- a/apis/egp/v1alpha1/zz_generated_terraformed.go +++ b/apis/egp/v1alpha1/zz_generated_terraformed.go @@ -69,6 +69,16 @@ func (tr *Policy) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this Policy +func (tr *Policy) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this Policy using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *Policy) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/egp/v1alpha1/zz_policy_types.go b/apis/egp/v1alpha1/zz_policy_types.go index 314cae17..1094eafa 100755 --- a/apis/egp/v1alpha1/zz_policy_types.go +++ b/apis/egp/v1alpha1/zz_policy_types.go 
@@ -13,44 +13,86 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type PolicyInitParameters struct { + + // Enforcement level of Sentinel policy. Can be either advisory or soft-mandatory or hard-mandatory + // Enforcement level of Sentinel policy. Can be one of: 'advisory', 'soft-mandatory' or 'hard-mandatory' + EnforcementLevel *string `json:"enforcementLevel,omitempty" tf:"enforcement_level,omitempty"` + + // The name of the policy + // Name of the policy + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // List of paths to which the policy will be applied to + // List of paths to which the policy will be applied + Paths []*string `json:"paths,omitempty" tf:"paths,omitempty"` + + // String containing a Sentinel policy + // The policy document + Policy *string `json:"policy,omitempty" tf:"policy,omitempty"` +} + type PolicyObservation struct { + // Enforcement level of Sentinel policy. Can be either advisory or soft-mandatory or hard-mandatory // Enforcement level of Sentinel policy. Can be one of: 'advisory', 'soft-mandatory' or 'hard-mandatory' EnforcementLevel *string `json:"enforcementLevel,omitempty" tf:"enforcement_level,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The name of the policy // Name of the policy Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. 
(requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // List of paths to which the policy will be applied to // List of paths to which the policy will be applied Paths []*string `json:"paths,omitempty" tf:"paths,omitempty"` + // String containing a Sentinel policy // The policy document Policy *string `json:"policy,omitempty" tf:"policy,omitempty"` } type PolicyParameters struct { + // Enforcement level of Sentinel policy. Can be either advisory or soft-mandatory or hard-mandatory // Enforcement level of Sentinel policy. Can be one of: 'advisory', 'soft-mandatory' or 'hard-mandatory' // +kubebuilder:validation:Optional EnforcementLevel *string `json:"enforcementLevel,omitempty" tf:"enforcement_level,omitempty"` + // The name of the policy // Name of the policy // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // List of paths to which the policy will be applied to // List of paths to which the policy will be applied // +kubebuilder:validation:Optional Paths []*string `json:"paths,omitempty" tf:"paths,omitempty"` + // String containing a Sentinel policy // The policy document // +kubebuilder:validation:Optional Policy *string `json:"policy,omitempty" tf:"policy,omitempty"` 
@@ -60,6 +102,18 @@ type PolicyParameters struct { type PolicySpec struct { v1.ResourceSpec `json:",inline"` ForProvider PolicyParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider PolicyInitParameters `json:"initProvider,omitempty"` } // PolicyStatus defines the observed state of Policy. @@ -70,7 +124,7 @@ type PolicyStatus struct { // +kubebuilder:object:root=true -// Policy is the Schema for the Policys API. +// Policy is the Schema for the Policys API. Writes Sentinel endpoint governing policies for Vault // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -80,10 +134,10 @@ type PolicyStatus struct { type Policy struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.enforcementLevel)",message="enforcementLevel is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.paths)",message="paths is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)",message="policy is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.enforcementLevel) || has(self.initProvider.enforcementLevel)",message="enforcementLevel is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.paths) || has(self.initProvider.paths)",message="paths is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.policy) || has(self.initProvider.policy)",message="policy is a required parameter" Spec PolicySpec `json:"spec"` Status PolicyStatus `json:"status,omitempty"` } 
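Review bot: All four new XValidation rules on `Policy` test `has(self.initProvider.<field>)` without first checking `has(self.initProvider)`, while `PolicySpec` declares `initProvider` as optional; a manifest without `initProvider` and without the required `forProvider` field will, as far as I can tell, fail with a CEL `no such key` error rather than the intended "... is a required parameter" message. Use `(has(self.initProvider) && has(self.initProvider.policy))` and the same shape for `enforcementLevel`, `name` and `paths`. Separately, these rules only check presence: `enforcementLevel` is documented as one of `advisory`, `soft-mandatory` or `hard-mandatory` but carries no `+kubebuilder:validation:Enum=advisory;soft-mandatory;hard-mandatory` marker on the field declarations (earlier hunk), so a typo is only rejected by Vault at reconcile time. Both are generator-level changes since this file is upjet output.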
diff --git a/apis/gcp/v1alpha1/zz_authbackend_types.go b/apis/gcp/v1alpha1/zz_authbackend_types.go index 55c34363..256c3434 100755 --- a/apis/gcp/v1alpha1/zz_authbackend_types.go +++ b/apis/gcp/v1alpha1/zz_authbackend_types.go @@ -13,6 +13,32 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AuthBackendInitParameters struct { + ClientEmail *string `json:"clientEmail,omitempty" tf:"client_email,omitempty"` + + ClientID *string `json:"clientId,omitempty" tf:"client_id,omitempty"` + + // Specifies overrides to service endpoints used when making API requests to GCP. + CustomEndpoint []CustomEndpointInitParameters `json:"customEndpoint,omitempty" tf:"custom_endpoint,omitempty"` + + Description *string `json:"description,omitempty" tf:"description,omitempty"` + + // If set, opts out of mount migration on path updates. + DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + + // Specifies if the auth method is local only + Local *bool `json:"local,omitempty" tf:"local,omitempty"` + + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + Path *string `json:"path,omitempty" tf:"path,omitempty"` + + PrivateKeyID *string `json:"privateKeyId,omitempty" tf:"private_key_id,omitempty"` + + ProjectID *string `json:"projectId,omitempty" tf:"project_id,omitempty"` +} + type AuthBackendObservation struct { ClientEmail *string `json:"clientEmail,omitempty" tf:"client_email,omitempty"` 
@@ -81,6 +107,21 @@ type AuthBackendParameters struct { ProjectID *string `json:"projectId,omitempty" tf:"project_id,omitempty"` } +type CustomEndpointInitParameters struct { + + // Replaces the service endpoint used in API requests to https://www.googleapis.com. + API *string `json:"api,omitempty" tf:"api,omitempty"` + + // Replaces the service endpoint used in API requests to `https://compute.googleapis.com`. + Compute *string `json:"compute,omitempty" tf:"compute,omitempty"` + + // Replaces the service endpoint used in API requests to `https://cloudresourcemanager.googleapis.com`. + Crm *string `json:"crm,omitempty" tf:"crm,omitempty"` + + // Replaces the service endpoint used in API requests to `https://iam.googleapis.com`. + IAM *string `json:"iam,omitempty" tf:"iam,omitempty"` +} + type CustomEndpointObservation struct { // Replaces the service endpoint used in API requests to https://www.googleapis.com. @@ -119,6 +160,18 @@ type CustomEndpointParameters struct { type AuthBackendSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider AuthBackendInitParameters `json:"initProvider,omitempty"` } // AuthBackendStatus defines the observed state of AuthBackend. 
diff --git a/apis/gcp/v1alpha1/zz_authbackendrole_types.go b/apis/gcp/v1alpha1/zz_authbackendrole_types.go index 00a83328..66389863 100755 --- a/apis/gcp/v1alpha1/zz_authbackendrole_types.go +++ b/apis/gcp/v1alpha1/zz_authbackendrole_types.go 
@@ -13,61 +13,199 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AuthBackendRoleInitParameters struct { + AddGroupAliases *bool `json:"addGroupAliases,omitempty" tf:"add_group_aliases,omitempty"` + + // A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token. + AllowGceInference *bool `json:"allowGceInference,omitempty" tf:"allow_gce_inference,omitempty"` + + // Path to the mounted GCP auth backend + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either bound_zones or bound_regions must be set too. + BoundInstanceGroups []*string `json:"boundInstanceGroups,omitempty" tf:"bound_instance_groups,omitempty"` + + // A comma-separated list of GCP labels formatted as "key:value" strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions. + BoundLabels []*string `json:"boundLabels,omitempty" tf:"bound_labels,omitempty"` + + // An array of GCP project IDs. Only entities belonging to this project can authenticate under the role. + BoundProjects []*string `json:"boundProjects,omitempty" tf:"bound_projects,omitempty"` + + // The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored. + BoundRegions []*string `json:"boundRegions,omitempty" tf:"bound_regions,omitempty"` + + // GCP Service Accounts allowed to issue tokens under this role. 
(Note: Required if role is iam) + BoundServiceAccounts []*string `json:"boundServiceAccounts,omitempty" tf:"bound_service_accounts,omitempty"` + + // The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone. + BoundZones []*string `json:"boundZones,omitempty" tf:"bound_zones,omitempty"` + + // The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter exp. The GCE metadata tokens currently do not allow the exp claim to be customized. + MaxJwtExp *string `json:"maxJwtExp,omitempty" tf:"max_jwt_exp,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Name of the GCP role + Role *string `json:"role,omitempty" tf:"role,omitempty"` + + // List of CIDR blocks; if set, specifies blocks of IP + // addresses which can authenticate successfully, and ties the resulting token to these blocks + // as well. + // Specifies the blocks of IP addresses which are allowed to use the generated token + TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + + // If set, will encode an + // explicit max TTL + // onto the token in number of seconds. This is a hard cap even if token_ttl and + // token_max_ttl would otherwise allow a renewal. 
+ // Generated Token's Explicit Maximum TTL in seconds + TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + + // The maximum lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. + // The maximum lifetime of the generated token + TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + + // If set, the default policy will not be set on + // generated tokens; otherwise it will be added to the policies set in token_policies. + // If true, the 'default' policy will not automatically be added to generated tokens + TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + + // The maximum number + // of times a generated token may be used (within its lifetime); 0 means unlimited. + // The maximum number of times a token may be used, a value of zero means unlimited + TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + + // If set, indicates that the + // token generated using this role should never expire. The token should be renewed within the + // duration specified by this value. At each renewal, the token's TTL will be set to the + // value of this field. Specified in seconds. + // Generated Token's Period + TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + + // List of policies to encode onto generated tokens. Depending + // on the auth method, this list may be supplemented by user/group/other values. + // Generated Token's Policies + TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + + // The incremental lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. 
+ // The initial ttl of the token to generate in seconds + TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + + // The type of token that should be generated. Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. + // The type of token to generate, service or batch + TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` + + // Type of GCP authentication role (either gce or iam) + Type *string `json:"type,omitempty" tf:"type,omitempty"` +} + type AuthBackendRoleObservation struct { AddGroupAliases *bool `json:"addGroupAliases,omitempty" tf:"add_group_aliases,omitempty"` + // A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token. AllowGceInference *bool `json:"allowGceInference,omitempty" tf:"allow_gce_inference,omitempty"` + // Path to the mounted GCP auth backend Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either bound_zones or bound_regions must be set too. BoundInstanceGroups []*string `json:"boundInstanceGroups,omitempty" tf:"bound_instance_groups,omitempty"` + // A comma-separated list of GCP labels formatted as "key:value" strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions. BoundLabels []*string `json:"boundLabels,omitempty" tf:"bound_labels,omitempty"` + // An array of GCP project IDs. Only entities belonging to this project can authenticate under the role. 
BoundProjects []*string `json:"boundProjects,omitempty" tf:"bound_projects,omitempty"` + // The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored. BoundRegions []*string `json:"boundRegions,omitempty" tf:"bound_regions,omitempty"` + // GCP Service Accounts allowed to issue tokens under this role. (Note: Required if role is iam) BoundServiceAccounts []*string `json:"boundServiceAccounts,omitempty" tf:"bound_service_accounts,omitempty"` + // The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone. BoundZones []*string `json:"boundZones,omitempty" tf:"bound_zones,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter exp. The GCE metadata tokens currently do not allow the exp claim to be customized. MaxJwtExp *string `json:"maxJwtExp,omitempty" tf:"max_jwt_exp,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. 
(requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Name of the GCP role Role *string `json:"role,omitempty" tf:"role,omitempty"` + // List of CIDR blocks; if set, specifies blocks of IP + // addresses which can authenticate successfully, and ties the resulting token to these blocks + // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + // If set, will encode an + // explicit max TTL + // onto the token in number of seconds. This is a hard cap even if token_ttl and + // token_max_ttl would otherwise allow a renewal. // Generated Token's Explicit Maximum TTL in seconds TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + // The maximum lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. // The maximum lifetime of the generated token TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + // If set, the default policy will not be set on + // generated tokens; otherwise it will be added to the policies set in token_policies. // If true, the 'default' policy will not automatically be added to generated tokens TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + // The maximum number + // of times a generated token may be used (within its lifetime); 0 means unlimited. // The maximum number of times a token may be used, a value of zero means unlimited TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + // If set, indicates that the + // token generated using this role should never expire. The token should be renewed within the + // duration specified by this value. At each renewal, the token's TTL will be set to the + // value of this field. 
Specified in seconds. // Generated Token's Period TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + // List of policies to encode onto generated tokens. Depending + // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + // The incremental lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. // The initial ttl of the token to generate in seconds TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + // The type of token that should be generated. Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. // The type of token to generate, service or batch TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` + // Type of GCP authentication role (either gce or iam) Type *string `json:"type,omitempty" tf:"type,omitempty"` } 
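Review bot: `Type` in `AuthBackendRoleInitParameters` (and the matching Observation/Parameters fields) is documented as "either gce or iam" but has no `+kubebuilder:validation:Enum=gce;iam` marker, so a mistyped value is only caught when Vault rejects the role. More important for an auth role, the `BoundServiceAccounts` comment says it is required for `iam` roles, and nothing at admission enforces that an `iam` role names at least one service account or project — the bindings that actually restrict who can log in — so presumably the resource just sits in an error state after Vault refuses it. A top-level CEL rule such as `!(has(self.forProvider.type) && self.forProvider.type == 'iam') || has(self.forProvider.boundServiceAccounts) || (has(self.initProvider) && has(self.initProvider.boundServiceAccounts))` would fail fast. These are generated types, so the markers belong in the upjet resource configuration rather than in this file.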
@@ -76,76 +214,117 @@ type AuthBackendRoleParameters struct { // +kubebuilder:validation:Optional AddGroupAliases *bool `json:"addGroupAliases,omitempty" tf:"add_group_aliases,omitempty"` + // A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token. // +kubebuilder:validation:Optional AllowGceInference *bool `json:"allowGceInference,omitempty" tf:"allow_gce_inference,omitempty"` + // Path to the mounted GCP auth backend // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either bound_zones or bound_regions must be set too. // +kubebuilder:validation:Optional BoundInstanceGroups []*string `json:"boundInstanceGroups,omitempty" tf:"bound_instance_groups,omitempty"` + // A comma-separated list of GCP labels formatted as "key:value" strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions. // +kubebuilder:validation:Optional BoundLabels []*string `json:"boundLabels,omitempty" tf:"bound_labels,omitempty"` + // An array of GCP project IDs. Only entities belonging to this project can authenticate under the role. // +kubebuilder:validation:Optional BoundProjects []*string `json:"boundProjects,omitempty" tf:"bound_projects,omitempty"` + // The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored. // +kubebuilder:validation:Optional BoundRegions []*string `json:"boundRegions,omitempty" tf:"bound_regions,omitempty"` + // GCP Service Accounts allowed to issue tokens under this role. 
(Note: Required if role is iam) // +kubebuilder:validation:Optional BoundServiceAccounts []*string `json:"boundServiceAccounts,omitempty" tf:"bound_service_accounts,omitempty"` + // The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone. // +kubebuilder:validation:Optional BoundZones []*string `json:"boundZones,omitempty" tf:"bound_zones,omitempty"` + // The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter exp. The GCE metadata tokens currently do not allow the exp claim to be customized. // +kubebuilder:validation:Optional MaxJwtExp *string `json:"maxJwtExp,omitempty" tf:"max_jwt_exp,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Name of the GCP role // +kubebuilder:validation:Optional Role *string `json:"role,omitempty" tf:"role,omitempty"` + // List of CIDR blocks; if set, specifies blocks of IP + // addresses which can authenticate successfully, and ties the resulting token to these blocks + // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token // +kubebuilder:validation:Optional TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + // If set, will encode an + // explicit max TTL + // onto the token in number of seconds. 
This is a hard cap even if token_ttl and + // token_max_ttl would otherwise allow a renewal. // Generated Token's Explicit Maximum TTL in seconds // +kubebuilder:validation:Optional TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + // The maximum lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. // The maximum lifetime of the generated token // +kubebuilder:validation:Optional TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + // If set, the default policy will not be set on + // generated tokens; otherwise it will be added to the policies set in token_policies. // If true, the 'default' policy will not automatically be added to generated tokens // +kubebuilder:validation:Optional TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + // The maximum number + // of times a generated token may be used (within its lifetime); 0 means unlimited. // The maximum number of times a token may be used, a value of zero means unlimited // +kubebuilder:validation:Optional TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + // If set, indicates that the + // token generated using this role should never expire. The token should be renewed within the + // duration specified by this value. At each renewal, the token's TTL will be set to the + // value of this field. Specified in seconds. // Generated Token's Period // +kubebuilder:validation:Optional TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + // List of policies to encode onto generated tokens. Depending + // on the auth method, this list may be supplemented by user/group/other values. 
// Generated Token's Policies // +kubebuilder:validation:Optional TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + // The incremental lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. // The initial ttl of the token to generate in seconds // +kubebuilder:validation:Optional TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + // The type of token that should be generated. Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. // The type of token to generate, service or batch // +kubebuilder:validation:Optional TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` + // Type of GCP authentication role (either gce or iam) // +kubebuilder:validation:Optional Type *string `json:"type,omitempty" tf:"type,omitempty"` } 
@@ -154,6 +333,18 @@ type AuthBackendRoleParameters struct { type AuthBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendRoleParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider AuthBackendRoleInitParameters `json:"initProvider,omitempty"` } // AuthBackendRoleStatus defines the observed state of AuthBackendRole. @@ -164,7 +355,7 @@ type AuthBackendRoleStatus struct { // +kubebuilder:object:root=true -// AuthBackendRole is the Schema for the AuthBackendRoles API. +// AuthBackendRole is the Schema for the AuthBackendRoles API. Managing roles in an GCP auth backend in Vault // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -174,8 +365,8 @@ type AuthBackendRoleStatus struct { type AuthBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.role)",message="role is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)",message="type is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.role) || has(self.initProvider.role)",message="role is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.type) || has(self.initProvider.type)",message="type is a required parameter" Spec AuthBackendRoleSpec `json:"spec"` Status AuthBackendRoleStatus `json:"status,omitempty"` } diff --git a/apis/gcp/v1alpha1/zz_generated.deepcopy.go b/apis/gcp/v1alpha1/zz_generated.deepcopy.go index a15611fb..877c4df7 100644 --- a/apis/gcp/v1alpha1/zz_generated.deepcopy.go +++ b/apis/gcp/v1alpha1/zz_generated.deepcopy.go 
@@ -41,6 +41,73 @@ func (in *AuthBackend) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendInitParameters) DeepCopyInto(out *AuthBackendInitParameters) { + *out = *in + if in.ClientEmail != nil { + in, out := &in.ClientEmail, &out.ClientEmail + *out = new(string) + **out = **in + } + if in.ClientID != nil { + in, out := &in.ClientID, &out.ClientID + *out = new(string) + **out = **in + } + if in.CustomEndpoint != nil { + in, out := &in.CustomEndpoint, &out.CustomEndpoint + *out = make([]CustomEndpointInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.DisableRemount != nil { + in, out := &in.DisableRemount, &out.DisableRemount + *out = new(bool) + **out = **in + } + if in.Local != nil { + in, out := &in.Local, &out.Local + *out = new(bool) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = **in + } + if in.PrivateKeyID != nil { + in, out := &in.PrivateKeyID, &out.PrivateKeyID + *out = new(string) + **out = **in + } + if in.ProjectID != nil { + in, out := &in.ProjectID, &out.ProjectID + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendInitParameters. +func (in *AuthBackendInitParameters) DeepCopy() *AuthBackendInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
func (in *AuthBackendList) DeepCopyInto(out *AuthBackendList) { *out = *in 
@@ -244,6 +311,179 @@ func (in *AuthBackendRole) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendRoleInitParameters) DeepCopyInto(out *AuthBackendRoleInitParameters) { + *out = *in + if in.AddGroupAliases != nil { + in, out := &in.AddGroupAliases, &out.AddGroupAliases + *out = new(bool) + **out = **in + } + if in.AllowGceInference != nil { + in, out := &in.AllowGceInference, &out.AllowGceInference + *out = new(bool) + **out = **in + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.BoundInstanceGroups != nil { + in, out := &in.BoundInstanceGroups, &out.BoundInstanceGroups + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundLabels != nil { + in, out := &in.BoundLabels, &out.BoundLabels + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundProjects != nil { + in, out := &in.BoundProjects, &out.BoundProjects + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundRegions != nil { + in, out := &in.BoundRegions, &out.BoundRegions + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundServiceAccounts != nil { + in, out := &in.BoundServiceAccounts, &out.BoundServiceAccounts + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundZones != nil { + in, out := &in.BoundZones, 
&out.BoundZones + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.MaxJwtExp != nil { + in, out := &in.MaxJwtExp, &out.MaxJwtExp + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Role != nil { + in, out := &in.Role, &out.Role + *out = new(string) + **out = **in + } + if in.TokenBoundCidrs != nil { + in, out := &in.TokenBoundCidrs, &out.TokenBoundCidrs + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenExplicitMaxTTL != nil { + in, out := &in.TokenExplicitMaxTTL, &out.TokenExplicitMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenMaxTTL != nil { + in, out := &in.TokenMaxTTL, &out.TokenMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenNoDefaultPolicy != nil { + in, out := &in.TokenNoDefaultPolicy, &out.TokenNoDefaultPolicy + *out = new(bool) + **out = **in + } + if in.TokenNumUses != nil { + in, out := &in.TokenNumUses, &out.TokenNumUses + *out = new(float64) + **out = **in + } + if in.TokenPeriod != nil { + in, out := &in.TokenPeriod, &out.TokenPeriod + *out = new(float64) + **out = **in + } + if in.TokenPolicies != nil { + in, out := &in.TokenPolicies, &out.TokenPolicies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenTTL != nil { + in, out := &in.TokenTTL, &out.TokenTTL + *out = new(float64) + **out = **in + } + if in.TokenType != nil { + in, out := &in.TokenType, &out.TokenType + *out = new(string) + **out = **in + } + if in.Type != nil { + in, out := &in.Type, &out.Type + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, 
copying the receiver, creating a new AuthBackendRoleInitParameters. +func (in *AuthBackendRoleInitParameters) DeepCopy() *AuthBackendRoleInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendRoleInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthBackendRoleList) DeepCopyInto(out *AuthBackendRoleList) { *out = *in @@ -632,6 +872,7 @@ func (in *AuthBackendRoleSpec) DeepCopyInto(out *AuthBackendRoleSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleSpec. @@ -666,6 +907,7 @@ func (in *AuthBackendSpec) DeepCopyInto(out *AuthBackendSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendSpec. 
@@ -695,6 +937,37 @@ func (in *AuthBackendStatus) DeepCopy() *AuthBackendStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *BindingInitParameters) DeepCopyInto(out *BindingInitParameters) { + *out = *in + if in.Resource != nil { + in, out := &in.Resource, &out.Resource + *out = new(string) + **out = **in + } + if in.Roles != nil { + in, out := &in.Roles, &out.Roles + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BindingInitParameters. +func (in *BindingInitParameters) DeepCopy() *BindingInitParameters { + if in == nil { + return nil + } + out := new(BindingInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BindingObservation) DeepCopyInto(out *BindingObservation) { *out = *in 
@@ -757,6 +1030,41 @@ func (in *BindingParameters) DeepCopy() *BindingParameters { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CustomEndpointInitParameters) DeepCopyInto(out *CustomEndpointInitParameters) { + *out = *in + if in.API != nil { + in, out := &in.API, &out.API + *out = new(string) + **out = **in + } + if in.Compute != nil { + in, out := &in.Compute, &out.Compute + *out = new(string) + **out = **in + } + if in.Crm != nil { + in, out := &in.Crm, &out.Crm + *out = new(string) + **out = **in + } + if in.IAM != nil { + in, out := &in.IAM, &out.IAM + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomEndpointInitParameters. +func (in *CustomEndpointInitParameters) DeepCopy() *CustomEndpointInitParameters { + if in == nil { + return nil + } + out := new(CustomEndpointInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CustomEndpointObservation) DeepCopyInto(out *CustomEndpointObservation) { *out = *in 
@@ -854,6 +1162,56 @@ func (in *SecretBackend) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParameters) { + *out = *in + if in.DefaultLeaseTTLSeconds != nil { + in, out := &in.DefaultLeaseTTLSeconds, &out.DefaultLeaseTTLSeconds + *out = new(float64) + **out = **in + } + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.DisableRemount != nil { + in, out := &in.DisableRemount, &out.DisableRemount + *out = new(bool) + **out = **in + } + if in.Local != nil { + in, out := &in.Local, &out.Local + *out = new(bool) + **out = **in + } + if in.MaxLeaseTTLSeconds != nil { + in, out := &in.MaxLeaseTTLSeconds, &out.MaxLeaseTTLSeconds + *out = new(float64) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendInitParameters. +func (in *SecretBackendInitParameters) DeepCopy() *SecretBackendInitParameters { + if in == nil { + return nil + } + out := new(SecretBackendInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendList) DeepCopyInto(out *SecretBackendList) { *out = *in 
@@ -1001,6 +1359,7 @@ func (in *SecretBackendSpec) DeepCopyInto(out *SecretBackendSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendSpec. 
@@ -1057,6 +1416,52 @@ func (in *SecretImpersonatedAccount) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretImpersonatedAccountInitParameters) DeepCopyInto(out *SecretImpersonatedAccountInitParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.ImpersonatedAccount != nil { + in, out := &in.ImpersonatedAccount, &out.ImpersonatedAccount + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.ServiceAccountEmail != nil { + in, out := &in.ServiceAccountEmail, &out.ServiceAccountEmail + *out = new(string) + **out = **in + } + if in.TokenScopes != nil { + in, out := &in.TokenScopes, &out.TokenScopes + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretImpersonatedAccountInitParameters. +func (in *SecretImpersonatedAccountInitParameters) DeepCopy() *SecretImpersonatedAccountInitParameters { + if in == nil { + return nil + } + out := new(SecretImpersonatedAccountInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretImpersonatedAccountList) DeepCopyInto(out *SecretImpersonatedAccountList) { *out = *in 
@@ -1196,6 +1601,7 @@ func (in *SecretImpersonatedAccountSpec) DeepCopyInto(out *SecretImpersonatedAcc *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretImpersonatedAccountSpec. 
@@ -1252,6 +1658,64 @@ func (in *SecretRoleset) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretRolesetInitParameters) DeepCopyInto(out *SecretRolesetInitParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.Binding != nil { + in, out := &in.Binding, &out.Binding + *out = make([]BindingInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Project != nil { + in, out := &in.Project, &out.Project + *out = new(string) + **out = **in + } + if in.Roleset != nil { + in, out := &in.Roleset, &out.Roleset + *out = new(string) + **out = **in + } + if in.SecretType != nil { + in, out := &in.SecretType, &out.SecretType + *out = new(string) + **out = **in + } + if in.TokenScopes != nil { + in, out := &in.TokenScopes, &out.TokenScopes + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretRolesetInitParameters. +func (in *SecretRolesetInitParameters) DeepCopy() *SecretRolesetInitParameters { + if in == nil { + return nil + } + out := new(SecretRolesetInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretRolesetList) DeepCopyInto(out *SecretRolesetList) { *out = *in 
@@ -1415,6 +1879,7 @@ func (in *SecretRolesetSpec) DeepCopyInto(out *SecretRolesetSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretRolesetSpec. @@ -1471,6 +1936,37 @@ func (in *SecretStaticAccount) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretStaticAccountBindingInitParameters) DeepCopyInto(out *SecretStaticAccountBindingInitParameters) { + *out = *in + if in.Resource != nil { + in, out := &in.Resource, &out.Resource + *out = new(string) + **out = **in + } + if in.Roles != nil { + in, out := &in.Roles, &out.Roles + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStaticAccountBindingInitParameters. +func (in *SecretStaticAccountBindingInitParameters) DeepCopy() *SecretStaticAccountBindingInitParameters { + if in == nil { + return nil + } + out := new(SecretStaticAccountBindingInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretStaticAccountBindingObservation) DeepCopyInto(out *SecretStaticAccountBindingObservation) { *out = *in 
@@ -1533,6 +2029,64 @@ func (in *SecretStaticAccountBindingParameters) DeepCopy() *SecretStaticAccountB return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretStaticAccountInitParameters) DeepCopyInto(out *SecretStaticAccountInitParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.Binding != nil { + in, out := &in.Binding, &out.Binding + *out = make([]SecretStaticAccountBindingInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.SecretType != nil { + in, out := &in.SecretType, &out.SecretType + *out = new(string) + **out = **in + } + if in.ServiceAccountEmail != nil { + in, out := &in.ServiceAccountEmail, &out.ServiceAccountEmail + *out = new(string) + **out = **in + } + if in.StaticAccount != nil { + in, out := &in.StaticAccount, &out.StaticAccount + *out = new(string) + **out = **in + } + if in.TokenScopes != nil { + in, out := &in.TokenScopes, &out.TokenScopes + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStaticAccountInitParameters. +func (in *SecretStaticAccountInitParameters) DeepCopy() *SecretStaticAccountInitParameters { + if in == nil { + return nil + } + out := new(SecretStaticAccountInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretStaticAccountList) DeepCopyInto(out *SecretStaticAccountList) { *out = *in 
@@ -1696,6 +2250,7 @@ func (in *SecretStaticAccountSpec) DeepCopyInto(out *SecretStaticAccountSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStaticAccountSpec. diff --git a/apis/gcp/v1alpha1/zz_generated.managed.go b/apis/gcp/v1alpha1/zz_generated.managed.go index 16390f95..f5036998 100644 --- a/apis/gcp/v1alpha1/zz_generated.managed.go +++ b/apis/gcp/v1alpha1/zz_generated.managed.go @@ -17,9 +17,9 @@ func (mg *AuthBackend) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this AuthBackend. -func (mg *AuthBackend) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this AuthBackend. +func (mg *AuthBackend) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this AuthBackend. @@ -55,9 +55,9 @@ func (mg *AuthBackend) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this AuthBackend. -func (mg *AuthBackend) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this AuthBackend. +func (mg *AuthBackend) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this AuthBackend. 
@@ -93,9 +93,9 @@ func (mg *AuthBackendRole) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this AuthBackendRole. -func (mg *AuthBackendRole) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this AuthBackendRole. +func (mg *AuthBackendRole) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this AuthBackendRole. @@ -131,9 +131,9 @@ func (mg *AuthBackendRole) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this AuthBackendRole. -func (mg *AuthBackendRole) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this AuthBackendRole. +func (mg *AuthBackendRole) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this AuthBackendRole. @@ -169,9 +169,9 @@ func (mg *SecretBackend) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackend. -func (mg *SecretBackend) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackend. +func (mg *SecretBackend) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackend. @@ -207,9 +207,9 @@ func (mg *SecretBackend) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackend. -func (mg *SecretBackend) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackend. +func (mg *SecretBackend) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackend. 
@@ -245,9 +245,9 @@ func (mg *SecretImpersonatedAccount) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretImpersonatedAccount. -func (mg *SecretImpersonatedAccount) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretImpersonatedAccount. +func (mg *SecretImpersonatedAccount) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretImpersonatedAccount. @@ -283,9 +283,9 @@ func (mg *SecretImpersonatedAccount) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretImpersonatedAccount. -func (mg *SecretImpersonatedAccount) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretImpersonatedAccount. +func (mg *SecretImpersonatedAccount) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretImpersonatedAccount. @@ -321,9 +321,9 @@ func (mg *SecretRoleset) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretRoleset. -func (mg *SecretRoleset) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretRoleset. +func (mg *SecretRoleset) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretRoleset. 
@@ -359,9 +359,9 @@ func (mg *SecretRoleset) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretRoleset. -func (mg *SecretRoleset) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretRoleset. +func (mg *SecretRoleset) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretRoleset. @@ -397,9 +397,9 @@ func (mg *SecretStaticAccount) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretStaticAccount. -func (mg *SecretStaticAccount) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretStaticAccount. +func (mg *SecretStaticAccount) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretStaticAccount. @@ -435,9 +435,9 @@ func (mg *SecretStaticAccount) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretStaticAccount. -func (mg *SecretStaticAccount) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretStaticAccount. +func (mg *SecretStaticAccount) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretStaticAccount. diff --git a/apis/gcp/v1alpha1/zz_generated_terraformed.go b/apis/gcp/v1alpha1/zz_generated_terraformed.go index 1b873e01..bc58c9f1 100755 --- a/apis/gcp/v1alpha1/zz_generated_terraformed.go +++ b/apis/gcp/v1alpha1/zz_generated_terraformed.go 
@@ -69,6 +69,16 @@ func (tr *AuthBackend) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this AuthBackend +func (tr *AuthBackend) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this AuthBackend using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackend) LateInitialize(attrs []byte) (bool, error) { @@ -143,6 +153,16 @@ func (tr *AuthBackendRole) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this AuthBackendRole +func (tr *AuthBackendRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this AuthBackendRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackendRole) LateInitialize(attrs []byte) (bool, error) { @@ -217,6 +237,16 @@ func (tr *SecretBackend) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackend +func (tr *SecretBackend) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackend using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { 
@@ -291,6 +321,16 @@ func (tr *SecretImpersonatedAccount) SetParameters(params map[string]any) error return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretImpersonatedAccount +func (tr *SecretImpersonatedAccount) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretImpersonatedAccount using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretImpersonatedAccount) LateInitialize(attrs []byte) (bool, error) { @@ -365,6 +405,16 @@ func (tr *SecretRoleset) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretRoleset +func (tr *SecretRoleset) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretRoleset using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretRoleset) LateInitialize(attrs []byte) (bool, error) { 
@@ -439,6 +489,16 @@ func (tr *SecretStaticAccount) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretStaticAccount +func (tr *SecretStaticAccount) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretStaticAccount using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretStaticAccount) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/gcp/v1alpha1/zz_secretbackend_types.go b/apis/gcp/v1alpha1/zz_secretbackend_types.go index 40c7637c..1ab20d79 100755 --- a/apis/gcp/v1alpha1/zz_secretbackend_types.go +++ b/apis/gcp/v1alpha1/zz_secretbackend_types.go 
@@ -13,62 +13,129 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretBackendInitParameters struct { + + // The default TTL for credentials + // issued by this backend. Defaults to '0'. + // Default lease duration for secrets in seconds + DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + + // A human-friendly description for this backend. + // Human-friendly description of the mount for the backend. + Description *string `json:"description,omitempty" tf:"description,omitempty"` + + // If set, opts out of mount migration on path updates. + // See here for more info on Mount Migration + // If set, opts out of mount migration on path updates. + DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + + // Boolean flag that can be explicitly set to true to enforce local mount in HA environment + // Local mount flag that can be explicitly set to true to enforce local mount in HA environment + Local *bool `json:"local,omitempty" tf:"local,omitempty"` + + // The maximum TTL that can be requested + // for credentials issued by this backend. Defaults to '0'. + // Maximum possible lease duration for secrets in seconds + MaxLeaseTTLSeconds *float64 `json:"maxLeaseTtlSeconds,omitempty" tf:"max_lease_ttl_seconds,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The unique path this backend should be mounted at. Must + // not begin or end with a /. Defaults to gcp. + // Path to mount the backend at. 
+ Path *string `json:"path,omitempty" tf:"path,omitempty"` +} + type SecretBackendObservation struct { + // The default TTL for credentials + // issued by this backend. Defaults to '0'. // Default lease duration for secrets in seconds DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // A human-friendly description for this backend. // Human-friendly description of the mount for the backend. Description *string `json:"description,omitempty" tf:"description,omitempty"` + // If set, opts out of mount migration on path updates. + // See here for more info on Mount Migration // If set, opts out of mount migration on path updates. DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // Boolean flag that can be explicitly set to true to enforce local mount in HA environment // Local mount flag that can be explicitly set to true to enforce local mount in HA environment Local *bool `json:"local,omitempty" tf:"local,omitempty"` + // The maximum TTL that can be requested + // for credentials issued by this backend. Defaults to '0'. // Maximum possible lease duration for secrets in seconds MaxLeaseTTLSeconds *float64 `json:"maxLeaseTtlSeconds,omitempty" tf:"max_lease_ttl_seconds,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The unique path this backend should be mounted at. Must + // not begin or end with a /. Defaults to gcp. // Path to mount the backend at. 
Path *string `json:"path,omitempty" tf:"path,omitempty"` } type SecretBackendParameters struct { + // The GCP service account credentials in JSON format. // JSON-encoded credentials to use to connect to GCP // +kubebuilder:validation:Optional CredentialsSecretRef *v1.SecretKeySelector `json:"credentialsSecretRef,omitempty" tf:"-"` + // The default TTL for credentials + // issued by this backend. Defaults to '0'. // Default lease duration for secrets in seconds // +kubebuilder:validation:Optional DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // A human-friendly description for this backend. // Human-friendly description of the mount for the backend. // +kubebuilder:validation:Optional Description *string `json:"description,omitempty" tf:"description,omitempty"` + // If set, opts out of mount migration on path updates. + // See here for more info on Mount Migration // If set, opts out of mount migration on path updates. // +kubebuilder:validation:Optional DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + // Boolean flag that can be explicitly set to true to enforce local mount in HA environment // Local mount flag that can be explicitly set to true to enforce local mount in HA environment // +kubebuilder:validation:Optional Local *bool `json:"local,omitempty" tf:"local,omitempty"` + // The maximum TTL that can be requested + // for credentials issued by this backend. Defaults to '0'. // Maximum possible lease duration for secrets in seconds // +kubebuilder:validation:Optional MaxLeaseTTLSeconds *float64 `json:"maxLeaseTtlSeconds,omitempty" tf:"max_lease_ttl_seconds,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. 
(requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The unique path this backend should be mounted at. Must + // not begin or end with a /. Defaults to gcp. // Path to mount the backend at. // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` @@ -78,6 +145,18 @@ type SecretBackendParameters struct { type SecretBackendSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretBackendInitParameters `json:"initProvider,omitempty"` } // SecretBackendStatus defines the observed state of SecretBackend. 
@@ -88,7 +167,7 @@ type SecretBackendStatus struct { // +kubebuilder:object:root=true -// SecretBackend is the Schema for the SecretBackends API. +// SecretBackend is the Schema for the SecretBackends API. Creates an GCP secret backend for Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" diff --git a/apis/gcp/v1alpha1/zz_secretimpersonatedaccount_types.go b/apis/gcp/v1alpha1/zz_secretimpersonatedaccount_types.go index 70776c88..7cac3ba1 100755 --- a/apis/gcp/v1alpha1/zz_secretimpersonatedaccount_types.go +++ b/apis/gcp/v1alpha1/zz_secretimpersonatedaccount_types.go 
@@ -13,35 +13,64 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretImpersonatedAccountInitParameters struct { + + // Path where the GCP Secrets Engine is mounted + // Path where the GCP secrets engine is mounted. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // Name of the Impersonated Account to create + // Name of the Impersonated Account to create + ImpersonatedAccount *string `json:"impersonatedAccount,omitempty" tf:"impersonated_account,omitempty"` + + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Email of the GCP service account to impersonate. + // Email of the GCP service account. + ServiceAccountEmail *string `json:"serviceAccountEmail,omitempty" tf:"service_account_email,omitempty"` + + // List of OAuth scopes to assign to access tokens generated under this impersonated account. + // List of OAuth scopes to assign to `access_token` secrets generated under this impersonated account (`access_token` impersonated accounts only) + TokenScopes []*string `json:"tokenScopes,omitempty" tf:"token_scopes,omitempty"` +} + type SecretImpersonatedAccountObservation struct { + // Path where the GCP Secrets Engine is mounted // Path where the GCP secrets engine is mounted. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // Name of the Impersonated Account to create // Name of the Impersonated Account to create ImpersonatedAccount *string `json:"impersonatedAccount,omitempty" tf:"impersonated_account,omitempty"` // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Email of the GCP service account to impersonate. // Email of the GCP service account. ServiceAccountEmail *string `json:"serviceAccountEmail,omitempty" tf:"service_account_email,omitempty"` + // Project the service account belongs to. 
// Project of the GCP Service Account managed by this impersonated account ServiceAccountProject *string `json:"serviceAccountProject,omitempty" tf:"service_account_project,omitempty"` + // List of OAuth scopes to assign to access tokens generated under this impersonated account. // List of OAuth scopes to assign to `access_token` secrets generated under this impersonated account (`access_token` impersonated accounts only) TokenScopes []*string `json:"tokenScopes,omitempty" tf:"token_scopes,omitempty"` } type SecretImpersonatedAccountParameters struct { + // Path where the GCP Secrets Engine is mounted // Path where the GCP secrets engine is mounted. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Name of the Impersonated Account to create // Name of the Impersonated Account to create // +kubebuilder:validation:Optional ImpersonatedAccount *string `json:"impersonatedAccount,omitempty" tf:"impersonated_account,omitempty"` @@ -50,10 +79,12 @@ type SecretImpersonatedAccountParameters struct { // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Email of the GCP service account to impersonate. // Email of the GCP service account. // +kubebuilder:validation:Optional ServiceAccountEmail *string `json:"serviceAccountEmail,omitempty" tf:"service_account_email,omitempty"` + // List of OAuth scopes to assign to access tokens generated under this impersonated account. // List of OAuth scopes to assign to `access_token` secrets generated under this impersonated account (`access_token` impersonated accounts only) // +kubebuilder:validation:Optional TokenScopes []*string `json:"tokenScopes,omitempty" tf:"token_scopes,omitempty"` 
@@ -63,6 +94,18 @@ type SecretImpersonatedAccountParameters struct { type SecretImpersonatedAccountSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretImpersonatedAccountParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretImpersonatedAccountInitParameters `json:"initProvider,omitempty"` } // SecretImpersonatedAccountStatus defines the observed state of SecretImpersonatedAccount. @@ -73,7 +116,7 @@ type SecretImpersonatedAccountStatus struct { // +kubebuilder:object:root=true -// SecretImpersonatedAccount is the Schema for the SecretImpersonatedAccounts API. +// SecretImpersonatedAccount is the Schema for the SecretImpersonatedAccounts API. Creates a Impersonated Account for the GCP Secret Backend for Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -83,9 +126,9 @@ type SecretImpersonatedAccountStatus struct { type SecretImpersonatedAccount struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.impersonatedAccount)",message="impersonatedAccount is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.serviceAccountEmail)",message="serviceAccountEmail is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.impersonatedAccount) || has(self.initProvider.impersonatedAccount)",message="impersonatedAccount is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.serviceAccountEmail) || has(self.initProvider.serviceAccountEmail)",message="serviceAccountEmail is a required parameter" Spec SecretImpersonatedAccountSpec `json:"spec"` Status SecretImpersonatedAccountStatus `json:"status,omitempty"` } diff --git a/apis/gcp/v1alpha1/zz_secretroleset_types.go b/apis/gcp/v1alpha1/zz_secretroleset_types.go index d350b51b..531a8a91 100755 --- a/apis/gcp/v1alpha1/zz_secretroleset_types.go +++ b/apis/gcp/v1alpha1/zz_secretroleset_types.go 
@@ -13,79 +13,148 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type BindingInitParameters struct { + + // Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats. + // Resource name + Resource *string `json:"resource,omitempty" tf:"resource,omitempty"` + + // List of GCP IAM roles for the resource. + // List of roles to apply to the resource + Roles []*string `json:"roles,omitempty" tf:"roles,omitempty"` +} + type BindingObservation struct { + // Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats. // Resource name Resource *string `json:"resource,omitempty" tf:"resource,omitempty"` + // List of GCP IAM roles for the resource. // List of roles to apply to the resource Roles []*string `json:"roles,omitempty" tf:"roles,omitempty"` } type BindingParameters struct { + // Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats. // Resource name - // +kubebuilder:validation:Required - Resource *string `json:"resource" tf:"resource,omitempty"` + // +kubebuilder:validation:Optional + Resource *string `json:"resource,omitempty" tf:"resource,omitempty"` + // List of GCP IAM roles for the resource. // List of roles to apply to the resource - // +kubebuilder:validation:Required - Roles []*string `json:"roles" tf:"roles,omitempty"` + // +kubebuilder:validation:Optional + Roles []*string `json:"roles,omitempty" tf:"roles,omitempty"` +} + +type SecretRolesetInitParameters struct { + + // Path where the GCP Secrets Engine is mounted + // Path where the GCP secrets engine is mounted. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below. 
+ Binding []BindingInitParameters `json:"binding,omitempty" tf:"binding,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Name of the GCP project that this roleset's service account will belong to. + // Name of the GCP project that this roleset's service account will belong to. + Project *string `json:"project,omitempty" tf:"project,omitempty"` + + // Name of the Roleset to create + // Name of the RoleSet to create + Roleset *string `json:"roleset,omitempty" tf:"roleset,omitempty"` + + // Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token. + // Type of secret generated for this role set. Defaults to `access_token`. Accepted values: `access_token`, `service_account_key` + SecretType *string `json:"secretType,omitempty" tf:"secret_type,omitempty"` + + // List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only). + // List of OAuth scopes to assign to `access_token` secrets generated under this role set (`access_token` role sets only) + TokenScopes []*string `json:"tokenScopes,omitempty" tf:"token_scopes,omitempty"` } type SecretRolesetObservation struct { + // Path where the GCP Secrets Engine is mounted // Path where the GCP secrets engine is mounted. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below. 
Binding []BindingObservation `json:"binding,omitempty" tf:"binding,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Name of the GCP project that this roleset's service account will belong to. // Name of the GCP project that this roleset's service account will belong to. Project *string `json:"project,omitempty" tf:"project,omitempty"` + // Name of the Roleset to create // Name of the RoleSet to create Roleset *string `json:"roleset,omitempty" tf:"roleset,omitempty"` + // Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token. // Type of secret generated for this role set. Defaults to `access_token`. Accepted values: `access_token`, `service_account_key` SecretType *string `json:"secretType,omitempty" tf:"secret_type,omitempty"` + // Email of the service account created by Vault for this Roleset. // Email of the service account created by Vault for this Roleset ServiceAccountEmail *string `json:"serviceAccountEmail,omitempty" tf:"service_account_email,omitempty"` + // List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only). // List of OAuth scopes to assign to `access_token` secrets generated under this role set (`access_token` role sets only) TokenScopes []*string `json:"tokenScopes,omitempty" tf:"token_scopes,omitempty"` } type SecretRolesetParameters struct { + // Path where the GCP Secrets Engine is mounted // Path where the GCP secrets engine is mounted. 
// +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below. // +kubebuilder:validation:Optional Binding []BindingParameters `json:"binding,omitempty" tf:"binding,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Name of the GCP project that this roleset's service account will belong to. // Name of the GCP project that this roleset's service account will belong to. // +kubebuilder:validation:Optional Project *string `json:"project,omitempty" tf:"project,omitempty"` + // Name of the Roleset to create // Name of the RoleSet to create // +kubebuilder:validation:Optional Roleset *string `json:"roleset,omitempty" tf:"roleset,omitempty"` + // Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token. // Type of secret generated for this role set. Defaults to `access_token`. Accepted values: `access_token`, `service_account_key` // +kubebuilder:validation:Optional SecretType *string `json:"secretType,omitempty" tf:"secret_type,omitempty"` + // List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only). // List of OAuth scopes to assign to `access_token` secrets generated under this role set (`access_token` role sets only) // +kubebuilder:validation:Optional TokenScopes []*string `json:"tokenScopes,omitempty" tf:"token_scopes,omitempty"` 
@@ -95,6 +164,18 @@ type SecretRolesetParameters struct { type SecretRolesetSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretRolesetParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretRolesetInitParameters `json:"initProvider,omitempty"` } // SecretRolesetStatus defines the observed state of SecretRoleset. @@ -105,7 +186,7 @@ type SecretRolesetStatus struct { // +kubebuilder:object:root=true -// SecretRoleset is the Schema for the SecretRolesets API. +// SecretRoleset is the Schema for the SecretRolesets API. Creates a Roleset for the GCP Secret Backend for Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -115,10 +196,10 @@ type SecretRolesetStatus struct { type SecretRoleset struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.binding)",message="binding is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.project)",message="project is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.roleset)",message="roleset is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.binding) || has(self.initProvider.binding)",message="binding is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.project) || has(self.initProvider.project)",message="project is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.roleset) || has(self.initProvider.roleset)",message="roleset is a required parameter" Spec SecretRolesetSpec `json:"spec"` Status SecretRolesetStatus `json:"status,omitempty"` } 
diff --git a/apis/gcp/v1alpha1/zz_secretstaticaccount_types.go b/apis/gcp/v1alpha1/zz_secretstaticaccount_types.go index 6c6bcab8..132d2837 100755 --- a/apis/gcp/v1alpha1/zz_secretstaticaccount_types.go +++ b/apis/gcp/v1alpha1/zz_secretstaticaccount_types.go 
@@ -13,79 +13,148 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretStaticAccountBindingInitParameters struct { + + // Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats. + // Resource name + Resource *string `json:"resource,omitempty" tf:"resource,omitempty"` + + // List of GCP IAM roles for the resource. + // List of roles to apply to the resource + Roles []*string `json:"roles,omitempty" tf:"roles,omitempty"` +} + type SecretStaticAccountBindingObservation struct { + // Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats. // Resource name Resource *string `json:"resource,omitempty" tf:"resource,omitempty"` + // List of GCP IAM roles for the resource. // List of roles to apply to the resource Roles []*string `json:"roles,omitempty" tf:"roles,omitempty"` } type SecretStaticAccountBindingParameters struct { + // Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats. // Resource name - // +kubebuilder:validation:Required - Resource *string `json:"resource" tf:"resource,omitempty"` + // +kubebuilder:validation:Optional + Resource *string `json:"resource,omitempty" tf:"resource,omitempty"` + // List of GCP IAM roles for the resource. // List of roles to apply to the resource - // +kubebuilder:validation:Required - Roles []*string `json:"roles" tf:"roles,omitempty"` + // +kubebuilder:validation:Optional + Roles []*string `json:"roles,omitempty" tf:"roles,omitempty"` +} + +type SecretStaticAccountInitParameters struct { + + // Path where the GCP Secrets Engine is mounted + // Path where the GCP secrets engine is mounted. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // Bindings to create for this static account. 
This can be specified multiple times for multiple bindings. Structure is documented below. + Binding []SecretStaticAccountBindingInitParameters `json:"binding,omitempty" tf:"binding,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Type of secret generated for this static account. Accepted values: access_token, service_account_key. Defaults to access_token. + // Type of secret generated for this static account. Defaults to `access_token`. Accepted values: `access_token`, `service_account_key` + SecretType *string `json:"secretType,omitempty" tf:"secret_type,omitempty"` + + // Email of the GCP service account to manage. + // Email of the GCP service account. + ServiceAccountEmail *string `json:"serviceAccountEmail,omitempty" tf:"service_account_email,omitempty"` + + // Name of the Static Account to create + // Name of the Static Account to create + StaticAccount *string `json:"staticAccount,omitempty" tf:"static_account,omitempty"` + + // List of OAuth scopes to assign to access_token secrets generated under this static account (access_token static accounts only). + // List of OAuth scopes to assign to `access_token` secrets generated under this static account (`access_token` static accounts only) + TokenScopes []*string `json:"tokenScopes,omitempty" tf:"token_scopes,omitempty"` } type SecretStaticAccountObservation struct { + // Path where the GCP Secrets Engine is mounted // Path where the GCP secrets engine is mounted. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Bindings to create for this static account. This can be specified multiple times for multiple bindings. Structure is documented below. 
Binding []SecretStaticAccountBindingObservation `json:"binding,omitempty" tf:"binding,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Type of secret generated for this static account. Accepted values: access_token, service_account_key. Defaults to access_token. // Type of secret generated for this static account. Defaults to `access_token`. Accepted values: `access_token`, `service_account_key` SecretType *string `json:"secretType,omitempty" tf:"secret_type,omitempty"` + // Email of the GCP service account to manage. // Email of the GCP service account. ServiceAccountEmail *string `json:"serviceAccountEmail,omitempty" tf:"service_account_email,omitempty"` + // Project the service account belongs to. // Project of the GCP Service Account managed by this static account ServiceAccountProject *string `json:"serviceAccountProject,omitempty" tf:"service_account_project,omitempty"` + // Name of the Static Account to create // Name of the Static Account to create StaticAccount *string `json:"staticAccount,omitempty" tf:"static_account,omitempty"` + // List of OAuth scopes to assign to access_token secrets generated under this static account (access_token static accounts only). // List of OAuth scopes to assign to `access_token` secrets generated under this static account (`access_token` static accounts only) TokenScopes []*string `json:"tokenScopes,omitempty" tf:"token_scopes,omitempty"` } type SecretStaticAccountParameters struct { + // Path where the GCP Secrets Engine is mounted // Path where the GCP secrets engine is mounted. 
// +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Bindings to create for this static account. This can be specified multiple times for multiple bindings. Structure is documented below. // +kubebuilder:validation:Optional Binding []SecretStaticAccountBindingParameters `json:"binding,omitempty" tf:"binding,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Type of secret generated for this static account. Accepted values: access_token, service_account_key. Defaults to access_token. // Type of secret generated for this static account. Defaults to `access_token`. Accepted values: `access_token`, `service_account_key` // +kubebuilder:validation:Optional SecretType *string `json:"secretType,omitempty" tf:"secret_type,omitempty"` + // Email of the GCP service account to manage. // Email of the GCP service account. // +kubebuilder:validation:Optional ServiceAccountEmail *string `json:"serviceAccountEmail,omitempty" tf:"service_account_email,omitempty"` + // Name of the Static Account to create // Name of the Static Account to create // +kubebuilder:validation:Optional StaticAccount *string `json:"staticAccount,omitempty" tf:"static_account,omitempty"` + // List of OAuth scopes to assign to access_token secrets generated under this static account (access_token static accounts only). // List of OAuth scopes to assign to `access_token` secrets generated under this static account (`access_token` static accounts only) // +kubebuilder:validation:Optional TokenScopes []*string `json:"tokenScopes,omitempty" tf:"token_scopes,omitempty"` 
@@ -95,6 +164,18 @@ type SecretStaticAccountParameters struct { type SecretStaticAccountSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretStaticAccountParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretStaticAccountInitParameters `json:"initProvider,omitempty"` } // SecretStaticAccountStatus defines the observed state of SecretStaticAccount. @@ -105,7 +186,7 @@ type SecretStaticAccountStatus struct { // +kubebuilder:object:root=true -// SecretStaticAccount is the Schema for the SecretStaticAccounts API. +// SecretStaticAccount is the Schema for the SecretStaticAccounts API. Creates a Static Account for the GCP Secret Backend for Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -115,9 +196,9 @@ type SecretStaticAccountStatus struct { type SecretStaticAccount struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.serviceAccountEmail)",message="serviceAccountEmail is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.staticAccount)",message="staticAccount is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.serviceAccountEmail) || has(self.initProvider.serviceAccountEmail)",message="serviceAccountEmail is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.staticAccount) || has(self.initProvider.staticAccount)",message="staticAccount is a required parameter" Spec SecretStaticAccountSpec `json:"spec"` Status SecretStaticAccountStatus `json:"status,omitempty"` } diff --git a/apis/generate.go b/apis/generate.go index 7dcd77df..00d88e4b 100644 --- a/apis/generate.go +++ b/apis/generate.go 
@@ -17,6 +17,8 @@ Copyright 2021 Upbound Inc. //go:generate bash -c "find ../internal/controller -iname 'zz_*' -delete" //go:generate bash -c "find ../internal/controller -type d -empty -delete" //go:generate rm -rf ../examples-generated +//go:generate bash -c "find ../cmd/provider -name 'zz_*' -type f -delete" +//go:generate bash -c "find ../cmd/provider -type d -maxdepth 1 -mindepth 1 -empty -delete" // Generate documentation from Terraform docs. //go:generate go run github.com/upbound/upjet/cmd/scraper -n ${TERRAFORM_PROVIDER_SOURCE} -r ../.work/${TERRAFORM_PROVIDER_SOURCE}/${TERRAFORM_DOCS_PATH} -o ../config/provider-metadata.yaml @@ -36,4 +38,6 @@ import ( _ "sigs.k8s.io/controller-tools/cmd/controller-gen" //nolint:typecheck _ "github.com/crossplane/crossplane-tools/cmd/angryjet" //nolint:typecheck + + _ "github.com/upbound/upjet/cmd/scraper" ) diff --git a/apis/generic/v1alpha1/zz_endpoint_types.go b/apis/generic/v1alpha1/zz_endpoint_types.go index 187ca372..748f64b3 100755 --- a/apis/generic/v1alpha1/zz_endpoint_types.go +++ b/apis/generic/v1alpha1/zz_endpoint_types.go 
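Review bot: The second added go:generate line puts the global find options after a test (`-type d -maxdepth 1 -mindepth 1`); GNU find accepts this but prints a "global options are not positional" warning on every `go generate` run, and on other find implementations the placement is not guaranteed to mean the same thing. Move the depth options in front of the tests so the intent (only first-level empty directories under cmd/provider) is unambiguous: `//go:generate bash -c "find ../cmd/provider -mindepth 1 -maxdepth 1 -type d -empty -delete"`. The relative paths are resolved from the apis/ package directory that go generate runs in, which matches the neighbouring `../internal/controller` lines, so no change is needed there. A short comment above the two new lines saying what they clean up, e.g. `// Remove generated provider entrypoints before regenerating them.`, would make the block read like the controller cleanup above it.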
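Review bot: The new blank import `_ "github.com/upbound/upjet/cmd/scraper"` lacks the `//nolint:typecheck` marker that both neighbouring tool imports carry, so the linter configuration that needed it for controller-gen and angryjet will presumably flag this line too; make it `_ "github.com/upbound/upjet/cmd/scraper" //nolint:typecheck`. It is also worth a one-line comment on why the import exists: it appears to be there so the scraper stays in go.mod/go.sum and the `go run github.com/upbound/upjet/cmd/scraper` go:generate line in the hunk above resolves to the pinned, checksum-verified module version rather than failing or pulling an unpinned one, e.g. `// Tool dependency: keeps the upjet scraper pinned for the go:generate above.` Confirm that the upjet version in go.mod is the one whose scraper flags (-n, -r, -o) match the go:generate invocation, since that line is outside this hunk's added lines.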
@@ -13,61 +13,181 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type EndpointInitParameters struct { + + // True/false. Set this to true if your + // vault authentication is not able to delete the data or if the endpoint + // does not support the DELETE method. Defaults to false. + // Don't attempt to delete the path from Vault if true + DisableDelete *bool `json:"disableDelete,omitempty" tf:"disable_delete,omitempty"` + + // True/false. Set this to true if your vault + // authentication is not able to read the data or if the endpoint does + // not support the GET method. Setting this to true will break drift + // detection. You should set this to true for endpoints that are + // write-only. Defaults to false. + // Don't attempt to read the path from Vault if true; drift won't be detected + DisableRead *bool `json:"disableRead,omitempty" tf:"disable_read,omitempty"` + + // True/false. If set to true, + // ignore any fields present when the endpoint is read but that were not + // in data_json. Also, if a field that was written is not returned when + // the endpoint is read, treat that field as being up to date. You should + // set this to true when writing to endpoint that, when read, returns a + // different set of fields from the ones you wrote, as is common with + // many configuration endpoints. Defaults to false. + // When reading, disregard fields not present in data_json + IgnoreAbsentFields *bool `json:"ignoreAbsentFields,omitempty" tf:"ignore_absent_fields,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The full logical path at which to write the given + // data. 
Consult each backend's documentation to see which endpoints + // support the PUT methods and to determine whether they also support + // DELETE and GET. + // Full path where to the endpoint that will be written + Path *string `json:"path,omitempty" tf:"path,omitempty"` + + // . A list of fields that should be returned + // in write_data_json and write_data. If omitted, data returned by + // the write operation is not available to the resource or included in + // state. This helps to avoid accidental storage of sensitive values in + // state. Some endpoints, such as many dynamic secrets endpoints, return + // data from writing to an endpoint rather than reading it. You should + // use write_fields if you need information returned in this way. + // Top-level fields returned by write to persist in state + WriteFields []*string `json:"writeFields,omitempty" tf:"write_fields,omitempty"` +} + type EndpointObservation struct { + // True/false. Set this to true if your + // vault authentication is not able to delete the data or if the endpoint + // does not support the DELETE method. Defaults to false. // Don't attempt to delete the path from Vault if true DisableDelete *bool `json:"disableDelete,omitempty" tf:"disable_delete,omitempty"` + // True/false. Set this to true if your vault + // authentication is not able to read the data or if the endpoint does + // not support the GET method. Setting this to true will break drift + // detection. You should set this to true for endpoints that are + // write-only. Defaults to false. // Don't attempt to read the path from Vault if true; drift won't be detected DisableRead *bool `json:"disableRead,omitempty" tf:"disable_read,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // True/false. If set to true, + // ignore any fields present when the endpoint is read but that were not + // in data_json. Also, if a field that was written is not returned when + // the endpoint is read, treat that field as being up to date. 
You should + // set this to true when writing to endpoint that, when read, returns a + // different set of fields from the ones you wrote, as is common with + // many configuration endpoints. Defaults to false. // When reading, disregard fields not present in data_json IgnoreAbsentFields *bool `json:"ignoreAbsentFields,omitempty" tf:"ignore_absent_fields,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The full logical path at which to write the given + // data. Consult each backend's documentation to see which endpoints + // support the PUT methods and to determine whether they also support + // DELETE and GET. // Full path where to the endpoint that will be written Path *string `json:"path,omitempty" tf:"path,omitempty"` + // A map whose keys are the top-level data keys + // returned from Vault by the write operation and whose values are the + // corresponding values. This map can only represent string data, so + // any non-string values returned from Vault are serialized as JSON. + // Only fields set in write_fields are present in the JSON data. // Map of strings returned by write operation WriteData map[string]*string `json:"writeData,omitempty" tf:"write_data,omitempty"` + // The JSON data returned by the write operation. + // Only fields set in write_fields are present in the JSON data. // JSON data returned by write operation WriteDataJSON *string `json:"writeDataJson,omitempty" tf:"write_data_json,omitempty"` + // . A list of fields that should be returned + // in write_data_json and write_data. If omitted, data returned by + // the write operation is not available to the resource or included in + // state. 
This helps to avoid accidental storage of sensitive values in + // state. Some endpoints, such as many dynamic secrets endpoints, return + // data from writing to an endpoint rather than reading it. You should + // use write_fields if you need information returned in this way. // Top-level fields returned by write to persist in state WriteFields []*string `json:"writeFields,omitempty" tf:"write_fields,omitempty"` } type EndpointParameters struct { + // String containing a JSON-encoded object that will be + // written to the given path as the secret data. // JSON-encoded data to write. // +kubebuilder:validation:Optional DataJSONSecretRef v1.SecretKeySelector `json:"dataJsonSecretRef" tf:"-"` + // True/false. Set this to true if your + // vault authentication is not able to delete the data or if the endpoint + // does not support the DELETE method. Defaults to false. // Don't attempt to delete the path from Vault if true // +kubebuilder:validation:Optional DisableDelete *bool `json:"disableDelete,omitempty" tf:"disable_delete,omitempty"` + // True/false. Set this to true if your vault + // authentication is not able to read the data or if the endpoint does + // not support the GET method. Setting this to true will break drift + // detection. You should set this to true for endpoints that are + // write-only. Defaults to false. // Don't attempt to read the path from Vault if true; drift won't be detected // +kubebuilder:validation:Optional DisableRead *bool `json:"disableRead,omitempty" tf:"disable_read,omitempty"` + // True/false. If set to true, + // ignore any fields present when the endpoint is read but that were not + // in data_json. Also, if a field that was written is not returned when + // the endpoint is read, treat that field as being up to date. You should + // set this to true when writing to endpoint that, when read, returns a + // different set of fields from the ones you wrote, as is common with + // many configuration endpoints. Defaults to false. 
// When reading, disregard fields not present in data_json // +kubebuilder:validation:Optional IgnoreAbsentFields *bool `json:"ignoreAbsentFields,omitempty" tf:"ignore_absent_fields,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The full logical path at which to write the given + // data. Consult each backend's documentation to see which endpoints + // support the PUT methods and to determine whether they also support + // DELETE and GET. // Full path where to the endpoint that will be written // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` + // . A list of fields that should be returned + // in write_data_json and write_data. If omitted, data returned by + // the write operation is not available to the resource or included in + // state. This helps to avoid accidental storage of sensitive values in + // state. Some endpoints, such as many dynamic secrets endpoints, return + // data from writing to an endpoint rather than reading it. You should + // use write_fields if you need information returned in this way. // Top-level fields returned by write to persist in state // +kubebuilder:validation:Optional WriteFields []*string `json:"writeFields,omitempty" tf:"write_fields,omitempty"` 
@@ -77,6 +197,18 @@ type EndpointParameters struct { type EndpointSpec struct { v1.ResourceSpec `json:",inline"` ForProvider EndpointParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider EndpointInitParameters `json:"initProvider,omitempty"` } // EndpointStatus defines the observed state of Endpoint. @@ -87,7 +219,7 @@ type EndpointStatus struct { // +kubebuilder:object:root=true -// Endpoint is the Schema for the Endpoints API. +// Endpoint is the Schema for the Endpoints API. Writes arbitrary data to a given path in Vault // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -97,8 +229,8 @@ type EndpointStatus struct { type Endpoint struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dataJsonSecretRef)",message="dataJsonSecretRef is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path)",message="path is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.dataJsonSecretRef)",message="dataJsonSecretRef is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter" Spec EndpointSpec `json:"spec"` Status EndpointStatus `json:"status,omitempty"` } diff --git a/apis/generic/v1alpha1/zz_generated.deepcopy.go b/apis/generic/v1alpha1/zz_generated.deepcopy.go index 28c30558..4121291d 100644 --- a/apis/generic/v1alpha1/zz_generated.deepcopy.go +++ b/apis/generic/v1alpha1/zz_generated.deepcopy.go 
@@ -40,6 +40,57 @@ func (in *Endpoint) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *EndpointInitParameters) DeepCopyInto(out *EndpointInitParameters) { + *out = *in + if in.DisableDelete != nil { + in, out := &in.DisableDelete, &out.DisableDelete + *out = new(bool) + **out = **in + } + if in.DisableRead != nil { + in, out := &in.DisableRead, &out.DisableRead + *out = new(bool) + **out = **in + } + if in.IgnoreAbsentFields != nil { + in, out := &in.IgnoreAbsentFields, &out.IgnoreAbsentFields + *out = new(bool) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = **in + } + if in.WriteFields != nil { + in, out := &in.WriteFields, &out.WriteFields + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointInitParameters. +func (in *EndpointInitParameters) DeepCopy() *EndpointInitParameters { + if in == nil { + return nil + } + out := new(EndpointInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *EndpointList) DeepCopyInto(out *EndpointList) { *out = *in @@ -205,6 +256,7 @@ func (in *EndpointSpec) DeepCopyInto(out *EndpointSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointSpec. 
@@ -261,6 +313,41 @@ func (in *Secret) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretInitParameters) DeepCopyInto(out *SecretInitParameters) { + *out = *in + if in.DeleteAllVersions != nil { + in, out := &in.DeleteAllVersions, &out.DeleteAllVersions + *out = new(bool) + **out = **in + } + if in.DisableRead != nil { + in, out := &in.DisableRead, &out.DisableRead + *out = new(bool) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretInitParameters. +func (in *SecretInitParameters) DeepCopy() *SecretInitParameters { + if in == nil { + return nil + } + out := new(SecretInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretList) DeepCopyInto(out *SecretList) { *out = *in @@ -374,6 +461,7 @@ func (in *SecretSpec) DeepCopyInto(out *SecretSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretSpec. diff --git a/apis/generic/v1alpha1/zz_generated.managed.go b/apis/generic/v1alpha1/zz_generated.managed.go index 858f759d..8a98897d 100644 --- a/apis/generic/v1alpha1/zz_generated.managed.go +++ b/apis/generic/v1alpha1/zz_generated.managed.go 
@@ -17,9 +17,9 @@ func (mg *Endpoint) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
-// GetManagementPolicy of this Endpoint.
-func (mg *Endpoint) GetManagementPolicy() xpv1.ManagementPolicy {
-	return mg.Spec.ManagementPolicy
+// GetManagementPolicies of this Endpoint.
+func (mg *Endpoint) GetManagementPolicies() xpv1.ManagementPolicies {
+	return mg.Spec.ManagementPolicies
 }
 
 // GetProviderConfigReference of this Endpoint.
@@ -55,9 +55,9 @@ func (mg *Endpoint) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
-// SetManagementPolicy of this Endpoint.
-func (mg *Endpoint) SetManagementPolicy(r xpv1.ManagementPolicy) {
-	mg.Spec.ManagementPolicy = r
+// SetManagementPolicies of this Endpoint.
+func (mg *Endpoint) SetManagementPolicies(r xpv1.ManagementPolicies) {
+	mg.Spec.ManagementPolicies = r
 }
 
 // SetProviderConfigReference of this Endpoint.
@@ -93,9 +93,9 @@ func (mg *Secret) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
-// GetManagementPolicy of this Secret.
-func (mg *Secret) GetManagementPolicy() xpv1.ManagementPolicy {
-	return mg.Spec.ManagementPolicy
+// GetManagementPolicies of this Secret.
+func (mg *Secret) GetManagementPolicies() xpv1.ManagementPolicies {
+	return mg.Spec.ManagementPolicies
 }
 
 // GetProviderConfigReference of this Secret.
@@ -131,9 +131,9 @@ func (mg *Secret) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
-// SetManagementPolicy of this Secret.
-func (mg *Secret) SetManagementPolicy(r xpv1.ManagementPolicy) {
-	mg.Spec.ManagementPolicy = r
+// SetManagementPolicies of this Secret.
+func (mg *Secret) SetManagementPolicies(r xpv1.ManagementPolicies) {
+	mg.Spec.ManagementPolicies = r
 }
 
 // SetProviderConfigReference of this Secret.
diff --git a/apis/generic/v1alpha1/zz_generated_terraformed.go b/apis/generic/v1alpha1/zz_generated_terraformed.go
index e186d7a1..6cad01ac 100755
--- a/apis/generic/v1alpha1/zz_generated_terraformed.go
+++ b/apis/generic/v1alpha1/zz_generated_terraformed.go
@@ -69,6 +69,16 @@ func (tr *Endpoint) SetParameters(params map[string]any) error {
 	return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider)
 }
 
+// GetInitParameters of this Endpoint
+func (tr *Endpoint) GetInitParameters() (map[string]any, error) {
+	p, err := json.TFParser.Marshal(tr.Spec.InitProvider)
+	if err != nil {
+		return nil, err
+	}
+	base := map[string]any{}
+	return base, json.TFParser.Unmarshal(p, &base)
+}
+
 // LateInitialize this Endpoint using its observed tfState.
 // returns True if there are any spec changes for the resource.
 func (tr *Endpoint) LateInitialize(attrs []byte) (bool, error) {
@@ -143,6 +153,16 @@ func (tr *Secret) SetParameters(params map[string]any) error {
 	return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider)
 }
 
+// GetInitParameters of this Secret
+func (tr *Secret) GetInitParameters() (map[string]any, error) {
+	p, err := json.TFParser.Marshal(tr.Spec.InitProvider)
+	if err != nil {
+		return nil, err
+	}
+	base := map[string]any{}
+	return base, json.TFParser.Unmarshal(p, &base)
+}
+
 // LateInitialize this Secret using its observed tfState.
 // returns True if there are any spec changes for the resource.
 func (tr *Secret) LateInitialize(attrs []byte) (bool, error) {
diff --git a/apis/generic/v1alpha1/zz_secret_types.go b/apis/generic/v1alpha1/zz_secret_types.go
index a0c98f52..70ca47b6 100755
--- a/apis/generic/v1alpha1/zz_secret_types.go
+++ b/apis/generic/v1alpha1/zz_secret_types.go
@@ -13,41 +13,106 @@ import (
 	v1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 )
 
+type SecretInitParameters struct {
+
+	// true/false. Only applicable for kv-v2 stores.
+	// If set to true, permanently deletes all versions for
+	// the specified key. The default behavior is to only delete the latest version of the
+	// secret.
+	// Only applicable for kv-v2 stores. If set, permanently deletes all versions for the specified key.
+	DeleteAllVersions *bool `json:"deleteAllVersions,omitempty" tf:"delete_all_versions,omitempty"`
+
+	// true/false. Set this to true if your vault
+	// authentication is not able to read the data. Setting this to true will
+	// break drift detection. Defaults to false.
+	// Don't attempt to read the token from Vault if true; drift won't be detected.
+	DisableRead *bool `json:"disableRead,omitempty" tf:"disable_read,omitempty"`
+
+	// The namespace to provision the resource in.
+	// The value should not contain leading or trailing forward slashes.
+	// The namespace is always relative to the provider's configured namespace.
+	// Available only for Vault Enterprise.
+	// Target namespace. (requires Enterprise)
+	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+
+	// The full logical path at which to write the given data.
+	// To write data into the "generic" secret backend mounted in Vault by default,
+	// this should be prefixed with secret/. Writing to other backends with this
+	// resource is possible; consult each backend's documentation to see which
+	// endpoints support the PUT and DELETE methods.
+	// Full path where the generic secret will be written.
+	Path *string `json:"path,omitempty" tf:"path,omitempty"`
+}
+
 type SecretObservation struct {
 
+	// true/false. Only applicable for kv-v2 stores.
+	// If set to true, permanently deletes all versions for
+	// the specified key. The default behavior is to only delete the latest version of the
+	// secret.
 	// Only applicable for kv-v2 stores. If set, permanently deletes all versions for the specified key.
 	DeleteAllVersions *bool `json:"deleteAllVersions,omitempty" tf:"delete_all_versions,omitempty"`
 
+	// true/false. Set this to true if your vault
+	// authentication is not able to read the data. Setting this to true will
+	// break drift detection. Defaults to false.
 	// Don't attempt to read the token from Vault if true; drift won't be detected.
 	DisableRead *bool `json:"disableRead,omitempty" tf:"disable_read,omitempty"`
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The namespace to provision the resource in.
+	// The value should not contain leading or trailing forward slashes.
+	// The namespace is always relative to the provider's configured namespace.
+	// Available only for Vault Enterprise.
 	// Target namespace. (requires Enterprise)
 	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
 
+	// The full logical path at which to write the given data.
+	// To write data into the "generic" secret backend mounted in Vault by default,
+	// this should be prefixed with secret/. Writing to other backends with this
+	// resource is possible; consult each backend's documentation to see which
+	// endpoints support the PUT and DELETE methods.
 	// Full path where the generic secret will be written.
 	Path *string `json:"path,omitempty" tf:"path,omitempty"`
 }
 
 type SecretParameters struct {
 
+	// String containing a JSON-encoded object that will be
+	// written as the secret data at the given path.
 	// JSON-encoded secret data to write.
 	// +kubebuilder:validation:Optional
 	DataJSONSecretRef v1.SecretKeySelector `json:"dataJsonSecretRef" tf:"-"`
 
+	// true/false. Only applicable for kv-v2 stores.
+	// If set to true, permanently deletes all versions for
+	// the specified key. The default behavior is to only delete the latest version of the
+	// secret.
 	// Only applicable for kv-v2 stores. If set, permanently deletes all versions for the specified key.
 	// +kubebuilder:validation:Optional
 	DeleteAllVersions *bool `json:"deleteAllVersions,omitempty" tf:"delete_all_versions,omitempty"`
 
+	// true/false. Set this to true if your vault
+	// authentication is not able to read the data. Setting this to true will
+	// break drift detection. Defaults to false.
 	// Don't attempt to read the token from Vault if true; drift won't be detected.
 	// +kubebuilder:validation:Optional
 	DisableRead *bool `json:"disableRead,omitempty" tf:"disable_read,omitempty"`
 
+	// The namespace to provision the resource in.
+	// The value should not contain leading or trailing forward slashes.
+	// The namespace is always relative to the provider's configured namespace.
+	// Available only for Vault Enterprise.
 	// Target namespace. (requires Enterprise)
 	// +kubebuilder:validation:Optional
 	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
 
+	// The full logical path at which to write the given data.
+	// To write data into the "generic" secret backend mounted in Vault by default,
+	// this should be prefixed with secret/. Writing to other backends with this
+	// resource is possible; consult each backend's documentation to see which
+	// endpoints support the PUT and DELETE methods.
 	// Full path where the generic secret will be written.
 	// +kubebuilder:validation:Optional
 	Path *string `json:"path,omitempty" tf:"path,omitempty"`
@@ -57,6 +122,18 @@ type SecretParameters struct {
 type SecretSpec struct {
 	v1.ResourceSpec `json:",inline"`
 	ForProvider SecretParameters `json:"forProvider"`
+	// THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored
+	// unless the relevant Crossplane feature flag is enabled, and may be
+	// changed or removed without notice.
+	// InitProvider holds the same fields as ForProvider, with the exception
+	// of Identifier and other resource reference fields. The fields that are
+	// in InitProvider are merged into ForProvider when the resource is created.
+	// The same fields are also added to the terraform ignore_changes hook, to
+	// avoid updating them after creation. This is useful for fields that are
+	// required on creation, but we do not desire to update them after creation,
+	// for example because of an external controller is managing them, like an
+	// autoscaler.
+	InitProvider SecretInitParameters `json:"initProvider,omitempty"`
 }
 
 // SecretStatus defines the observed state of Secret.
@@ -67,7 +144,7 @@ type SecretStatus struct {
 
 // +kubebuilder:object:root=true
 
-// Secret is the Schema for the Secrets API.
+// Secret is the Schema for the Secrets API. Writes arbitrary data to a given path in Vault
 // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status"
 // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status"
 // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name"
@@ -77,8 +154,8 @@ type SecretStatus struct {
 type Secret struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dataJsonSecretRef)",message="dataJsonSecretRef is a required parameter"
-	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path)",message="path is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.dataJsonSecretRef)",message="dataJsonSecretRef is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter"
 	Spec SecretSpec `json:"spec"`
 	Status SecretStatus `json:"status,omitempty"`
 }
diff --git a/apis/github/v1alpha1/zz_authbackend_types.go b/apis/github/v1alpha1/zz_authbackend_types.go
index 66e7728f..223c3849 100755
--- a/apis/github/v1alpha1/zz_authbackend_types.go
+++ b/apis/github/v1alpha1/zz_authbackend_types.go
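Review bot: The new `path` rule selects `has(self.initProvider.path)` without first checking that `initProvider` is present, yet the field is serialized with `omitempty`, so a manifest that omits `initProvider` has no such key at all; in Kubernetes CEL, selecting a field of an absent object key appears to raise a `no such key` evaluation error rather than yield `false`, so a Secret with neither `forProvider.path` nor `initProvider` would likely be rejected with that error instead of the intended "path is a required parameter" message. Guarding the selector keeps the rule total: `|| (has(self.initProvider) && has(self.initProvider.path))`. The AuthBackend `organization` rule in the `@@ -210,7 +476,7 @@` hunk further down has the same shape. Both files look generated, so the change belongs in the template that emits these XValidation markers rather than in the files themselves.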
@@ -13,175 +13,429 @@ import (
 	v1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 )
 
+type AuthBackendInitParameters struct {
+
+	// The API endpoint to use. Useful if you
+	// are running GitHub Enterprise or an API-compatible authentication server.
+	// The API endpoint to use. Useful if you are running GitHub Enterprise or an API-compatible authentication server.
+	BaseURL *string `json:"baseUrl,omitempty" tf:"base_url,omitempty"`
+
+	// Specifies the description of the mount.
+	// This overrides the current stored value, if any.
+	// Specifies the description of the mount. This overrides the current stored value, if any.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// If set, opts out of mount migration on path updates.
+	// See here for more info on Mount Migration
+	// If set, opts out of mount migration on path updates.
+	DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"`
+
+	// The namespace to provision the resource in.
+	// The value should not contain leading or trailing forward slashes.
+	// The namespace is always relative to the provider's configured namespace.
+	// Available only for Vault Enterprise.
+	// Target namespace. (requires Enterprise)
+	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+
+	// The organization configured users must be part of.
+	// The organization users must be part of.
+	Organization *string `json:"organization,omitempty" tf:"organization,omitempty"`
+
+	// The ID of the organization users must be part of.
+	// Vault will attempt to fetch and set this value if it is not provided. (Vault 1.10+)
+	// The ID of the organization users must be part of. Vault will attempt to fetch and set this value if it is not provided (vault-1.10+)
+	OrganizationID *float64 `json:"organizationId,omitempty" tf:"organization_id,omitempty"`
+
+	// Path where the auth backend is mounted. Defaults to auth/github
+	// if not specified.
+	// Path where the auth backend is mounted
+	Path *string `json:"path,omitempty" tf:"path,omitempty"`
+
+	// List of CIDR blocks; if set, specifies blocks of IP
+	// addresses which can authenticate successfully, and ties the resulting token to these blocks
+	// as well.
+	// Specifies the blocks of IP addresses which are allowed to use the generated token
+	TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"`
+
+	// If set, will encode an
+	// explicit max TTL
+	// onto the token in number of seconds. This is a hard cap even if token_ttl and
+	// token_max_ttl would otherwise allow a renewal.
+	// Generated Token's Explicit Maximum TTL in seconds
+	TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"`
+
+	// The maximum lifetime for generated tokens in number of seconds.
+	// Its current value will be referenced at renewal time.
+	// The maximum lifetime of the generated token
+	TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"`
+
+	// If set, the default policy will not be set on
+	// generated tokens; otherwise it will be added to the policies set in token_policies.
+	// If true, the 'default' policy will not automatically be added to generated tokens
+	TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"`
+
+	// The maximum number
+	// of times a generated token may be used (within its lifetime); 0 means unlimited.
+	// The maximum number of times a token may be used, a value of zero means unlimited
+	TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"`
+
+	// If set, indicates that the
+	// token generated using this role should never expire. The token should be renewed within the
+	// duration specified by this value. At each renewal, the token's TTL will be set to the
+	// value of this field. Specified in seconds.
+	// Generated Token's Period
+	TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"`
+
+	// List of policies to encode onto generated tokens. Depending
+	// on the auth method, this list may be supplemented by user/group/other values.
+	// Generated Token's Policies
+	TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"`
+
+	// The incremental lifetime for generated tokens in number of seconds.
+	// Its current value will be referenced at renewal time.
+	// The initial ttl of the token to generate in seconds
+	TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"`
+
+	// The type of token that should be generated. Can be service,
+	// batch, or default to use the mount's tuned default (which unless changed will be
+	// service tokens). For token store roles, there are two additional possibilities:
+	// default-service and default-batch which specify the type to return unless the client
+	// requests a different type at generation time.
+	// The type of token to generate, service or batch
+	TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"`
+
+	// Extra configuration block. Structure is documented below.
+	Tune []TuneInitParameters `json:"tune,omitempty" tf:"tune,omitempty"`
+}
+
 type AuthBackendObservation struct {
 
+	// The mount accessor related to the auth mount. It is useful for integration with Identity Secrets Engine.
 	// The mount accessor related to the auth mount.
 	Accessor *string `json:"accessor,omitempty" tf:"accessor,omitempty"`
 
+	// The API endpoint to use. Useful if you
+	// are running GitHub Enterprise or an API-compatible authentication server.
 	// The API endpoint to use. Useful if you are running GitHub Enterprise or an API-compatible authentication server.
 	BaseURL *string `json:"baseUrl,omitempty" tf:"base_url,omitempty"`
 
+	// Specifies the description of the mount.
+	// This overrides the current stored value, if any.
 	// Specifies the description of the mount. This overrides the current stored value, if any.
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
+	// If set, opts out of mount migration on path updates.
+	// See here for more info on Mount Migration
 	// If set, opts out of mount migration on path updates.
 	DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"`
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The namespace to provision the resource in.
+	// The value should not contain leading or trailing forward slashes.
+	// The namespace is always relative to the provider's configured namespace.
+	// Available only for Vault Enterprise.
 	// Target namespace. (requires Enterprise)
 	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
 
+	// The organization configured users must be part of.
 	// The organization users must be part of.
 	Organization *string `json:"organization,omitempty" tf:"organization,omitempty"`
 
+	// The ID of the organization users must be part of.
+	// Vault will attempt to fetch and set this value if it is not provided. (Vault 1.10+)
 	// The ID of the organization users must be part of. Vault will attempt to fetch and set this value if it is not provided (vault-1.10+)
 	OrganizationID *float64 `json:"organizationId,omitempty" tf:"organization_id,omitempty"`
 
+	// Path where the auth backend is mounted. Defaults to auth/github
+	// if not specified.
 	// Path where the auth backend is mounted
 	Path *string `json:"path,omitempty" tf:"path,omitempty"`
 
+	// List of CIDR blocks; if set, specifies blocks of IP
+	// addresses which can authenticate successfully, and ties the resulting token to these blocks
+	// as well.
 	// Specifies the blocks of IP addresses which are allowed to use the generated token
 	TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"`
 
+	// If set, will encode an
+	// explicit max TTL
+	// onto the token in number of seconds. This is a hard cap even if token_ttl and
+	// token_max_ttl would otherwise allow a renewal.
 	// Generated Token's Explicit Maximum TTL in seconds
 	TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"`
 
+	// The maximum lifetime for generated tokens in number of seconds.
+	// Its current value will be referenced at renewal time.
 	// The maximum lifetime of the generated token
 	TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"`
 
+	// If set, the default policy will not be set on
+	// generated tokens; otherwise it will be added to the policies set in token_policies.
 	// If true, the 'default' policy will not automatically be added to generated tokens
 	TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"`
 
+	// The maximum number
+	// of times a generated token may be used (within its lifetime); 0 means unlimited.
 	// The maximum number of times a token may be used, a value of zero means unlimited
 	TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"`
 
+	// If set, indicates that the
+	// token generated using this role should never expire. The token should be renewed within the
+	// duration specified by this value. At each renewal, the token's TTL will be set to the
+	// value of this field. Specified in seconds.
 	// Generated Token's Period
 	TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"`
 
+	// List of policies to encode onto generated tokens. Depending
+	// on the auth method, this list may be supplemented by user/group/other values.
 	// Generated Token's Policies
 	TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"`
 
+	// The incremental lifetime for generated tokens in number of seconds.
+	// Its current value will be referenced at renewal time.
 	// The initial ttl of the token to generate in seconds
 	TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"`
 
+	// The type of token that should be generated. Can be service,
+	// batch, or default to use the mount's tuned default (which unless changed will be
+	// service tokens). For token store roles, there are two additional possibilities:
+	// default-service and default-batch which specify the type to return unless the client
+	// requests a different type at generation time.
 	// The type of token to generate, service or batch
 	TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"`
 
+	// Extra configuration block. Structure is documented below.
 	Tune []TuneObservation `json:"tune,omitempty" tf:"tune,omitempty"`
 }
 
 type AuthBackendParameters struct {
 
+	// The API endpoint to use. Useful if you
+	// are running GitHub Enterprise or an API-compatible authentication server.
 	// The API endpoint to use. Useful if you are running GitHub Enterprise or an API-compatible authentication server.
 	// +kubebuilder:validation:Optional
 	BaseURL *string `json:"baseUrl,omitempty" tf:"base_url,omitempty"`
 
+	// Specifies the description of the mount.
+	// This overrides the current stored value, if any.
 	// Specifies the description of the mount. This overrides the current stored value, if any.
 	// +kubebuilder:validation:Optional
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
+	// If set, opts out of mount migration on path updates.
+	// See here for more info on Mount Migration
 	// If set, opts out of mount migration on path updates.
 	// +kubebuilder:validation:Optional
 	DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"`
 
+	// The namespace to provision the resource in.
+	// The value should not contain leading or trailing forward slashes.
+	// The namespace is always relative to the provider's configured namespace.
+	// Available only for Vault Enterprise.
 	// Target namespace. (requires Enterprise)
 	// +kubebuilder:validation:Optional
 	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
 
+	// The organization configured users must be part of.
 	// The organization users must be part of.
 	// +kubebuilder:validation:Optional
 	Organization *string `json:"organization,omitempty" tf:"organization,omitempty"`
 
+	// The ID of the organization users must be part of.
+	// Vault will attempt to fetch and set this value if it is not provided. (Vault 1.10+)
 	// The ID of the organization users must be part of. Vault will attempt to fetch and set this value if it is not provided (vault-1.10+)
 	// +kubebuilder:validation:Optional
 	OrganizationID *float64 `json:"organizationId,omitempty" tf:"organization_id,omitempty"`
 
+	// Path where the auth backend is mounted. Defaults to auth/github
+	// if not specified.
 	// Path where the auth backend is mounted
 	// +kubebuilder:validation:Optional
 	Path *string `json:"path,omitempty" tf:"path,omitempty"`
 
+	// List of CIDR blocks; if set, specifies blocks of IP
+	// addresses which can authenticate successfully, and ties the resulting token to these blocks
+	// as well.
 	// Specifies the blocks of IP addresses which are allowed to use the generated token
 	// +kubebuilder:validation:Optional
 	TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"`
 
+	// If set, will encode an
+	// explicit max TTL
+	// onto the token in number of seconds. This is a hard cap even if token_ttl and
+	// token_max_ttl would otherwise allow a renewal.
 	// Generated Token's Explicit Maximum TTL in seconds
 	// +kubebuilder:validation:Optional
 	TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"`
 
+	// The maximum lifetime for generated tokens in number of seconds.
+	// Its current value will be referenced at renewal time.
 	// The maximum lifetime of the generated token
 	// +kubebuilder:validation:Optional
 	TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"`
 
+	// If set, the default policy will not be set on
+	// generated tokens; otherwise it will be added to the policies set in token_policies.
 	// If true, the 'default' policy will not automatically be added to generated tokens
 	// +kubebuilder:validation:Optional
 	TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"`
 
+	// The maximum number
+	// of times a generated token may be used (within its lifetime); 0 means unlimited.
 	// The maximum number of times a token may be used, a value of zero means unlimited
 	// +kubebuilder:validation:Optional
 	TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"`
 
+	// If set, indicates that the
+	// token generated using this role should never expire. The token should be renewed within the
+	// duration specified by this value. At each renewal, the token's TTL will be set to the
+	// value of this field. Specified in seconds.
 	// Generated Token's Period
 	// +kubebuilder:validation:Optional
 	TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"`
 
+	// List of policies to encode onto generated tokens. Depending
+	// on the auth method, this list may be supplemented by user/group/other values.
 	// Generated Token's Policies
 	// +kubebuilder:validation:Optional
 	TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"`
 
+	// The incremental lifetime for generated tokens in number of seconds.
+	// Its current value will be referenced at renewal time.
 	// The initial ttl of the token to generate in seconds
 	// +kubebuilder:validation:Optional
 	TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"`
 
+	// The type of token that should be generated. Can be service,
+	// batch, or default to use the mount's tuned default (which unless changed will be
+	// service tokens). For token store roles, there are two additional possibilities:
+	// default-service and default-batch which specify the type to return unless the client
+	// requests a different type at generation time.
 	// The type of token to generate, service or batch
 	// +kubebuilder:validation:Optional
 	TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"`
 
+	// Extra configuration block. Structure is documented below.
 	// +kubebuilder:validation:Optional
 	Tune []TuneParameters `json:"tune,omitempty" tf:"tune,omitempty"`
 }
 
+type TuneInitParameters struct {
+
+	// List of headers to whitelist and allowing
+	// a plugin to include them in the response.
+	AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers"`
+
+	// Specifies the list of keys that will
+	// not be HMAC'd by audit devices in the request data object.
+	AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys"`
+
+	// Specifies the list of keys that will
+	// not be HMAC'd by audit devices in the response data object.
+	AuditNonHMACResponseKeys []*string `json:"auditNonHmacResponseKeys,omitempty" tf:"audit_non_hmac_response_keys"`
+
+	// Specifies the default time-to-live.
+	// If set, this overrides the global default.
+	// Must be a valid duration string
+	DefaultLeaseTTL *string `json:"defaultLeaseTtl,omitempty" tf:"default_lease_ttl"`
+
+	// Specifies whether to show this mount in
+	// the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
+	ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility"`
+
+	// Specifies the maximum time-to-live.
+	// If set, this overrides the global default.
+	// Must be a valid duration string
+	MaxLeaseTTL *string `json:"maxLeaseTtl,omitempty" tf:"max_lease_ttl"`
+
+	// List of headers to whitelist and
+	// pass from the request to the backend.
+	PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers"`
+
+	// Specifies the type of tokens that should be returned by
+	// the mount. Valid values are "default-service", "default-batch", "service", "batch".
+	TokenType *string `json:"tokenType,omitempty" tf:"token_type"`
+}
+
 type TuneObservation struct {
+
+	// List of headers to whitelist and allowing
+	// a plugin to include them in the response.
 	AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers,omitempty"`
 
+	// Specifies the list of keys that will
+	// not be HMAC'd by audit devices in the request data object.
 	AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys,omitempty"`
 
+	// Specifies the list of keys that will
+	// not be HMAC'd by audit devices in the response data object.
 	AuditNonHMACResponseKeys []*string `json:"auditNonHmacResponseKeys,omitempty" tf:"audit_non_hmac_response_keys,omitempty"`
 
+	// Specifies the default time-to-live.
+	// If set, this overrides the global default.
+	// Must be a valid duration string
 	DefaultLeaseTTL *string `json:"defaultLeaseTtl,omitempty" tf:"default_lease_ttl,omitempty"`
 
+	// Specifies whether to show this mount in
+	// the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
 	ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility,omitempty"`
 
+	// Specifies the maximum time-to-live.
+	// If set, this overrides the global default.
+	// Must be a valid duration string
 	MaxLeaseTTL *string `json:"maxLeaseTtl,omitempty" tf:"max_lease_ttl,omitempty"`
 
+	// List of headers to whitelist and
+	// pass from the request to the backend.
 	PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers,omitempty"`
 
+	// Specifies the type of tokens that should be returned by
+	// the mount. Valid values are "default-service", "default-batch", "service", "batch".
 	TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"`
 }
 
 type TuneParameters struct {
 
+	// List of headers to whitelist and allowing
+	// a plugin to include them in the response.
 	// +kubebuilder:validation:Optional
 	AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers"`
 
+	// Specifies the list of keys that will
+	// not be HMAC'd by audit devices in the request data object.
 	// +kubebuilder:validation:Optional
 	AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys"`
 
+	// Specifies the list of keys that will
+	// not be HMAC'd by audit devices in the response data object.
 	// +kubebuilder:validation:Optional
 	AuditNonHMACResponseKeys []*string `json:"auditNonHmacResponseKeys,omitempty" tf:"audit_non_hmac_response_keys"`
 
+	// Specifies the default time-to-live.
+	// If set, this overrides the global default.
+	// Must be a valid duration string
 	// +kubebuilder:validation:Optional
 	DefaultLeaseTTL *string `json:"defaultLeaseTtl,omitempty" tf:"default_lease_ttl"`
 
+	// Specifies whether to show this mount in
+	// the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
 	// +kubebuilder:validation:Optional
 	ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility"`
 
+	// Specifies the maximum time-to-live.
+	// If set, this overrides the global default.
+	// Must be a valid duration string
 	// +kubebuilder:validation:Optional
 	MaxLeaseTTL *string `json:"maxLeaseTtl,omitempty" tf:"max_lease_ttl"`
 
+	// List of headers to whitelist and
+	// pass from the request to the backend.
 	// +kubebuilder:validation:Optional
 	PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers"`
 
+	// Specifies the type of tokens that should be returned by
+	// the mount. Valid values are "default-service", "default-batch", "service", "batch".
 	// +kubebuilder:validation:Optional
 	TokenType *string `json:"tokenType,omitempty" tf:"token_type"`
 }
@@ -190,6 +444,18 @@ type TuneParameters struct {
 type AuthBackendSpec struct {
 	v1.ResourceSpec `json:",inline"`
 	ForProvider AuthBackendParameters `json:"forProvider"`
+	// THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored
+	// unless the relevant Crossplane feature flag is enabled, and may be
+	// changed or removed without notice.
+	// InitProvider holds the same fields as ForProvider, with the exception
+	// of Identifier and other resource reference fields. The fields that are
+	// in InitProvider are merged into ForProvider when the resource is created.
+	// The same fields are also added to the terraform ignore_changes hook, to
+	// avoid updating them after creation. This is useful for fields that are
+	// required on creation, but we do not desire to update them after creation,
+	// for example because of an external controller is managing them, like an
+	// autoscaler.
+	InitProvider AuthBackendInitParameters `json:"initProvider,omitempty"`
 }
 
 // AuthBackendStatus defines the observed state of AuthBackend.
@@ -200,7 +466,7 @@ type AuthBackendStatus struct { // +kubebuilder:object:root=true -// AuthBackend is the Schema for the AuthBackends API. +// AuthBackend is the Schema for the AuthBackends API. Manages GitHub Auth mounts in Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" @@ -210,7 +476,7 @@ type AuthBackendStatus struct { type AuthBackend struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.organization)",message="organization is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.organization) || has(self.initProvider.organization)",message="organization is a required parameter" Spec AuthBackendSpec `json:"spec"` Status AuthBackendStatus `json:"status,omitempty"` } diff --git a/apis/github/v1alpha1/zz_generated.deepcopy.go b/apis/github/v1alpha1/zz_generated.deepcopy.go index defb5a65..49d66b3b 100644 --- a/apis/github/v1alpha1/zz_generated.deepcopy.go +++ b/apis/github/v1alpha1/zz_generated.deepcopy.go 
@@ -40,6 +40,120 @@ func (in *AuthBackend) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendInitParameters) DeepCopyInto(out *AuthBackendInitParameters) { + *out = *in + if in.BaseURL != nil { + in, out := &in.BaseURL, &out.BaseURL + *out = new(string) + **out = **in + } + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.DisableRemount != nil { + in, out := &in.DisableRemount, &out.DisableRemount + *out = new(bool) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Organization != nil { + in, out := &in.Organization, &out.Organization + *out = new(string) + **out = **in + } + if in.OrganizationID != nil { + in, out := &in.OrganizationID, &out.OrganizationID + *out = new(float64) + **out = **in + } + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = **in + } + if in.TokenBoundCidrs != nil { + in, out := &in.TokenBoundCidrs, &out.TokenBoundCidrs + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenExplicitMaxTTL != nil { + in, out := &in.TokenExplicitMaxTTL, &out.TokenExplicitMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenMaxTTL != nil { + in, out := &in.TokenMaxTTL, &out.TokenMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenNoDefaultPolicy != nil { + in, out := &in.TokenNoDefaultPolicy, &out.TokenNoDefaultPolicy + *out = new(bool) + **out = **in + } + if in.TokenNumUses != nil { + in, out := &in.TokenNumUses, &out.TokenNumUses + *out = new(float64) + **out = **in + } + if in.TokenPeriod != nil { + in, out := &in.TokenPeriod, &out.TokenPeriod + *out = new(float64) + **out = **in + } + if 
in.TokenPolicies != nil { + in, out := &in.TokenPolicies, &out.TokenPolicies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenTTL != nil { + in, out := &in.TokenTTL, &out.TokenTTL + *out = new(float64) + **out = **in + } + if in.TokenType != nil { + in, out := &in.TokenType, &out.TokenType + *out = new(string) + **out = **in + } + if in.Tune != nil { + in, out := &in.Tune, &out.Tune + *out = make([]TuneInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendInitParameters. +func (in *AuthBackendInitParameters) DeepCopy() *AuthBackendInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthBackendList) DeepCopyInto(out *AuthBackendList) { *out = *in @@ -315,6 +429,7 @@ func (in *AuthBackendSpec) DeepCopyInto(out *AuthBackendSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendSpec. 
@@ -371,6 +486,47 @@ func (in *Team) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TeamInitParameters) DeepCopyInto(out *TeamInitParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Policies != nil { + in, out := &in.Policies, &out.Policies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Team != nil { + in, out := &in.Team, &out.Team + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TeamInitParameters. +func (in *TeamInitParameters) DeepCopy() *TeamInitParameters { + if in == nil { + return nil + } + out := new(TeamInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TeamList) DeepCopyInto(out *TeamList) { *out = *in @@ -495,6 +651,7 @@ func (in *TeamSpec) DeepCopyInto(out *TeamSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TeamSpec. 
@@ -524,6 +681,85 @@ func (in *TeamStatus) DeepCopy() *TeamStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TuneInitParameters) DeepCopyInto(out *TuneInitParameters) { + *out = *in + if in.AllowedResponseHeaders != nil { + in, out := &in.AllowedResponseHeaders, &out.AllowedResponseHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.AuditNonHMACRequestKeys != nil { + in, out := &in.AuditNonHMACRequestKeys, &out.AuditNonHMACRequestKeys + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.AuditNonHMACResponseKeys != nil { + in, out := &in.AuditNonHMACResponseKeys, &out.AuditNonHMACResponseKeys + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.DefaultLeaseTTL != nil { + in, out := &in.DefaultLeaseTTL, &out.DefaultLeaseTTL + *out = new(string) + **out = **in + } + if in.ListingVisibility != nil { + in, out := &in.ListingVisibility, &out.ListingVisibility + *out = new(string) + **out = **in + } + if in.MaxLeaseTTL != nil { + in, out := &in.MaxLeaseTTL, &out.MaxLeaseTTL + *out = new(string) + **out = **in + } + if in.PassthroughRequestHeaders != nil { + in, out := &in.PassthroughRequestHeaders, &out.PassthroughRequestHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenType != nil { + in, out := &in.TokenType, &out.TokenType + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TuneInitParameters. 
+func (in *TuneInitParameters) DeepCopy() *TuneInitParameters { + if in == nil { + return nil + } + out := new(TuneInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TuneObservation) DeepCopyInto(out *TuneObservation) { *out = *in @@ -709,6 +945,47 @@ func (in *User) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *UserInitParameters) DeepCopyInto(out *UserInitParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Policies != nil { + in, out := &in.Policies, &out.Policies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.User != nil { + in, out := &in.User, &out.User + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserInitParameters. +func (in *UserInitParameters) DeepCopy() *UserInitParameters { + if in == nil { + return nil + } + out := new(UserInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *UserList) DeepCopyInto(out *UserList) { *out = *in @@ -833,6 +1110,7 @@ func (in *UserSpec) DeepCopyInto(out *UserSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserSpec. 
diff --git a/apis/github/v1alpha1/zz_generated.managed.go b/apis/github/v1alpha1/zz_generated.managed.go index f1b5dfa0..611d2586 100644 --- a/apis/github/v1alpha1/zz_generated.managed.go +++ b/apis/github/v1alpha1/zz_generated.managed.go @@ -17,9 +17,9 @@ func (mg *AuthBackend) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this AuthBackend. -func (mg *AuthBackend) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this AuthBackend. +func (mg *AuthBackend) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this AuthBackend. @@ -55,9 +55,9 @@ func (mg *AuthBackend) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this AuthBackend. -func (mg *AuthBackend) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this AuthBackend. +func (mg *AuthBackend) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this AuthBackend. @@ -93,9 +93,9 @@ func (mg *Team) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this Team. -func (mg *Team) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this Team. +func (mg *Team) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this Team. 
@@ -131,9 +131,9 @@ func (mg *Team) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this Team. -func (mg *Team) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this Team. +func (mg *Team) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this Team. @@ -169,9 +169,9 @@ func (mg *User) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this User. -func (mg *User) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this User. +func (mg *User) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this User. @@ -207,9 +207,9 @@ func (mg *User) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this User. -func (mg *User) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this User. +func (mg *User) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this User. diff --git a/apis/github/v1alpha1/zz_generated_terraformed.go b/apis/github/v1alpha1/zz_generated_terraformed.go index 7317fd6d..6816ab07 100755 --- a/apis/github/v1alpha1/zz_generated_terraformed.go +++ b/apis/github/v1alpha1/zz_generated_terraformed.go 
@@ -69,6 +69,16 @@ func (tr *AuthBackend) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this AuthBackend +func (tr *AuthBackend) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this AuthBackend using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackend) LateInitialize(attrs []byte) (bool, error) { @@ -143,6 +153,16 @@ func (tr *Team) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this Team +func (tr *Team) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this Team using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *Team) LateInitialize(attrs []byte) (bool, error) { @@ -217,6 +237,16 @@ func (tr *User) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this User +func (tr *User) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this User using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *User) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/github/v1alpha1/zz_team_types.go b/apis/github/v1alpha1/zz_team_types.go index 9a635575..8b56cc46 100755 --- a/apis/github/v1alpha1/zz_team_types.go 
+++ b/apis/github/v1alpha1/zz_team_types.go @@ -13,16 +13,47 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type TeamInitParameters struct { + + // Path where the github auth backend is mounted. Defaults to github + // if not specified. + // Auth backend to which team mapping will be congigured. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // An array of strings specifying the policies to be set on tokens + // issued using this role. + // Policies to be assigned to this team. + Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` + + // GitHub team name in "slugified" format. + Team *string `json:"team,omitempty" tf:"team,omitempty"` +} + type TeamObservation struct { + // Path where the github auth backend is mounted. Defaults to github + // if not specified. // Auth backend to which team mapping will be congigured. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // An array of strings specifying the policies to be set on tokens + // issued using this role. // Policies to be assigned to this team. Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` 
@@ -32,14 +63,22 @@ type TeamObservation struct { type TeamParameters struct { + // Path where the github auth backend is mounted. Defaults to github + // if not specified. // Auth backend to which team mapping will be congigured. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // An array of strings specifying the policies to be set on tokens + // issued using this role. // Policies to be assigned to this team. // +kubebuilder:validation:Optional Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` @@ -53,6 +92,18 @@ type TeamParameters struct { type TeamSpec struct { v1.ResourceSpec `json:",inline"` ForProvider TeamParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider TeamInitParameters `json:"initProvider,omitempty"` } // TeamStatus defines the observed state of Team. 
@@ -63,7 +114,7 @@ type TeamStatus struct { // +kubebuilder:object:root=true -// Team is the Schema for the Teams API. +// Team is the Schema for the Teams API. Manages Team mappings for Github Auth backend mounts in Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" @@ -73,7 +124,7 @@ type TeamStatus struct { type Team struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.team)",message="team is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.team) || has(self.initProvider.team)",message="team is a required parameter" Spec TeamSpec `json:"spec"` Status TeamStatus `json:"status,omitempty"` } diff --git a/apis/github/v1alpha1/zz_user_types.go b/apis/github/v1alpha1/zz_user_types.go index 1895c52e..bd9a58ba 100755 --- a/apis/github/v1alpha1/zz_user_types.go +++ b/apis/github/v1alpha1/zz_user_types.go 
@@ -13,37 +13,79 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type UserInitParameters struct { + + // Path where the github auth backend is mounted. Defaults to github + // if not specified. + // Auth backend to which user mapping will be congigured. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // An array of strings specifying the policies to be set on tokens issued + // using this role. + // Policies to be assigned to this user. + Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` + + // GitHub user name. + // GitHub user name. + User *string `json:"user,omitempty" tf:"user,omitempty"` +} + type UserObservation struct { + // Path where the github auth backend is mounted. Defaults to github + // if not specified. // Auth backend to which user mapping will be congigured. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // An array of strings specifying the policies to be set on tokens issued + // using this role. // Policies to be assigned to this user. Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` + // GitHub user name. // GitHub user name. 
User *string `json:"user,omitempty" tf:"user,omitempty"` } type UserParameters struct { + // Path where the github auth backend is mounted. Defaults to github + // if not specified. // Auth backend to which user mapping will be congigured. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // An array of strings specifying the policies to be set on tokens issued + // using this role. // Policies to be assigned to this user. // +kubebuilder:validation:Optional Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` + // GitHub user name. // GitHub user name. // +kubebuilder:validation:Optional User *string `json:"user,omitempty" tf:"user,omitempty"` 
@@ -53,6 +95,18 @@ type UserParameters struct { type UserSpec struct { v1.ResourceSpec `json:",inline"` ForProvider UserParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider UserInitParameters `json:"initProvider,omitempty"` } // UserStatus defines the observed state of User. @@ -63,7 +117,7 @@ type UserStatus struct { // +kubebuilder:object:root=true -// User is the Schema for the Users API. +// User is the Schema for the Users API. Manages User mappings for Github Auth backend mounts in Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -73,7 +127,7 @@ type UserStatus struct { type User struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.user)",message="user is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.user) || has(self.initProvider.user)",message="user is a required parameter" Spec UserSpec `json:"spec"` Status UserStatus `json:"status,omitempty"` } diff --git a/apis/identity/v1alpha1/zz_entity_types.go b/apis/identity/v1alpha1/zz_entity_types.go index 9fcb3f6d..4b05d2a9 100755 --- a/apis/identity/v1alpha1/zz_entity_types.go +++ b/apis/identity/v1alpha1/zz_entity_types.go 
@@ -13,51 +13,100 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type EntityInitParameters struct { + + // True/false Is this entity currently disabled. Defaults to false + // Whether the entity is disabled. Disabled entities' associated tokens cannot be used, but are not revoked. + Disabled *bool `json:"disabled,omitempty" tf:"disabled,omitempty"` + + // false by default. If set to true, this resource will ignore any policies return from Vault or specified in the resource. You can use vault_identity_entity_policies to manage policies for this entity in a decoupled manner. + // Manage policies externally through `vault_identity_entity_policies`. + ExternalPolicies *bool `json:"externalPolicies,omitempty" tf:"external_policies,omitempty"` + + // A Map of additional metadata to associate with the user. + // Metadata to be associated with the entity. + Metadata map[string]*string `json:"metadata,omitempty" tf:"metadata,omitempty"` + + // Name of the identity entity to create. + // Name of the entity. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // A list of policies to apply to the entity. + // Policies to be tied to the entity. + Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` +} + type EntityObservation struct { + // True/false Is this entity currently disabled. Defaults to false // Whether the entity is disabled. Disabled entities' associated tokens cannot be used, but are not revoked. Disabled *bool `json:"disabled,omitempty" tf:"disabled,omitempty"` + // false by default. 
If set to true, this resource will ignore any policies return from Vault or specified in the resource. You can use vault_identity_entity_policies to manage policies for this entity in a decoupled manner. // Manage policies externally through `vault_identity_entity_policies`. ExternalPolicies *bool `json:"externalPolicies,omitempty" tf:"external_policies,omitempty"` + // The id of the created entity. ID *string `json:"id,omitempty" tf:"id,omitempty"` + // A Map of additional metadata to associate with the user. // Metadata to be associated with the entity. Metadata map[string]*string `json:"metadata,omitempty" tf:"metadata,omitempty"` + // Name of the identity entity to create. // Name of the entity. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // A list of policies to apply to the entity. // Policies to be tied to the entity. Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` } type EntityParameters struct { + // True/false Is this entity currently disabled. Defaults to false // Whether the entity is disabled. Disabled entities' associated tokens cannot be used, but are not revoked. // +kubebuilder:validation:Optional Disabled *bool `json:"disabled,omitempty" tf:"disabled,omitempty"` + // false by default. If set to true, this resource will ignore any policies return from Vault or specified in the resource. You can use vault_identity_entity_policies to manage policies for this entity in a decoupled manner. // Manage policies externally through `vault_identity_entity_policies`. 
// +kubebuilder:validation:Optional ExternalPolicies *bool `json:"externalPolicies,omitempty" tf:"external_policies,omitempty"` + // A Map of additional metadata to associate with the user. // Metadata to be associated with the entity. // +kubebuilder:validation:Optional Metadata map[string]*string `json:"metadata,omitempty" tf:"metadata,omitempty"` + // Name of the identity entity to create. // Name of the entity. // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // A list of policies to apply to the entity. // Policies to be tied to the entity. // +kubebuilder:validation:Optional Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` 
@@ -67,6 +116,18 @@ type EntityParameters struct { type EntitySpec struct { v1.ResourceSpec `json:",inline"` ForProvider EntityParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider EntityInitParameters `json:"initProvider,omitempty"` } // EntityStatus defines the observed state of Entity. @@ -77,7 +138,7 @@ type EntityStatus struct { // +kubebuilder:object:root=true -// Entity is the Schema for the Entitys API. +// Entity is the Schema for the Entitys API. Creates an Identity Entity for Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" diff --git a/apis/identity/v1alpha1/zz_entityalias_types.go b/apis/identity/v1alpha1/zz_entityalias_types.go index 32023a7a..e4f14a5d 100755 --- a/apis/identity/v1alpha1/zz_entityalias_types.go +++ b/apis/identity/v1alpha1/zz_entityalias_types.go 
@@ -13,28 +13,62 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type EntityAliasInitParameters struct { + + // Entity ID to which this alias belongs to. + // ID of the entity to which this is an alias. + CanonicalID *string `json:"canonicalId,omitempty" tf:"canonical_id,omitempty"` + + // Custom metadata to be associated with this alias. + CustomMetadata map[string]*string `json:"customMetadata,omitempty" tf:"custom_metadata,omitempty"` + + // Accessor of the mount to which the alias should belong to. + // Mount accessor to which this alias belongs toMount accessor to which this alias belongs to. + MountAccessor *string `json:"mountAccessor,omitempty" tf:"mount_accessor,omitempty"` + + // Name of the alias. Name should be the identifier of the client in the authentication source. For example, if the alias belongs to userpass backend, the name should be a valid username within userpass backend. If alias belongs to GitHub, it should be the GitHub username. + // Name of the entity alias. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` +} + type EntityAliasObservation struct { + // Entity ID to which this alias belongs to. // ID of the entity to which this is an alias. CanonicalID *string `json:"canonicalId,omitempty" tf:"canonical_id,omitempty"` // Custom metadata to be associated with this alias. CustomMetadata map[string]*string `json:"customMetadata,omitempty" tf:"custom_metadata,omitempty"` + // ID of the entity alias. ID *string `json:"id,omitempty" tf:"id,omitempty"` + // Accessor of the mount to which the alias should belong to. 
// Mount accessor to which this alias belongs toMount accessor to which this alias belongs to. MountAccessor *string `json:"mountAccessor,omitempty" tf:"mount_accessor,omitempty"` + // Name of the alias. Name should be the identifier of the client in the authentication source. For example, if the alias belongs to userpass backend, the name should be a valid username within userpass backend. If alias belongs to GitHub, it should be the GitHub username. // Name of the entity alias. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` } type EntityAliasParameters struct { + // Entity ID to which this alias belongs to. // ID of the entity to which this is an alias. // +kubebuilder:validation:Optional CanonicalID *string `json:"canonicalId,omitempty" tf:"canonical_id,omitempty"` 
@@ -43,14 +77,20 @@ type EntityAliasParameters struct { // +kubebuilder:validation:Optional CustomMetadata map[string]*string `json:"customMetadata,omitempty" tf:"custom_metadata,omitempty"` + // Accessor of the mount to which the alias should belong to. // Mount accessor to which this alias belongs toMount accessor to which this alias belongs to. // +kubebuilder:validation:Optional MountAccessor *string `json:"mountAccessor,omitempty" tf:"mount_accessor,omitempty"` + // Name of the alias. Name should be the identifier of the client in the authentication source. For example, if the alias belongs to userpass backend, the name should be a valid username within userpass backend. If alias belongs to GitHub, it should be the GitHub username. // Name of the entity alias. // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` 
@@ -60,6 +100,18 @@ type EntityAliasParameters struct { type EntityAliasSpec struct { v1.ResourceSpec `json:",inline"` ForProvider EntityAliasParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider EntityAliasInitParameters `json:"initProvider,omitempty"` } // EntityAliasStatus defines the observed state of EntityAlias. @@ -70,7 +122,7 @@ type EntityAliasStatus struct { // +kubebuilder:object:root=true -// EntityAlias is the Schema for the EntityAliass API. +// EntityAlias is the Schema for the EntityAliass API. Creates an Identity Entity Alias for Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -80,9 +132,9 @@ type EntityAliasStatus struct { type EntityAlias struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.canonicalId)",message="canonicalId is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.mountAccessor)",message="mountAccessor is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.canonicalId) || has(self.initProvider.canonicalId)",message="canonicalId is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.mountAccessor) || has(self.initProvider.mountAccessor)",message="mountAccessor is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" Spec EntityAliasSpec `json:"spec"` Status EntityAliasStatus `json:"status,omitempty"` } diff --git a/apis/identity/v1alpha1/zz_entitypolicies_types.go b/apis/identity/v1alpha1/zz_entitypolicies_types.go index 39e20dc3..2652d1f2 100755 --- a/apis/identity/v1alpha1/zz_entitypolicies_types.go +++ b/apis/identity/v1alpha1/zz_entitypolicies_types.go 
@@ -13,40 +13,77 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type EntityPoliciesInitParameters struct { + + // Entity ID to assign policies to. + // ID of the entity. + EntityID *string `json:"entityId,omitempty" tf:"entity_id,omitempty"` + + // Defaults to true. + // Should the resource manage policies exclusively + Exclusive *bool `json:"exclusive,omitempty" tf:"exclusive,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // List of policies to assign to the entity + // Policies to be tied to the entity. + Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` +} + type EntityPoliciesObservation struct { + // Entity ID to assign policies to. // ID of the entity. EntityID *string `json:"entityId,omitempty" tf:"entity_id,omitempty"` + // The name of the entity that are assigned the policies. // Name of the entity. EntityName *string `json:"entityName,omitempty" tf:"entity_name,omitempty"` + // Defaults to true. // Should the resource manage policies exclusively Exclusive *bool `json:"exclusive,omitempty" tf:"exclusive,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // List of policies to assign to the entity // Policies to be tied to the entity. 
Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` } type EntityPoliciesParameters struct { + // Entity ID to assign policies to. // ID of the entity. // +kubebuilder:validation:Optional EntityID *string `json:"entityId,omitempty" tf:"entity_id,omitempty"` + // Defaults to true. // Should the resource manage policies exclusively // +kubebuilder:validation:Optional Exclusive *bool `json:"exclusive,omitempty" tf:"exclusive,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // List of policies to assign to the entity // Policies to be tied to the entity. // +kubebuilder:validation:Optional Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` 
@@ -56,6 +93,18 @@ type EntityPoliciesParameters struct { type EntityPoliciesSpec struct { v1.ResourceSpec `json:",inline"` ForProvider EntityPoliciesParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider EntityPoliciesInitParameters `json:"initProvider,omitempty"` } // EntityPoliciesStatus defines the observed state of EntityPolicies. @@ -66,7 +115,7 @@ type EntityPoliciesStatus struct { // +kubebuilder:object:root=true -// EntityPolicies is the Schema for the EntityPoliciess API. +// EntityPolicies is the Schema for the EntityPoliciess API. Manages policies for an Identity Entity for Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -76,8 +125,8 @@ type EntityPoliciesStatus struct { type EntityPolicies struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.entityId)",message="entityId is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policies)",message="policies is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.entityId) || has(self.initProvider.entityId)",message="entityId is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.policies) || has(self.initProvider.policies)",message="policies is a required parameter" Spec EntityPoliciesSpec `json:"spec"` Status EntityPoliciesStatus `json:"status,omitempty"` } diff --git a/apis/identity/v1alpha1/zz_generated.deepcopy.go b/apis/identity/v1alpha1/zz_generated.deepcopy.go index bcfeca76..0c816799 100644 --- a/apis/identity/v1alpha1/zz_generated.deepcopy.go +++ b/apis/identity/v1alpha1/zz_generated.deepcopy.go 
@@ -67,6 +67,56 @@ func (in *EntityAlias) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *EntityAliasInitParameters) DeepCopyInto(out *EntityAliasInitParameters) { + *out = *in + if in.CanonicalID != nil { + in, out := &in.CanonicalID, &out.CanonicalID + *out = new(string) + **out = **in + } + if in.CustomMetadata != nil { + in, out := &in.CustomMetadata, &out.CustomMetadata + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.MountAccessor != nil { + in, out := &in.MountAccessor, &out.MountAccessor + *out = new(string) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EntityAliasInitParameters. +func (in *EntityAliasInitParameters) DeepCopy() *EntityAliasInitParameters { + if in == nil { + return nil + } + out := new(EntityAliasInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *EntityAliasList) DeepCopyInto(out *EntityAliasList) { *out = *in @@ -209,6 +259,7 @@ func (in *EntityAliasSpec) DeepCopyInto(out *EntityAliasSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EntityAliasSpec. 
@@ -238,6 +289,67 @@ func (in *EntityAliasStatus) DeepCopy() *EntityAliasStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *EntityInitParameters) DeepCopyInto(out *EntityInitParameters) { + *out = *in + if in.Disabled != nil { + in, out := &in.Disabled, &out.Disabled + *out = new(bool) + **out = **in + } + if in.ExternalPolicies != nil { + in, out := &in.ExternalPolicies, &out.ExternalPolicies + *out = new(bool) + **out = **in + } + if in.Metadata != nil { + in, out := &in.Metadata, &out.Metadata + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Policies != nil { + in, out := &in.Policies, &out.Policies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EntityInitParameters. +func (in *EntityInitParameters) DeepCopy() *EntityInitParameters { + if in == nil { + return nil + } + out := new(EntityInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *EntityList) DeepCopyInto(out *EntityList) { *out = *in 
@@ -424,6 +536,47 @@ func (in *EntityPolicies) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *EntityPoliciesInitParameters) DeepCopyInto(out *EntityPoliciesInitParameters) { + *out = *in + if in.EntityID != nil { + in, out := &in.EntityID, &out.EntityID + *out = new(string) + **out = **in + } + if in.Exclusive != nil { + in, out := &in.Exclusive, &out.Exclusive + *out = new(bool) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Policies != nil { + in, out := &in.Policies, &out.Policies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EntityPoliciesInitParameters. +func (in *EntityPoliciesInitParameters) DeepCopy() *EntityPoliciesInitParameters { + if in == nil { + return nil + } + out := new(EntityPoliciesInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *EntityPoliciesList) DeepCopyInto(out *EntityPoliciesList) { *out = *in @@ -553,6 +706,7 @@ func (in *EntityPoliciesSpec) DeepCopyInto(out *EntityPoliciesSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EntityPoliciesSpec. 
@@ -587,6 +741,7 @@ func (in *EntitySpec) DeepCopyInto(out *EntitySpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EntitySpec. @@ -670,6 +825,41 @@ func (in *GroupAlias) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GroupAliasInitParameters) DeepCopyInto(out *GroupAliasInitParameters) { + *out = *in + if in.CanonicalID != nil { + in, out := &in.CanonicalID, &out.CanonicalID + *out = new(string) + **out = **in + } + if in.MountAccessor != nil { + in, out := &in.MountAccessor, &out.MountAccessor + *out = new(string) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupAliasInitParameters. +func (in *GroupAliasInitParameters) DeepCopy() *GroupAliasInitParameters { + if in == nil { + return nil + } + out := new(GroupAliasInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GroupAliasList) DeepCopyInto(out *GroupAliasList) { *out = *in @@ -782,6 +972,7 @@ func (in *GroupAliasSpec) DeepCopyInto(out *GroupAliasSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupAliasSpec. 
@@ -811,6 +1002,99 @@ func (in *GroupAliasStatus) DeepCopy() *GroupAliasStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GroupInitParameters) DeepCopyInto(out *GroupInitParameters) { + *out = *in + if in.ExternalMemberEntityIds != nil { + in, out := &in.ExternalMemberEntityIds, &out.ExternalMemberEntityIds + *out = new(bool) + **out = **in + } + if in.ExternalMemberGroupIds != nil { + in, out := &in.ExternalMemberGroupIds, &out.ExternalMemberGroupIds + *out = new(bool) + **out = **in + } + if in.ExternalPolicies != nil { + in, out := &in.ExternalPolicies, &out.ExternalPolicies + *out = new(bool) + **out = **in + } + if in.MemberEntityIds != nil { + in, out := &in.MemberEntityIds, &out.MemberEntityIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.MemberGroupIds != nil { + in, out := &in.MemberGroupIds, &out.MemberGroupIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Metadata != nil { + in, out := &in.Metadata, &out.Metadata + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Policies != nil { + in, out := &in.Policies, &out.Policies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Type != nil { + in, out 
:= &in.Type, &out.Type + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupInitParameters. +func (in *GroupInitParameters) DeepCopy() *GroupInitParameters { + if in == nil { + return nil + } + out := new(GroupInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GroupList) DeepCopyInto(out *GroupList) { *out = *in @@ -870,6 +1154,47 @@ func (in *GroupMemberEntityIds) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GroupMemberEntityIdsInitParameters) DeepCopyInto(out *GroupMemberEntityIdsInitParameters) { + *out = *in + if in.Exclusive != nil { + in, out := &in.Exclusive, &out.Exclusive + *out = new(bool) + **out = **in + } + if in.GroupID != nil { + in, out := &in.GroupID, &out.GroupID + *out = new(string) + **out = **in + } + if in.MemberEntityIds != nil { + in, out := &in.MemberEntityIds, &out.MemberEntityIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupMemberEntityIdsInitParameters. +func (in *GroupMemberEntityIdsInitParameters) DeepCopy() *GroupMemberEntityIdsInitParameters { + if in == nil { + return nil + } + out := new(GroupMemberEntityIdsInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GroupMemberEntityIdsList) DeepCopyInto(out *GroupMemberEntityIdsList) { *out = *in 
@@ -999,6 +1324,7 @@ func (in *GroupMemberEntityIdsSpec) DeepCopyInto(out *GroupMemberEntityIdsSpec) *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupMemberEntityIdsSpec. @@ -1055,6 +1381,47 @@ func (in *GroupMemberGroupIds) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GroupMemberGroupIdsInitParameters) DeepCopyInto(out *GroupMemberGroupIdsInitParameters) { + *out = *in + if in.Exclusive != nil { + in, out := &in.Exclusive, &out.Exclusive + *out = new(bool) + **out = **in + } + if in.GroupID != nil { + in, out := &in.GroupID, &out.GroupID + *out = new(string) + **out = **in + } + if in.MemberGroupIds != nil { + in, out := &in.MemberGroupIds, &out.MemberGroupIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupMemberGroupIdsInitParameters. +func (in *GroupMemberGroupIdsInitParameters) DeepCopy() *GroupMemberGroupIdsInitParameters { + if in == nil { + return nil + } + out := new(GroupMemberGroupIdsInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GroupMemberGroupIdsList) DeepCopyInto(out *GroupMemberGroupIdsList) { *out = *in 
@@ -1179,6 +1546,7 @@ func (in *GroupMemberGroupIdsSpec) DeepCopyInto(out *GroupMemberGroupIdsSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupMemberGroupIdsSpec. @@ -1426,6 +1794,47 @@ func (in *GroupPolicies) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GroupPoliciesInitParameters) DeepCopyInto(out *GroupPoliciesInitParameters) { + *out = *in + if in.Exclusive != nil { + in, out := &in.Exclusive, &out.Exclusive + *out = new(bool) + **out = **in + } + if in.GroupID != nil { + in, out := &in.GroupID, &out.GroupID + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Policies != nil { + in, out := &in.Policies, &out.Policies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupPoliciesInitParameters. +func (in *GroupPoliciesInitParameters) DeepCopy() *GroupPoliciesInitParameters { + if in == nil { + return nil + } + out := new(GroupPoliciesInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GroupPoliciesList) DeepCopyInto(out *GroupPoliciesList) { *out = *in 
@@ -1555,6 +1964,7 @@ func (in *GroupPoliciesSpec) DeepCopyInto(out *GroupPoliciesSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupPoliciesSpec. @@ -1589,6 +1999,7 @@ func (in *GroupSpec) DeepCopyInto(out *GroupSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupSpec. 
@@ -1645,6 +2056,46 @@ func (in *MfaDuo) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MfaDuoInitParameters) DeepCopyInto(out *MfaDuoInitParameters) { + *out = *in + if in.APIHostname != nil { + in, out := &in.APIHostname, &out.APIHostname + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.PushInfo != nil { + in, out := &in.PushInfo, &out.PushInfo + *out = new(string) + **out = **in + } + if in.UsePasscode != nil { + in, out := &in.UsePasscode, &out.UsePasscode + *out = new(bool) + **out = **in + } + if in.UsernameFormat != nil { + in, out := &in.UsernameFormat, &out.UsernameFormat + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MfaDuoInitParameters. +func (in *MfaDuoInitParameters) DeepCopy() *MfaDuoInitParameters { + if in == nil { + return nil + } + out := new(MfaDuoInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MfaDuoList) DeepCopyInto(out *MfaDuoList) { *out = *in @@ -1804,6 +2255,7 @@ func (in *MfaDuoSpec) DeepCopyInto(out *MfaDuoSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MfaDuoSpec. 
@@ -1828,38 +2280,118 @@ func (in *MfaDuoStatus) DeepCopy() *MfaDuoStatus { if in == nil { return nil } - out := new(MfaDuoStatus) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *MfaLoginEnforcement) DeepCopyInto(out *MfaLoginEnforcement) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - in.Status.DeepCopyInto(&out.Status) + out := new(MfaDuoStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MfaLoginEnforcement) DeepCopyInto(out *MfaLoginEnforcement) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MfaLoginEnforcement. +func (in *MfaLoginEnforcement) DeepCopy() *MfaLoginEnforcement { + if in == nil { + return nil + } + out := new(MfaLoginEnforcement) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *MfaLoginEnforcement) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *MfaLoginEnforcementInitParameters) DeepCopyInto(out *MfaLoginEnforcementInitParameters) { + *out = *in + if in.AuthMethodAccessors != nil { + in, out := &in.AuthMethodAccessors, &out.AuthMethodAccessors + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.AuthMethodTypes != nil { + in, out := &in.AuthMethodTypes, &out.AuthMethodTypes + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.IdentityEntityIds != nil { + in, out := &in.IdentityEntityIds, &out.IdentityEntityIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.IdentityGroupIds != nil { + in, out := &in.IdentityGroupIds, &out.IdentityGroupIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.MfaMethodIds != nil { + in, out := &in.MfaMethodIds, &out.MfaMethodIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MfaLoginEnforcement. -func (in *MfaLoginEnforcement) DeepCopy() *MfaLoginEnforcement { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MfaLoginEnforcementInitParameters. 
+func (in *MfaLoginEnforcementInitParameters) DeepCopy() *MfaLoginEnforcementInitParameters { if in == nil { return nil } - out := new(MfaLoginEnforcement) + out := new(MfaLoginEnforcementInitParameters) in.DeepCopyInto(out) return out } -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *MfaLoginEnforcement) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MfaLoginEnforcementList) DeepCopyInto(out *MfaLoginEnforcementList) { *out = *in @@ -2077,6 +2609,7 @@ func (in *MfaLoginEnforcementSpec) DeepCopyInto(out *MfaLoginEnforcementSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MfaLoginEnforcementSpec. 
@@ -2133,6 +2666,46 @@ func (in *MfaOkta) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MfaOktaInitParameters) DeepCopyInto(out *MfaOktaInitParameters) { + *out = *in + if in.BaseURL != nil { + in, out := &in.BaseURL, &out.BaseURL + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.OrgName != nil { + in, out := &in.OrgName, &out.OrgName + *out = new(string) + **out = **in + } + if in.PrimaryEmail != nil { + in, out := &in.PrimaryEmail, &out.PrimaryEmail + *out = new(bool) + **out = **in + } + if in.UsernameFormat != nil { + in, out := &in.UsernameFormat, &out.UsernameFormat + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MfaOktaInitParameters. +func (in *MfaOktaInitParameters) DeepCopy() *MfaOktaInitParameters { + if in == nil { + return nil + } + out := new(MfaOktaInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MfaOktaList) DeepCopyInto(out *MfaOktaList) { *out = *in @@ -2291,6 +2864,7 @@ func (in *MfaOktaSpec) DeepCopyInto(out *MfaOktaSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MfaOktaSpec. 
@@ -2347,6 +2921,36 @@ func (in *MfaPingid) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MfaPingidInitParameters) DeepCopyInto(out *MfaPingidInitParameters) { + *out = *in + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.SettingsFileBase64 != nil { + in, out := &in.SettingsFileBase64, &out.SettingsFileBase64 + *out = new(string) + **out = **in + } + if in.UsernameFormat != nil { + in, out := &in.UsernameFormat, &out.UsernameFormat + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MfaPingidInitParameters. +func (in *MfaPingidInitParameters) DeepCopy() *MfaPingidInitParameters { + if in == nil { + return nil + } + out := new(MfaPingidInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MfaPingidList) DeepCopyInto(out *MfaPingidList) { *out = *in @@ -2509,6 +3113,7 @@ func (in *MfaPingidSpec) DeepCopyInto(out *MfaPingidSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MfaPingidSpec. 
@@ -2565,6 +3170,66 @@ func (in *MfaTotp) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MfaTotpInitParameters) DeepCopyInto(out *MfaTotpInitParameters) { + *out = *in + if in.Algorithm != nil { + in, out := &in.Algorithm, &out.Algorithm + *out = new(string) + **out = **in + } + if in.Digits != nil { + in, out := &in.Digits, &out.Digits + *out = new(float64) + **out = **in + } + if in.Issuer != nil { + in, out := &in.Issuer, &out.Issuer + *out = new(string) + **out = **in + } + if in.KeySize != nil { + in, out := &in.KeySize, &out.KeySize + *out = new(float64) + **out = **in + } + if in.MaxValidationAttempts != nil { + in, out := &in.MaxValidationAttempts, &out.MaxValidationAttempts + *out = new(float64) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Period != nil { + in, out := &in.Period, &out.Period + *out = new(float64) + **out = **in + } + if in.QrSize != nil { + in, out := &in.QrSize, &out.QrSize + *out = new(float64) + **out = **in + } + if in.Skew != nil { + in, out := &in.Skew, &out.Skew + *out = new(float64) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MfaTotpInitParameters. +func (in *MfaTotpInitParameters) DeepCopy() *MfaTotpInitParameters { + if in == nil { + return nil + } + out := new(MfaTotpInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MfaTotpList) DeepCopyInto(out *MfaTotpList) { *out = *in 
@@ -2762,6 +3427,7 @@ func (in *MfaTotpSpec) DeepCopyInto(out *MfaTotpSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MfaTotpSpec. @@ -2845,6 +3511,53 @@ func (in *OidcAssignment) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OidcAssignmentInitParameters) DeepCopyInto(out *OidcAssignmentInitParameters) { + *out = *in + if in.EntityIds != nil { + in, out := &in.EntityIds, &out.EntityIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.GroupIds != nil { + in, out := &in.GroupIds, &out.GroupIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OidcAssignmentInitParameters. +func (in *OidcAssignmentInitParameters) DeepCopy() *OidcAssignmentInitParameters { + if in == nil { + return nil + } + out := new(OidcAssignmentInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OidcAssignmentList) DeepCopyInto(out *OidcAssignmentList) { *out = *in 
@@ -2981,6 +3694,7 @@ func (in *OidcAssignmentSpec) DeepCopyInto(out *OidcAssignmentSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OidcAssignmentSpec. 
@@ -3005,38 +3719,105 @@ func (in *OidcAssignmentStatus) DeepCopy() *OidcAssignmentStatus { if in == nil { return nil } - out := new(OidcAssignmentStatus) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OidcClient) DeepCopyInto(out *OidcClient) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - in.Status.DeepCopyInto(&out.Status) + out := new(OidcAssignmentStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OidcClient) DeepCopyInto(out *OidcClient) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OidcClient. +func (in *OidcClient) DeepCopy() *OidcClient { + if in == nil { + return nil + } + out := new(OidcClient) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OidcClient) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *OidcClientInitParameters) DeepCopyInto(out *OidcClientInitParameters) { + *out = *in + if in.AccessTokenTTL != nil { + in, out := &in.AccessTokenTTL, &out.AccessTokenTTL + *out = new(float64) + **out = **in + } + if in.Assignments != nil { + in, out := &in.Assignments, &out.Assignments + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.ClientType != nil { + in, out := &in.ClientType, &out.ClientType + *out = new(string) + **out = **in + } + if in.IDTokenTTL != nil { + in, out := &in.IDTokenTTL, &out.IDTokenTTL + *out = new(float64) + **out = **in + } + if in.Key != nil { + in, out := &in.Key, &out.Key + *out = new(string) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.RedirectUris != nil { + in, out := &in.RedirectUris, &out.RedirectUris + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OidcClient. -func (in *OidcClient) DeepCopy() *OidcClient { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OidcClientInitParameters. +func (in *OidcClientInitParameters) DeepCopy() *OidcClientInitParameters { if in == nil { return nil } - out := new(OidcClient) + out := new(OidcClientInitParameters) in.DeepCopyInto(out) return out } -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
-func (in *OidcClient) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OidcClientList) DeepCopyInto(out *OidcClientList) { *out = *in @@ -3218,6 +3999,7 @@ func (in *OidcClientSpec) DeepCopyInto(out *OidcClientSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OidcClientSpec. @@ -3247,6 +4029,31 @@ func (in *OidcClientStatus) DeepCopy() *OidcClientStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OidcInitParameters) DeepCopyInto(out *OidcInitParameters) { + *out = *in + if in.Issuer != nil { + in, out := &in.Issuer, &out.Issuer + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OidcInitParameters. +func (in *OidcInitParameters) DeepCopy() *OidcInitParameters { + if in == nil { + return nil + } + out := new(OidcInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OidcKey) DeepCopyInto(out *OidcKey) { *out = *in 
@@ -3301,6 +4108,36 @@ func (in *OidcKeyAllowedClientID) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OidcKeyAllowedClientIDInitParameters) DeepCopyInto(out *OidcKeyAllowedClientIDInitParameters) { + *out = *in + if in.AllowedClientID != nil { + in, out := &in.AllowedClientID, &out.AllowedClientID + *out = new(string) + **out = **in + } + if in.KeyName != nil { + in, out := &in.KeyName, &out.KeyName + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OidcKeyAllowedClientIDInitParameters. +func (in *OidcKeyAllowedClientIDInitParameters) DeepCopy() *OidcKeyAllowedClientIDInitParameters { + if in == nil { + return nil + } + out := new(OidcKeyAllowedClientIDInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OidcKeyAllowedClientIDList) DeepCopyInto(out *OidcKeyAllowedClientIDList) { *out = *in @@ -3403,6 +4240,7 @@ func (in *OidcKeyAllowedClientIDSpec) DeepCopyInto(out *OidcKeyAllowedClientIDSp *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OidcKeyAllowedClientIDSpec. 
@@ -3432,6 +4270,57 @@ func (in *OidcKeyAllowedClientIDStatus) DeepCopy() *OidcKeyAllowedClientIDStatus return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OidcKeyInitParameters) DeepCopyInto(out *OidcKeyInitParameters) { + *out = *in + if in.Algorithm != nil { + in, out := &in.Algorithm, &out.Algorithm + *out = new(string) + **out = **in + } + if in.AllowedClientIds != nil { + in, out := &in.AllowedClientIds, &out.AllowedClientIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.RotationPeriod != nil { + in, out := &in.RotationPeriod, &out.RotationPeriod + *out = new(float64) + **out = **in + } + if in.VerificationTTL != nil { + in, out := &in.VerificationTTL, &out.VerificationTTL + *out = new(float64) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OidcKeyInitParameters. +func (in *OidcKeyInitParameters) DeepCopy() *OidcKeyInitParameters { + if in == nil { + return nil + } + out := new(OidcKeyInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OidcKeyList) DeepCopyInto(out *OidcKeyList) { *out = *in @@ -3576,6 +4465,7 @@ func (in *OidcKeySpec) DeepCopyInto(out *OidcKeySpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OidcKeySpec. 
@@ -3719,6 +4609,63 @@ func (in *OidcProvider) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OidcProviderInitParameters) DeepCopyInto(out *OidcProviderInitParameters) { + *out = *in + if in.AllowedClientIds != nil { + in, out := &in.AllowedClientIds, &out.AllowedClientIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.HTTPSEnabled != nil { + in, out := &in.HTTPSEnabled, &out.HTTPSEnabled + *out = new(bool) + **out = **in + } + if in.IssuerHost != nil { + in, out := &in.IssuerHost, &out.IssuerHost + *out = new(string) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.ScopesSupported != nil { + in, out := &in.ScopesSupported, &out.ScopesSupported + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OidcProviderInitParameters. +func (in *OidcProviderInitParameters) DeepCopy() *OidcProviderInitParameters { + if in == nil { + return nil + } + out := new(OidcProviderInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OidcProviderList) DeepCopyInto(out *OidcProviderList) { *out = *in 
@@ -3880,6 +4827,7 @@ func (in *OidcProviderSpec) DeepCopyInto(out *OidcProviderSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OidcProviderSpec. @@ -3936,6 +4884,51 @@ func (in *OidcRole) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OidcRoleInitParameters) DeepCopyInto(out *OidcRoleInitParameters) { + *out = *in + if in.ClientID != nil { + in, out := &in.ClientID, &out.ClientID + *out = new(string) + **out = **in + } + if in.Key != nil { + in, out := &in.Key, &out.Key + *out = new(string) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.TTL != nil { + in, out := &in.TTL, &out.TTL + *out = new(float64) + **out = **in + } + if in.Template != nil { + in, out := &in.Template, &out.Template + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OidcRoleInitParameters. +func (in *OidcRoleInitParameters) DeepCopy() *OidcRoleInitParameters { + if in == nil { + return nil + } + out := new(OidcRoleInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OidcRoleList) DeepCopyInto(out *OidcRoleList) { *out = *in 
@@ -4068,6 +5061,7 @@ func (in *OidcRoleSpec) DeepCopyInto(out *OidcRoleSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OidcRoleSpec. @@ -4124,6 +5118,41 @@ func (in *OidcScope) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OidcScopeInitParameters) DeepCopyInto(out *OidcScopeInitParameters) { + *out = *in + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Template != nil { + in, out := &in.Template, &out.Template + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OidcScopeInitParameters. +func (in *OidcScopeInitParameters) DeepCopy() *OidcScopeInitParameters { + if in == nil { + return nil + } + out := new(OidcScopeInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OidcScopeList) DeepCopyInto(out *OidcScopeList) { *out = *in @@ -4236,6 +5265,7 @@ func (in *OidcScopeSpec) DeepCopyInto(out *OidcScopeSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OidcScopeSpec. 
@@ -4270,6 +5300,7 @@ func (in *OidcSpec) DeepCopyInto(out *OidcSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OidcSpec. diff --git a/apis/identity/v1alpha1/zz_generated.managed.go b/apis/identity/v1alpha1/zz_generated.managed.go index 6f1dbea3..35ee8551 100644 --- a/apis/identity/v1alpha1/zz_generated.managed.go +++ b/apis/identity/v1alpha1/zz_generated.managed.go @@ -17,9 +17,9 @@ func (mg *Entity) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this Entity. -func (mg *Entity) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this Entity. +func (mg *Entity) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this Entity. @@ -55,9 +55,9 @@ func (mg *Entity) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this Entity. -func (mg *Entity) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this Entity. +func (mg *Entity) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this Entity. @@ -93,9 +93,9 @@ func (mg *EntityAlias) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this EntityAlias. -func (mg *EntityAlias) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this EntityAlias. +func (mg *EntityAlias) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this EntityAlias. 
@@ -131,9 +131,9 @@ func (mg *EntityAlias) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this EntityAlias. -func (mg *EntityAlias) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this EntityAlias. +func (mg *EntityAlias) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this EntityAlias. @@ -169,9 +169,9 @@ func (mg *EntityPolicies) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this EntityPolicies. -func (mg *EntityPolicies) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this EntityPolicies. +func (mg *EntityPolicies) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this EntityPolicies. @@ -207,9 +207,9 @@ func (mg *EntityPolicies) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this EntityPolicies. -func (mg *EntityPolicies) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this EntityPolicies. +func (mg *EntityPolicies) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this EntityPolicies. @@ -245,9 +245,9 @@ func (mg *Group) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this Group. -func (mg *Group) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this Group. +func (mg *Group) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this Group. 
@@ -283,9 +283,9 @@ func (mg *Group) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this Group. -func (mg *Group) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this Group. +func (mg *Group) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this Group. @@ -321,9 +321,9 @@ func (mg *GroupAlias) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this GroupAlias. -func (mg *GroupAlias) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this GroupAlias. +func (mg *GroupAlias) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this GroupAlias. @@ -359,9 +359,9 @@ func (mg *GroupAlias) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this GroupAlias. -func (mg *GroupAlias) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this GroupAlias. +func (mg *GroupAlias) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this GroupAlias. @@ -397,9 +397,9 @@ func (mg *GroupMemberEntityIds) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this GroupMemberEntityIds. -func (mg *GroupMemberEntityIds) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this GroupMemberEntityIds. +func (mg *GroupMemberEntityIds) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this GroupMemberEntityIds. 
@@ -435,9 +435,9 @@ func (mg *GroupMemberEntityIds) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this GroupMemberEntityIds. -func (mg *GroupMemberEntityIds) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this GroupMemberEntityIds. +func (mg *GroupMemberEntityIds) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this GroupMemberEntityIds. @@ -473,9 +473,9 @@ func (mg *GroupMemberGroupIds) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this GroupMemberGroupIds. -func (mg *GroupMemberGroupIds) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this GroupMemberGroupIds. +func (mg *GroupMemberGroupIds) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this GroupMemberGroupIds. @@ -511,9 +511,9 @@ func (mg *GroupMemberGroupIds) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this GroupMemberGroupIds. -func (mg *GroupMemberGroupIds) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this GroupMemberGroupIds. +func (mg *GroupMemberGroupIds) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this GroupMemberGroupIds. 
@@ -549,9 +549,9 @@ func (mg *GroupPolicies) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this GroupPolicies. -func (mg *GroupPolicies) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this GroupPolicies. +func (mg *GroupPolicies) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this GroupPolicies. @@ -587,9 +587,9 @@ func (mg *GroupPolicies) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this GroupPolicies. -func (mg *GroupPolicies) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this GroupPolicies. +func (mg *GroupPolicies) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this GroupPolicies. @@ -625,9 +625,9 @@ func (mg *MfaDuo) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this MfaDuo. -func (mg *MfaDuo) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this MfaDuo. +func (mg *MfaDuo) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this MfaDuo. @@ -663,9 +663,9 @@ func (mg *MfaDuo) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this MfaDuo. -func (mg *MfaDuo) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this MfaDuo. +func (mg *MfaDuo) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this MfaDuo. 
@@ -701,9 +701,9 @@ func (mg *MfaLoginEnforcement) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this MfaLoginEnforcement. -func (mg *MfaLoginEnforcement) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this MfaLoginEnforcement. +func (mg *MfaLoginEnforcement) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this MfaLoginEnforcement. @@ -739,9 +739,9 @@ func (mg *MfaLoginEnforcement) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this MfaLoginEnforcement. -func (mg *MfaLoginEnforcement) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this MfaLoginEnforcement. +func (mg *MfaLoginEnforcement) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this MfaLoginEnforcement. @@ -777,9 +777,9 @@ func (mg *MfaOkta) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this MfaOkta. -func (mg *MfaOkta) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this MfaOkta. +func (mg *MfaOkta) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this MfaOkta. @@ -815,9 +815,9 @@ func (mg *MfaOkta) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this MfaOkta. -func (mg *MfaOkta) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this MfaOkta. +func (mg *MfaOkta) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this MfaOkta. 
@@ -853,9 +853,9 @@ func (mg *MfaPingid) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this MfaPingid. -func (mg *MfaPingid) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this MfaPingid. +func (mg *MfaPingid) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this MfaPingid. @@ -891,9 +891,9 @@ func (mg *MfaPingid) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this MfaPingid. -func (mg *MfaPingid) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this MfaPingid. +func (mg *MfaPingid) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this MfaPingid. @@ -929,9 +929,9 @@ func (mg *MfaTotp) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this MfaTotp. -func (mg *MfaTotp) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this MfaTotp. +func (mg *MfaTotp) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this MfaTotp. @@ -967,9 +967,9 @@ func (mg *MfaTotp) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this MfaTotp. -func (mg *MfaTotp) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this MfaTotp. +func (mg *MfaTotp) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this MfaTotp. 
@@ -1005,9 +1005,9 @@ func (mg *Oidc) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this Oidc. -func (mg *Oidc) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this Oidc. +func (mg *Oidc) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this Oidc. @@ -1043,9 +1043,9 @@ func (mg *Oidc) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this Oidc. -func (mg *Oidc) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this Oidc. +func (mg *Oidc) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this Oidc. @@ -1081,9 +1081,9 @@ func (mg *OidcAssignment) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this OidcAssignment. -func (mg *OidcAssignment) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this OidcAssignment. +func (mg *OidcAssignment) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this OidcAssignment. @@ -1119,9 +1119,9 @@ func (mg *OidcAssignment) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this OidcAssignment. -func (mg *OidcAssignment) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this OidcAssignment. +func (mg *OidcAssignment) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this OidcAssignment. 
@@ -1157,9 +1157,9 @@ func (mg *OidcClient) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this OidcClient. -func (mg *OidcClient) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this OidcClient. +func (mg *OidcClient) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this OidcClient. @@ -1195,9 +1195,9 @@ func (mg *OidcClient) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this OidcClient. -func (mg *OidcClient) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this OidcClient. +func (mg *OidcClient) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this OidcClient. @@ -1233,9 +1233,9 @@ func (mg *OidcKey) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this OidcKey. -func (mg *OidcKey) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this OidcKey. +func (mg *OidcKey) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this OidcKey. @@ -1271,9 +1271,9 @@ func (mg *OidcKey) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this OidcKey. -func (mg *OidcKey) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this OidcKey. +func (mg *OidcKey) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this OidcKey. 
@@ -1309,9 +1309,9 @@ func (mg *OidcKeyAllowedClientID) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this OidcKeyAllowedClientID. -func (mg *OidcKeyAllowedClientID) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this OidcKeyAllowedClientID. +func (mg *OidcKeyAllowedClientID) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this OidcKeyAllowedClientID. @@ -1347,9 +1347,9 @@ func (mg *OidcKeyAllowedClientID) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this OidcKeyAllowedClientID. -func (mg *OidcKeyAllowedClientID) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this OidcKeyAllowedClientID. +func (mg *OidcKeyAllowedClientID) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this OidcKeyAllowedClientID. @@ -1385,9 +1385,9 @@ func (mg *OidcProvider) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this OidcProvider. -func (mg *OidcProvider) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this OidcProvider. +func (mg *OidcProvider) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this OidcProvider. 
@@ -1423,9 +1423,9 @@ func (mg *OidcProvider) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this OidcProvider. -func (mg *OidcProvider) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this OidcProvider. +func (mg *OidcProvider) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this OidcProvider. @@ -1461,9 +1461,9 @@ func (mg *OidcRole) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this OidcRole. -func (mg *OidcRole) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this OidcRole. +func (mg *OidcRole) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this OidcRole. @@ -1499,9 +1499,9 @@ func (mg *OidcRole) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this OidcRole. -func (mg *OidcRole) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this OidcRole. +func (mg *OidcRole) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this OidcRole. @@ -1537,9 +1537,9 @@ func (mg *OidcScope) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this OidcScope. -func (mg *OidcScope) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this OidcScope. +func (mg *OidcScope) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this OidcScope. 
@@ -1575,9 +1575,9 @@ func (mg *OidcScope) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this OidcScope. -func (mg *OidcScope) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this OidcScope. +func (mg *OidcScope) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this OidcScope. diff --git a/apis/identity/v1alpha1/zz_generated_terraformed.go b/apis/identity/v1alpha1/zz_generated_terraformed.go index 5d03173c..603bc8b8 100755 --- a/apis/identity/v1alpha1/zz_generated_terraformed.go +++ b/apis/identity/v1alpha1/zz_generated_terraformed.go @@ -69,6 +69,16 @@ func (tr *Entity) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this Entity +func (tr *Entity) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this Entity using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *Entity) LateInitialize(attrs []byte) (bool, error) { @@ -143,6 +153,16 @@ func (tr *EntityAlias) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this EntityAlias +func (tr *EntityAlias) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this EntityAlias using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *EntityAlias) LateInitialize(attrs []byte) (bool, error) { 
@@ -217,6 +237,16 @@ func (tr *EntityPolicies) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this EntityPolicies +func (tr *EntityPolicies) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this EntityPolicies using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *EntityPolicies) LateInitialize(attrs []byte) (bool, error) { @@ -291,6 +321,16 @@ func (tr *Group) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this Group +func (tr *Group) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this Group using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *Group) LateInitialize(attrs []byte) (bool, error) { @@ -365,6 +405,16 @@ func (tr *GroupAlias) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this GroupAlias +func (tr *GroupAlias) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this GroupAlias using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *GroupAlias) LateInitialize(attrs []byte) (bool, error) { 
@@ -439,6 +489,16 @@ func (tr *GroupMemberEntityIds) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this GroupMemberEntityIds +func (tr *GroupMemberEntityIds) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this GroupMemberEntityIds using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *GroupMemberEntityIds) LateInitialize(attrs []byte) (bool, error) { @@ -513,6 +573,16 @@ func (tr *GroupMemberGroupIds) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this GroupMemberGroupIds +func (tr *GroupMemberGroupIds) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this GroupMemberGroupIds using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *GroupMemberGroupIds) LateInitialize(attrs []byte) (bool, error) { @@ -587,6 +657,16 @@ func (tr *GroupPolicies) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this GroupPolicies +func (tr *GroupPolicies) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this GroupPolicies using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *GroupPolicies) LateInitialize(attrs []byte) (bool, error) { 
@@ -661,6 +741,16 @@ func (tr *MfaDuo) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this MfaDuo +func (tr *MfaDuo) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this MfaDuo using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *MfaDuo) LateInitialize(attrs []byte) (bool, error) { @@ -735,6 +825,16 @@ func (tr *MfaLoginEnforcement) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this MfaLoginEnforcement +func (tr *MfaLoginEnforcement) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this MfaLoginEnforcement using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *MfaLoginEnforcement) LateInitialize(attrs []byte) (bool, error) { @@ -809,6 +909,16 @@ func (tr *MfaOkta) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this MfaOkta +func (tr *MfaOkta) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this MfaOkta using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *MfaOkta) LateInitialize(attrs []byte) (bool, error) { 
@@ -883,6 +993,16 @@ func (tr *MfaPingid) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this MfaPingid +func (tr *MfaPingid) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this MfaPingid using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *MfaPingid) LateInitialize(attrs []byte) (bool, error) { @@ -957,6 +1077,16 @@ func (tr *MfaTotp) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this MfaTotp +func (tr *MfaTotp) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this MfaTotp using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *MfaTotp) LateInitialize(attrs []byte) (bool, error) { @@ -1031,6 +1161,16 @@ func (tr *Oidc) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this Oidc +func (tr *Oidc) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this Oidc using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *Oidc) LateInitialize(attrs []byte) (bool, error) { 
@@ -1105,6 +1245,16 @@ func (tr *OidcAssignment) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this OidcAssignment +func (tr *OidcAssignment) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this OidcAssignment using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *OidcAssignment) LateInitialize(attrs []byte) (bool, error) { @@ -1179,6 +1329,16 @@ func (tr *OidcClient) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this OidcClient +func (tr *OidcClient) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this OidcClient using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *OidcClient) LateInitialize(attrs []byte) (bool, error) { @@ -1253,6 +1413,16 @@ func (tr *OidcKey) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this OidcKey +func (tr *OidcKey) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this OidcKey using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *OidcKey) LateInitialize(attrs []byte) (bool, error) { 
@@ -1327,6 +1497,16 @@ func (tr *OidcKeyAllowedClientID) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this OidcKeyAllowedClientID +func (tr *OidcKeyAllowedClientID) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this OidcKeyAllowedClientID using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *OidcKeyAllowedClientID) LateInitialize(attrs []byte) (bool, error) { @@ -1401,6 +1581,16 @@ func (tr *OidcProvider) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this OidcProvider +func (tr *OidcProvider) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this OidcProvider using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *OidcProvider) LateInitialize(attrs []byte) (bool, error) { @@ -1475,6 +1665,16 @@ func (tr *OidcRole) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this OidcRole +func (tr *OidcRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this OidcRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *OidcRole) LateInitialize(attrs []byte) (bool, error) { 
@@ -1549,6 +1749,16 @@ func (tr *OidcScope) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this OidcScope +func (tr *OidcScope) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this OidcScope using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *OidcScope) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/identity/v1alpha1/zz_group_types.go b/apis/identity/v1alpha1/zz_group_types.go index 4709cc24..8cefb2cd 100755 --- a/apis/identity/v1alpha1/zz_group_types.go +++ b/apis/identity/v1alpha1/zz_group_types.go 
@@ -13,79 +13,176 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type GroupInitParameters struct { + + // false by default. If set to true, this resource will ignore any Entity IDs + // returned from Vault or specified in the resource. You can use + // vault_identity_group_member_entity_ids to manage Entity IDs for this group in a + // decoupled manner. + // Manage member entities externally through `vault_identity_group_member_entity_ids` + ExternalMemberEntityIds *bool `json:"externalMemberEntityIds,omitempty" tf:"external_member_entity_ids,omitempty"` + + // false by default. If set to true, this resource will ignore any Group IDs + // returned from Vault or specified in the resource. You can use + // vault_identity_group_member_group_ids to manage Group IDs for this group in a + // decoupled manner. + // Manage member groups externally through `vault_identity_group_member_group_ids` + ExternalMemberGroupIds *bool `json:"externalMemberGroupIds,omitempty" tf:"external_member_group_ids,omitempty"` + + // false by default. If set to true, this resource will ignore any policies returned from + // Vault or specified in the resource. You can use vault_identity_group_policies to manage + // policies for this group in a decoupled manner. + // Manage policies externally through `vault_identity_group_policies`, allows using group ID in assigned policies. + ExternalPolicies *bool `json:"externalPolicies,omitempty" tf:"external_policies,omitempty"` + + // A list of Entity IDs to be assigned as group members. Not allowed on external groups. + // Entity IDs to be assigned as group members. + MemberEntityIds []*string `json:"memberEntityIds,omitempty" tf:"member_entity_ids,omitempty"` + + // A list of Group IDs to be assigned as group members. Not allowed on external groups. + // Group IDs to be assigned as group members. 
+ MemberGroupIds []*string `json:"memberGroupIds,omitempty" tf:"member_group_ids,omitempty"` + + // A Map of additional metadata to associate with the group. + // Metadata to be associated with the group. + Metadata map[string]*string `json:"metadata,omitempty" tf:"metadata,omitempty"` + + // Name of the identity group to create. + // Name of the group. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // A list of policies to apply to the group. + // Policies to be tied to the group. + Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` + + // Type of the group, internal or external. Defaults to internal. + // Type of the group, internal or external. Defaults to internal. + Type *string `json:"type,omitempty" tf:"type,omitempty"` +} + type GroupObservation struct { + // false by default. If set to true, this resource will ignore any Entity IDs + // returned from Vault or specified in the resource. You can use + // vault_identity_group_member_entity_ids to manage Entity IDs for this group in a + // decoupled manner. // Manage member entities externally through `vault_identity_group_member_entity_ids` ExternalMemberEntityIds *bool `json:"externalMemberEntityIds,omitempty" tf:"external_member_entity_ids,omitempty"` + // false by default. If set to true, this resource will ignore any Group IDs + // returned from Vault or specified in the resource. You can use + // vault_identity_group_member_group_ids to manage Group IDs for this group in a + // decoupled manner. 
 // Manage member groups externally through `vault_identity_group_member_group_ids`
 ExternalMemberGroupIds *bool `json:"externalMemberGroupIds,omitempty" tf:"external_member_group_ids,omitempty"`
+ // false by default. If set to true, this resource will ignore any policies returned from
+ // Vault or specified in the resource. You can use vault_identity_group_policies to manage
+ // policies for this group in a decoupled manner.
 // Manage policies externally through `vault_identity_group_policies`, allows using group ID in assigned policies.
 ExternalPolicies *bool `json:"externalPolicies,omitempty" tf:"external_policies,omitempty"`
+ // The id of the created group.
 ID *string `json:"id,omitempty" tf:"id,omitempty"`
+ // A list of Entity IDs to be assigned as group members. Not allowed on external groups.
 // Entity IDs to be assigned as group members.
 MemberEntityIds []*string `json:"memberEntityIds,omitempty" tf:"member_entity_ids,omitempty"`
+ // A list of Group IDs to be assigned as group members. Not allowed on external groups.
 // Group IDs to be assigned as group members.
 MemberGroupIds []*string `json:"memberGroupIds,omitempty" tf:"member_group_ids,omitempty"`
+ // A Map of additional metadata to associate with the group.
 // Metadata to be associated with the group.
 Metadata map[string]*string `json:"metadata,omitempty" tf:"metadata,omitempty"`
+ // Name of the identity group to create.
 // Name of the group.
 Name *string `json:"name,omitempty" tf:"name,omitempty"`
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
 // Target namespace. (requires Enterprise)
 Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+ // A list of policies to apply to the group.
 // Policies to be tied to the group.
 Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"`
+ // Type of the group, internal or external. Defaults to internal.
 // Type of the group, internal or external. Defaults to internal.
 Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 type GroupParameters struct {
+ // false by default. If set to true, this resource will ignore any Entity IDs
+ // returned from Vault or specified in the resource. You can use
+ // vault_identity_group_member_entity_ids to manage Entity IDs for this group in a
+ // decoupled manner.
 // Manage member entities externally through `vault_identity_group_member_entity_ids`
 // +kubebuilder:validation:Optional
 ExternalMemberEntityIds *bool `json:"externalMemberEntityIds,omitempty" tf:"external_member_entity_ids,omitempty"`
+ // false by default. If set to true, this resource will ignore any Group IDs
+ // returned from Vault or specified in the resource. You can use
+ // vault_identity_group_member_group_ids to manage Group IDs for this group in a
+ // decoupled manner.
 // Manage member groups externally through `vault_identity_group_member_group_ids`
 // +kubebuilder:validation:Optional
 ExternalMemberGroupIds *bool `json:"externalMemberGroupIds,omitempty" tf:"external_member_group_ids,omitempty"`
+ // false by default. If set to true, this resource will ignore any policies returned from
+ // Vault or specified in the resource. You can use vault_identity_group_policies to manage
+ // policies for this group in a decoupled manner.
 // Manage policies externally through `vault_identity_group_policies`, allows using group ID in assigned policies.
 // +kubebuilder:validation:Optional
 ExternalPolicies *bool `json:"externalPolicies,omitempty" tf:"external_policies,omitempty"`
+ // A list of Entity IDs to be assigned as group members. Not allowed on external groups.
 // Entity IDs to be assigned as group members.
 // +kubebuilder:validation:Optional
 MemberEntityIds []*string `json:"memberEntityIds,omitempty" tf:"member_entity_ids,omitempty"`
+ // A list of Group IDs to be assigned as group members. Not allowed on external groups.
 // Group IDs to be assigned as group members.
 // +kubebuilder:validation:Optional
 MemberGroupIds []*string `json:"memberGroupIds,omitempty" tf:"member_group_ids,omitempty"`
+ // A Map of additional metadata to associate with the group.
 // Metadata to be associated with the group.
 // +kubebuilder:validation:Optional
 Metadata map[string]*string `json:"metadata,omitempty" tf:"metadata,omitempty"`
+ // Name of the identity group to create.
 // Name of the group.
 // +kubebuilder:validation:Optional
 Name *string `json:"name,omitempty" tf:"name,omitempty"`
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
 // Target namespace. (requires Enterprise)
 // +kubebuilder:validation:Optional
 Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+ // A list of policies to apply to the group.
 // Policies to be tied to the group.
 // +kubebuilder:validation:Optional
 Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"`
+ // Type of the group, internal or external. Defaults to internal.
 // Type of the group, internal or external. Defaults to internal.
 // +kubebuilder:validation:Optional
 Type *string `json:"type,omitempty" tf:"type,omitempty"`
@@ -95,6 +192,18 @@ type GroupParameters struct {
 type GroupSpec struct {
 v1.ResourceSpec `json:",inline"`
 ForProvider GroupParameters `json:"forProvider"`
+ // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored
+ // unless the relevant Crossplane feature flag is enabled, and may be
+ // changed or removed without notice.
+ // InitProvider holds the same fields as ForProvider, with the exception
+ // of Identifier and other resource reference fields. The fields that are
+ // in InitProvider are merged into ForProvider when the resource is created.
+ // The same fields are also added to the terraform ignore_changes hook, to
+ // avoid updating them after creation. This is useful for fields that are
+ // required on creation, but we do not desire to update them after creation,
+ // for example because of an external controller is managing them, like an
+ // autoscaler.
+ InitProvider GroupInitParameters `json:"initProvider,omitempty"`
 }
 // GroupStatus defines the observed state of Group.
@@ -105,7 +214,7 @@ type GroupStatus struct {
 // +kubebuilder:object:root=true
-// Group is the Schema for the Groups API.
+// Group is the Schema for the Groups API. Creates an Identity Group for Vault.
 // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status"
 // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status"
 // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name"
diff --git a/apis/identity/v1alpha1/zz_groupalias_types.go b/apis/identity/v1alpha1/zz_groupalias_types.go
index 0eb321c1..49588eea 100755
--- a/apis/identity/v1alpha1/zz_groupalias_types.go
+++ b/apis/identity/v1alpha1/zz_groupalias_types.go
@@ -13,37 +13,74 @@ import (
 v1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 )
+type GroupAliasInitParameters struct {
+
+ // ID of the group to which this is an alias.
+ // ID of the group to which this is an alias.
+ CanonicalID *string `json:"canonicalId,omitempty" tf:"canonical_id,omitempty"`
+
+ // Mount accessor of the authentication backend to which this alias belongs to.
+ // Mount accessor to which this alias belongs to.
+ MountAccessor *string `json:"mountAccessor,omitempty" tf:"mount_accessor,omitempty"`
+
+ // Name of the group alias to create.
+ // Name of the group alias.
+ Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
+ // Target namespace. (requires Enterprise)
+ Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+}
+
 type GroupAliasObservation struct {
+ // ID of the group to which this is an alias.
 // ID of the group to which this is an alias.
 CanonicalID *string `json:"canonicalId,omitempty" tf:"canonical_id,omitempty"`
+ // The id of the created group alias.
 ID *string `json:"id,omitempty" tf:"id,omitempty"`
+ // Mount accessor of the authentication backend to which this alias belongs to.
 // Mount accessor to which this alias belongs to.
 MountAccessor *string `json:"mountAccessor,omitempty" tf:"mount_accessor,omitempty"`
+ // Name of the group alias to create.
 // Name of the group alias.
 Name *string `json:"name,omitempty" tf:"name,omitempty"`
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
 // Target namespace. (requires Enterprise)
 Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
 }
 type GroupAliasParameters struct {
+ // ID of the group to which this is an alias.
 // ID of the group to which this is an alias.
 // +kubebuilder:validation:Optional
 CanonicalID *string `json:"canonicalId,omitempty" tf:"canonical_id,omitempty"`
+ // Mount accessor of the authentication backend to which this alias belongs to.
 // Mount accessor to which this alias belongs to.
 // +kubebuilder:validation:Optional
 MountAccessor *string `json:"mountAccessor,omitempty" tf:"mount_accessor,omitempty"`
+ // Name of the group alias to create.
 // Name of the group alias.
 // +kubebuilder:validation:Optional
 Name *string `json:"name,omitempty" tf:"name,omitempty"`
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
 // Target namespace. (requires Enterprise)
 // +kubebuilder:validation:Optional
 Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
@@ -53,6 +90,18 @@ type GroupAliasParameters struct {
 type GroupAliasSpec struct {
 v1.ResourceSpec `json:",inline"`
 ForProvider GroupAliasParameters `json:"forProvider"`
+ // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored
+ // unless the relevant Crossplane feature flag is enabled, and may be
+ // changed or removed without notice.
+ // InitProvider holds the same fields as ForProvider, with the exception
+ // of Identifier and other resource reference fields. The fields that are
+ // in InitProvider are merged into ForProvider when the resource is created.
+ // The same fields are also added to the terraform ignore_changes hook, to
+ // avoid updating them after creation. This is useful for fields that are
+ // required on creation, but we do not desire to update them after creation,
+ // for example because of an external controller is managing them, like an
+ // autoscaler.
+ InitProvider GroupAliasInitParameters `json:"initProvider,omitempty"`
 }
 // GroupAliasStatus defines the observed state of GroupAlias.
@@ -63,7 +112,7 @@ type GroupAliasStatus struct {
 // +kubebuilder:object:root=true
-// GroupAlias is the Schema for the GroupAliass API.
+// GroupAlias is the Schema for the GroupAliass API. Creates an Identity Group Alias for Vault.
 // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status"
 // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status"
 // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name"
@@ -73,9 +122,9 @@ type GroupAliasStatus struct {
 type GroupAlias struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
- // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.canonicalId)",message="canonicalId is a required parameter"
- // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.mountAccessor)",message="mountAccessor is a required parameter"
- // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+ // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.canonicalId) || has(self.initProvider.canonicalId)",message="canonicalId is a required parameter"
+ // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.mountAccessor) || has(self.initProvider.mountAccessor)",message="mountAccessor is a required parameter"
+ // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter"
 Spec GroupAliasSpec `json:"spec"`
 Status GroupAliasStatus `json:"status,omitempty"`
 }
diff --git a/apis/identity/v1alpha1/zz_groupmemberentityids_types.go b/apis/identity/v1alpha1/zz_groupmemberentityids_types.go
index 291a7164..188ae26a 100755
--- a/apis/identity/v1alpha1/zz_groupmemberentityids_types.go
+++ b/apis/identity/v1alpha1/zz_groupmemberentityids_types.go
@@ -13,42 +13,82 @@ import (
 v1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 )
+type GroupMemberEntityIdsInitParameters struct {
+
+ // Defaults to true.
+ // If set to true, allows the resource to manage member entity ids
+ // exclusively. Beware of race conditions when disabling exclusive management
+ Exclusive *bool `json:"exclusive,omitempty" tf:"exclusive,omitempty"`
+
+ // Group ID to assign member entities to.
+ // ID of the group.
+ GroupID *string `json:"groupId,omitempty" tf:"group_id,omitempty"`
+
+ // List of member entities that belong to the group
+ // Entity IDs to be assigned as group members.
+ MemberEntityIds []*string `json:"memberEntityIds,omitempty" tf:"member_entity_ids,omitempty"`
+
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
+ // Target namespace. (requires Enterprise)
+ Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+}
+
 type GroupMemberEntityIdsObservation struct {
+ // Defaults to true.
 // If set to true, allows the resource to manage member entity ids
 // exclusively. Beware of race conditions when disabling exclusive management
 Exclusive *bool `json:"exclusive,omitempty" tf:"exclusive,omitempty"`
+ // Group ID to assign member entities to.
 // ID of the group.
 GroupID *string `json:"groupId,omitempty" tf:"group_id,omitempty"`
+ // The name of the group that are assigned the member entities.
+ // Deprecated: The value for group_name may not always be accurate
+ // use data.vault_identity_group.*.group_name, or vault_identity_group.*.group_name instead.
 // Name of the group.
 GroupName *string `json:"groupName,omitempty" tf:"group_name,omitempty"`
 ID *string `json:"id,omitempty" tf:"id,omitempty"`
+ // List of member entities that belong to the group
 // Entity IDs to be assigned as group members.
 MemberEntityIds []*string `json:"memberEntityIds,omitempty" tf:"member_entity_ids,omitempty"`
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
 // Target namespace. (requires Enterprise)
 Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
 }
 type GroupMemberEntityIdsParameters struct {
+ // Defaults to true.
 // If set to true, allows the resource to manage member entity ids
 // exclusively. Beware of race conditions when disabling exclusive management
 // +kubebuilder:validation:Optional
 Exclusive *bool `json:"exclusive,omitempty" tf:"exclusive,omitempty"`
+ // Group ID to assign member entities to.
 // ID of the group.
 // +kubebuilder:validation:Optional
 GroupID *string `json:"groupId,omitempty" tf:"group_id,omitempty"`
+ // List of member entities that belong to the group
 // Entity IDs to be assigned as group members.
 // +kubebuilder:validation:Optional
 MemberEntityIds []*string `json:"memberEntityIds,omitempty" tf:"member_entity_ids,omitempty"`
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
 // Target namespace. (requires Enterprise)
 // +kubebuilder:validation:Optional
 Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
@@ -58,6 +98,18 @@ type GroupMemberEntityIdsParameters struct {
 type GroupMemberEntityIdsSpec struct {
 v1.ResourceSpec `json:",inline"`
 ForProvider GroupMemberEntityIdsParameters `json:"forProvider"`
+ // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored
+ // unless the relevant Crossplane feature flag is enabled, and may be
+ // changed or removed without notice.
+ // InitProvider holds the same fields as ForProvider, with the exception
+ // of Identifier and other resource reference fields. The fields that are
+ // in InitProvider are merged into ForProvider when the resource is created.
+ // The same fields are also added to the terraform ignore_changes hook, to
+ // avoid updating them after creation. This is useful for fields that are
+ // required on creation, but we do not desire to update them after creation,
+ // for example because of an external controller is managing them, like an
+ // autoscaler.
+ InitProvider GroupMemberEntityIdsInitParameters `json:"initProvider,omitempty"`
 }
 // GroupMemberEntityIdsStatus defines the observed state of GroupMemberEntityIds.
@@ -68,7 +120,7 @@ type GroupMemberEntityIdsStatus struct {
 // +kubebuilder:object:root=true
-// GroupMemberEntityIds is the Schema for the GroupMemberEntityIdss API.
+// GroupMemberEntityIds is the Schema for the GroupMemberEntityIdss API. Manages member entities for an Identity Group for Vault.
 // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status"
 // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status"
 // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name"
@@ -78,7 +130,7 @@ type GroupMemberEntityIdsStatus struct {
 type GroupMemberEntityIds struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
- // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.groupId)",message="groupId is a required parameter"
+ // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.groupId) || has(self.initProvider.groupId)",message="groupId is a required parameter"
 Spec GroupMemberEntityIdsSpec `json:"spec"`
 Status GroupMemberEntityIdsStatus `json:"status,omitempty"`
 }
diff --git a/apis/identity/v1alpha1/zz_groupmembergroupids_types.go b/apis/identity/v1alpha1/zz_groupmembergroupids_types.go
index 5211f60e..eab48f79 100755
--- a/apis/identity/v1alpha1/zz_groupmembergroupids_types.go
+++ b/apis/identity/v1alpha1/zz_groupmembergroupids_types.go
@@ -13,39 +13,76 @@ import (
 v1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 )
+type GroupMemberGroupIdsInitParameters struct {
+
+ // Defaults to true.
+ // If set to true, allows the resource to manage member group ids
+ // exclusively. Beware of race conditions when disabling exclusive management
+ Exclusive *bool `json:"exclusive,omitempty" tf:"exclusive,omitempty"`
+
+ // Group ID to assign member entities to.
+ // ID of the group.
+ GroupID *string `json:"groupId,omitempty" tf:"group_id,omitempty"`
+
+ // List of member groups that belong to the group
+ // Group IDs to be assigned as group members.
+ MemberGroupIds []*string `json:"memberGroupIds,omitempty" tf:"member_group_ids,omitempty"`
+
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
+ // Target namespace. (requires Enterprise)
+ Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+}
+
 type GroupMemberGroupIdsObservation struct {
+ // Defaults to true.
 // If set to true, allows the resource to manage member group ids
 // exclusively. Beware of race conditions when disabling exclusive management
 Exclusive *bool `json:"exclusive,omitempty" tf:"exclusive,omitempty"`
+ // Group ID to assign member entities to.
 // ID of the group.
 GroupID *string `json:"groupId,omitempty" tf:"group_id,omitempty"`
 ID *string `json:"id,omitempty" tf:"id,omitempty"`
+ // List of member groups that belong to the group
 // Group IDs to be assigned as group members.
 MemberGroupIds []*string `json:"memberGroupIds,omitempty" tf:"member_group_ids,omitempty"`
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
 // Target namespace. (requires Enterprise)
 Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
 }
 type GroupMemberGroupIdsParameters struct {
+ // Defaults to true.
 // If set to true, allows the resource to manage member group ids
 // exclusively. Beware of race conditions when disabling exclusive management
 // +kubebuilder:validation:Optional
 Exclusive *bool `json:"exclusive,omitempty" tf:"exclusive,omitempty"`
+ // Group ID to assign member entities to.
 // ID of the group.
 // +kubebuilder:validation:Optional
 GroupID *string `json:"groupId,omitempty" tf:"group_id,omitempty"`
+ // List of member groups that belong to the group
 // Group IDs to be assigned as group members.
 // +kubebuilder:validation:Optional
 MemberGroupIds []*string `json:"memberGroupIds,omitempty" tf:"member_group_ids,omitempty"`
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
 // Target namespace. (requires Enterprise)
 // +kubebuilder:validation:Optional
 Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
@@ -55,6 +92,18 @@ type GroupMemberGroupIdsParameters struct {
 type GroupMemberGroupIdsSpec struct {
 v1.ResourceSpec `json:",inline"`
 ForProvider GroupMemberGroupIdsParameters `json:"forProvider"`
+ // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored
+ // unless the relevant Crossplane feature flag is enabled, and may be
+ // changed or removed without notice.
+ // InitProvider holds the same fields as ForProvider, with the exception
+ // of Identifier and other resource reference fields. The fields that are
+ // in InitProvider are merged into ForProvider when the resource is created.
+ // The same fields are also added to the terraform ignore_changes hook, to
+ // avoid updating them after creation. This is useful for fields that are
+ // required on creation, but we do not desire to update them after creation,
+ // for example because of an external controller is managing them, like an
+ // autoscaler.
+ InitProvider GroupMemberGroupIdsInitParameters `json:"initProvider,omitempty"`
 }
 // GroupMemberGroupIdsStatus defines the observed state of GroupMemberGroupIds.
@@ -65,7 +114,7 @@ type GroupMemberGroupIdsStatus struct {
 // +kubebuilder:object:root=true
-// GroupMemberGroupIds is the Schema for the GroupMemberGroupIdss API.
+// GroupMemberGroupIds is the Schema for the GroupMemberGroupIdss API. Manages member groups for an Identity Group for Vault.
 // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status"
 // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status"
 // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name"
@@ -75,7 +124,7 @@ type GroupMemberGroupIdsStatus struct {
 type GroupMemberGroupIds struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
- // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.groupId)",message="groupId is a required parameter"
+ // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.groupId) || has(self.initProvider.groupId)",message="groupId is a required parameter"
 Spec GroupMemberGroupIdsSpec `json:"spec"`
 Status GroupMemberGroupIdsStatus `json:"status,omitempty"`
 }
diff --git a/apis/identity/v1alpha1/zz_grouppolicies_types.go b/apis/identity/v1alpha1/zz_grouppolicies_types.go
index 2cc95caa..b6912414 100755
--- a/apis/identity/v1alpha1/zz_grouppolicies_types.go
+++ b/apis/identity/v1alpha1/zz_grouppolicies_types.go
@@ -13,40 +13,77 @@ import (
 v1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 )
+type GroupPoliciesInitParameters struct {
+
+ // Defaults to true.
+ // Should the resource manage policies exclusively? Beware of race conditions when disabling exclusive management
+ Exclusive *bool `json:"exclusive,omitempty" tf:"exclusive,omitempty"`
+
+ // Group ID to assign policies to.
+ // ID of the group.
+ GroupID *string `json:"groupId,omitempty" tf:"group_id,omitempty"`
+
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
+ // Target namespace. (requires Enterprise)
+ Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+
+ // List of policies to assign to the group
+ // Policies to be tied to the group.
+ Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"`
+}
+
 type GroupPoliciesObservation struct {
+ // Defaults to true.
 // Should the resource manage policies exclusively? Beware of race conditions when disabling exclusive management
 Exclusive *bool `json:"exclusive,omitempty" tf:"exclusive,omitempty"`
+ // Group ID to assign policies to.
 // ID of the group.
 GroupID *string `json:"groupId,omitempty" tf:"group_id,omitempty"`
+ // The name of the group that are assigned the policies.
 // Name of the group.
 GroupName *string `json:"groupName,omitempty" tf:"group_name,omitempty"`
 ID *string `json:"id,omitempty" tf:"id,omitempty"`
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
 // Target namespace. (requires Enterprise)
 Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+ // List of policies to assign to the group
 // Policies to be tied to the group.
 Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"`
 }
 type GroupPoliciesParameters struct {
+ // Defaults to true.
 // Should the resource manage policies exclusively? Beware of race conditions when disabling exclusive management
 // +kubebuilder:validation:Optional
 Exclusive *bool `json:"exclusive,omitempty" tf:"exclusive,omitempty"`
+ // Group ID to assign policies to.
 // ID of the group.
 // +kubebuilder:validation:Optional
 GroupID *string `json:"groupId,omitempty" tf:"group_id,omitempty"`
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
 // Target namespace. (requires Enterprise)
 // +kubebuilder:validation:Optional
 Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+ // List of policies to assign to the group
 // Policies to be tied to the group.
 // +kubebuilder:validation:Optional
 Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"`
@@ -56,6 +93,18 @@ type GroupPoliciesParameters struct {
 type GroupPoliciesSpec struct {
 v1.ResourceSpec `json:",inline"`
 ForProvider GroupPoliciesParameters `json:"forProvider"`
+ // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored
+ // unless the relevant Crossplane feature flag is enabled, and may be
+ // changed or removed without notice.
+ // InitProvider holds the same fields as ForProvider, with the exception
+ // of Identifier and other resource reference fields. The fields that are
+ // in InitProvider are merged into ForProvider when the resource is created.
+ // The same fields are also added to the terraform ignore_changes hook, to
+ // avoid updating them after creation. This is useful for fields that are
+ // required on creation, but we do not desire to update them after creation,
+ // for example because of an external controller is managing them, like an
+ // autoscaler.
+ InitProvider GroupPoliciesInitParameters `json:"initProvider,omitempty"`
 }
 // GroupPoliciesStatus defines the observed state of GroupPolicies.
@@ -66,7 +115,7 @@ type GroupPoliciesStatus struct {
 // +kubebuilder:object:root=true
-// GroupPolicies is the Schema for the GroupPoliciess API.
+// GroupPolicies is the Schema for the GroupPoliciess API. Manages policies for an Identity Group for Vault.
 // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status"
 // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status"
 // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name"
@@ -76,8 +125,8 @@ type GroupPoliciesStatus struct {
 type GroupPolicies struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
- // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.groupId)",message="groupId is a required parameter"
- // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policies)",message="policies is a required parameter"
+ // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.groupId) || has(self.initProvider.groupId)",message="groupId is a required parameter"
+ // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.policies) || has(self.initProvider.policies)",message="policies is a required parameter"
 Spec GroupPoliciesSpec `json:"spec"`
 Status GroupPoliciesStatus `json:"status,omitempty"`
 }
diff --git a/apis/identity/v1alpha1/zz_mfaduo_types.go b/apis/identity/v1alpha1/zz_mfaduo_types.go
index 6dc2606a..5f57b9f9 100755
--- a/apis/identity/v1alpha1/zz_mfaduo_types.go
+++ b/apis/identity/v1alpha1/zz_mfaduo_types.go
@@ -13,73 +13,114 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type MfaDuoInitParameters struct { + + // API hostname for Duo + // API hostname for Duo + APIHostname *string `json:"apiHostname,omitempty" tf:"api_hostname,omitempty"` + + // Target namespace. (requires Enterprise) + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Push information for Duo. + // Push information for Duo. + PushInfo *string `json:"pushInfo,omitempty" tf:"push_info,omitempty"` + + // Require passcode upon MFA validation. + // Require passcode upon MFA validation. + UsePasscode *bool `json:"usePasscode,omitempty" tf:"use_passcode,omitempty"` + + // A template string for mapping Identity names to MFA methods. + // A template string for mapping Identity names to MFA methods. + UsernameFormat *string `json:"usernameFormat,omitempty" tf:"username_format,omitempty"` +} + type MfaDuoObservation struct { + // API hostname for Duo // API hostname for Duo APIHostname *string `json:"apiHostname,omitempty" tf:"api_hostname,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // Method ID. // Method ID. MethodID *string `json:"methodId,omitempty" tf:"method_id,omitempty"` + // Mount accessor. // Mount accessor. MountAccessor *string `json:"mountAccessor,omitempty" tf:"mount_accessor,omitempty"` // Method name. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // Target namespace. (requires Enterprise) // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Method's namespace ID. // Method's namespace ID. NamespaceID *string `json:"namespaceId,omitempty" tf:"namespace_id,omitempty"` + // Method's namespace path. // Method's namespace path. NamespacePath *string `json:"namespacePath,omitempty" tf:"namespace_path,omitempty"` + // Push information for Duo. // Push information for Duo. 
PushInfo *string `json:"pushInfo,omitempty" tf:"push_info,omitempty"` + // MFA type. // MFA type. Type *string `json:"type,omitempty" tf:"type,omitempty"` + // Resource UUID. // Resource UUID. UUID *string `json:"uuid,omitempty" tf:"uuid,omitempty"` + // Require passcode upon MFA validation. // Require passcode upon MFA validation. UsePasscode *bool `json:"usePasscode,omitempty" tf:"use_passcode,omitempty"` + // A template string for mapping Identity names to MFA methods. // A template string for mapping Identity names to MFA methods. UsernameFormat *string `json:"usernameFormat,omitempty" tf:"username_format,omitempty"` } type MfaDuoParameters struct { + // API hostname for Duo // API hostname for Duo // +kubebuilder:validation:Optional APIHostname *string `json:"apiHostname,omitempty" tf:"api_hostname,omitempty"` + // Integration key for Duo // Integration key for Duo // +kubebuilder:validation:Optional IntegrationKeySecretRef v1.SecretKeySelector `json:"integrationKeySecretRef" tf:"-"` + // Target namespace. (requires Enterprise) // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Push information for Duo. // Push information for Duo. // +kubebuilder:validation:Optional PushInfo *string `json:"pushInfo,omitempty" tf:"push_info,omitempty"` + // Secret key for Duo // Secret key for Duo // +kubebuilder:validation:Optional SecretKeySecretRef v1.SecretKeySelector `json:"secretKeySecretRef" tf:"-"` + // Require passcode upon MFA validation. // Require passcode upon MFA validation. // +kubebuilder:validation:Optional UsePasscode *bool `json:"usePasscode,omitempty" tf:"use_passcode,omitempty"` + // A template string for mapping Identity names to MFA methods. // A template string for mapping Identity names to MFA methods. // +kubebuilder:validation:Optional UsernameFormat *string `json:"usernameFormat,omitempty" tf:"username_format,omitempty"` 
@@ -89,6 +130,18 @@ type MfaDuoParameters struct { type MfaDuoSpec struct { v1.ResourceSpec `json:",inline"` ForProvider MfaDuoParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider MfaDuoInitParameters `json:"initProvider,omitempty"` } // MfaDuoStatus defines the observed state of MfaDuo. @@ -99,7 +152,7 @@ type MfaDuoStatus struct { // +kubebuilder:object:root=true -// MfaDuo is the Schema for the MfaDuos API. +// MfaDuo is the Schema for the MfaDuos API. Resource for configuring the duo MFA method. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -109,9 +162,9 @@ type MfaDuoStatus struct { type MfaDuo struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.apiHostname)",message="apiHostname is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.integrationKeySecretRef)",message="integrationKeySecretRef is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.secretKeySecretRef)",message="secretKeySecretRef is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.apiHostname) || has(self.initProvider.apiHostname)",message="apiHostname is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.integrationKeySecretRef)",message="integrationKeySecretRef is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.secretKeySecretRef)",message="secretKeySecretRef is a required parameter" Spec MfaDuoSpec `json:"spec"` Status MfaDuoStatus `json:"status,omitempty"` } diff --git a/apis/identity/v1alpha1/zz_mfaloginenforcement_types.go b/apis/identity/v1alpha1/zz_mfaloginenforcement_types.go index 0f69929d..60b90152 100755 --- a/apis/identity/v1alpha1/zz_mfaloginenforcement_types.go +++ b/apis/identity/v1alpha1/zz_mfaloginenforcement_types.go 
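Review bot: The `apiHostname` rule on the MfaDuo `Spec` field reads `has(self.initProvider.apiHostname)` with no `has(self.initProvider)` guard, while `MfaDuoSpec` marks `initProvider` as `omitempty`; if the object is absent, CEL may error on the intermediate access instead of evaluating to false, so the rule should read `... || (has(self.initProvider) && has(self.initProvider.apiHostname))`. The two credential rules (`integrationKeySecretRef`, `secretKeySecretRef`) correctly remain `forProvider`-only because `MfaDuoInitParameters` carries no `SecretKeySelector` fields; that separation is the right property to keep — Duo credentials must never be settable through `initProvider`, which is merged once and then ignored for drift. As this is a generated file, fix the template that produces these markers rather than the file itself.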
@@ -13,67 +13,115 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type MfaLoginEnforcementInitParameters struct { + + // Set of auth method accessor IDs. + // Set of auth method accessor IDs. + AuthMethodAccessors []*string `json:"authMethodAccessors,omitempty" tf:"auth_method_accessors,omitempty"` + + // Set of auth method types. + // Set of auth method types. + AuthMethodTypes []*string `json:"authMethodTypes,omitempty" tf:"auth_method_types,omitempty"` + + // Set of identity entity IDs. + // Set of identity entity IDs. + IdentityEntityIds []*string `json:"identityEntityIds,omitempty" tf:"identity_entity_ids,omitempty"` + + // Set of identity group IDs. + // Set of identity group IDs. + IdentityGroupIds []*string `json:"identityGroupIds,omitempty" tf:"identity_group_ids,omitempty"` + + // Set of MFA method UUIDs. + // Set of MFA method UUIDs. + MfaMethodIds []*string `json:"mfaMethodIds,omitempty" tf:"mfa_method_ids,omitempty"` + + // Login enforcement name. + // Login enforcement name. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // Target namespace. (requires Enterprise) + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` +} + type MfaLoginEnforcementObservation struct { + // Set of auth method accessor IDs. // Set of auth method accessor IDs. AuthMethodAccessors []*string `json:"authMethodAccessors,omitempty" tf:"auth_method_accessors,omitempty"` + // Set of auth method types. // Set of auth method types. AuthMethodTypes []*string `json:"authMethodTypes,omitempty" tf:"auth_method_types,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // Set of identity entity IDs. // Set of identity entity IDs. IdentityEntityIds []*string `json:"identityEntityIds,omitempty" tf:"identity_entity_ids,omitempty"` + // Set of identity group IDs. // Set of identity group IDs. 
IdentityGroupIds []*string `json:"identityGroupIds,omitempty" tf:"identity_group_ids,omitempty"` + // Set of MFA method UUIDs. // Set of MFA method UUIDs. MfaMethodIds []*string `json:"mfaMethodIds,omitempty" tf:"mfa_method_ids,omitempty"` + // Login enforcement name. // Login enforcement name. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // Target namespace. (requires Enterprise) // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Method's namespace ID. // Method's namespace ID. NamespaceID *string `json:"namespaceId,omitempty" tf:"namespace_id,omitempty"` + // Method's namespace path. // Method's namespace path. NamespacePath *string `json:"namespacePath,omitempty" tf:"namespace_path,omitempty"` + // Resource UUID. // Resource UUID. UUID *string `json:"uuid,omitempty" tf:"uuid,omitempty"` } type MfaLoginEnforcementParameters struct { + // Set of auth method accessor IDs. // Set of auth method accessor IDs. // +kubebuilder:validation:Optional AuthMethodAccessors []*string `json:"authMethodAccessors,omitempty" tf:"auth_method_accessors,omitempty"` + // Set of auth method types. // Set of auth method types. // +kubebuilder:validation:Optional AuthMethodTypes []*string `json:"authMethodTypes,omitempty" tf:"auth_method_types,omitempty"` + // Set of identity entity IDs. // Set of identity entity IDs. // +kubebuilder:validation:Optional IdentityEntityIds []*string `json:"identityEntityIds,omitempty" tf:"identity_entity_ids,omitempty"` + // Set of identity group IDs. // Set of identity group IDs. // +kubebuilder:validation:Optional IdentityGroupIds []*string `json:"identityGroupIds,omitempty" tf:"identity_group_ids,omitempty"` + // Set of MFA method UUIDs. // Set of MFA method UUIDs. // +kubebuilder:validation:Optional MfaMethodIds []*string `json:"mfaMethodIds,omitempty" tf:"mfa_method_ids,omitempty"` + // Login enforcement name. // Login enforcement name. 
// +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // Target namespace. (requires Enterprise) // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` @@ -83,6 +131,18 @@ type MfaLoginEnforcementParameters struct { type MfaLoginEnforcementSpec struct { v1.ResourceSpec `json:",inline"` ForProvider MfaLoginEnforcementParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider MfaLoginEnforcementInitParameters `json:"initProvider,omitempty"` } // MfaLoginEnforcementStatus defines the observed state of MfaLoginEnforcement. 
@@ -93,7 +153,7 @@ type MfaLoginEnforcementStatus struct { // +kubebuilder:object:root=true -// MfaLoginEnforcement is the Schema for the MfaLoginEnforcements API. +// MfaLoginEnforcement is the Schema for the MfaLoginEnforcements API. Resource for configuring MFA login-enforcement // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" @@ -103,8 +163,8 @@ type MfaLoginEnforcementStatus struct { type MfaLoginEnforcement struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.mfaMethodIds)",message="mfaMethodIds is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.mfaMethodIds) || has(self.initProvider.mfaMethodIds)",message="mfaMethodIds is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" Spec MfaLoginEnforcementSpec `json:"spec"` Status MfaLoginEnforcementStatus `json:"status,omitempty"` } diff --git a/apis/identity/v1alpha1/zz_mfaokta_types.go b/apis/identity/v1alpha1/zz_mfaokta_types.go index efd3119d..227205e6 100755 --- a/apis/identity/v1alpha1/zz_mfaokta_types.go 
+++ b/apis/identity/v1alpha1/zz_mfaokta_types.go 
@@ -13,69 +13,109 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type MfaOktaInitParameters struct { + + // The base domain to use for API requests. + // The base domain to use for API requests. + BaseURL *string `json:"baseUrl,omitempty" tf:"base_url,omitempty"` + + // Target namespace. (requires Enterprise) + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Name of the organization to be used in the Okta API. + // Name of the organization to be used in the Okta API. + OrgName *string `json:"orgName,omitempty" tf:"org_name,omitempty"` + + // Only match the primary email for the account. + // Only match the primary email for the account. + PrimaryEmail *bool `json:"primaryEmail,omitempty" tf:"primary_email,omitempty"` + + // A template string for mapping Identity names to MFA methods. + // A template string for mapping Identity names to MFA methods. + UsernameFormat *string `json:"usernameFormat,omitempty" tf:"username_format,omitempty"` +} + type MfaOktaObservation struct { + // The base domain to use for API requests. // The base domain to use for API requests. BaseURL *string `json:"baseUrl,omitempty" tf:"base_url,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // Method ID. // Method ID. MethodID *string `json:"methodId,omitempty" tf:"method_id,omitempty"` + // Mount accessor. // Mount accessor. MountAccessor *string `json:"mountAccessor,omitempty" tf:"mount_accessor,omitempty"` // Method name. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // Target namespace. (requires Enterprise) // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Method's namespace ID. // Method's namespace ID. NamespaceID *string `json:"namespaceId,omitempty" tf:"namespace_id,omitempty"` + // Method's namespace path. // Method's namespace path. 
NamespacePath *string `json:"namespacePath,omitempty" tf:"namespace_path,omitempty"` + // Name of the organization to be used in the Okta API. // Name of the organization to be used in the Okta API. OrgName *string `json:"orgName,omitempty" tf:"org_name,omitempty"` + // Only match the primary email for the account. // Only match the primary email for the account. PrimaryEmail *bool `json:"primaryEmail,omitempty" tf:"primary_email,omitempty"` + // MFA type. // MFA type. Type *string `json:"type,omitempty" tf:"type,omitempty"` + // Resource UUID. // Resource UUID. UUID *string `json:"uuid,omitempty" tf:"uuid,omitempty"` + // A template string for mapping Identity names to MFA methods. // A template string for mapping Identity names to MFA methods. UsernameFormat *string `json:"usernameFormat,omitempty" tf:"username_format,omitempty"` } type MfaOktaParameters struct { + // Okta API token. // Okta API token. // +kubebuilder:validation:Optional APITokenSecretRef v1.SecretKeySelector `json:"apiTokenSecretRef" tf:"-"` + // The base domain to use for API requests. // The base domain to use for API requests. // +kubebuilder:validation:Optional BaseURL *string `json:"baseUrl,omitempty" tf:"base_url,omitempty"` + // Target namespace. (requires Enterprise) // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Name of the organization to be used in the Okta API. // Name of the organization to be used in the Okta API. // +kubebuilder:validation:Optional OrgName *string `json:"orgName,omitempty" tf:"org_name,omitempty"` + // Only match the primary email for the account. // Only match the primary email for the account. // +kubebuilder:validation:Optional PrimaryEmail *bool `json:"primaryEmail,omitempty" tf:"primary_email,omitempty"` + // A template string for mapping Identity names to MFA methods. // A template string for mapping Identity names to MFA methods. 
// +kubebuilder:validation:Optional UsernameFormat *string `json:"usernameFormat,omitempty" tf:"username_format,omitempty"` @@ -85,6 +125,18 @@ type MfaOktaParameters struct { type MfaOktaSpec struct { v1.ResourceSpec `json:",inline"` ForProvider MfaOktaParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider MfaOktaInitParameters `json:"initProvider,omitempty"` } // MfaOktaStatus defines the observed state of MfaOkta. @@ -95,7 +147,7 @@ type MfaOktaStatus struct { // +kubebuilder:object:root=true -// MfaOkta is the Schema for the MfaOktas API. +// MfaOkta is the Schema for the MfaOktas API. Resource for configuring the okta MFA method. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -105,8 +157,8 @@ type MfaOktaStatus struct { type MfaOkta struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.apiTokenSecretRef)",message="apiTokenSecretRef is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.orgName)",message="orgName is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.apiTokenSecretRef)",message="apiTokenSecretRef is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.orgName) || has(self.initProvider.orgName)",message="orgName is a required parameter" Spec MfaOktaSpec `json:"spec"` Status MfaOktaStatus `json:"status,omitempty"` } diff --git a/apis/identity/v1alpha1/zz_mfapingid_types.go b/apis/identity/v1alpha1/zz_mfapingid_types.go index 9ef0361c..6c002c32 100755 --- a/apis/identity/v1alpha1/zz_mfapingid_types.go +++ b/apis/identity/v1alpha1/zz_mfapingid_types.go 
@@ -13,6 +13,18 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type MfaPingidInitParameters struct { + + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // A base64-encoded third-party settings contents as retrieved from PingID's configuration page. + SettingsFileBase64 *string `json:"settingsFileBase64,omitempty" tf:"settings_file_base64,omitempty"` + + // A template string for mapping Identity names to MFA methods. + UsernameFormat *string `json:"usernameFormat,omitempty" tf:"username_format,omitempty"` +} + type MfaPingidObservation struct { // The admin URL, derived from "settings_file_base64" @@ -82,6 +94,18 @@ type MfaPingidParameters struct { type MfaPingidSpec struct { v1.ResourceSpec `json:",inline"` ForProvider MfaPingidParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider MfaPingidInitParameters `json:"initProvider,omitempty"` } // MfaPingidStatus defines the observed state of MfaPingid. 
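Review bot: `SettingsFileBase64` is exposed as a plain `*string` in the new `MfaPingidInitParameters`, and the spec rule below references `self.forProvider.settingsFileBase64` directly, so the PingID settings blob appears to live in clear text in the CR spec (hence in etcd, API audit logs and any GitOps repo), whereas the equivalent credentials for Duo and Okta in this same change are `v1.SecretKeySelector` references (`integrationKeySecretRef`, `secretKeySecretRef`, `apiTokenSecretRef`). The PingID settings file is understood to carry the organisation's signing key alongside the URLs, and base64 is an encoding, not protection, so it should be handled as a credential: mark the field sensitive in the upjet resource configuration so it is generated as `settingsFileBase64SecretRef` on `ForProvider` and dropped from `InitParameters`, matching the other MFA secrets. If the upstream Terraform schema does not flag it sensitive, that is where the gap originates and merits an upstream fix as well. This is a generated file, so editing it by hand will be overwritten.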
@@ -102,7 +126,7 @@ type MfaPingidStatus struct { type MfaPingid struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.settingsFileBase64)",message="settingsFileBase64 is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.settingsFileBase64) || has(self.initProvider.settingsFileBase64)",message="settingsFileBase64 is a required parameter" Spec MfaPingidSpec `json:"spec"` Status MfaPingidStatus `json:"status,omitempty"` } diff --git a/apis/identity/v1alpha1/zz_mfatotp_types.go b/apis/identity/v1alpha1/zz_mfatotp_types.go index 8a39238b..07669935 100755 --- a/apis/identity/v1alpha1/zz_mfatotp_types.go +++ b/apis/identity/v1alpha1/zz_mfatotp_types.go 
@@ -13,93 +13,156 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type MfaTotpInitParameters struct { + + // Specifies the hashing algorithm used to generate the TOTP code. Options include SHA1, SHA256, SHA512. + // Specifies the hashing algorithm used to generate the TOTP code. Options include SHA1, SHA256, SHA512. + Algorithm *string `json:"algorithm,omitempty" tf:"algorithm,omitempty"` + + // The number of digits in the generated TOTP token. This value can either be 6 or 8 + // The number of digits in the generated TOTP token. This value can either be 6 or 8 + Digits *float64 `json:"digits,omitempty" tf:"digits,omitempty"` + + // The name of the key's issuing organization. + // The name of the key's issuing organization. + Issuer *string `json:"issuer,omitempty" tf:"issuer,omitempty"` + + // Specifies the size in bytes of the generated key. + // Specifies the size in bytes of the generated key. + KeySize *float64 `json:"keySize,omitempty" tf:"key_size,omitempty"` + + // The maximum number of consecutive failed validation attempts allowed. + // The maximum number of consecutive failed validation attempts allowed. + MaxValidationAttempts *float64 `json:"maxValidationAttempts,omitempty" tf:"max_validation_attempts,omitempty"` + + // Target namespace. (requires Enterprise) + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The length of time in seconds used to generate a counter for the TOTP token calculation. + // The length of time in seconds used to generate a counter for the TOTP token calculation. + Period *float64 `json:"period,omitempty" tf:"period,omitempty"` + + // The pixel size of the generated square QR code. + // The pixel size of the generated square QR code. + QrSize *float64 `json:"qrSize,omitempty" tf:"qr_size,omitempty"` + + // The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. 
+ // The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. + Skew *float64 `json:"skew,omitempty" tf:"skew,omitempty"` +} + type MfaTotpObservation struct { + // Specifies the hashing algorithm used to generate the TOTP code. Options include SHA1, SHA256, SHA512. // Specifies the hashing algorithm used to generate the TOTP code. Options include SHA1, SHA256, SHA512. Algorithm *string `json:"algorithm,omitempty" tf:"algorithm,omitempty"` + // The number of digits in the generated TOTP token. This value can either be 6 or 8 // The number of digits in the generated TOTP token. This value can either be 6 or 8 Digits *float64 `json:"digits,omitempty" tf:"digits,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The name of the key's issuing organization. // The name of the key's issuing organization. Issuer *string `json:"issuer,omitempty" tf:"issuer,omitempty"` + // Specifies the size in bytes of the generated key. // Specifies the size in bytes of the generated key. KeySize *float64 `json:"keySize,omitempty" tf:"key_size,omitempty"` + // The maximum number of consecutive failed validation attempts allowed. // The maximum number of consecutive failed validation attempts allowed. MaxValidationAttempts *float64 `json:"maxValidationAttempts,omitempty" tf:"max_validation_attempts,omitempty"` + // Method ID. // Method ID. MethodID *string `json:"methodId,omitempty" tf:"method_id,omitempty"` + // Mount accessor. // Mount accessor. MountAccessor *string `json:"mountAccessor,omitempty" tf:"mount_accessor,omitempty"` // Method name. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // Target namespace. (requires Enterprise) // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Method's namespace ID. // Method's namespace ID. NamespaceID *string `json:"namespaceId,omitempty" tf:"namespace_id,omitempty"` + // Method's namespace path. 
// Method's namespace path. NamespacePath *string `json:"namespacePath,omitempty" tf:"namespace_path,omitempty"` + // The length of time in seconds used to generate a counter for the TOTP token calculation. // The length of time in seconds used to generate a counter for the TOTP token calculation. Period *float64 `json:"period,omitempty" tf:"period,omitempty"` + // The pixel size of the generated square QR code. // The pixel size of the generated square QR code. QrSize *float64 `json:"qrSize,omitempty" tf:"qr_size,omitempty"` + // The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. // The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. Skew *float64 `json:"skew,omitempty" tf:"skew,omitempty"` + // MFA type. // MFA type. Type *string `json:"type,omitempty" tf:"type,omitempty"` + // Resource UUID. // Resource UUID. UUID *string `json:"uuid,omitempty" tf:"uuid,omitempty"` } type MfaTotpParameters struct { + // Specifies the hashing algorithm used to generate the TOTP code. Options include SHA1, SHA256, SHA512. // Specifies the hashing algorithm used to generate the TOTP code. Options include SHA1, SHA256, SHA512. // +kubebuilder:validation:Optional Algorithm *string `json:"algorithm,omitempty" tf:"algorithm,omitempty"` + // The number of digits in the generated TOTP token. This value can either be 6 or 8 // The number of digits in the generated TOTP token. This value can either be 6 or 8 // +kubebuilder:validation:Optional Digits *float64 `json:"digits,omitempty" tf:"digits,omitempty"` + // The name of the key's issuing organization. // The name of the key's issuing organization. // +kubebuilder:validation:Optional Issuer *string `json:"issuer,omitempty" tf:"issuer,omitempty"` + // Specifies the size in bytes of the generated key. // Specifies the size in bytes of the generated key. 
// +kubebuilder:validation:Optional KeySize *float64 `json:"keySize,omitempty" tf:"key_size,omitempty"` + // The maximum number of consecutive failed validation attempts allowed. // The maximum number of consecutive failed validation attempts allowed. // +kubebuilder:validation:Optional MaxValidationAttempts *float64 `json:"maxValidationAttempts,omitempty" tf:"max_validation_attempts,omitempty"` + // Target namespace. (requires Enterprise) // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The length of time in seconds used to generate a counter for the TOTP token calculation. // The length of time in seconds used to generate a counter for the TOTP token calculation. // +kubebuilder:validation:Optional Period *float64 `json:"period,omitempty" tf:"period,omitempty"` + // The pixel size of the generated square QR code. // The pixel size of the generated square QR code. // +kubebuilder:validation:Optional QrSize *float64 `json:"qrSize,omitempty" tf:"qr_size,omitempty"` + // The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. // The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. // +kubebuilder:validation:Optional Skew *float64 `json:"skew,omitempty" tf:"skew,omitempty"` 
@@ -109,6 +172,18 @@ type MfaTotpParameters struct { type MfaTotpSpec struct { v1.ResourceSpec `json:",inline"` ForProvider MfaTotpParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider MfaTotpInitParameters `json:"initProvider,omitempty"` } // MfaTotpStatus defines the observed state of MfaTotp. @@ -119,7 +194,7 @@ type MfaTotpStatus struct { // +kubebuilder:object:root=true -// MfaTotp is the Schema for the MfaTotps API. +// MfaTotp is the Schema for the MfaTotps API. Resource for configuring the totp MFA method. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -129,7 +204,7 @@ type MfaTotpStatus struct {
 type MfaTotp struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
- // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.issuer)",message="issuer is a required parameter"
+ // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.issuer) || has(self.initProvider.issuer)",message="issuer is a required parameter"
 Spec MfaTotpSpec `json:"spec"`
 Status MfaTotpStatus `json:"status,omitempty"`
 }
diff --git a/apis/identity/v1alpha1/zz_oidc_types.go b/apis/identity/v1alpha1/zz_oidc_types.go
index 0990de86..3eb759e4 100755
--- a/apis/identity/v1alpha1/zz_oidc_types.go
+++ b/apis/identity/v1alpha1/zz_oidc_types.go
@@ -13,22 +13,55 @@ import (
 v1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 )
+type OidcInitParameters struct {
+
+ // Issuer URL to be used in the iss claim of the token. If not set, Vault's
+ // api_addr will be used. The issuer is a case sensitive URL using the https scheme that contains
+ // scheme, host, and optionally, port number and path components, but no query or fragment
+ // components.
+ // Issuer URL to be used in the iss claim of the token. If not set, Vault's api_addr will be used. The issuer is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components, but no query or fragment components.
+ Issuer *string `json:"issuer,omitempty" tf:"issuer,omitempty"`
+
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
+ // Target namespace. (requires Enterprise)
+ Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+}
+
 type OidcObservation struct {
 ID *string `json:"id,omitempty" tf:"id,omitempty"`
+ // Issuer URL to be used in the iss claim of the token. If not set, Vault's
+ // api_addr will be used. The issuer is a case sensitive URL using the https scheme that contains
+ // scheme, host, and optionally, port number and path components, but no query or fragment
+ // components.
 // Issuer URL to be used in the iss claim of the token. If not set, Vault's api_addr will be used. The issuer is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components, but no query or fragment components.
 Issuer *string `json:"issuer,omitempty" tf:"issuer,omitempty"`
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
 // Target namespace. (requires Enterprise)
 Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
 }
 type OidcParameters struct {
+ // Issuer URL to be used in the iss claim of the token. If not set, Vault's
+ // api_addr will be used. The issuer is a case sensitive URL using the https scheme that contains
+ // scheme, host, and optionally, port number and path components, but no query or fragment
+ // components.
 // Issuer URL to be used in the iss claim of the token. If not set, Vault's api_addr will be used. The issuer is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components, but no query or fragment components.
 // +kubebuilder:validation:Optional
 Issuer *string `json:"issuer,omitempty" tf:"issuer,omitempty"`
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
 // Target namespace. (requires Enterprise)
 // +kubebuilder:validation:Optional
 Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
@@ -38,6 +71,18 @@ type OidcParameters struct {
 type OidcSpec struct {
 v1.ResourceSpec `json:",inline"`
 ForProvider OidcParameters `json:"forProvider"`
+ // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored
+ // unless the relevant Crossplane feature flag is enabled, and may be
+ // changed or removed without notice.
+ // InitProvider holds the same fields as ForProvider, with the exception
+ // of Identifier and other resource reference fields. The fields that are
+ // in InitProvider are merged into ForProvider when the resource is created.
+ // The same fields are also added to the terraform ignore_changes hook, to
+ // avoid updating them after creation. This is useful for fields that are
+ // required on creation, but we do not desire to update them after creation,
+ // for example because of an external controller is managing them, like an
+ // autoscaler.
+ InitProvider OidcInitParameters `json:"initProvider,omitempty"`
 }
 // OidcStatus defines the observed state of Oidc.
@@ -48,7 +93,7 @@ type OidcStatus struct {
 // +kubebuilder:object:root=true
-// Oidc is the Schema for the Oidcs API.
+// Oidc is the Schema for the Oidcs API. Configure the Identity Tokens Backend for Vault
 // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status"
 // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status"
 // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name"
diff --git a/apis/identity/v1alpha1/zz_oidcassignment_types.go b/apis/identity/v1alpha1/zz_oidcassignment_types.go
index 3bb26e2e..8b8c37b0 100755
--- a/apis/identity/v1alpha1/zz_oidcassignment_types.go
+++ b/apis/identity/v1alpha1/zz_oidcassignment_types.go
@@ -13,37 +13,73 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type OidcAssignmentInitParameters struct { + + // A set of Vault entity IDs. + // A list of Vault entity IDs. + EntityIds []*string `json:"entityIds,omitempty" tf:"entity_ids,omitempty"` + + // A set of Vault group IDs. + // A list of Vault group IDs. + GroupIds []*string `json:"groupIds,omitempty" tf:"group_ids,omitempty"` + + // The name of the assignment. + // The name of the assignment. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` +} + type OidcAssignmentObservation struct { + // A set of Vault entity IDs. // A list of Vault entity IDs. EntityIds []*string `json:"entityIds,omitempty" tf:"entity_ids,omitempty"` + // A set of Vault group IDs. // A list of Vault group IDs. GroupIds []*string `json:"groupIds,omitempty" tf:"group_ids,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The name of the assignment. // The name of the assignment. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` } type OidcAssignmentParameters struct { + // A set of Vault entity IDs. // A list of Vault entity IDs. // +kubebuilder:validation:Optional EntityIds []*string `json:"entityIds,omitempty" tf:"entity_ids,omitempty"` + // A set of Vault group IDs. 
// A list of Vault group IDs. // +kubebuilder:validation:Optional GroupIds []*string `json:"groupIds,omitempty" tf:"group_ids,omitempty"` + // The name of the assignment. // The name of the assignment. // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` @@ -53,6 +89,18 @@ type OidcAssignmentParameters struct { type OidcAssignmentSpec struct { v1.ResourceSpec `json:",inline"` ForProvider OidcAssignmentParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider OidcAssignmentInitParameters `json:"initProvider,omitempty"` } // OidcAssignmentStatus defines the observed state of OidcAssignment. 
@@ -63,7 +111,7 @@ type OidcAssignmentStatus struct {
 // +kubebuilder:object:root=true
-// OidcAssignment is the Schema for the OidcAssignments API.
+// OidcAssignment is the Schema for the OidcAssignments API. Provision OIDC Assignments in Vault.
 // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status"
 // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status"
 // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name"
@@ -73,7 +121,7 @@ type OidcAssignmentStatus struct {
 type OidcAssignment struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
- // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+ // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter"
 Spec OidcAssignmentSpec `json:"spec"`
 Status OidcAssignmentStatus `json:"status,omitempty"`
 }
diff --git a/apis/identity/v1alpha1/zz_oidcclient_types.go b/apis/identity/v1alpha1/zz_oidcclient_types.go
index d9e6aa61..f98a314c 100755
--- a/apis/identity/v1alpha1/zz_oidcclient_types.go
+++ b/apis/identity/v1alpha1/zz_oidcclient_types.go
@@ -13,68 +13,146 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type OidcClientInitParameters struct { + + // The time-to-live for access tokens obtained by the client. + // The time-to-live for access tokens obtained by the client. + AccessTokenTTL *float64 `json:"accessTokenTtl,omitempty" tf:"access_token_ttl,omitempty"` + + // A list of assignment resources associated with the client. + // A list of assignment resources associated with the client. + Assignments []*string `json:"assignments,omitempty" tf:"assignments,omitempty"` + + // The client type based on its ability to maintain confidentiality of credentials. + // The following client types are supported: confidential, public. Defaults to confidential. + // The client type based on its ability to maintain confidentiality of credentials.Defaults to 'confidential'. + ClientType *string `json:"clientType,omitempty" tf:"client_type,omitempty"` + + // The time-to-live for ID tokens obtained by the client. + // The value should be less than the verification_ttl on the key. + // The time-to-live for ID tokens obtained by the client. The value should be less than the verification_ttl on the key. + IDTokenTTL *float64 `json:"idTokenTtl,omitempty" tf:"id_token_ttl,omitempty"` + + // A reference to a named key resource in Vault. + // This cannot be modified after creation. If not provided, the default + // key is used. + // A reference to a named key resource in Vault. This cannot be modified after creation. + Key *string `json:"key,omitempty" tf:"key,omitempty"` + + // The name of the client. + // The name of the client. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. 
(requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Redirection URI values used by the client. + // One of these values must exactly match the redirect_uri parameter value + // used in each authentication request. + // Redirection URI values used by the client. One of these values must exactly match the redirect_uri parameter value used in each authentication request. + RedirectUris []*string `json:"redirectUris,omitempty" tf:"redirect_uris,omitempty"` +} + type OidcClientObservation struct { + // The time-to-live for access tokens obtained by the client. // The time-to-live for access tokens obtained by the client. AccessTokenTTL *float64 `json:"accessTokenTtl,omitempty" tf:"access_token_ttl,omitempty"` + // A list of assignment resources associated with the client. // A list of assignment resources associated with the client. Assignments []*string `json:"assignments,omitempty" tf:"assignments,omitempty"` // The Client ID from Vault. ClientID *string `json:"clientId,omitempty" tf:"client_id,omitempty"` + // The client type based on its ability to maintain confidentiality of credentials. + // The following client types are supported: confidential, public. Defaults to confidential. // The client type based on its ability to maintain confidentiality of credentials.Defaults to 'confidential'. ClientType *string `json:"clientType,omitempty" tf:"client_type,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The time-to-live for ID tokens obtained by the client. + // The value should be less than the verification_ttl on the key. // The time-to-live for ID tokens obtained by the client. The value should be less than the verification_ttl on the key. IDTokenTTL *float64 `json:"idTokenTtl,omitempty" tf:"id_token_ttl,omitempty"` + // A reference to a named key resource in Vault. + // This cannot be modified after creation. If not provided, the default + // key is used. 
// A reference to a named key resource in Vault. This cannot be modified after creation. Key *string `json:"key,omitempty" tf:"key,omitempty"` + // The name of the client. // The name of the client. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Redirection URI values used by the client. + // One of these values must exactly match the redirect_uri parameter value + // used in each authentication request. // Redirection URI values used by the client. One of these values must exactly match the redirect_uri parameter value used in each authentication request. RedirectUris []*string `json:"redirectUris,omitempty" tf:"redirect_uris,omitempty"` } type OidcClientParameters struct { + // The time-to-live for access tokens obtained by the client. // The time-to-live for access tokens obtained by the client. // +kubebuilder:validation:Optional AccessTokenTTL *float64 `json:"accessTokenTtl,omitempty" tf:"access_token_ttl,omitempty"` + // A list of assignment resources associated with the client. // A list of assignment resources associated with the client. // +kubebuilder:validation:Optional Assignments []*string `json:"assignments,omitempty" tf:"assignments,omitempty"` + // The client type based on its ability to maintain confidentiality of credentials. + // The following client types are supported: confidential, public. Defaults to confidential. // The client type based on its ability to maintain confidentiality of credentials.Defaults to 'confidential'. 
// +kubebuilder:validation:Optional ClientType *string `json:"clientType,omitempty" tf:"client_type,omitempty"` + // The time-to-live for ID tokens obtained by the client. + // The value should be less than the verification_ttl on the key. // The time-to-live for ID tokens obtained by the client. The value should be less than the verification_ttl on the key. // +kubebuilder:validation:Optional IDTokenTTL *float64 `json:"idTokenTtl,omitempty" tf:"id_token_ttl,omitempty"` + // A reference to a named key resource in Vault. + // This cannot be modified after creation. If not provided, the default + // key is used. // A reference to a named key resource in Vault. This cannot be modified after creation. // +kubebuilder:validation:Optional Key *string `json:"key,omitempty" tf:"key,omitempty"` + // The name of the client. // The name of the client. // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Redirection URI values used by the client. + // One of these values must exactly match the redirect_uri parameter value + // used in each authentication request. // Redirection URI values used by the client. One of these values must exactly match the redirect_uri parameter value used in each authentication request. // +kubebuilder:validation:Optional RedirectUris []*string `json:"redirectUris,omitempty" tf:"redirect_uris,omitempty"` 
@@ -84,6 +162,18 @@ type OidcClientParameters struct {
 type OidcClientSpec struct {
 v1.ResourceSpec `json:",inline"`
 ForProvider OidcClientParameters `json:"forProvider"`
+ // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored
+ // unless the relevant Crossplane feature flag is enabled, and may be
+ // changed or removed without notice.
+ // InitProvider holds the same fields as ForProvider, with the exception
+ // of Identifier and other resource reference fields. The fields that are
+ // in InitProvider are merged into ForProvider when the resource is created.
+ // The same fields are also added to the terraform ignore_changes hook, to
+ // avoid updating them after creation. This is useful for fields that are
+ // required on creation, but we do not desire to update them after creation,
+ // for example because of an external controller is managing them, like an
+ // autoscaler.
+ InitProvider OidcClientInitParameters `json:"initProvider,omitempty"`
 }
 // OidcClientStatus defines the observed state of OidcClient.
@@ -94,7 +184,7 @@ type OidcClientStatus struct {
 // +kubebuilder:object:root=true
-// OidcClient is the Schema for the OidcClients API.
+// OidcClient is the Schema for the OidcClients API. Provision OIDC Clients in Vault.
 // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status"
 // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status"
 // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name"
@@ -104,7 +194,7 @@ type OidcClientStatus struct {
 type OidcClient struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
- // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+ // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter"
 Spec OidcClientSpec `json:"spec"`
 Status OidcClientStatus `json:"status,omitempty"`
 }
diff --git a/apis/identity/v1alpha1/zz_oidckey_types.go b/apis/identity/v1alpha1/zz_oidckey_types.go
index 9ca00642..03c0ddb9 100755
--- a/apis/identity/v1alpha1/zz_oidckey_types.go
+++ b/apis/identity/v1alpha1/zz_oidckey_types.go
@@ -13,51 +13,109 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type OidcKeyInitParameters struct { + + // Signing algorithm to use. Signing algorithm to use. + // Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA. + // Signing algorithm to use. Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA. + Algorithm *string `json:"algorithm,omitempty" tf:"algorithm,omitempty"` + + // : Array of role client ID allowed to use this key for signing. If + // empty, no roles are allowed. If ["*"], all roles are allowed. + // Array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If "*", all roles are allowed. + AllowedClientIds []*string `json:"allowedClientIds,omitempty" tf:"allowed_client_ids,omitempty"` + + // Name of the OIDC Key to create. + // Name of the key. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // How often to generate a new signing key in number of seconds + // How often to generate a new signing key in number of seconds + RotationPeriod *float64 `json:"rotationPeriod,omitempty" tf:"rotation_period,omitempty"` + + // "Controls how long the public portion of a signing key will be + // available for verification after being rotated in seconds. + // Controls how long the public portion of a signing key will be available for verification after being rotated in seconds. + VerificationTTL *float64 `json:"verificationTtl,omitempty" tf:"verification_ttl,omitempty"` +} + type OidcKeyObservation struct { + // Signing algorithm to use. 
Signing algorithm to use. + // Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA. // Signing algorithm to use. Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA. Algorithm *string `json:"algorithm,omitempty" tf:"algorithm,omitempty"` + // : Array of role client ID allowed to use this key for signing. If + // empty, no roles are allowed. If ["*"], all roles are allowed. // Array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If "*", all roles are allowed. AllowedClientIds []*string `json:"allowedClientIds,omitempty" tf:"allowed_client_ids,omitempty"` + // The name of the created key. ID *string `json:"id,omitempty" tf:"id,omitempty"` + // Name of the OIDC Key to create. // Name of the key. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // How often to generate a new signing key in number of seconds // How often to generate a new signing key in number of seconds RotationPeriod *float64 `json:"rotationPeriod,omitempty" tf:"rotation_period,omitempty"` + // "Controls how long the public portion of a signing key will be + // available for verification after being rotated in seconds. // Controls how long the public portion of a signing key will be available for verification after being rotated in seconds. VerificationTTL *float64 `json:"verificationTtl,omitempty" tf:"verification_ttl,omitempty"` } type OidcKeyParameters struct { + // Signing algorithm to use. Signing algorithm to use. + // Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA. 
// Signing algorithm to use. Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA. // +kubebuilder:validation:Optional Algorithm *string `json:"algorithm,omitempty" tf:"algorithm,omitempty"` + // : Array of role client ID allowed to use this key for signing. If + // empty, no roles are allowed. If ["*"], all roles are allowed. // Array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If "*", all roles are allowed. // +kubebuilder:validation:Optional AllowedClientIds []*string `json:"allowedClientIds,omitempty" tf:"allowed_client_ids,omitempty"` + // Name of the OIDC Key to create. // Name of the key. // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // How often to generate a new signing key in number of seconds // How often to generate a new signing key in number of seconds // +kubebuilder:validation:Optional RotationPeriod *float64 `json:"rotationPeriod,omitempty" tf:"rotation_period,omitempty"` + // "Controls how long the public portion of a signing key will be + // available for verification after being rotated in seconds. // Controls how long the public portion of a signing key will be available for verification after being rotated in seconds. // +kubebuilder:validation:Optional VerificationTTL *float64 `json:"verificationTtl,omitempty" tf:"verification_ttl,omitempty"` 
@@ -67,6 +125,18 @@ type OidcKeyParameters struct {
 type OidcKeySpec struct {
 v1.ResourceSpec `json:",inline"`
 ForProvider OidcKeyParameters `json:"forProvider"`
+ // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored
+ // unless the relevant Crossplane feature flag is enabled, and may be
+ // changed or removed without notice.
+ // InitProvider holds the same fields as ForProvider, with the exception
+ // of Identifier and other resource reference fields. The fields that are
+ // in InitProvider are merged into ForProvider when the resource is created.
+ // The same fields are also added to the terraform ignore_changes hook, to
+ // avoid updating them after creation. This is useful for fields that are
+ // required on creation, but we do not desire to update them after creation,
+ // for example because of an external controller is managing them, like an
+ // autoscaler.
+ InitProvider OidcKeyInitParameters `json:"initProvider,omitempty"`
 }
 // OidcKeyStatus defines the observed state of OidcKey.
@@ -77,7 +147,7 @@ type OidcKeyStatus struct {
 // +kubebuilder:object:root=true
-// OidcKey is the Schema for the OidcKeys API.
+// OidcKey is the Schema for the OidcKeys API. Creates an Identity OIDC Named Key for Vault
 // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status"
 // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status"
 // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name"
@@ -87,7 +157,7 @@ type OidcKeyStatus struct {
 type OidcKey struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
- // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+ // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter"
 Spec OidcKeySpec `json:"spec"`
 Status OidcKeyStatus `json:"status,omitempty"`
 }
diff --git a/apis/identity/v1alpha1/zz_oidckeyallowedclientid_types.go b/apis/identity/v1alpha1/zz_oidckeyallowedclientid_types.go
index 3e29060d..bdf27e14 100755
--- a/apis/identity/v1alpha1/zz_oidckeyallowedclientid_types.go
+++ b/apis/identity/v1alpha1/zz_oidckeyallowedclientid_types.go
@@ -13,30 +13,60 @@ import (
 v1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 )
+type OidcKeyAllowedClientIDInitParameters struct {
+
+ // Client ID to allow usage with the OIDC named key
+ // Role Client ID allowed to use the key for signing.
+ AllowedClientID *string `json:"allowedClientId,omitempty" tf:"allowed_client_id,omitempty"`
+
+ // Name of the OIDC Key allow the Client ID.
+ // Name of the key.
+ KeyName *string `json:"keyName,omitempty" tf:"key_name,omitempty"`
+
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
+ // Target namespace. (requires Enterprise)
+ Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+}
+
 type OidcKeyAllowedClientIDObservation struct {
+ // Client ID to allow usage with the OIDC named key
 // Role Client ID allowed to use the key for signing.
 AllowedClientID *string `json:"allowedClientId,omitempty" tf:"allowed_client_id,omitempty"`
 ID *string `json:"id,omitempty" tf:"id,omitempty"`
+ // Name of the OIDC Key allow the Client ID.
 // Name of the key.
 KeyName *string `json:"keyName,omitempty" tf:"key_name,omitempty"`
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
 // Target namespace. (requires Enterprise)
 Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
 }
 type OidcKeyAllowedClientIDParameters struct {
+ // Client ID to allow usage with the OIDC named key
 // Role Client ID allowed to use the key for signing.
 // +kubebuilder:validation:Optional
 AllowedClientID *string `json:"allowedClientId,omitempty" tf:"allowed_client_id,omitempty"`
+ // Name of the OIDC Key allow the Client ID.
 // Name of the key.
 // +kubebuilder:validation:Optional
 KeyName *string `json:"keyName,omitempty" tf:"key_name,omitempty"`
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
 // Target namespace. (requires Enterprise)
 // +kubebuilder:validation:Optional
 Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
@@ -46,6 +76,18 @@ type OidcKeyAllowedClientIDParameters struct {
 type OidcKeyAllowedClientIDSpec struct {
 v1.ResourceSpec `json:",inline"`
 ForProvider OidcKeyAllowedClientIDParameters `json:"forProvider"`
+ // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored
+ // unless the relevant Crossplane feature flag is enabled, and may be
+ // changed or removed without notice.
+ // InitProvider holds the same fields as ForProvider, with the exception
+ // of Identifier and other resource reference fields. The fields that are
+ // in InitProvider are merged into ForProvider when the resource is created.
+ // The same fields are also added to the terraform ignore_changes hook, to
+ // avoid updating them after creation. This is useful for fields that are
+ // required on creation, but we do not desire to update them after creation,
+ // for example because of an external controller is managing them, like an
+ // autoscaler.
+ InitProvider OidcKeyAllowedClientIDInitParameters `json:"initProvider,omitempty"`
 }
 // OidcKeyAllowedClientIDStatus defines the observed state of OidcKeyAllowedClientID.
@@ -56,7 +98,7 @@ type OidcKeyAllowedClientIDStatus struct { // +kubebuilder:object:root=true -// OidcKeyAllowedClientID is the Schema for the OidcKeyAllowedClientIDs API. +// OidcKeyAllowedClientID is the Schema for the OidcKeyAllowedClientIDs API. Allows an Identity OIDC Role to use an OIDC Named key. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" @@ -66,8 +108,8 @@ type OidcKeyAllowedClientIDStatus struct { type OidcKeyAllowedClientID struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.allowedClientId)",message="allowedClientId is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.keyName)",message="keyName is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.allowedClientId) || has(self.initProvider.allowedClientId)",message="allowedClientId is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.keyName) || has(self.initProvider.keyName)",message="keyName is a required parameter" Spec OidcKeyAllowedClientIDSpec `json:"spec"` Status OidcKeyAllowedClientIDStatus `json:"status,omitempty"` } diff --git a/apis/identity/v1alpha1/zz_oidcprovider_types.go b/apis/identity/v1alpha1/zz_oidcprovider_types.go index 308882c2..394da667 100755 
--- a/apis/identity/v1alpha1/zz_oidcprovider_types.go +++ b/apis/identity/v1alpha1/zz_oidcprovider_types.go 
@@ -13,54 +13,108 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type OidcProviderInitParameters struct { + + // The client IDs that are permitted to use the provider. + // If empty, no clients are allowed. If *, all clients are allowed. + // The client IDs that are permitted to use the provider. If empty, no clients are allowed. If "*", all clients are allowed. + AllowedClientIds []*string `json:"allowedClientIds,omitempty" tf:"allowed_client_ids,omitempty"` + + // Set to true if the issuer endpoint uses HTTPS. + // Set to true if the issuer endpoint uses HTTPS. + HTTPSEnabled *bool `json:"httpsEnabled,omitempty" tf:"https_enabled,omitempty"` + + // The host for the issuer. Can be either host or host:port. + // The host for the issuer. Can be either host or host:port. + IssuerHost *string `json:"issuerHost,omitempty" tf:"issuer_host,omitempty"` + + // The name of the provider. + // The name of the provider. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The scopes available for requesting on the provider. + // The scopes available for requesting on the provider. + ScopesSupported []*string `json:"scopesSupported,omitempty" tf:"scopes_supported,omitempty"` +} + type OidcProviderObservation struct { + // The client IDs that are permitted to use the provider. + // If empty, no clients are allowed. If *, all clients are allowed. // The client IDs that are permitted to use the provider. If empty, no clients are allowed. If "*", all clients are allowed. 
AllowedClientIds []*string `json:"allowedClientIds,omitempty" tf:"allowed_client_ids,omitempty"` + // Set to true if the issuer endpoint uses HTTPS. // Set to true if the issuer endpoint uses HTTPS. HTTPSEnabled *bool `json:"httpsEnabled,omitempty" tf:"https_enabled,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // Specifies what will be used as the scheme://host:port + // component for the iss claim of ID tokens. This value is computed using the + // issuer_host and https_enabled fields. // Specifies what will be used as the 'scheme://host:port' component for the 'iss' claim of ID tokens.This value is computed using the issuer_host and https_enabled fields. Issuer *string `json:"issuer,omitempty" tf:"issuer,omitempty"` + // The host for the issuer. Can be either host or host:port. // The host for the issuer. Can be either host or host:port. IssuerHost *string `json:"issuerHost,omitempty" tf:"issuer_host,omitempty"` + // The name of the provider. // The name of the provider. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The scopes available for requesting on the provider. // The scopes available for requesting on the provider. ScopesSupported []*string `json:"scopesSupported,omitempty" tf:"scopes_supported,omitempty"` } type OidcProviderParameters struct { + // The client IDs that are permitted to use the provider. + // If empty, no clients are allowed. If *, all clients are allowed. // The client IDs that are permitted to use the provider. If empty, no clients are allowed. If "*", all clients are allowed. 
// +kubebuilder:validation:Optional AllowedClientIds []*string `json:"allowedClientIds,omitempty" tf:"allowed_client_ids,omitempty"` + // Set to true if the issuer endpoint uses HTTPS. // Set to true if the issuer endpoint uses HTTPS. // +kubebuilder:validation:Optional HTTPSEnabled *bool `json:"httpsEnabled,omitempty" tf:"https_enabled,omitempty"` + // The host for the issuer. Can be either host or host:port. // The host for the issuer. Can be either host or host:port. // +kubebuilder:validation:Optional IssuerHost *string `json:"issuerHost,omitempty" tf:"issuer_host,omitempty"` + // The name of the provider. // The name of the provider. // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The scopes available for requesting on the provider. // The scopes available for requesting on the provider. // +kubebuilder:validation:Optional ScopesSupported []*string `json:"scopesSupported,omitempty" tf:"scopes_supported,omitempty"` 
@@ -70,6 +124,18 @@ type OidcProviderParameters struct { type OidcProviderSpec struct { v1.ResourceSpec `json:",inline"` ForProvider OidcProviderParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider OidcProviderInitParameters `json:"initProvider,omitempty"` } // OidcProviderStatus defines the observed state of OidcProvider. @@ -80,7 +146,7 @@ type OidcProviderStatus struct { // +kubebuilder:object:root=true -// OidcProvider is the Schema for the OidcProviders API. +// OidcProvider is the Schema for the OidcProviders API. Provision OIDC Providers in Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -90,7 +156,7 @@ type OidcProviderStatus struct { type OidcProvider struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" Spec OidcProviderSpec `json:"spec"` Status OidcProviderStatus `json:"status,omitempty"` } diff --git a/apis/identity/v1alpha1/zz_oidcrole_types.go b/apis/identity/v1alpha1/zz_oidcrole_types.go index b03ae8e9..7d6858d5 100755 --- a/apis/identity/v1alpha1/zz_oidcrole_types.go +++ b/apis/identity/v1alpha1/zz_oidcrole_types.go 
@@ -13,51 +13,115 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type OidcRoleInitParameters struct { + + // The value that will be included in the aud field of all the OIDC identity + // tokens issued by this role + // The value that will be included in the `aud` field of all the OIDC identity tokens issued by this role + ClientID *string `json:"clientId,omitempty" tf:"client_id,omitempty"` + + // A configured named key, the key must already exist + // before tokens can be issued. + // A configured named key, the key must already exist. + Key *string `json:"key,omitempty" tf:"key,omitempty"` + + // Name of the OIDC Role to create. + // Name of the role. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // TTL of the tokens generated against the role in number of seconds. + // TTL of the tokens generated against the role in number of seconds. + TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"` + + // The template string to use for generating tokens. This may be in + // string-ified JSON or base64 format. See the + // documentation + // for the template format. + // The template string to use for generating tokens. This may be in string-ified JSON or base64 format. 
+ Template *string `json:"template,omitempty" tf:"template,omitempty"` +} + type OidcRoleObservation struct { + // The value that will be included in the aud field of all the OIDC identity + // tokens issued by this role // The value that will be included in the `aud` field of all the OIDC identity tokens issued by this role ClientID *string `json:"clientId,omitempty" tf:"client_id,omitempty"` + // The name of the created role. ID *string `json:"id,omitempty" tf:"id,omitempty"` + // A configured named key, the key must already exist + // before tokens can be issued. // A configured named key, the key must already exist. Key *string `json:"key,omitempty" tf:"key,omitempty"` + // Name of the OIDC Role to create. // Name of the role. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // TTL of the tokens generated against the role in number of seconds. // TTL of the tokens generated against the role in number of seconds. TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"` + // The template string to use for generating tokens. This may be in + // string-ified JSON or base64 format. See the + // documentation + // for the template format. // The template string to use for generating tokens. This may be in string-ified JSON or base64 format. 
Template *string `json:"template,omitempty" tf:"template,omitempty"` } type OidcRoleParameters struct { + // The value that will be included in the aud field of all the OIDC identity + // tokens issued by this role // The value that will be included in the `aud` field of all the OIDC identity tokens issued by this role // +kubebuilder:validation:Optional ClientID *string `json:"clientId,omitempty" tf:"client_id,omitempty"` + // A configured named key, the key must already exist + // before tokens can be issued. // A configured named key, the key must already exist. // +kubebuilder:validation:Optional Key *string `json:"key,omitempty" tf:"key,omitempty"` + // Name of the OIDC Role to create. // Name of the role. // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // TTL of the tokens generated against the role in number of seconds. // TTL of the tokens generated against the role in number of seconds. // +kubebuilder:validation:Optional TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"` + // The template string to use for generating tokens. This may be in + // string-ified JSON or base64 format. See the + // documentation + // for the template format. // The template string to use for generating tokens. This may be in string-ified JSON or base64 format. // +kubebuilder:validation:Optional Template *string `json:"template,omitempty" tf:"template,omitempty"` 
@@ -67,6 +131,18 @@ type OidcRoleParameters struct { type OidcRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider OidcRoleParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider OidcRoleInitParameters `json:"initProvider,omitempty"` } // OidcRoleStatus defines the observed state of OidcRole. @@ -77,7 +153,7 @@ type OidcRoleStatus struct { // +kubebuilder:object:root=true -// OidcRole is the Schema for the OidcRoles API. +// OidcRole is the Schema for the OidcRoles API. Creates an Identity OIDC Role for Vault // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -87,8 +163,8 @@ type OidcRoleStatus struct { type OidcRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.key)",message="key is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.key) || has(self.initProvider.key)",message="key is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" Spec OidcRoleSpec `json:"spec"` Status OidcRoleStatus `json:"status,omitempty"` } diff --git a/apis/identity/v1alpha1/zz_oidcscope_types.go b/apis/identity/v1alpha1/zz_oidcscope_types.go index dcdd8eb7..5fb91c5c 100755 --- a/apis/identity/v1alpha1/zz_oidcscope_types.go +++ b/apis/identity/v1alpha1/zz_oidcscope_types.go 
@@ -13,37 +13,73 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type OidcScopeInitParameters struct { + + // A description of the scope. + // The scope's description. + Description *string `json:"description,omitempty" tf:"description,omitempty"` + + // The name of the scope. The openid scope name is reserved. + // The name of the scope. The openid scope name is reserved. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The template string for the scope. This may be provided as escaped JSON or base64 encoded JSON. + // The template string for the scope. This may be provided as escaped JSON or base64 encoded JSON. + Template *string `json:"template,omitempty" tf:"template,omitempty"` +} + type OidcScopeObservation struct { + // A description of the scope. // The scope's description. Description *string `json:"description,omitempty" tf:"description,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The name of the scope. The openid scope name is reserved. // The name of the scope. The openid scope name is reserved. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The template string for the scope. This may be provided as escaped JSON or base64 encoded JSON. 
// The template string for the scope. This may be provided as escaped JSON or base64 encoded JSON. Template *string `json:"template,omitempty" tf:"template,omitempty"` } type OidcScopeParameters struct { + // A description of the scope. // The scope's description. // +kubebuilder:validation:Optional Description *string `json:"description,omitempty" tf:"description,omitempty"` + // The name of the scope. The openid scope name is reserved. // The name of the scope. The openid scope name is reserved. // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The template string for the scope. This may be provided as escaped JSON or base64 encoded JSON. // The template string for the scope. This may be provided as escaped JSON or base64 encoded JSON. // +kubebuilder:validation:Optional Template *string `json:"template,omitempty" tf:"template,omitempty"` 
@@ -53,6 +89,18 @@ type OidcScopeParameters struct { type OidcScopeSpec struct { v1.ResourceSpec `json:",inline"` ForProvider OidcScopeParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider OidcScopeInitParameters `json:"initProvider,omitempty"` } // OidcScopeStatus defines the observed state of OidcScope. @@ -63,7 +111,7 @@ type OidcScopeStatus struct { // +kubebuilder:object:root=true -// OidcScope is the Schema for the OidcScopes API. +// OidcScope is the Schema for the OidcScopes API. Provision OIDC Scopes in Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -73,7 +121,7 @@ type OidcScopeStatus struct { type OidcScope struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" Spec OidcScopeSpec `json:"spec"` Status OidcScopeStatus `json:"status,omitempty"` } diff --git a/apis/jwt/v1alpha1/zz_authbackend_types.go b/apis/jwt/v1alpha1/zz_authbackend_types.go index 7f431001..9cc9cf99 100755 --- a/apis/jwt/v1alpha1/zz_authbackend_types.go +++ b/apis/jwt/v1alpha1/zz_authbackend_types.go 
@@ -13,147 +13,279 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AuthBackendInitParameters struct { + + // The value against which to match the iss claim in a JWT + // The value against which to match the iss claim in a JWT + BoundIssuer *string `json:"boundIssuer,omitempty" tf:"bound_issuer,omitempty"` + + // The default role to use if none is provided during login + // The default role to use if none is provided during login + DefaultRole *string `json:"defaultRole,omitempty" tf:"default_role,omitempty"` + + // The description of the auth backend + // The description of the auth backend + Description *string `json:"description,omitempty" tf:"description,omitempty"` + + // If set, opts out of mount migration on path updates. + // See here for more info on Mount Migration + // If set, opts out of mount migration on path updates. + DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + + // The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used. + // The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used. + JwksCAPem *string `json:"jwksCaPem,omitempty" tf:"jwks_ca_pem,omitempty"` + + // JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys". + // JWKS URL to use to authenticate signatures. Cannot be used with 'oidc_discovery_url' or 'jwt_validation_pubkeys'. + JwksURL *string `json:"jwksUrl,omitempty" tf:"jwks_url,omitempty"` + + // A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ + // A list of supported signing algorithms. 
Defaults to [RS256] + JwtSupportedAlgs []*string `json:"jwtSupportedAlgs,omitempty" tf:"jwt_supported_algs,omitempty"` + + // A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url + // A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with 'jwks_url' or 'oidc_discovery_url'. + JwtValidationPubkeys []*string `json:"jwtValidationPubkeys,omitempty" tf:"jwt_validation_pubkeys,omitempty"` + + // Specifies if the auth method is local only. + // Specifies if the auth method is local only + Local *bool `json:"local,omitempty" tf:"local,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs + // Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs. 
+ NamespaceInState *bool `json:"namespaceInState,omitempty" tf:"namespace_in_state,omitempty"` + + // Client ID used for OIDC backends + // Client ID used for OIDC + OidcClientID *string `json:"oidcClientId,omitempty" tf:"oidc_client_id,omitempty"` + + // The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used + // The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used + OidcDiscoveryCAPem *string `json:"oidcDiscoveryCaPem,omitempty" tf:"oidc_discovery_ca_pem,omitempty"` + + // The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys + // The OIDC Discovery URL, without any .well-known component (base path). Cannot be used with 'jwks_url' or 'jwt_validation_pubkeys'. + OidcDiscoveryURL *string `json:"oidcDiscoveryUrl,omitempty" tf:"oidc_discovery_url,omitempty"` + + // The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false. + // The response mode to be used in the OAuth2 request. Allowed values are 'query' and 'form_post'. Defaults to 'query'. If using Vault namespaces, and oidc_response_mode is 'form_post', then 'namespace_in_state' should be set to false. + OidcResponseMode *string `json:"oidcResponseMode,omitempty" tf:"oidc_response_mode,omitempty"` + + // List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post. + // The response types to request. Allowed values are 'code' and 'id_token'. Defaults to 'code'. Note: 'id_token' may only be used if 'oidc_response_mode' is set to 'form_post'. 
+ OidcResponseTypes []*string `json:"oidcResponseTypes,omitempty" tf:"oidc_response_types,omitempty"` + + // Path to mount the JWT/OIDC auth backend + // path to mount the backend + Path *string `json:"path,omitempty" tf:"path,omitempty"` + + // Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault. + // Provider specific handling configuration + ProviderConfig map[string]*string `json:"providerConfig,omitempty" tf:"provider_config,omitempty"` + + Tune []TuneInitParameters `json:"tune,omitempty" tf:"tune,omitempty"` + + // Type of auth backend. Should be one of jwt or oidc. Default - jwt + // Type of backend. Can be either 'jwt' or 'oidc' + Type *string `json:"type,omitempty" tf:"type,omitempty"` +} + type AuthBackendObservation struct { + // The accessor for this auth method // The accessor of the JWT auth backend Accessor *string `json:"accessor,omitempty" tf:"accessor,omitempty"` + // The value against which to match the iss claim in a JWT // The value against which to match the iss claim in a JWT BoundIssuer *string `json:"boundIssuer,omitempty" tf:"bound_issuer,omitempty"` + // The default role to use if none is provided during login // The default role to use if none is provided during login DefaultRole *string `json:"defaultRole,omitempty" tf:"default_role,omitempty"` + // The description of the auth backend // The description of the auth backend Description *string `json:"description,omitempty" tf:"description,omitempty"` + // If set, opts out of mount migration on path updates. + // See here for more info on Mount Migration // If set, opts out of mount migration on path updates. DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used. 
// The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used. JwksCAPem *string `json:"jwksCaPem,omitempty" tf:"jwks_ca_pem,omitempty"` + // JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys". // JWKS URL to use to authenticate signatures. Cannot be used with 'oidc_discovery_url' or 'jwt_validation_pubkeys'. JwksURL *string `json:"jwksUrl,omitempty" tf:"jwks_url,omitempty"` + // A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ // A list of supported signing algorithms. Defaults to [RS256] JwtSupportedAlgs []*string `json:"jwtSupportedAlgs,omitempty" tf:"jwt_supported_algs,omitempty"` + // A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url // A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with 'jwks_url' or 'oidc_discovery_url'. JwtValidationPubkeys []*string `json:"jwtValidationPubkeys,omitempty" tf:"jwt_validation_pubkeys,omitempty"` + // Specifies if the auth method is local only. // Specifies if the auth method is local only Local *bool `json:"local,omitempty" tf:"local,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. 
This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs // Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs. NamespaceInState *bool `json:"namespaceInState,omitempty" tf:"namespace_in_state,omitempty"` + // Client ID used for OIDC backends // Client ID used for OIDC OidcClientID *string `json:"oidcClientId,omitempty" tf:"oidc_client_id,omitempty"` + // The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used // The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used OidcDiscoveryCAPem *string `json:"oidcDiscoveryCaPem,omitempty" tf:"oidc_discovery_ca_pem,omitempty"` + // The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys // The OIDC Discovery URL, without any .well-known component (base path). Cannot be used with 'jwks_url' or 'jwt_validation_pubkeys'. OidcDiscoveryURL *string `json:"oidcDiscoveryUrl,omitempty" tf:"oidc_discovery_url,omitempty"` + // The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false. // The response mode to be used in the OAuth2 request. Allowed values are 'query' and 'form_post'. Defaults to 'query'. 
If using Vault namespaces, and oidc_response_mode is 'form_post', then 'namespace_in_state' should be set to false. OidcResponseMode *string `json:"oidcResponseMode,omitempty" tf:"oidc_response_mode,omitempty"` + // List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post. // The response types to request. Allowed values are 'code' and 'id_token'. Defaults to 'code'. Note: 'id_token' may only be used if 'oidc_response_mode' is set to 'form_post'. OidcResponseTypes []*string `json:"oidcResponseTypes,omitempty" tf:"oidc_response_types,omitempty"` + // Path to mount the JWT/OIDC auth backend // path to mount the backend Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault. // Provider specific handling configuration ProviderConfig map[string]*string `json:"providerConfig,omitempty" tf:"provider_config,omitempty"` Tune []TuneObservation `json:"tune,omitempty" tf:"tune,omitempty"` + // Type of auth backend. Should be one of jwt or oidc. Default - jwt // Type of backend. 
Can be either 'jwt' or 'oidc' Type *string `json:"type,omitempty" tf:"type,omitempty"` } type AuthBackendParameters struct { + // The value against which to match the iss claim in a JWT // The value against which to match the iss claim in a JWT // +kubebuilder:validation:Optional BoundIssuer *string `json:"boundIssuer,omitempty" tf:"bound_issuer,omitempty"` + // The default role to use if none is provided during login // The default role to use if none is provided during login // +kubebuilder:validation:Optional DefaultRole *string `json:"defaultRole,omitempty" tf:"default_role,omitempty"` + // The description of the auth backend // The description of the auth backend // +kubebuilder:validation:Optional Description *string `json:"description,omitempty" tf:"description,omitempty"` + // If set, opts out of mount migration on path updates. + // See here for more info on Mount Migration // If set, opts out of mount migration on path updates. // +kubebuilder:validation:Optional DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + // The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used. // The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used. // +kubebuilder:validation:Optional JwksCAPem *string `json:"jwksCaPem,omitempty" tf:"jwks_ca_pem,omitempty"` + // JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys". // JWKS URL to use to authenticate signatures. Cannot be used with 'oidc_discovery_url' or 'jwt_validation_pubkeys'. // +kubebuilder:validation:Optional JwksURL *string `json:"jwksUrl,omitempty" tf:"jwks_url,omitempty"` + // A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ // A list of supported signing algorithms. 
Defaults to [RS256] // +kubebuilder:validation:Optional JwtSupportedAlgs []*string `json:"jwtSupportedAlgs,omitempty" tf:"jwt_supported_algs,omitempty"` + // A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url // A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with 'jwks_url' or 'oidc_discovery_url'. // +kubebuilder:validation:Optional JwtValidationPubkeys []*string `json:"jwtValidationPubkeys,omitempty" tf:"jwt_validation_pubkeys,omitempty"` + // Specifies if the auth method is local only. // Specifies if the auth method is local only // +kubebuilder:validation:Optional Local *bool `json:"local,omitempty" tf:"local,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs // Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs. 
// +kubebuilder:validation:Optional NamespaceInState *bool `json:"namespaceInState,omitempty" tf:"namespace_in_state,omitempty"` + // Client ID used for OIDC backends // Client ID used for OIDC // +kubebuilder:validation:Optional OidcClientID *string `json:"oidcClientId,omitempty" tf:"oidc_client_id,omitempty"` + // Client Secret used for OIDC backends // Client Secret used for OIDC // +kubebuilder:validation:Optional OidcClientSecretSecretRef *v1.SecretKeySelector `json:"oidcClientSecretSecretRef,omitempty" tf:"-"` + // The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used // The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used // +kubebuilder:validation:Optional OidcDiscoveryCAPem *string `json:"oidcDiscoveryCaPem,omitempty" tf:"oidc_discovery_ca_pem,omitempty"` + // The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys // The OIDC Discovery URL, without any .well-known component (base path). Cannot be used with 'jwks_url' or 'jwt_validation_pubkeys'. // +kubebuilder:validation:Optional OidcDiscoveryURL *string `json:"oidcDiscoveryUrl,omitempty" tf:"oidc_discovery_url,omitempty"` + // The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false. // The response mode to be used in the OAuth2 request. Allowed values are 'query' and 'form_post'. Defaults to 'query'. If using Vault namespaces, and oidc_response_mode is 'form_post', then 'namespace_in_state' should be set to false. 
// +kubebuilder:validation:Optional OidcResponseMode *string `json:"oidcResponseMode,omitempty" tf:"oidc_response_mode,omitempty"` + // List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post. // The response types to request. Allowed values are 'code' and 'id_token'. Defaults to 'code'. Note: 'id_token' may only be used if 'oidc_response_mode' is set to 'form_post'. // +kubebuilder:validation:Optional OidcResponseTypes []*string `json:"oidcResponseTypes,omitempty" tf:"oidc_response_types,omitempty"` + // Path to mount the JWT/OIDC auth backend // path to mount the backend // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault. // Provider specific handling configuration // +kubebuilder:validation:Optional ProviderConfig map[string]*string `json:"providerConfig,omitempty" tf:"provider_config,omitempty"` 
@@ -161,52 +293,127 @@ type AuthBackendParameters struct { // +kubebuilder:validation:Optional Tune []TuneParameters `json:"tune,omitempty" tf:"tune,omitempty"` + // Type of auth backend. Should be one of jwt or oidc. Default - jwt // Type of backend. Can be either 'jwt' or 'oidc' // +kubebuilder:validation:Optional Type *string `json:"type,omitempty" tf:"type,omitempty"` } +type TuneInitParameters struct { + + // List of headers to whitelist and allowing + // a plugin to include them in the response. + AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers"` + + // Specifies the list of keys that will + // not be HMAC'd by audit devices in the request data object. + AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys"` + + // Specifies the list of keys that will + // not be HMAC'd by audit devices in the response data object. + AuditNonHMACResponseKeys []*string `json:"auditNonHmacResponseKeys,omitempty" tf:"audit_non_hmac_response_keys"` + + // Specifies the default time-to-live. + // If set, this overrides the global default. + // Must be a valid duration string + DefaultLeaseTTL *string `json:"defaultLeaseTtl,omitempty" tf:"default_lease_ttl"` + + // Specifies whether to show this mount in + // the UI-specific listing endpoint. Valid values are "unauth" or "hidden". + ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility"` + + // Specifies the maximum time-to-live. + // If set, this overrides the global default. + // Must be a valid duration string + MaxLeaseTTL *string `json:"maxLeaseTtl,omitempty" tf:"max_lease_ttl"` + + // List of headers to whitelist and + // pass from the request to the backend. + PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers"` + + // Specifies the type of tokens that should be returned by + // the mount. 
Valid values are "default-service", "default-batch", "service", "batch". + TokenType *string `json:"tokenType,omitempty" tf:"token_type"` +} + type TuneObservation struct { + + // List of headers to whitelist and allowing + // a plugin to include them in the response. AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers,omitempty"` + // Specifies the list of keys that will + // not be HMAC'd by audit devices in the request data object. AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys,omitempty"` + // Specifies the list of keys that will + // not be HMAC'd by audit devices in the response data object. AuditNonHMACResponseKeys []*string `json:"auditNonHmacResponseKeys,omitempty" tf:"audit_non_hmac_response_keys,omitempty"` + // Specifies the default time-to-live. + // If set, this overrides the global default. + // Must be a valid duration string DefaultLeaseTTL *string `json:"defaultLeaseTtl,omitempty" tf:"default_lease_ttl,omitempty"` + // Specifies whether to show this mount in + // the UI-specific listing endpoint. Valid values are "unauth" or "hidden". ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility,omitempty"` + // Specifies the maximum time-to-live. + // If set, this overrides the global default. + // Must be a valid duration string MaxLeaseTTL *string `json:"maxLeaseTtl,omitempty" tf:"max_lease_ttl,omitempty"` + // List of headers to whitelist and + // pass from the request to the backend. PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers,omitempty"` + // Specifies the type of tokens that should be returned by + // the mount. Valid values are "default-service", "default-batch", "service", "batch". 
TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` } type TuneParameters struct { + // List of headers to whitelist and allowing + // a plugin to include them in the response. // +kubebuilder:validation:Optional AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers"` + // Specifies the list of keys that will + // not be HMAC'd by audit devices in the request data object. // +kubebuilder:validation:Optional AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys"` + // Specifies the list of keys that will + // not be HMAC'd by audit devices in the response data object. // +kubebuilder:validation:Optional AuditNonHMACResponseKeys []*string `json:"auditNonHmacResponseKeys,omitempty" tf:"audit_non_hmac_response_keys"` + // Specifies the default time-to-live. + // If set, this overrides the global default. + // Must be a valid duration string // +kubebuilder:validation:Optional DefaultLeaseTTL *string `json:"defaultLeaseTtl,omitempty" tf:"default_lease_ttl"` + // Specifies whether to show this mount in + // the UI-specific listing endpoint. Valid values are "unauth" or "hidden". // +kubebuilder:validation:Optional ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility"` + // Specifies the maximum time-to-live. + // If set, this overrides the global default. + // Must be a valid duration string // +kubebuilder:validation:Optional MaxLeaseTTL *string `json:"maxLeaseTtl,omitempty" tf:"max_lease_ttl"` + // List of headers to whitelist and + // pass from the request to the backend. // +kubebuilder:validation:Optional PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers"` + // Specifies the type of tokens that should be returned by + // the mount. Valid values are "default-service", "default-batch", "service", "batch". 
// +kubebuilder:validation:Optional TokenType *string `json:"tokenType,omitempty" tf:"token_type"` } @@ -215,6 +422,18 @@ type TuneParameters struct { type AuthBackendSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider AuthBackendInitParameters `json:"initProvider,omitempty"` } // AuthBackendStatus defines the observed state of AuthBackend. @@ -225,7 +444,7 @@ type AuthBackendStatus struct { // +kubebuilder:object:root=true -// AuthBackend is the Schema for the AuthBackends API. +// AuthBackend is the Schema for the AuthBackends API. Managing JWT/OIDC auth backends in Vault // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" diff --git a/apis/jwt/v1alpha1/zz_authbackendrole_types.go b/apis/jwt/v1alpha1/zz_authbackendrole_types.go index 09d649c6..3c0a682b 100755 --- a/apis/jwt/v1alpha1/zz_authbackendrole_types.go +++ b/apis/jwt/v1alpha1/zz_authbackendrole_types.go 
@@ -13,128 +13,390 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AuthBackendRoleInitParameters struct { + + // The list of allowed values for redirect_uri during OIDC logins. + // Required for OIDC roles + // The list of allowed values for redirect_uri during OIDC logins. + AllowedRedirectUris []*string `json:"allowedRedirectUris,omitempty" tf:"allowed_redirect_uris,omitempty"` + + // The unique name of the auth backend to configure. + // Defaults to jwt. + // Unique name of the auth backend to configure. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // (For "jwt" roles, at least one of bound_audiences, bound_subject, bound_claims + // or token_bound_cidrs is required. Optional for "oidc" roles.) List of aud claims to match against. + // Any match is sufficient. + // List of aud claims to match against. Any match is sufficient. + BoundAudiences []*string `json:"boundAudiences,omitempty" tf:"bound_audiences,omitempty"` + + // If set, a map of claims to values to match against. + // A claim's value must be a string, which may contain one value or multiple + // comma-separated values, e.g. "red" or "red,green,blue". + // Map of claims/values to match against. The expected value may be a single string or a comma-separated string list. + BoundClaims map[string]*string `json:"boundClaims,omitempty" tf:"bound_claims,omitempty"` + + // How to interpret values in the claims/values + // map (bound_claims): can be either string (exact match) or glob (wildcard + // match). Requires Vault 1.4.0 or above. + // How to interpret values in the claims/values map: can be either "string" (exact match) or "glob" (wildcard match). + BoundClaimsType *string `json:"boundClaimsType,omitempty" tf:"bound_claims_type,omitempty"` + + // If set, requires that the sub claim matches + // this value. + // If set, requires that the sub claim matches this value. 
+ BoundSubject *string `json:"boundSubject,omitempty" tf:"bound_subject,omitempty"` + + // If set, a map of claims (keys) to be copied + // to specified metadata fields (values). + // Map of claims (keys) to be copied to specified metadata fields (values). + ClaimMappings map[string]*string `json:"claimMappings,omitempty" tf:"claim_mappings,omitempty"` + + // The amount of leeway to add to all claims to account for clock skew, in + // seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + // Only applicable with "jwt" roles. + // The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. + ClockSkewLeeway *float64 `json:"clockSkewLeeway,omitempty" tf:"clock_skew_leeway,omitempty"` + + // Disable bound claim value parsing. Useful when values contain commas. + DisableBoundClaimsParsing *bool `json:"disableBoundClaimsParsing,omitempty" tf:"disable_bound_claims_parsing,omitempty"` + + // The amount of leeway to add to expiration (exp) claims to account for + // clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + // Only applicable with "jwt" roles. + // The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. + ExpirationLeeway *float64 `json:"expirationLeeway,omitempty" tf:"expiration_leeway,omitempty"` + + // The claim to use to uniquely identify + // the set of groups to which the user belongs; this will be used as the names + // for the Identity group aliases created due to a successful login. The claim + // value must be a list of strings. + // The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. 
The claim value must be a list of strings. + GroupsClaim *string `json:"groupsClaim,omitempty" tf:"groups_claim,omitempty"` + + // Specifies the allowable elapsed time in seconds since the last time + // the user was actively authenticated with the OIDC provider. + // Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated. + MaxAge *float64 `json:"maxAge,omitempty" tf:"max_age,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The amount of leeway to add to not before (nbf) claims to account for + // clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + // Only applicable with "jwt" roles. + // The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. + NotBeforeLeeway *float64 `json:"notBeforeLeeway,omitempty" tf:"not_before_leeway,omitempty"` + + // If set, a list of OIDC scopes to be used with an OIDC role. + // The standard scope "openid" is automatically included and need not be specified. + // List of OIDC scopes to be used with an OIDC role. The standard scope "openid" is automatically included and need not be specified. + OidcScopes []*string `json:"oidcScopes,omitempty" tf:"oidc_scopes,omitempty"` + + // The name of the role. + // Name of the role. + RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"` + + // Type of role, either "oidc" (default) or "jwt". 
+ // Type of role, either "oidc" (default) or "jwt" + RoleType *string `json:"roleType,omitempty" tf:"role_type,omitempty"` + + // List of CIDR blocks; if set, specifies blocks of IP + // addresses which can authenticate successfully, and ties the resulting token to these blocks + // as well. + // Specifies the blocks of IP addresses which are allowed to use the generated token + TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + + // If set, will encode an + // explicit max TTL + // onto the token in number of seconds. This is a hard cap even if token_ttl and + // token_max_ttl would otherwise allow a renewal. + // Generated Token's Explicit Maximum TTL in seconds + TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + + // The maximum lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. + // The maximum lifetime of the generated token + TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + + // If set, the default policy will not be set on + // generated tokens; otherwise it will be added to the policies set in token_policies. + // If true, the 'default' policy will not automatically be added to generated tokens + TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + + // The maximum number + // of times a generated token may be used (within its lifetime); 0 means unlimited. + // The maximum number of times a token may be used, a value of zero means unlimited + TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + + // If set, indicates that the + // token generated using this role should never expire. The token should be renewed within the + // duration specified by this value. At each renewal, the token's TTL will be set to the + // value of this field. Specified in seconds. 
+ // Generated Token's Period + TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + + // List of policies to encode onto generated tokens. Depending + // on the auth method, this list may be supplemented by user/group/other values. + // Generated Token's Policies + TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + + // The incremental lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. + // The initial ttl of the token to generate in seconds + TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + + // The type of token that should be generated. Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. + // The type of token to generate, service or batch + TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` + + // The claim to use to uniquely identify + // the user; this will be used as the name for the Identity entity alias created + // due to a successful login. + // The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login. + UserClaim *string `json:"userClaim,omitempty" tf:"user_claim,omitempty"` + + // Specifies if the user_claim value uses + // JSON pointer + // syntax for referencing claims. By default, the user_claim value will not use JSON pointer. + // Requires Vault 1.11+. + // Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer. 
+ UserClaimJSONPointer *bool `json:"userClaimJsonPointer,omitempty" tf:"user_claim_json_pointer,omitempty"` + + // Log received OIDC tokens and claims when debug-level + // logging is active. Not recommended in production since sensitive information may be present + // in OIDC responses. + // Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses. + VerboseOidcLogging *bool `json:"verboseOidcLogging,omitempty" tf:"verbose_oidc_logging,omitempty"` +} + type AuthBackendRoleObservation struct { + // The list of allowed values for redirect_uri during OIDC logins. + // Required for OIDC roles // The list of allowed values for redirect_uri during OIDC logins. AllowedRedirectUris []*string `json:"allowedRedirectUris,omitempty" tf:"allowed_redirect_uris,omitempty"` + // The unique name of the auth backend to configure. + // Defaults to jwt. // Unique name of the auth backend to configure. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // (For "jwt" roles, at least one of bound_audiences, bound_subject, bound_claims + // or token_bound_cidrs is required. Optional for "oidc" roles.) List of aud claims to match against. + // Any match is sufficient. // List of aud claims to match against. Any match is sufficient. BoundAudiences []*string `json:"boundAudiences,omitempty" tf:"bound_audiences,omitempty"` + // If set, a map of claims to values to match against. + // A claim's value must be a string, which may contain one value or multiple + // comma-separated values, e.g. "red" or "red,green,blue". // Map of claims/values to match against. The expected value may be a single string or a comma-separated string list. BoundClaims map[string]*string `json:"boundClaims,omitempty" tf:"bound_claims,omitempty"` + // How to interpret values in the claims/values + // map (bound_claims): can be either string (exact match) or glob (wildcard + // match). 
Requires Vault 1.4.0 or above. // How to interpret values in the claims/values map: can be either "string" (exact match) or "glob" (wildcard match). BoundClaimsType *string `json:"boundClaimsType,omitempty" tf:"bound_claims_type,omitempty"` + // If set, requires that the sub claim matches + // this value. // If set, requires that the sub claim matches this value. BoundSubject *string `json:"boundSubject,omitempty" tf:"bound_subject,omitempty"` + // If set, a map of claims (keys) to be copied + // to specified metadata fields (values). // Map of claims (keys) to be copied to specified metadata fields (values). ClaimMappings map[string]*string `json:"claimMappings,omitempty" tf:"claim_mappings,omitempty"` + // The amount of leeway to add to all claims to account for clock skew, in + // seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + // Only applicable with "jwt" roles. // The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. ClockSkewLeeway *float64 `json:"clockSkewLeeway,omitempty" tf:"clock_skew_leeway,omitempty"` // Disable bound claim value parsing. Useful when values contain commas. DisableBoundClaimsParsing *bool `json:"disableBoundClaimsParsing,omitempty" tf:"disable_bound_claims_parsing,omitempty"` + // The amount of leeway to add to expiration (exp) claims to account for + // clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + // Only applicable with "jwt" roles. // The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. 
ExpirationLeeway *float64 `json:"expirationLeeway,omitempty" tf:"expiration_leeway,omitempty"` + // The claim to use to uniquely identify + // the set of groups to which the user belongs; this will be used as the names + // for the Identity group aliases created due to a successful login. The claim + // value must be a list of strings. // The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings. GroupsClaim *string `json:"groupsClaim,omitempty" tf:"groups_claim,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // Specifies the allowable elapsed time in seconds since the last time + // the user was actively authenticated with the OIDC provider. // Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated. MaxAge *float64 `json:"maxAge,omitempty" tf:"max_age,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The amount of leeway to add to not before (nbf) claims to account for + // clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + // Only applicable with "jwt" roles. // The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. NotBeforeLeeway *float64 `json:"notBeforeLeeway,omitempty" tf:"not_before_leeway,omitempty"` + // If set, a list of OIDC scopes to be used with an OIDC role. 
+ // The standard scope "openid" is automatically included and need not be specified. // List of OIDC scopes to be used with an OIDC role. The standard scope "openid" is automatically included and need not be specified. OidcScopes []*string `json:"oidcScopes,omitempty" tf:"oidc_scopes,omitempty"` + // The name of the role. // Name of the role. RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"` + // Type of role, either "oidc" (default) or "jwt". // Type of role, either "oidc" (default) or "jwt" RoleType *string `json:"roleType,omitempty" tf:"role_type,omitempty"` + // List of CIDR blocks; if set, specifies blocks of IP + // addresses which can authenticate successfully, and ties the resulting token to these blocks + // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + // If set, will encode an + // explicit max TTL + // onto the token in number of seconds. This is a hard cap even if token_ttl and + // token_max_ttl would otherwise allow a renewal. // Generated Token's Explicit Maximum TTL in seconds TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + // The maximum lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. // The maximum lifetime of the generated token TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + // If set, the default policy will not be set on + // generated tokens; otherwise it will be added to the policies set in token_policies. // If true, the 'default' policy will not automatically be added to generated tokens TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + // The maximum number + // of times a generated token may be used (within its lifetime); 0 means unlimited. 
// The maximum number of times a token may be used, a value of zero means unlimited TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + // If set, indicates that the + // token generated using this role should never expire. The token should be renewed within the + // duration specified by this value. At each renewal, the token's TTL will be set to the + // value of this field. Specified in seconds. // Generated Token's Period TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + // List of policies to encode onto generated tokens. Depending + // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + // The incremental lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. // The initial ttl of the token to generate in seconds TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + // The type of token that should be generated. Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. // The type of token to generate, service or batch TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` + // The claim to use to uniquely identify + // the user; this will be used as the name for the Identity entity alias created + // due to a successful login. // The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login. 
UserClaim *string `json:"userClaim,omitempty" tf:"user_claim,omitempty"` + // Specifies if the user_claim value uses + // JSON pointer + // syntax for referencing claims. By default, the user_claim value will not use JSON pointer. + // Requires Vault 1.11+. // Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer. UserClaimJSONPointer *bool `json:"userClaimJsonPointer,omitempty" tf:"user_claim_json_pointer,omitempty"` + // Log received OIDC tokens and claims when debug-level + // logging is active. Not recommended in production since sensitive information may be present + // in OIDC responses. // Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses. VerboseOidcLogging *bool `json:"verboseOidcLogging,omitempty" tf:"verbose_oidc_logging,omitempty"` } type AuthBackendRoleParameters struct { + // The list of allowed values for redirect_uri during OIDC logins. + // Required for OIDC roles // The list of allowed values for redirect_uri during OIDC logins. // +kubebuilder:validation:Optional AllowedRedirectUris []*string `json:"allowedRedirectUris,omitempty" tf:"allowed_redirect_uris,omitempty"` + // The unique name of the auth backend to configure. + // Defaults to jwt. // Unique name of the auth backend to configure. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // (For "jwt" roles, at least one of bound_audiences, bound_subject, bound_claims + // or token_bound_cidrs is required. Optional for "oidc" roles.) List of aud claims to match against. + // Any match is sufficient. // List of aud claims to match against. Any match is sufficient. // +kubebuilder:validation:Optional BoundAudiences []*string `json:"boundAudiences,omitempty" tf:"bound_audiences,omitempty"` + // If set, a map of claims to values to match against. 
+ // A claim's value must be a string, which may contain one value or multiple + // comma-separated values, e.g. "red" or "red,green,blue". // Map of claims/values to match against. The expected value may be a single string or a comma-separated string list. // +kubebuilder:validation:Optional BoundClaims map[string]*string `json:"boundClaims,omitempty" tf:"bound_claims,omitempty"` + // How to interpret values in the claims/values + // map (bound_claims): can be either string (exact match) or glob (wildcard + // match). Requires Vault 1.4.0 or above. // How to interpret values in the claims/values map: can be either "string" (exact match) or "glob" (wildcard match). // +kubebuilder:validation:Optional BoundClaimsType *string `json:"boundClaimsType,omitempty" tf:"bound_claims_type,omitempty"` + // If set, requires that the sub claim matches + // this value. // If set, requires that the sub claim matches this value. // +kubebuilder:validation:Optional BoundSubject *string `json:"boundSubject,omitempty" tf:"bound_subject,omitempty"` + // If set, a map of claims (keys) to be copied + // to specified metadata fields (values). // Map of claims (keys) to be copied to specified metadata fields (values). // +kubebuilder:validation:Optional ClaimMappings map[string]*string `json:"claimMappings,omitempty" tf:"claim_mappings,omitempty"` + // The amount of leeway to add to all claims to account for clock skew, in + // seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + // Only applicable with "jwt" roles. // The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. // +kubebuilder:validation:Optional ClockSkewLeeway *float64 `json:"clockSkewLeeway,omitempty" tf:"clock_skew_leeway,omitempty"` 
@@ -143,82 +405,138 @@ type AuthBackendRoleParameters struct { // +kubebuilder:validation:Optional DisableBoundClaimsParsing *bool `json:"disableBoundClaimsParsing,omitempty" tf:"disable_bound_claims_parsing,omitempty"` + // The amount of leeway to add to expiration (exp) claims to account for + // clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + // Only applicable with "jwt" roles. // The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. // +kubebuilder:validation:Optional ExpirationLeeway *float64 `json:"expirationLeeway,omitempty" tf:"expiration_leeway,omitempty"` + // The claim to use to uniquely identify + // the set of groups to which the user belongs; this will be used as the names + // for the Identity group aliases created due to a successful login. The claim + // value must be a list of strings. // The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings. // +kubebuilder:validation:Optional GroupsClaim *string `json:"groupsClaim,omitempty" tf:"groups_claim,omitempty"` + // Specifies the allowable elapsed time in seconds since the last time + // the user was actively authenticated with the OIDC provider. // Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated. // +kubebuilder:validation:Optional MaxAge *float64 `json:"maxAge,omitempty" tf:"max_age,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. 
(requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The amount of leeway to add to not before (nbf) claims to account for + // clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + // Only applicable with "jwt" roles. // The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. // +kubebuilder:validation:Optional NotBeforeLeeway *float64 `json:"notBeforeLeeway,omitempty" tf:"not_before_leeway,omitempty"` + // If set, a list of OIDC scopes to be used with an OIDC role. + // The standard scope "openid" is automatically included and need not be specified. // List of OIDC scopes to be used with an OIDC role. The standard scope "openid" is automatically included and need not be specified. // +kubebuilder:validation:Optional OidcScopes []*string `json:"oidcScopes,omitempty" tf:"oidc_scopes,omitempty"` + // The name of the role. // Name of the role. // +kubebuilder:validation:Optional RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"` + // Type of role, either "oidc" (default) or "jwt". // Type of role, either "oidc" (default) or "jwt" // +kubebuilder:validation:Optional RoleType *string `json:"roleType,omitempty" tf:"role_type,omitempty"` + // List of CIDR blocks; if set, specifies blocks of IP + // addresses which can authenticate successfully, and ties the resulting token to these blocks + // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token // +kubebuilder:validation:Optional TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + // If set, will encode an + // explicit max TTL + // onto the token in number of seconds. 
This is a hard cap even if token_ttl and + // token_max_ttl would otherwise allow a renewal. // Generated Token's Explicit Maximum TTL in seconds // +kubebuilder:validation:Optional TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + // The maximum lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. // The maximum lifetime of the generated token // +kubebuilder:validation:Optional TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + // If set, the default policy will not be set on + // generated tokens; otherwise it will be added to the policies set in token_policies. // If true, the 'default' policy will not automatically be added to generated tokens // +kubebuilder:validation:Optional TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + // The maximum number + // of times a generated token may be used (within its lifetime); 0 means unlimited. // The maximum number of times a token may be used, a value of zero means unlimited // +kubebuilder:validation:Optional TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + // If set, indicates that the + // token generated using this role should never expire. The token should be renewed within the + // duration specified by this value. At each renewal, the token's TTL will be set to the + // value of this field. Specified in seconds. // Generated Token's Period // +kubebuilder:validation:Optional TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + // List of policies to encode onto generated tokens. Depending + // on the auth method, this list may be supplemented by user/group/other values. 
// Generated Token's Policies // +kubebuilder:validation:Optional TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + // The incremental lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. // The initial ttl of the token to generate in seconds // +kubebuilder:validation:Optional TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + // The type of token that should be generated. Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. // The type of token to generate, service or batch // +kubebuilder:validation:Optional TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` + // The claim to use to uniquely identify + // the user; this will be used as the name for the Identity entity alias created + // due to a successful login. // The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login. // +kubebuilder:validation:Optional UserClaim *string `json:"userClaim,omitempty" tf:"user_claim,omitempty"` + // Specifies if the user_claim value uses + // JSON pointer + // syntax for referencing claims. By default, the user_claim value will not use JSON pointer. + // Requires Vault 1.11+. // Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer. // +kubebuilder:validation:Optional UserClaimJSONPointer *bool `json:"userClaimJsonPointer,omitempty" tf:"user_claim_json_pointer,omitempty"` + // Log received OIDC tokens and claims when debug-level + // logging is active. 
Not recommended in production since sensitive information may be present + // in OIDC responses. // Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses. // +kubebuilder:validation:Optional VerboseOidcLogging *bool `json:"verboseOidcLogging,omitempty" tf:"verbose_oidc_logging,omitempty"` @@ -228,6 +546,18 @@ type AuthBackendRoleParameters struct { type AuthBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendRoleParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider AuthBackendRoleInitParameters `json:"initProvider,omitempty"` } // AuthBackendRoleStatus defines the observed state of AuthBackendRole. 
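Review bot: The two doc comments now attached to NotBeforeLeeway in this hunk disagree on the default — the added line says `Defaults to 60 seconds if set to 0` while the retained line below it says `Defaults to 150 seconds if set to 0`, so the CRD field description will carry both claims. Because this leeway widens the window in which a token whose nbf claim is still in the future is accepted, the documented default should be checked against the Vault version this provider targets and the stale line removed. The same contradictory pair appears on NotBeforeLeeway in AuthBackendRoleObservation earlier in the file, in a hunk that begins before this view. If these comments are generated from the upstream provider's resource docs, the correction belongs in that description source rather than in this file.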
@@ -238,7 +568,7 @@ type AuthBackendRoleStatus struct { // +kubebuilder:object:root=true -// AuthBackendRole is the Schema for the AuthBackendRoles API. +// AuthBackendRole is the Schema for the AuthBackendRoles API. Manages JWT/OIDC auth backend roles in Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" @@ -248,8 +578,8 @@ type AuthBackendRoleStatus struct { type AuthBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.roleName)",message="roleName is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.userClaim)",message="userClaim is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.roleName) || has(self.initProvider.roleName)",message="roleName is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.userClaim) || has(self.initProvider.userClaim)",message="userClaim is a required parameter" Spec AuthBackendRoleSpec `json:"spec"` Status AuthBackendRoleStatus `json:"status,omitempty"` } diff --git a/apis/jwt/v1alpha1/zz_generated.deepcopy.go b/apis/jwt/v1alpha1/zz_generated.deepcopy.go index 7e0d1315..a46c37db 100644 --- a/apis/jwt/v1alpha1/zz_generated.deepcopy.go +++ b/apis/jwt/v1alpha1/zz_generated.deepcopy.go 
@@ -41,6 +41,151 @@ func (in *AuthBackend) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendInitParameters) DeepCopyInto(out *AuthBackendInitParameters) { + *out = *in + if in.BoundIssuer != nil { + in, out := &in.BoundIssuer, &out.BoundIssuer + *out = new(string) + **out = **in + } + if in.DefaultRole != nil { + in, out := &in.DefaultRole, &out.DefaultRole + *out = new(string) + **out = **in + } + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.DisableRemount != nil { + in, out := &in.DisableRemount, &out.DisableRemount + *out = new(bool) + **out = **in + } + if in.JwksCAPem != nil { + in, out := &in.JwksCAPem, &out.JwksCAPem + *out = new(string) + **out = **in + } + if in.JwksURL != nil { + in, out := &in.JwksURL, &out.JwksURL + *out = new(string) + **out = **in + } + if in.JwtSupportedAlgs != nil { + in, out := &in.JwtSupportedAlgs, &out.JwtSupportedAlgs + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.JwtValidationPubkeys != nil { + in, out := &in.JwtValidationPubkeys, &out.JwtValidationPubkeys + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Local != nil { + in, out := &in.Local, &out.Local + *out = new(bool) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.NamespaceInState != nil { + in, out := &in.NamespaceInState, &out.NamespaceInState + *out = new(bool) + **out = **in + } + if in.OidcClientID != nil { + in, out := &in.OidcClientID, &out.OidcClientID + *out = new(string) + **out = **in + } + if in.OidcDiscoveryCAPem != nil 
{ + in, out := &in.OidcDiscoveryCAPem, &out.OidcDiscoveryCAPem + *out = new(string) + **out = **in + } + if in.OidcDiscoveryURL != nil { + in, out := &in.OidcDiscoveryURL, &out.OidcDiscoveryURL + *out = new(string) + **out = **in + } + if in.OidcResponseMode != nil { + in, out := &in.OidcResponseMode, &out.OidcResponseMode + *out = new(string) + **out = **in + } + if in.OidcResponseTypes != nil { + in, out := &in.OidcResponseTypes, &out.OidcResponseTypes + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = **in + } + if in.ProviderConfig != nil { + in, out := &in.ProviderConfig, &out.ProviderConfig + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.Tune != nil { + in, out := &in.Tune, &out.Tune + *out = make([]TuneInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Type != nil { + in, out := &in.Type, &out.Type + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendInitParameters. +func (in *AuthBackendInitParameters) DeepCopy() *AuthBackendInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthBackendList) DeepCopyInto(out *AuthBackendList) { *out = *in 
@@ -405,6 +550,216 @@ func (in *AuthBackendRole) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendRoleInitParameters) DeepCopyInto(out *AuthBackendRoleInitParameters) { + *out = *in + if in.AllowedRedirectUris != nil { + in, out := &in.AllowedRedirectUris, &out.AllowedRedirectUris + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.BoundAudiences != nil { + in, out := &in.BoundAudiences, &out.BoundAudiences + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundClaims != nil { + in, out := &in.BoundClaims, &out.BoundClaims + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.BoundClaimsType != nil { + in, out := &in.BoundClaimsType, &out.BoundClaimsType + *out = new(string) + **out = **in + } + if in.BoundSubject != nil { + in, out := &in.BoundSubject, &out.BoundSubject + *out = new(string) + **out = **in + } + if in.ClaimMappings != nil { + in, out := &in.ClaimMappings, &out.ClaimMappings + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.ClockSkewLeeway != nil { + in, out := &in.ClockSkewLeeway, &out.ClockSkewLeeway + *out = new(float64) + **out = **in + } + if in.DisableBoundClaimsParsing != nil { + 
in, out := &in.DisableBoundClaimsParsing, &out.DisableBoundClaimsParsing + *out = new(bool) + **out = **in + } + if in.ExpirationLeeway != nil { + in, out := &in.ExpirationLeeway, &out.ExpirationLeeway + *out = new(float64) + **out = **in + } + if in.GroupsClaim != nil { + in, out := &in.GroupsClaim, &out.GroupsClaim + *out = new(string) + **out = **in + } + if in.MaxAge != nil { + in, out := &in.MaxAge, &out.MaxAge + *out = new(float64) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.NotBeforeLeeway != nil { + in, out := &in.NotBeforeLeeway, &out.NotBeforeLeeway + *out = new(float64) + **out = **in + } + if in.OidcScopes != nil { + in, out := &in.OidcScopes, &out.OidcScopes + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.RoleName != nil { + in, out := &in.RoleName, &out.RoleName + *out = new(string) + **out = **in + } + if in.RoleType != nil { + in, out := &in.RoleType, &out.RoleType + *out = new(string) + **out = **in + } + if in.TokenBoundCidrs != nil { + in, out := &in.TokenBoundCidrs, &out.TokenBoundCidrs + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenExplicitMaxTTL != nil { + in, out := &in.TokenExplicitMaxTTL, &out.TokenExplicitMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenMaxTTL != nil { + in, out := &in.TokenMaxTTL, &out.TokenMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenNoDefaultPolicy != nil { + in, out := &in.TokenNoDefaultPolicy, &out.TokenNoDefaultPolicy + *out = new(bool) + **out = **in + } + if in.TokenNumUses != nil { + in, out := &in.TokenNumUses, &out.TokenNumUses + *out = new(float64) + **out = **in + } + if in.TokenPeriod != nil { + in, out := &in.TokenPeriod, &out.TokenPeriod + 
*out = new(float64) + **out = **in + } + if in.TokenPolicies != nil { + in, out := &in.TokenPolicies, &out.TokenPolicies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenTTL != nil { + in, out := &in.TokenTTL, &out.TokenTTL + *out = new(float64) + **out = **in + } + if in.TokenType != nil { + in, out := &in.TokenType, &out.TokenType + *out = new(string) + **out = **in + } + if in.UserClaim != nil { + in, out := &in.UserClaim, &out.UserClaim + *out = new(string) + **out = **in + } + if in.UserClaimJSONPointer != nil { + in, out := &in.UserClaimJSONPointer, &out.UserClaimJSONPointer + *out = new(bool) + **out = **in + } + if in.VerboseOidcLogging != nil { + in, out := &in.VerboseOidcLogging, &out.VerboseOidcLogging + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleInitParameters. +func (in *AuthBackendRoleInitParameters) DeepCopy() *AuthBackendRoleInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendRoleInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthBackendRoleList) DeepCopyInto(out *AuthBackendRoleList) { *out = *in @@ -867,6 +1222,7 @@ func (in *AuthBackendRoleSpec) DeepCopyInto(out *AuthBackendRoleSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleSpec. 
@@ -901,6 +1257,7 @@ func (in *AuthBackendSpec) DeepCopyInto(out *AuthBackendSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendSpec. 
@@ -930,6 +1287,85 @@ func (in *AuthBackendStatus) DeepCopy() *AuthBackendStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TuneInitParameters) DeepCopyInto(out *TuneInitParameters) { + *out = *in + if in.AllowedResponseHeaders != nil { + in, out := &in.AllowedResponseHeaders, &out.AllowedResponseHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.AuditNonHMACRequestKeys != nil { + in, out := &in.AuditNonHMACRequestKeys, &out.AuditNonHMACRequestKeys + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.AuditNonHMACResponseKeys != nil { + in, out := &in.AuditNonHMACResponseKeys, &out.AuditNonHMACResponseKeys + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.DefaultLeaseTTL != nil { + in, out := &in.DefaultLeaseTTL, &out.DefaultLeaseTTL + *out = new(string) + **out = **in + } + if in.ListingVisibility != nil { + in, out := &in.ListingVisibility, &out.ListingVisibility + *out = new(string) + **out = **in + } + if in.MaxLeaseTTL != nil { + in, out := &in.MaxLeaseTTL, &out.MaxLeaseTTL + *out = new(string) + **out = **in + } + if in.PassthroughRequestHeaders != nil { + in, out := &in.PassthroughRequestHeaders, &out.PassthroughRequestHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenType != nil { + in, out := &in.TokenType, &out.TokenType + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new 
TuneInitParameters. +func (in *TuneInitParameters) DeepCopy() *TuneInitParameters { + if in == nil { + return nil + } + out := new(TuneInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TuneObservation) DeepCopyInto(out *TuneObservation) { *out = *in diff --git a/apis/jwt/v1alpha1/zz_generated.managed.go b/apis/jwt/v1alpha1/zz_generated.managed.go index 5ec464b0..3f2960fc 100644 --- a/apis/jwt/v1alpha1/zz_generated.managed.go +++ b/apis/jwt/v1alpha1/zz_generated.managed.go @@ -17,9 +17,9 @@ func (mg *AuthBackend) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this AuthBackend. -func (mg *AuthBackend) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this AuthBackend. +func (mg *AuthBackend) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this AuthBackend. @@ -55,9 +55,9 @@ func (mg *AuthBackend) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this AuthBackend. -func (mg *AuthBackend) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this AuthBackend. +func (mg *AuthBackend) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this AuthBackend. 
@@ -93,9 +93,9 @@ func (mg *AuthBackendRole) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this AuthBackendRole. -func (mg *AuthBackendRole) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this AuthBackendRole. +func (mg *AuthBackendRole) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this AuthBackendRole. @@ -131,9 +131,9 @@ func (mg *AuthBackendRole) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this AuthBackendRole. -func (mg *AuthBackendRole) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this AuthBackendRole. +func (mg *AuthBackendRole) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this AuthBackendRole. diff --git a/apis/jwt/v1alpha1/zz_generated_terraformed.go b/apis/jwt/v1alpha1/zz_generated_terraformed.go index 8adf0986..f1698339 100755 --- a/apis/jwt/v1alpha1/zz_generated_terraformed.go +++ b/apis/jwt/v1alpha1/zz_generated_terraformed.go @@ -69,6 +69,16 @@ func (tr *AuthBackend) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this AuthBackend +func (tr *AuthBackend) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this AuthBackend using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackend) LateInitialize(attrs []byte) (bool, error) { 
@@ -143,6 +153,16 @@ func (tr *AuthBackendRole) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this AuthBackendRole +func (tr *AuthBackendRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this AuthBackendRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackendRole) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/kmip/v1alpha1/zz_generated.deepcopy.go b/apis/kmip/v1alpha1/zz_generated.deepcopy.go index e9508217..b767e773 100644 --- a/apis/kmip/v1alpha1/zz_generated.deepcopy.go +++ b/apis/kmip/v1alpha1/zz_generated.deepcopy.go 
@@ -40,6 +40,104 @@ func (in *SecretBackend) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParameters) { + *out = *in + if in.DefaultTLSClientKeyBits != nil { + in, out := &in.DefaultTLSClientKeyBits, &out.DefaultTLSClientKeyBits + *out = new(float64) + **out = **in + } + if in.DefaultTLSClientKeyType != nil { + in, out := &in.DefaultTLSClientKeyType, &out.DefaultTLSClientKeyType + *out = new(string) + **out = **in + } + if in.DefaultTLSClientTTL != nil { + in, out := &in.DefaultTLSClientTTL, &out.DefaultTLSClientTTL + *out = new(float64) + **out = **in + } + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.DisableRemount != nil { + in, out := &in.DisableRemount, &out.DisableRemount + *out = new(bool) + **out = **in + } + if in.ListenAddrs != nil { + in, out := &in.ListenAddrs, &out.ListenAddrs + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = **in + } + if in.ServerHostnames != nil { + in, out := &in.ServerHostnames, &out.ServerHostnames + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.ServerIps != nil { + in, out := &in.ServerIps, &out.ServerIps + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TLSCAKeyBits != nil { + in, out := &in.TLSCAKeyBits, 
&out.TLSCAKeyBits + *out = new(float64) + **out = **in + } + if in.TLSCAKeyType != nil { + in, out := &in.TLSCAKeyType, &out.TLSCAKeyType + *out = new(string) + **out = **in + } + if in.TLSMinVersion != nil { + in, out := &in.TLSMinVersion, &out.TLSMinVersion + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendInitParameters. +func (in *SecretBackendInitParameters) DeepCopy() *SecretBackendInitParameters { + if in == nil { + return nil + } + out := new(SecretBackendInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendList) DeepCopyInto(out *SecretBackendList) { *out = *in @@ -278,6 +376,7 @@ func (in *SecretBackendSpec) DeepCopyInto(out *SecretBackendSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendSpec. 
@@ -334,6 +433,126 @@ func (in *SecretRole) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretRoleInitParameters) DeepCopyInto(out *SecretRoleInitParameters) { + *out = *in + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.OperationActivate != nil { + in, out := &in.OperationActivate, &out.OperationActivate + *out = new(bool) + **out = **in + } + if in.OperationAddAttribute != nil { + in, out := &in.OperationAddAttribute, &out.OperationAddAttribute + *out = new(bool) + **out = **in + } + if in.OperationAll != nil { + in, out := &in.OperationAll, &out.OperationAll + *out = new(bool) + **out = **in + } + if in.OperationCreate != nil { + in, out := &in.OperationCreate, &out.OperationCreate + *out = new(bool) + **out = **in + } + if in.OperationDestroy != nil { + in, out := &in.OperationDestroy, &out.OperationDestroy + *out = new(bool) + **out = **in + } + if in.OperationDiscoverVersions != nil { + in, out := &in.OperationDiscoverVersions, &out.OperationDiscoverVersions + *out = new(bool) + **out = **in + } + if in.OperationGet != nil { + in, out := &in.OperationGet, &out.OperationGet + *out = new(bool) + **out = **in + } + if in.OperationGetAttributeList != nil { + in, out := &in.OperationGetAttributeList, &out.OperationGetAttributeList + *out = new(bool) + **out = **in + } + if in.OperationGetAttributes != nil { + in, out := &in.OperationGetAttributes, &out.OperationGetAttributes + *out = new(bool) + **out = **in + } + if in.OperationLocate != nil { + in, out := &in.OperationLocate, &out.OperationLocate + *out = new(bool) + **out = **in + } + if in.OperationNone != nil { + in, out := &in.OperationNone, &out.OperationNone + *out = new(bool) + **out = **in + } + if in.OperationRegister != nil { + in, out := &in.OperationRegister, &out.OperationRegister + *out = new(bool) + 
**out = **in + } + if in.OperationRekey != nil { + in, out := &in.OperationRekey, &out.OperationRekey + *out = new(bool) + **out = **in + } + if in.OperationRevoke != nil { + in, out := &in.OperationRevoke, &out.OperationRevoke + *out = new(bool) + **out = **in + } + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = **in + } + if in.Role != nil { + in, out := &in.Role, &out.Role + *out = new(string) + **out = **in + } + if in.Scope != nil { + in, out := &in.Scope, &out.Scope + *out = new(string) + **out = **in + } + if in.TLSClientKeyBits != nil { + in, out := &in.TLSClientKeyBits, &out.TLSClientKeyBits + *out = new(float64) + **out = **in + } + if in.TLSClientKeyType != nil { + in, out := &in.TLSClientKeyType, &out.TLSClientKeyType + *out = new(string) + **out = **in + } + if in.TLSClientTTL != nil { + in, out := &in.TLSClientTTL, &out.TLSClientTTL + *out = new(float64) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretRoleInitParameters. +func (in *SecretRoleInitParameters) DeepCopy() *SecretRoleInitParameters { + if in == nil { + return nil + } + out := new(SecretRoleInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretRoleList) DeepCopyInto(out *SecretRoleList) { *out = *in @@ -616,6 +835,7 @@ func (in *SecretRoleSpec) DeepCopyInto(out *SecretRoleSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretRoleSpec. 
@@ -672,6 +892,41 @@ func (in *SecretScope) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretScopeInitParameters) DeepCopyInto(out *SecretScopeInitParameters) { + *out = *in + if in.Force != nil { + in, out := &in.Force, &out.Force + *out = new(bool) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = **in + } + if in.Scope != nil { + in, out := &in.Scope, &out.Scope + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretScopeInitParameters. +func (in *SecretScopeInitParameters) DeepCopy() *SecretScopeInitParameters { + if in == nil { + return nil + } + out := new(SecretScopeInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretScopeList) DeepCopyInto(out *SecretScopeList) { *out = *in @@ -784,6 +1039,7 @@ func (in *SecretScopeSpec) DeepCopyInto(out *SecretScopeSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretScopeSpec. diff --git a/apis/kmip/v1alpha1/zz_generated.managed.go b/apis/kmip/v1alpha1/zz_generated.managed.go index 202e5c1d..fcadd298 100644 --- a/apis/kmip/v1alpha1/zz_generated.managed.go +++ b/apis/kmip/v1alpha1/zz_generated.managed.go 
@@ -17,9 +17,9 @@ func (mg *SecretBackend) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackend. -func (mg *SecretBackend) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackend. +func (mg *SecretBackend) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackend. @@ -55,9 +55,9 @@ func (mg *SecretBackend) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackend. -func (mg *SecretBackend) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackend. +func (mg *SecretBackend) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackend. @@ -93,9 +93,9 @@ func (mg *SecretRole) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretRole. -func (mg *SecretRole) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretRole. +func (mg *SecretRole) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretRole. @@ -131,9 +131,9 @@ func (mg *SecretRole) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretRole. -func (mg *SecretRole) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretRole. +func (mg *SecretRole) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretRole. 
@@ -169,9 +169,9 @@ func (mg *SecretScope) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretScope. -func (mg *SecretScope) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretScope. +func (mg *SecretScope) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretScope. @@ -207,9 +207,9 @@ func (mg *SecretScope) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretScope. -func (mg *SecretScope) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretScope. +func (mg *SecretScope) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretScope. diff --git a/apis/kmip/v1alpha1/zz_generated_terraformed.go b/apis/kmip/v1alpha1/zz_generated_terraformed.go index 43759f89..dfad9847 100755 --- a/apis/kmip/v1alpha1/zz_generated_terraformed.go +++ b/apis/kmip/v1alpha1/zz_generated_terraformed.go @@ -69,6 +69,16 @@ func (tr *SecretBackend) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackend +func (tr *SecretBackend) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackend using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { 
@@ -143,6 +153,16 @@ func (tr *SecretRole) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretRole +func (tr *SecretRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretRole) LateInitialize(attrs []byte) (bool, error) { @@ -217,6 +237,16 @@ func (tr *SecretScope) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretScope +func (tr *SecretScope) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretScope using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretScope) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/kmip/v1alpha1/zz_secretbackend_types.go b/apis/kmip/v1alpha1/zz_secretbackend_types.go index 6bd1f23b..c2a6dd98 100755 --- a/apis/kmip/v1alpha1/zz_secretbackend_types.go +++ b/apis/kmip/v1alpha1/zz_secretbackend_types.go 
@@ -13,56 +13,134 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretBackendInitParameters struct { + + // Client certificate key bits, valid values depend on key type. + // Client certificate key bits, valid values depend on key type + DefaultTLSClientKeyBits *float64 `json:"defaultTlsClientKeyBits,omitempty" tf:"default_tls_client_key_bits,omitempty"` + + // Client certificate key type, rsa or ec. + // Client certificate key type, rsa or ec + DefaultTLSClientKeyType *string `json:"defaultTlsClientKeyType,omitempty" tf:"default_tls_client_key_type,omitempty"` + + // Client certificate TTL in seconds + DefaultTLSClientTTL *float64 `json:"defaultTlsClientTtl,omitempty" tf:"default_tls_client_ttl,omitempty"` + + // A human-friendly description for this backend. + // Human-friendly description of the mount for the backend + Description *string `json:"description,omitempty" tf:"description,omitempty"` + + // If set, opts out of mount migration on path updates. + // See here for more info on Mount Migration + // If set, opts out of mount migration on path updates. + DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + + // Addresses the KMIP server should listen on (host:port). + // Addresses the KMIP server should listen on (host:port) + ListenAddrs []*string `json:"listenAddrs,omitempty" tf:"listen_addrs,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The unique path this backend should be mounted at. Must + // not begin or end with a /. Defaults to kmip. 
+ // Path where KMIP secret backend will be mounted + Path *string `json:"path,omitempty" tf:"path,omitempty"` + + // Hostnames to include in the server's TLS certificate as SAN DNS names. The first will be used as the common name (CN). + // Hostnames to include in the server's TLS certificate as SAN DNS names. The first will be used as the common name (CN) + ServerHostnames []*string `json:"serverHostnames,omitempty" tf:"server_hostnames,omitempty"` + + // IPs to include in the server's TLS certificate as SAN IP addresses. + // IPs to include in the server's TLS certificate as SAN IP addresses + ServerIps []*string `json:"serverIps,omitempty" tf:"server_ips,omitempty"` + + // CA key bits, valid values depend on key type. + // CA key bits, valid values depend on key type + TLSCAKeyBits *float64 `json:"tlsCaKeyBits,omitempty" tf:"tls_ca_key_bits,omitempty"` + + // CA key type, rsa or ec. + // CA key type, rsa or ec + TLSCAKeyType *string `json:"tlsCaKeyType,omitempty" tf:"tls_ca_key_type,omitempty"` + + // Minimum TLS version to accept. + // Minimum TLS version to accept + TLSMinVersion *string `json:"tlsMinVersion,omitempty" tf:"tls_min_version,omitempty"` +} + type SecretBackendObservation struct { + // Client certificate key bits, valid values depend on key type. // Client certificate key bits, valid values depend on key type DefaultTLSClientKeyBits *float64 `json:"defaultTlsClientKeyBits,omitempty" tf:"default_tls_client_key_bits,omitempty"` + // Client certificate key type, rsa or ec. // Client certificate key type, rsa or ec DefaultTLSClientKeyType *string `json:"defaultTlsClientKeyType,omitempty" tf:"default_tls_client_key_type,omitempty"` // Client certificate TTL in seconds DefaultTLSClientTTL *float64 `json:"defaultTlsClientTtl,omitempty" tf:"default_tls_client_ttl,omitempty"` + // A human-friendly description for this backend. 
// Human-friendly description of the mount for the backend Description *string `json:"description,omitempty" tf:"description,omitempty"` + // If set, opts out of mount migration on path updates. + // See here for more info on Mount Migration // If set, opts out of mount migration on path updates. DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // Addresses the KMIP server should listen on (host:port). // Addresses the KMIP server should listen on (host:port) ListenAddrs []*string `json:"listenAddrs,omitempty" tf:"listen_addrs,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The unique path this backend should be mounted at. Must + // not begin or end with a /. Defaults to kmip. // Path where KMIP secret backend will be mounted Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Hostnames to include in the server's TLS certificate as SAN DNS names. The first will be used as the common name (CN). // Hostnames to include in the server's TLS certificate as SAN DNS names. The first will be used as the common name (CN) ServerHostnames []*string `json:"serverHostnames,omitempty" tf:"server_hostnames,omitempty"` + // IPs to include in the server's TLS certificate as SAN IP addresses. // IPs to include in the server's TLS certificate as SAN IP addresses ServerIps []*string `json:"serverIps,omitempty" tf:"server_ips,omitempty"` + // CA key bits, valid values depend on key type. // CA key bits, valid values depend on key type TLSCAKeyBits *float64 `json:"tlsCaKeyBits,omitempty" tf:"tls_ca_key_bits,omitempty"` + // CA key type, rsa or ec. 
// CA key type, rsa or ec TLSCAKeyType *string `json:"tlsCaKeyType,omitempty" tf:"tls_ca_key_type,omitempty"` + // Minimum TLS version to accept. // Minimum TLS version to accept TLSMinVersion *string `json:"tlsMinVersion,omitempty" tf:"tls_min_version,omitempty"` } type SecretBackendParameters struct { + // Client certificate key bits, valid values depend on key type. // Client certificate key bits, valid values depend on key type // +kubebuilder:validation:Optional DefaultTLSClientKeyBits *float64 `json:"defaultTlsClientKeyBits,omitempty" tf:"default_tls_client_key_bits,omitempty"` + // Client certificate key type, rsa or ec. // Client certificate key type, rsa or ec // +kubebuilder:validation:Optional DefaultTLSClientKeyType *string `json:"defaultTlsClientKeyType,omitempty" tf:"default_tls_client_key_type,omitempty"` 
@@ -71,42 +149,57 @@ type SecretBackendParameters struct { // +kubebuilder:validation:Optional DefaultTLSClientTTL *float64 `json:"defaultTlsClientTtl,omitempty" tf:"default_tls_client_ttl,omitempty"` + // A human-friendly description for this backend. // Human-friendly description of the mount for the backend // +kubebuilder:validation:Optional Description *string `json:"description,omitempty" tf:"description,omitempty"` + // If set, opts out of mount migration on path updates. + // See here for more info on Mount Migration // If set, opts out of mount migration on path updates. // +kubebuilder:validation:Optional DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + // Addresses the KMIP server should listen on (host:port). // Addresses the KMIP server should listen on (host:port) // +kubebuilder:validation:Optional ListenAddrs []*string `json:"listenAddrs,omitempty" tf:"listen_addrs,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The unique path this backend should be mounted at. Must + // not begin or end with a /. Defaults to kmip. // Path where KMIP secret backend will be mounted // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Hostnames to include in the server's TLS certificate as SAN DNS names. The first will be used as the common name (CN). // Hostnames to include in the server's TLS certificate as SAN DNS names. 
The first will be used as the common name (CN) // +kubebuilder:validation:Optional ServerHostnames []*string `json:"serverHostnames,omitempty" tf:"server_hostnames,omitempty"` + // IPs to include in the server's TLS certificate as SAN IP addresses. // IPs to include in the server's TLS certificate as SAN IP addresses // +kubebuilder:validation:Optional ServerIps []*string `json:"serverIps,omitempty" tf:"server_ips,omitempty"` + // CA key bits, valid values depend on key type. // CA key bits, valid values depend on key type // +kubebuilder:validation:Optional TLSCAKeyBits *float64 `json:"tlsCaKeyBits,omitempty" tf:"tls_ca_key_bits,omitempty"` + // CA key type, rsa or ec. // CA key type, rsa or ec // +kubebuilder:validation:Optional TLSCAKeyType *string `json:"tlsCaKeyType,omitempty" tf:"tls_ca_key_type,omitempty"` + // Minimum TLS version to accept. // Minimum TLS version to accept // +kubebuilder:validation:Optional TLSMinVersion *string `json:"tlsMinVersion,omitempty" tf:"tls_min_version,omitempty"` 
@@ -116,6 +209,18 @@ type SecretBackendParameters struct { type SecretBackendSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretBackendInitParameters `json:"initProvider,omitempty"` } // SecretBackendStatus defines the observed state of SecretBackend. @@ -126,7 +231,7 @@ type SecretBackendStatus struct { // +kubebuilder:object:root=true -// SecretBackend is the Schema for the SecretBackends API. +// SecretBackend is the Schema for the SecretBackends API. Provision KMIP Secret backends in Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -136,7 +241,7 @@ type SecretBackendStatus struct { type SecretBackend struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path)",message="path is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter" Spec SecretBackendSpec `json:"spec"` Status SecretBackendStatus `json:"status,omitempty"` } diff --git a/apis/kmip/v1alpha1/zz_secretrole_types.go b/apis/kmip/v1alpha1/zz_secretrole_types.go index 620a194d..c236a537 100755 --- a/apis/kmip/v1alpha1/zz_secretrole_types.go +++ b/apis/kmip/v1alpha1/zz_secretrole_types.go 
@@ -13,155 +13,296 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretRoleInitParameters struct { + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Grant permission to use the KMIP Activate operation. + // Grant permission to use the KMIP Activate operation + OperationActivate *bool `json:"operationActivate,omitempty" tf:"operation_activate,omitempty"` + + // Grant permission to use the KMIP Add Attribute operation. + // Grant permission to use the KMIP Add Attribute operation + OperationAddAttribute *bool `json:"operationAddAttribute,omitempty" tf:"operation_add_attribute,omitempty"` + + // Grant all permissions to this role. May not be specified with any other operation_* params. + // Grant all permissions to this role. May not be specified with any other operation_* params + OperationAll *bool `json:"operationAll,omitempty" tf:"operation_all,omitempty"` + + // Grant permission to use the KMIP Create operation. + // Grant permission to use the KMIP Create operation + OperationCreate *bool `json:"operationCreate,omitempty" tf:"operation_create,omitempty"` + + // Grant permission to use the KMIP Destroy operation. + // Grant permission to use the KMIP Destroy operation + OperationDestroy *bool `json:"operationDestroy,omitempty" tf:"operation_destroy,omitempty"` + + // Grant permission to use the KMIP Discover Version operation. + // Grant permission to use the KMIP Discover Version operation + OperationDiscoverVersions *bool `json:"operationDiscoverVersions,omitempty" tf:"operation_discover_versions,omitempty"` + + // Grant permission to use the KMIP Get operation. 
+ // Grant permission to use the KMIP Get operation + OperationGet *bool `json:"operationGet,omitempty" tf:"operation_get,omitempty"` + + // Grant permission to use the KMIP Get Atrribute List operation. + // Grant permission to use the KMIP Get Attribute List operation + OperationGetAttributeList *bool `json:"operationGetAttributeList,omitempty" tf:"operation_get_attribute_list,omitempty"` + + // Grant permission to use the KMIP Get Atrributes operation. + // Grant permission to use the KMIP Get Attributes operation + OperationGetAttributes *bool `json:"operationGetAttributes,omitempty" tf:"operation_get_attributes,omitempty"` + + // Grant permission to use the KMIP Get Locate operation. + // Grant permission to use the KMIP Locate operation + OperationLocate *bool `json:"operationLocate,omitempty" tf:"operation_locate,omitempty"` + + // Remove all permissions from this role. May not be specified with any other operation_* params. + // Remove all permissions from this role. May not be specified with any other operation_* params + OperationNone *bool `json:"operationNone,omitempty" tf:"operation_none,omitempty"` + + // Grant permission to use the KMIP Register operation. + // Grant permission to use the KMIP Register operation + OperationRegister *bool `json:"operationRegister,omitempty" tf:"operation_register,omitempty"` + + // Grant permission to use the KMIP Rekey operation. + // Grant permission to use the KMIP Rekey operation + OperationRekey *bool `json:"operationRekey,omitempty" tf:"operation_rekey,omitempty"` + + // Grant permission to use the KMIP Revoke operation. + // Grant permission to use the KMIP Revoke operation + OperationRevoke *bool `json:"operationRevoke,omitempty" tf:"operation_revoke,omitempty"` + + // The unique path this backend should be mounted at. Must + // not begin or end with a /. Defaults to kmip. + // Path where KMIP backend is mounted + Path *string `json:"path,omitempty" tf:"path,omitempty"` + + // Name of the role. 
+ // Name of the role + Role *string `json:"role,omitempty" tf:"role,omitempty"` + + // Name of the scope. + // Name of the scope + Scope *string `json:"scope,omitempty" tf:"scope,omitempty"` + + // Client certificate key bits, valid values depend on key type. + // Client certificate key bits, valid values depend on key type + TLSClientKeyBits *float64 `json:"tlsClientKeyBits,omitempty" tf:"tls_client_key_bits,omitempty"` + + // Client certificate key type, rsa or ec. + // Client certificate key type, rsa or ec + TLSClientKeyType *string `json:"tlsClientKeyType,omitempty" tf:"tls_client_key_type,omitempty"` + + // Client certificate TTL in seconds. + // Client certificate TTL in seconds + TLSClientTTL *float64 `json:"tlsClientTtl,omitempty" tf:"tls_client_ttl,omitempty"` +} + type SecretRoleObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Grant permission to use the KMIP Activate operation. // Grant permission to use the KMIP Activate operation OperationActivate *bool `json:"operationActivate,omitempty" tf:"operation_activate,omitempty"` + // Grant permission to use the KMIP Add Attribute operation. // Grant permission to use the KMIP Add Attribute operation OperationAddAttribute *bool `json:"operationAddAttribute,omitempty" tf:"operation_add_attribute,omitempty"` + // Grant all permissions to this role. May not be specified with any other operation_* params. // Grant all permissions to this role. May not be specified with any other operation_* params OperationAll *bool `json:"operationAll,omitempty" tf:"operation_all,omitempty"` + // Grant permission to use the KMIP Create operation. 
// Grant permission to use the KMIP Create operation OperationCreate *bool `json:"operationCreate,omitempty" tf:"operation_create,omitempty"` + // Grant permission to use the KMIP Destroy operation. // Grant permission to use the KMIP Destroy operation OperationDestroy *bool `json:"operationDestroy,omitempty" tf:"operation_destroy,omitempty"` + // Grant permission to use the KMIP Discover Version operation. // Grant permission to use the KMIP Discover Version operation OperationDiscoverVersions *bool `json:"operationDiscoverVersions,omitempty" tf:"operation_discover_versions,omitempty"` + // Grant permission to use the KMIP Get operation. // Grant permission to use the KMIP Get operation OperationGet *bool `json:"operationGet,omitempty" tf:"operation_get,omitempty"` + // Grant permission to use the KMIP Get Atrribute List operation. // Grant permission to use the KMIP Get Attribute List operation OperationGetAttributeList *bool `json:"operationGetAttributeList,omitempty" tf:"operation_get_attribute_list,omitempty"` + // Grant permission to use the KMIP Get Atrributes operation. // Grant permission to use the KMIP Get Attributes operation OperationGetAttributes *bool `json:"operationGetAttributes,omitempty" tf:"operation_get_attributes,omitempty"` + // Grant permission to use the KMIP Get Locate operation. // Grant permission to use the KMIP Locate operation OperationLocate *bool `json:"operationLocate,omitempty" tf:"operation_locate,omitempty"` + // Remove all permissions from this role. May not be specified with any other operation_* params. // Remove all permissions from this role. May not be specified with any other operation_* params OperationNone *bool `json:"operationNone,omitempty" tf:"operation_none,omitempty"` + // Grant permission to use the KMIP Register operation. 
// Grant permission to use the KMIP Register operation OperationRegister *bool `json:"operationRegister,omitempty" tf:"operation_register,omitempty"` + // Grant permission to use the KMIP Rekey operation. // Grant permission to use the KMIP Rekey operation OperationRekey *bool `json:"operationRekey,omitempty" tf:"operation_rekey,omitempty"` + // Grant permission to use the KMIP Revoke operation. // Grant permission to use the KMIP Revoke operation OperationRevoke *bool `json:"operationRevoke,omitempty" tf:"operation_revoke,omitempty"` + // The unique path this backend should be mounted at. Must + // not begin or end with a /. Defaults to kmip. // Path where KMIP backend is mounted Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Name of the role. // Name of the role Role *string `json:"role,omitempty" tf:"role,omitempty"` + // Name of the scope. // Name of the scope Scope *string `json:"scope,omitempty" tf:"scope,omitempty"` + // Client certificate key bits, valid values depend on key type. // Client certificate key bits, valid values depend on key type TLSClientKeyBits *float64 `json:"tlsClientKeyBits,omitempty" tf:"tls_client_key_bits,omitempty"` + // Client certificate key type, rsa or ec. // Client certificate key type, rsa or ec TLSClientKeyType *string `json:"tlsClientKeyType,omitempty" tf:"tls_client_key_type,omitempty"` + // Client certificate TTL in seconds. // Client certificate TTL in seconds TLSClientTTL *float64 `json:"tlsClientTtl,omitempty" tf:"tls_client_ttl,omitempty"` } type SecretRoleParameters struct { + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. 
(requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Grant permission to use the KMIP Activate operation. // Grant permission to use the KMIP Activate operation // +kubebuilder:validation:Optional OperationActivate *bool `json:"operationActivate,omitempty" tf:"operation_activate,omitempty"` + // Grant permission to use the KMIP Add Attribute operation. // Grant permission to use the KMIP Add Attribute operation // +kubebuilder:validation:Optional OperationAddAttribute *bool `json:"operationAddAttribute,omitempty" tf:"operation_add_attribute,omitempty"` + // Grant all permissions to this role. May not be specified with any other operation_* params. // Grant all permissions to this role. May not be specified with any other operation_* params // +kubebuilder:validation:Optional OperationAll *bool `json:"operationAll,omitempty" tf:"operation_all,omitempty"` + // Grant permission to use the KMIP Create operation. // Grant permission to use the KMIP Create operation // +kubebuilder:validation:Optional OperationCreate *bool `json:"operationCreate,omitempty" tf:"operation_create,omitempty"` + // Grant permission to use the KMIP Destroy operation. // Grant permission to use the KMIP Destroy operation // +kubebuilder:validation:Optional OperationDestroy *bool `json:"operationDestroy,omitempty" tf:"operation_destroy,omitempty"` + // Grant permission to use the KMIP Discover Version operation. // Grant permission to use the KMIP Discover Version operation // +kubebuilder:validation:Optional OperationDiscoverVersions *bool `json:"operationDiscoverVersions,omitempty" tf:"operation_discover_versions,omitempty"` + // Grant permission to use the KMIP Get operation. // Grant permission to use the KMIP Get operation // +kubebuilder:validation:Optional OperationGet *bool `json:"operationGet,omitempty" tf:"operation_get,omitempty"` + // Grant permission to use the KMIP Get Atrribute List operation. 
// Grant permission to use the KMIP Get Attribute List operation // +kubebuilder:validation:Optional OperationGetAttributeList *bool `json:"operationGetAttributeList,omitempty" tf:"operation_get_attribute_list,omitempty"` + // Grant permission to use the KMIP Get Atrributes operation. // Grant permission to use the KMIP Get Attributes operation // +kubebuilder:validation:Optional OperationGetAttributes *bool `json:"operationGetAttributes,omitempty" tf:"operation_get_attributes,omitempty"` + // Grant permission to use the KMIP Get Locate operation. // Grant permission to use the KMIP Locate operation // +kubebuilder:validation:Optional OperationLocate *bool `json:"operationLocate,omitempty" tf:"operation_locate,omitempty"` + // Remove all permissions from this role. May not be specified with any other operation_* params. // Remove all permissions from this role. May not be specified with any other operation_* params // +kubebuilder:validation:Optional OperationNone *bool `json:"operationNone,omitempty" tf:"operation_none,omitempty"` + // Grant permission to use the KMIP Register operation. // Grant permission to use the KMIP Register operation // +kubebuilder:validation:Optional OperationRegister *bool `json:"operationRegister,omitempty" tf:"operation_register,omitempty"` + // Grant permission to use the KMIP Rekey operation. // Grant permission to use the KMIP Rekey operation // +kubebuilder:validation:Optional OperationRekey *bool `json:"operationRekey,omitempty" tf:"operation_rekey,omitempty"` + // Grant permission to use the KMIP Revoke operation. // Grant permission to use the KMIP Revoke operation // +kubebuilder:validation:Optional OperationRevoke *bool `json:"operationRevoke,omitempty" tf:"operation_revoke,omitempty"` + // The unique path this backend should be mounted at. Must + // not begin or end with a /. Defaults to kmip. 
// Path where KMIP backend is mounted // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Name of the role. // Name of the role // +kubebuilder:validation:Optional Role *string `json:"role,omitempty" tf:"role,omitempty"` + // Name of the scope. // Name of the scope // +kubebuilder:validation:Optional Scope *string `json:"scope,omitempty" tf:"scope,omitempty"` + // Client certificate key bits, valid values depend on key type. // Client certificate key bits, valid values depend on key type // +kubebuilder:validation:Optional TLSClientKeyBits *float64 `json:"tlsClientKeyBits,omitempty" tf:"tls_client_key_bits,omitempty"` + // Client certificate key type, rsa or ec. // Client certificate key type, rsa or ec // +kubebuilder:validation:Optional TLSClientKeyType *string `json:"tlsClientKeyType,omitempty" tf:"tls_client_key_type,omitempty"` + // Client certificate TTL in seconds. // Client certificate TTL in seconds // +kubebuilder:validation:Optional TLSClientTTL *float64 `json:"tlsClientTtl,omitempty" tf:"tls_client_ttl,omitempty"` 
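Review bot: The added doc line on `Path` in SecretRoleInitParameters, SecretRoleObservation and SecretRoleParameters says "Defaults to kmip.", but the validation rule on the SecretRole type in the next hunk rejects create/update objects that have no `path` in forProvider or initProvider, so the field is required here and the default wording (copied from the backend resource, by the look of it) is misleading; `// The unique path this backend should be mounted at. Must not begin or end with a /.` is what the rule supports. The identical line is added to SecretScope's Path fields in the following file. Two of the new comment lines also carry a typo the pre-existing line below them does not, `Get Atrribute List` and `Get Atrributes`, and `KMIP Get Locate operation` should read `KMIP Locate operation` to match the existing description. As these appear to be generated from the upstream provider schema, the wording is best corrected at that source.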
@@ -171,6 +312,18 @@ type SecretRoleParameters struct {
 type SecretRoleSpec struct {
 v1.ResourceSpec `json:",inline"`
 ForProvider SecretRoleParameters `json:"forProvider"`
+ // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored
+ // unless the relevant Crossplane feature flag is enabled, and may be
+ // changed or removed without notice.
+ // InitProvider holds the same fields as ForProvider, with the exception
+ // of Identifier and other resource reference fields. The fields that are
+ // in InitProvider are merged into ForProvider when the resource is created.
+ // The same fields are also added to the terraform ignore_changes hook, to
+ // avoid updating them after creation. This is useful for fields that are
+ // required on creation, but we do not desire to update them after creation,
+ // for example because of an external controller is managing them, like an
+ // autoscaler.
+ InitProvider SecretRoleInitParameters `json:"initProvider,omitempty"`
 }
 // SecretRoleStatus defines the observed state of SecretRole.
@@ -181,7 +334,7 @@ type SecretRoleStatus struct {
 // +kubebuilder:object:root=true
-// SecretRole is the Schema for the SecretRoles API.
+// SecretRole is the Schema for the SecretRoles API. Provision KMIP Secret roles in Vault.
 // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status"
 // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status"
 // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name"
@@ -191,9 +344,9 @@ type SecretRoleStatus struct {
 type SecretRole struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
- // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path)",message="path is a required parameter"
- // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.role)",message="role is a required parameter"
- // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.scope)",message="scope is a required parameter"
+ // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter"
+ // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.role) || has(self.initProvider.role)",message="role is a required parameter"
+ // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.scope) || has(self.initProvider.scope)",message="scope is a required parameter"
 Spec SecretRoleSpec `json:"spec"`
 Status SecretRoleStatus `json:"status,omitempty"`
 }
diff --git a/apis/kmip/v1alpha1/zz_secretscope_types.go b/apis/kmip/v1alpha1/zz_secretscope_types.go
index 74bab6c7..ea19537f 100755
--- a/apis/kmip/v1alpha1/zz_secretscope_types.go
+++ b/apis/kmip/v1alpha1/zz_secretscope_types.go
@@ -13,37 +13,76 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretScopeInitParameters struct { + + // Boolean field to force deletion even if there are managed objects in the scope. + // Force deletion even if there are managed objects in the scope + Force *bool `json:"force,omitempty" tf:"force,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The unique path this backend should be mounted at. Must + // not begin or end with a /. Defaults to kmip. + // Path where KMIP backend is mounted + Path *string `json:"path,omitempty" tf:"path,omitempty"` + + // Name of the scope. + // Name of the scope + Scope *string `json:"scope,omitempty" tf:"scope,omitempty"` +} + type SecretScopeObservation struct { + // Boolean field to force deletion even if there are managed objects in the scope. // Force deletion even if there are managed objects in the scope Force *bool `json:"force,omitempty" tf:"force,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The unique path this backend should be mounted at. Must + // not begin or end with a /. Defaults to kmip. // Path where KMIP backend is mounted Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Name of the scope. 
// Name of the scope Scope *string `json:"scope,omitempty" tf:"scope,omitempty"` } type SecretScopeParameters struct { + // Boolean field to force deletion even if there are managed objects in the scope. // Force deletion even if there are managed objects in the scope // +kubebuilder:validation:Optional Force *bool `json:"force,omitempty" tf:"force,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The unique path this backend should be mounted at. Must + // not begin or end with a /. Defaults to kmip. // Path where KMIP backend is mounted // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Name of the scope. // Name of the scope // +kubebuilder:validation:Optional Scope *string `json:"scope,omitempty" tf:"scope,omitempty"` 
@@ -53,6 +92,18 @@ type SecretScopeParameters struct {
 type SecretScopeSpec struct {
 v1.ResourceSpec `json:",inline"`
 ForProvider SecretScopeParameters `json:"forProvider"`
+ // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored
+ // unless the relevant Crossplane feature flag is enabled, and may be
+ // changed or removed without notice.
+ // InitProvider holds the same fields as ForProvider, with the exception
+ // of Identifier and other resource reference fields. The fields that are
+ // in InitProvider are merged into ForProvider when the resource is created.
+ // The same fields are also added to the terraform ignore_changes hook, to
+ // avoid updating them after creation. This is useful for fields that are
+ // required on creation, but we do not desire to update them after creation,
+ // for example because of an external controller is managing them, like an
+ // autoscaler.
+ InitProvider SecretScopeInitParameters `json:"initProvider,omitempty"`
 }
 // SecretScopeStatus defines the observed state of SecretScope.
@@ -63,7 +114,7 @@ type SecretScopeStatus struct {
 // +kubebuilder:object:root=true
-// SecretScope is the Schema for the SecretScopes API.
+// SecretScope is the Schema for the SecretScopes API. Provision KMIP Secret scopes in Vault.
 // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status"
 // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status"
 // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name"
@@ -73,8 +124,8 @@ type SecretScopeStatus struct {
 type SecretScope struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
- // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path)",message="path is a required parameter"
- // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.scope)",message="scope is a required parameter"
+ // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter"
+ // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.scope) || has(self.initProvider.scope)",message="scope is a required parameter"
 Spec SecretScopeSpec `json:"spec"`
 Status SecretScopeStatus `json:"status,omitempty"`
 }
diff --git a/apis/kubernetes/v1alpha1/zz_authbackendconfig_types.go b/apis/kubernetes/v1alpha1/zz_authbackendconfig_types.go
index c8343793..072ec7e3 100755
--- a/apis/kubernetes/v1alpha1/zz_authbackendconfig_types.go
+++ b/apis/kubernetes/v1alpha1/zz_authbackendconfig_types.go
@@ -13,31 +13,78 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AuthBackendConfigInitParameters struct { + + // Unique name of the kubernetes backend to configure. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+ + // Optional disable JWT issuer validation. Allows to skip ISS validation. + DisableIssValidation *bool `json:"disableIssValidation,omitempty" tf:"disable_iss_validation,omitempty"` + + // Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+ + // Optional disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. + DisableLocalCAJwt *bool `json:"disableLocalCaJwt,omitempty" tf:"disable_local_ca_jwt,omitempty"` + + // JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer. + // Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer. + Issuer *string `json:"issuer,omitempty" tf:"issuer,omitempty"` + + // PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. + // PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. + KubernetesCACert *string `json:"kubernetesCaCert,omitempty" tf:"kubernetes_ca_cert,omitempty"` + + // Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server. + // Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server. + KubernetesHost *string `json:"kubernetesHost,omitempty" tf:"kubernetes_host,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. 
+ // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. + // Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. + PemKeys []*string `json:"pemKeys,omitempty" tf:"pem_keys,omitempty"` +} + type AuthBackendConfigObservation struct { // Unique name of the kubernetes backend to configure. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+ // Optional disable JWT issuer validation. Allows to skip ISS validation. DisableIssValidation *bool `json:"disableIssValidation,omitempty" tf:"disable_iss_validation,omitempty"` + // Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+ // Optional disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. DisableLocalCAJwt *bool `json:"disableLocalCaJwt,omitempty" tf:"disable_local_ca_jwt,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer. // Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer. 
Issuer *string `json:"issuer,omitempty" tf:"issuer,omitempty"` + // PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. // PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. KubernetesCACert *string `json:"kubernetesCaCert,omitempty" tf:"kubernetes_ca_cert,omitempty"` + // Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server. // Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server. KubernetesHost *string `json:"kubernetesHost,omitempty" tf:"kubernetes_host,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. // Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. PemKeys []*string `json:"pemKeys,omitempty" tf:"pem_keys,omitempty"` } 
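Review bot: `AuthBackendConfigInitParameters` exposes the fields that decide how Vault verifies Kubernetes service-account JWTs (`kubernetesCaCert`, `pemKeys`, `kubernetesHost`, `disableIssValidation`, `disableLocalCaJwt`) without saying what the InitProvider contract means for them: per the InitProvider doc added in the spec hunk below, values set there are merged only at creation and then added to ignore_changes, so an out-of-band weakening in Vault, such as issuer validation being switched off or the CA being replaced, would not be reverted by this controller if that description applies to these fields. That is a reasonable trade-off for an autoscaler-managed size, less so for a trust anchor, and deserves a type-level comment such as `// Trust settings placed here are not reconciled after creation; use forProvider for values whose drift must be corrected.` Leaving `TokenReviewerJwtSecretRef` out of this struct (it stays in Parameters with `tf:"-"`) is the right call and could be stated in the same comment so nobody "completes" the list later. The struct appears to be generated, so the template is the place for the comment.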
@@ -48,34 +95,45 @@ type AuthBackendConfigParameters struct { // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+ // Optional disable JWT issuer validation. Allows to skip ISS validation. // +kubebuilder:validation:Optional DisableIssValidation *bool `json:"disableIssValidation,omitempty" tf:"disable_iss_validation,omitempty"` + // Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+ // Optional disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. // +kubebuilder:validation:Optional DisableLocalCAJwt *bool `json:"disableLocalCaJwt,omitempty" tf:"disable_local_ca_jwt,omitempty"` + // JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer. // Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer. // +kubebuilder:validation:Optional Issuer *string `json:"issuer,omitempty" tf:"issuer,omitempty"` + // PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. // PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. // +kubebuilder:validation:Optional KubernetesCACert *string `json:"kubernetesCaCert,omitempty" tf:"kubernetes_ca_cert,omitempty"` + // Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server. // Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server. // +kubebuilder:validation:Optional KubernetesHost *string `json:"kubernetesHost,omitempty" tf:"kubernetes_host,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. 
+ // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. // Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. // +kubebuilder:validation:Optional PemKeys []*string `json:"pemKeys,omitempty" tf:"pem_keys,omitempty"` + // A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API. // A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API. // +kubebuilder:validation:Optional TokenReviewerJwtSecretRef *v1.SecretKeySelector `json:"tokenReviewerJwtSecretRef,omitempty" tf:"-"` 
@@ -85,6 +143,18 @@ type AuthBackendConfigParameters struct { type AuthBackendConfigSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendConfigParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider AuthBackendConfigInitParameters `json:"initProvider,omitempty"` } // AuthBackendConfigStatus defines the observed state of AuthBackendConfig. @@ -95,7 +165,7 @@ type AuthBackendConfigStatus struct { // +kubebuilder:object:root=true -// AuthBackendConfig is the Schema for the AuthBackendConfigs API. +// AuthBackendConfig is the Schema for the AuthBackendConfigs API. Manages Kubernetes auth backend configs in Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -105,7 +175,7 @@ type AuthBackendConfigStatus struct { type AuthBackendConfig struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.kubernetesHost)",message="kubernetesHost is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.kubernetesHost) || has(self.initProvider.kubernetesHost)",message="kubernetesHost is a required parameter" Spec AuthBackendConfigSpec `json:"spec"` Status AuthBackendConfigStatus `json:"status,omitempty"` } diff --git a/apis/kubernetes/v1alpha1/zz_authbackendrole_types.go b/apis/kubernetes/v1alpha1/zz_authbackendrole_types.go index 843ffe5d..641ee907 100755 --- a/apis/kubernetes/v1alpha1/zz_authbackendrole_types.go +++ b/apis/kubernetes/v1alpha1/zz_authbackendrole_types.go 
@@ -13,113 +13,264 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AuthBackendRoleInitParameters struct { + + // Configures how identity aliases are generated. + // Valid choices are: serviceaccount_uid, serviceaccount_name. (vault-1.9+) + // Configures how identity aliases are generated. Valid choices are: serviceaccount_uid, serviceaccount_name + AliasNameSource *string `json:"aliasNameSource,omitempty" tf:"alias_name_source,omitempty"` + + // Audience claim to verify in the JWT. + // Optional Audience claim to verify in the JWT. + Audience *string `json:"audience,omitempty" tf:"audience,omitempty"` + + // Unique name of the kubernetes backend to configure. + // Unique name of the kubernetes backend to configure. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // List of service account names able to access this role. If set to ["*"] all names are allowed, both this and bound_service_account_namespaces can not be "*". + // List of service account names able to access this role. If set to `["*"]` all names are allowed, both this and bound_service_account_namespaces can not be "*". + BoundServiceAccountNames []*string `json:"boundServiceAccountNames,omitempty" tf:"bound_service_account_names,omitempty"` + + // List of namespaces allowed to access this role. If set to ["*"] all namespaces are allowed, both this and bound_service_account_names can not be set to "*". + // List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed, both this and bound_service_account_names can not be set to "*". + BoundServiceAccountNamespaces []*string `json:"boundServiceAccountNamespaces,omitempty" tf:"bound_service_account_namespaces,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. 
+ // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Name of the role. + // Name of the role. + RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"` + + // List of CIDR blocks; if set, specifies blocks of IP + // addresses which can authenticate successfully, and ties the resulting token to these blocks + // as well. + // Specifies the blocks of IP addresses which are allowed to use the generated token + TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + + // If set, will encode an + // explicit max TTL + // onto the token in number of seconds. This is a hard cap even if token_ttl and + // token_max_ttl would otherwise allow a renewal. + // Generated Token's Explicit Maximum TTL in seconds + TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + + // The maximum lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. + // The maximum lifetime of the generated token + TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + + // If set, the default policy will not be set on + // generated tokens; otherwise it will be added to the policies set in token_policies. + // If true, the 'default' policy will not automatically be added to generated tokens + TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + + // The maximum number + // of times a generated token may be used (within its lifetime); 0 means unlimited. + // The maximum number of times a token may be used, a value of zero means unlimited + TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + + // If set, indicates that the + // token generated using this role should never expire. The token should be renewed within the + // duration specified by this value. 
At each renewal, the token's TTL will be set to the + // value of this field. Specified in seconds. + // Generated Token's Period + TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + + // List of policies to encode onto generated tokens. Depending + // on the auth method, this list may be supplemented by user/group/other values. + // Generated Token's Policies + TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + + // The initial ttl of the token to generate in seconds + TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + + // The type of token that should be generated. Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. + // The type of token to generate, service or batch + TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` +} + type AuthBackendRoleObservation struct { + // Configures how identity aliases are generated. + // Valid choices are: serviceaccount_uid, serviceaccount_name. (vault-1.9+) // Configures how identity aliases are generated. Valid choices are: serviceaccount_uid, serviceaccount_name AliasNameSource *string `json:"aliasNameSource,omitempty" tf:"alias_name_source,omitempty"` + // Audience claim to verify in the JWT. // Optional Audience claim to verify in the JWT. Audience *string `json:"audience,omitempty" tf:"audience,omitempty"` + // Unique name of the kubernetes backend to configure. // Unique name of the kubernetes backend to configure. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // List of service account names able to access this role. If set to ["*"] all names are allowed, both this and bound_service_account_namespaces can not be "*". 
// List of service account names able to access this role. If set to `["*"]` all names are allowed, both this and bound_service_account_namespaces can not be "*". BoundServiceAccountNames []*string `json:"boundServiceAccountNames,omitempty" tf:"bound_service_account_names,omitempty"` + // List of namespaces allowed to access this role. If set to ["*"] all namespaces are allowed, both this and bound_service_account_names can not be set to "*". // List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed, both this and bound_service_account_names can not be set to "*". BoundServiceAccountNamespaces []*string `json:"boundServiceAccountNamespaces,omitempty" tf:"bound_service_account_namespaces,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Name of the role. // Name of the role. RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"` + // List of CIDR blocks; if set, specifies blocks of IP + // addresses which can authenticate successfully, and ties the resulting token to these blocks + // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + // If set, will encode an + // explicit max TTL + // onto the token in number of seconds. This is a hard cap even if token_ttl and + // token_max_ttl would otherwise allow a renewal. 
// Generated Token's Explicit Maximum TTL in seconds TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + // The maximum lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. // The maximum lifetime of the generated token TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + // If set, the default policy will not be set on + // generated tokens; otherwise it will be added to the policies set in token_policies. // If true, the 'default' policy will not automatically be added to generated tokens TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + // The maximum number + // of times a generated token may be used (within its lifetime); 0 means unlimited. // The maximum number of times a token may be used, a value of zero means unlimited TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + // If set, indicates that the + // token generated using this role should never expire. The token should be renewed within the + // duration specified by this value. At each renewal, the token's TTL will be set to the + // value of this field. Specified in seconds. // Generated Token's Period TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + // List of policies to encode onto generated tokens. Depending + // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The initial ttl of the token to generate in seconds TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + // The type of token that should be generated. Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). 
For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. // The type of token to generate, service or batch TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` } type AuthBackendRoleParameters struct { + // Configures how identity aliases are generated. + // Valid choices are: serviceaccount_uid, serviceaccount_name. (vault-1.9+) // Configures how identity aliases are generated. Valid choices are: serviceaccount_uid, serviceaccount_name // +kubebuilder:validation:Optional AliasNameSource *string `json:"aliasNameSource,omitempty" tf:"alias_name_source,omitempty"` + // Audience claim to verify in the JWT. // Optional Audience claim to verify in the JWT. // +kubebuilder:validation:Optional Audience *string `json:"audience,omitempty" tf:"audience,omitempty"` + // Unique name of the kubernetes backend to configure. // Unique name of the kubernetes backend to configure. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // List of service account names able to access this role. If set to ["*"] all names are allowed, both this and bound_service_account_namespaces can not be "*". // List of service account names able to access this role. If set to `["*"]` all names are allowed, both this and bound_service_account_namespaces can not be "*". // +kubebuilder:validation:Optional BoundServiceAccountNames []*string `json:"boundServiceAccountNames,omitempty" tf:"bound_service_account_names,omitempty"` + // List of namespaces allowed to access this role. If set to ["*"] all namespaces are allowed, both this and bound_service_account_names can not be set to "*". // List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed, both this and bound_service_account_names can not be set to "*". 
// +kubebuilder:validation:Optional BoundServiceAccountNamespaces []*string `json:"boundServiceAccountNamespaces,omitempty" tf:"bound_service_account_namespaces,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Name of the role. // Name of the role. // +kubebuilder:validation:Optional RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"` + // List of CIDR blocks; if set, specifies blocks of IP + // addresses which can authenticate successfully, and ties the resulting token to these blocks + // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token // +kubebuilder:validation:Optional TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + // If set, will encode an + // explicit max TTL + // onto the token in number of seconds. This is a hard cap even if token_ttl and + // token_max_ttl would otherwise allow a renewal. // Generated Token's Explicit Maximum TTL in seconds // +kubebuilder:validation:Optional TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + // The maximum lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. // The maximum lifetime of the generated token // +kubebuilder:validation:Optional TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + // If set, the default policy will not be set on + // generated tokens; otherwise it will be added to the policies set in token_policies. 
// If true, the 'default' policy will not automatically be added to generated tokens // +kubebuilder:validation:Optional TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + // The maximum number + // of times a generated token may be used (within its lifetime); 0 means unlimited. // The maximum number of times a token may be used, a value of zero means unlimited // +kubebuilder:validation:Optional TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + // If set, indicates that the + // token generated using this role should never expire. The token should be renewed within the + // duration specified by this value. At each renewal, the token's TTL will be set to the + // value of this field. Specified in seconds. // Generated Token's Period // +kubebuilder:validation:Optional TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + // List of policies to encode onto generated tokens. Depending + // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies // +kubebuilder:validation:Optional TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` @@ -128,6 +279,11 @@ type AuthBackendRoleParameters struct { // +kubebuilder:validation:Optional TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + // The type of token that should be generated. Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. // The type of token to generate, service or batch // +kubebuilder:validation:Optional TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` 
@@ -137,6 +293,18 @@ type AuthBackendRoleParameters struct { type AuthBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendRoleParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider AuthBackendRoleInitParameters `json:"initProvider,omitempty"` } // AuthBackendRoleStatus defines the observed state of AuthBackendRole. @@ -147,7 +315,7 @@ type AuthBackendRoleStatus struct { // +kubebuilder:object:root=true -// AuthBackendRole is the Schema for the AuthBackendRoles API. +// AuthBackendRole is the Schema for the AuthBackendRoles API. Manages Kubernetes auth backend roles in Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -157,9 +325,9 @@ type AuthBackendRoleStatus struct { type AuthBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.boundServiceAccountNames)",message="boundServiceAccountNames is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.boundServiceAccountNamespaces)",message="boundServiceAccountNamespaces is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.roleName)",message="roleName is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.boundServiceAccountNames) || has(self.initProvider.boundServiceAccountNames)",message="boundServiceAccountNames is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.boundServiceAccountNamespaces) || has(self.initProvider.boundServiceAccountNamespaces)",message="boundServiceAccountNamespaces is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.roleName) || has(self.initProvider.roleName)",message="roleName is a required parameter" Spec AuthBackendRoleSpec `json:"spec"` Status AuthBackendRoleStatus `json:"status,omitempty"` } diff --git a/apis/kubernetes/v1alpha1/zz_generated.deepcopy.go b/apis/kubernetes/v1alpha1/zz_generated.deepcopy.go index edb74e97..d78ed8c4 100644 --- a/apis/kubernetes/v1alpha1/zz_generated.deepcopy.go 
+++ b/apis/kubernetes/v1alpha1/zz_generated.deepcopy.go @@ -41,6 +41,67 @@ func (in *AuthBackendConfig) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendConfigInitParameters) DeepCopyInto(out *AuthBackendConfigInitParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.DisableIssValidation != nil { + in, out := &in.DisableIssValidation, &out.DisableIssValidation + *out = new(bool) + **out = **in + } + if in.DisableLocalCAJwt != nil { + in, out := &in.DisableLocalCAJwt, &out.DisableLocalCAJwt + *out = new(bool) + **out = **in + } + if in.Issuer != nil { + in, out := &in.Issuer, &out.Issuer + *out = new(string) + **out = **in + } + if in.KubernetesCACert != nil { + in, out := &in.KubernetesCACert, &out.KubernetesCACert + *out = new(string) + **out = **in + } + if in.KubernetesHost != nil { + in, out := &in.KubernetesHost, &out.KubernetesHost + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.PemKeys != nil { + in, out := &in.PemKeys, &out.PemKeys + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendConfigInitParameters. +func (in *AuthBackendConfigInitParameters) DeepCopy() *AuthBackendConfigInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendConfigInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthBackendConfigList) DeepCopyInto(out *AuthBackendConfigList) { *out = *in 
@@ -210,6 +271,7 @@ func (in *AuthBackendConfigSpec) DeepCopyInto(out *AuthBackendConfigSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendConfigSpec. 
@@ -266,6 +328,125 @@ func (in *AuthBackendRole) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendRoleInitParameters) DeepCopyInto(out *AuthBackendRoleInitParameters) { + *out = *in + if in.AliasNameSource != nil { + in, out := &in.AliasNameSource, &out.AliasNameSource + *out = new(string) + **out = **in + } + if in.Audience != nil { + in, out := &in.Audience, &out.Audience + *out = new(string) + **out = **in + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.BoundServiceAccountNames != nil { + in, out := &in.BoundServiceAccountNames, &out.BoundServiceAccountNames + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.BoundServiceAccountNamespaces != nil { + in, out := &in.BoundServiceAccountNamespaces, &out.BoundServiceAccountNamespaces + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.RoleName != nil { + in, out := &in.RoleName, &out.RoleName + *out = new(string) + **out = **in + } + if in.TokenBoundCidrs != nil { + in, out := &in.TokenBoundCidrs, &out.TokenBoundCidrs + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenExplicitMaxTTL != nil { + in, out := &in.TokenExplicitMaxTTL, &out.TokenExplicitMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenMaxTTL != nil { + in, out := &in.TokenMaxTTL, &out.TokenMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenNoDefaultPolicy != nil { + 
in, out := &in.TokenNoDefaultPolicy, &out.TokenNoDefaultPolicy + *out = new(bool) + **out = **in + } + if in.TokenNumUses != nil { + in, out := &in.TokenNumUses, &out.TokenNumUses + *out = new(float64) + **out = **in + } + if in.TokenPeriod != nil { + in, out := &in.TokenPeriod, &out.TokenPeriod + *out = new(float64) + **out = **in + } + if in.TokenPolicies != nil { + in, out := &in.TokenPolicies, &out.TokenPolicies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenTTL != nil { + in, out := &in.TokenTTL, &out.TokenTTL + *out = new(float64) + **out = **in + } + if in.TokenType != nil { + in, out := &in.TokenType, &out.TokenType + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleInitParameters. +func (in *AuthBackendRoleInitParameters) DeepCopy() *AuthBackendRoleInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendRoleInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthBackendRoleList) DeepCopyInto(out *AuthBackendRoleList) { *out = *in @@ -546,6 +727,7 @@ func (in *AuthBackendRoleSpec) DeepCopyInto(out *AuthBackendRoleSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleSpec. 
@@ -602,6 +784,124 @@ func (in *SecretBackend) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParameters) { + *out = *in + if in.AllowedManagedKeys != nil { + in, out := &in.AllowedManagedKeys, &out.AllowedManagedKeys + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.AuditNonHMACRequestKeys != nil { + in, out := &in.AuditNonHMACRequestKeys, &out.AuditNonHMACRequestKeys + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.AuditNonHMACResponseKeys != nil { + in, out := &in.AuditNonHMACResponseKeys, &out.AuditNonHMACResponseKeys + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.DefaultLeaseTTLSeconds != nil { + in, out := &in.DefaultLeaseTTLSeconds, &out.DefaultLeaseTTLSeconds + *out = new(float64) + **out = **in + } + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.DisableLocalCAJwt != nil { + in, out := &in.DisableLocalCAJwt, &out.DisableLocalCAJwt + *out = new(bool) + **out = **in + } + if in.ExternalEntropyAccess != nil { + in, out := &in.ExternalEntropyAccess, &out.ExternalEntropyAccess + *out = new(bool) + **out = **in + } + if in.KubernetesCACert != nil { + in, out := &in.KubernetesCACert, &out.KubernetesCACert + *out = new(string) + **out = **in + } + if in.KubernetesHost != nil { + in, out := &in.KubernetesHost, &out.KubernetesHost + *out = new(string) + **out = **in + } + if in.Local != nil { + in, out := &in.Local, &out.Local + *out = 
new(bool) + **out = **in + } + if in.MaxLeaseTTLSeconds != nil { + in, out := &in.MaxLeaseTTLSeconds, &out.MaxLeaseTTLSeconds + *out = new(float64) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Options != nil { + in, out := &in.Options, &out.Options + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = **in + } + if in.SealWrap != nil { + in, out := &in.SealWrap, &out.SealWrap + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendInitParameters. +func (in *SecretBackendInitParameters) DeepCopy() *SecretBackendInitParameters { + if in == nil { + return nil + } + out := new(SecretBackendInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendList) DeepCopyInto(out *SecretBackendList) { *out = *in 
@@ -912,6 +1212,112 @@ func (in *SecretBackendRole) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleInitParameters) { + *out = *in + if in.AllowedKubernetesNamespaces != nil { + in, out := &in.AllowedKubernetesNamespaces, &out.AllowedKubernetesNamespaces + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.ExtraAnnotations != nil { + in, out := &in.ExtraAnnotations, &out.ExtraAnnotations + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.ExtraLabels != nil { + in, out := &in.ExtraLabels, &out.ExtraLabels + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.GeneratedRoleRules != nil { + in, out := &in.GeneratedRoleRules, &out.GeneratedRoleRules + *out = new(string) + **out = **in + } + if in.KubernetesRoleName != nil { + in, out := &in.KubernetesRoleName, &out.KubernetesRoleName + *out = new(string) + **out = **in + } + if in.KubernetesRoleType != nil { + in, out := &in.KubernetesRoleType, &out.KubernetesRoleType + *out = new(string) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.NameTemplate != nil { + in, out := &in.NameTemplate, &out.NameTemplate + *out = new(string) + **out = **in + } + if 
in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.ServiceAccountName != nil { + in, out := &in.ServiceAccountName, &out.ServiceAccountName + *out = new(string) + **out = **in + } + if in.TokenDefaultTTL != nil { + in, out := &in.TokenDefaultTTL, &out.TokenDefaultTTL + *out = new(float64) + **out = **in + } + if in.TokenMaxTTL != nil { + in, out := &in.TokenMaxTTL, &out.TokenMaxTTL + *out = new(float64) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleInitParameters. +func (in *SecretBackendRoleInitParameters) DeepCopy() *SecretBackendRoleInitParameters { + if in == nil { + return nil + } + out := new(SecretBackendRoleInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendRoleList) DeepCopyInto(out *SecretBackendRoleList) { *out = *in @@ -1166,6 +1572,7 @@ func (in *SecretBackendRoleSpec) DeepCopyInto(out *SecretBackendRoleSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleSpec. @@ -1200,6 +1607,7 @@ func (in *SecretBackendSpec) DeepCopyInto(out *SecretBackendSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendSpec. diff --git a/apis/kubernetes/v1alpha1/zz_generated.managed.go b/apis/kubernetes/v1alpha1/zz_generated.managed.go index 35d7b9e6..84919699 100644 --- a/apis/kubernetes/v1alpha1/zz_generated.managed.go 
+++ b/apis/kubernetes/v1alpha1/zz_generated.managed.go @@ -17,9 +17,9 @@ func (mg *AuthBackendConfig) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this AuthBackendConfig. -func (mg *AuthBackendConfig) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this AuthBackendConfig. +func (mg *AuthBackendConfig) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this AuthBackendConfig. @@ -55,9 +55,9 @@ func (mg *AuthBackendConfig) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this AuthBackendConfig. -func (mg *AuthBackendConfig) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this AuthBackendConfig. +func (mg *AuthBackendConfig) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this AuthBackendConfig. @@ -93,9 +93,9 @@ func (mg *AuthBackendRole) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this AuthBackendRole. -func (mg *AuthBackendRole) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this AuthBackendRole. +func (mg *AuthBackendRole) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this AuthBackendRole. 
@@ -131,9 +131,9 @@ func (mg *AuthBackendRole) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this AuthBackendRole. -func (mg *AuthBackendRole) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this AuthBackendRole. +func (mg *AuthBackendRole) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this AuthBackendRole. @@ -169,9 +169,9 @@ func (mg *SecretBackend) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackend. -func (mg *SecretBackend) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackend. +func (mg *SecretBackend) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackend. @@ -207,9 +207,9 @@ func (mg *SecretBackend) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackend. -func (mg *SecretBackend) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackend. +func (mg *SecretBackend) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackend. @@ -245,9 +245,9 @@ func (mg *SecretBackendRole) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackendRole. -func (mg *SecretBackendRole) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackendRole. +func (mg *SecretBackendRole) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackendRole. 
@@ -283,9 +283,9 @@ func (mg *SecretBackendRole) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackendRole. -func (mg *SecretBackendRole) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackendRole. +func (mg *SecretBackendRole) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackendRole. diff --git a/apis/kubernetes/v1alpha1/zz_generated_terraformed.go b/apis/kubernetes/v1alpha1/zz_generated_terraformed.go index 6d6037e1..4cba97ff 100755 --- a/apis/kubernetes/v1alpha1/zz_generated_terraformed.go +++ b/apis/kubernetes/v1alpha1/zz_generated_terraformed.go @@ -69,6 +69,16 @@ func (tr *AuthBackendConfig) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this AuthBackendConfig +func (tr *AuthBackendConfig) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this AuthBackendConfig using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackendConfig) LateInitialize(attrs []byte) (bool, error) { 
@@ -143,6 +153,16 @@ func (tr *AuthBackendRole) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this AuthBackendRole +func (tr *AuthBackendRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this AuthBackendRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackendRole) LateInitialize(attrs []byte) (bool, error) { @@ -217,6 +237,16 @@ func (tr *SecretBackend) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackend +func (tr *SecretBackend) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackend using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { @@ -291,6 +321,16 @@ func (tr *SecretBackendRole) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackendRole +func (tr *SecretBackendRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackendRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackendRole) LateInitialize(attrs []byte) (bool, error) { 
diff --git a/apis/kubernetes/v1alpha1/zz_secretbackend_types.go b/apis/kubernetes/v1alpha1/zz_secretbackend_types.go index 422cb19b..5f324a0a 100755 --- a/apis/kubernetes/v1alpha1/zz_secretbackend_types.go +++ b/apis/kubernetes/v1alpha1/zz_secretbackend_types.go 
@@ -13,6 +13,67 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretBackendInitParameters struct { + + // List of managed key registry entry names that the mount in question is allowed to access + AllowedManagedKeys []*string `json:"allowedManagedKeys,omitempty" tf:"allowed_managed_keys,omitempty"` + + // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. + AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys,omitempty"` + + // Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. + AuditNonHMACResponseKeys []*string `json:"auditNonHmacResponseKeys,omitempty" tf:"audit_non_hmac_response_keys,omitempty"` + + // Default lease duration for tokens and secrets in seconds + DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + + // Human-friendly description of the mount + Description *string `json:"description,omitempty" tf:"description,omitempty"` + + // Disable defaulting to the local CA certificate and + // service account JWT when Vault is running in a Kubernetes pod. + // Disable defaulting to the local CA certificate and service account JWT when running in a Kubernetes pod. + DisableLocalCAJwt *bool `json:"disableLocalCaJwt,omitempty" tf:"disable_local_ca_jwt,omitempty"` + + // Enable the secrets engine to access Vault's external entropy source + ExternalEntropyAccess *bool `json:"externalEntropyAccess,omitempty" tf:"external_entropy_access,omitempty"` + + // A PEM-encoded CA certificate used by the + // secrets engine to verify the Kubernetes API server certificate. Defaults to the local + // pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where + // Vault is running. + // A PEM-encoded CA certificate used by the secret engine to verify the Kubernetes API server certificate. 
Defaults to the local pod’s CA if found, or otherwise the host's root CA set. + KubernetesCACert *string `json:"kubernetesCaCert,omitempty" tf:"kubernetes_ca_cert,omitempty"` + + // The Kubernetes API URL to connect to. Required if the + // standard pod environment variables KUBERNETES_SERVICE_HOST or KUBERNETES_SERVICE_PORT + // are not set on the host that Vault is running on. + // The Kubernetes API URL to connect to. + KubernetesHost *string `json:"kubernetesHost,omitempty" tf:"kubernetes_host,omitempty"` + + // Local mount flag that can be explicitly set to true to enforce local mount in HA environment + Local *bool `json:"local,omitempty" tf:"local,omitempty"` + + // Maximum possible lease duration for tokens and secrets in seconds + MaxLeaseTTLSeconds *float64 `json:"maxLeaseTtlSeconds,omitempty" tf:"max_lease_ttl_seconds,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Specifies mount type specific options that are passed to the backend + Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` + + // Where the secret backend will be mounted + Path *string `json:"path,omitempty" tf:"path,omitempty"` + + // Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability + SealWrap *bool `json:"sealWrap,omitempty" tf:"seal_wrap,omitempty"` +} + type SecretBackendObservation struct { // Accessor of the mount 
@@ -33,6 +94,8 @@ type SecretBackendObservation struct { // Human-friendly description of the mount Description *string `json:"description,omitempty" tf:"description,omitempty"` + // Disable defaulting to the local CA certificate and + // service account JWT when Vault is running in a Kubernetes pod. // Disable defaulting to the local CA certificate and service account JWT when running in a Kubernetes pod. DisableLocalCAJwt *bool `json:"disableLocalCaJwt,omitempty" tf:"disable_local_ca_jwt,omitempty"` @@ -41,9 +104,16 @@ type SecretBackendObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // A PEM-encoded CA certificate used by the + // secrets engine to verify the Kubernetes API server certificate. Defaults to the local + // pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where + // Vault is running. // A PEM-encoded CA certificate used by the secret engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if found, or otherwise the host's root CA set. KubernetesCACert *string `json:"kubernetesCaCert,omitempty" tf:"kubernetes_ca_cert,omitempty"` + // The Kubernetes API URL to connect to. Required if the + // standard pod environment variables KUBERNETES_SERVICE_HOST or KUBERNETES_SERVICE_PORT + // are not set on the host that Vault is running on. // The Kubernetes API URL to connect to. KubernetesHost *string `json:"kubernetesHost,omitempty" tf:"kubernetes_host,omitempty"` 
@@ -53,6 +123,10 @@ type SecretBackendObservation struct { // Maximum possible lease duration for tokens and secrets in seconds MaxLeaseTTLSeconds *float64 `json:"maxLeaseTtlSeconds,omitempty" tf:"max_lease_ttl_seconds,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` @@ -88,6 +162,8 @@ type SecretBackendParameters struct { // +kubebuilder:validation:Optional Description *string `json:"description,omitempty" tf:"description,omitempty"` + // Disable defaulting to the local CA certificate and + // service account JWT when Vault is running in a Kubernetes pod. // Disable defaulting to the local CA certificate and service account JWT when running in a Kubernetes pod. // +kubebuilder:validation:Optional DisableLocalCAJwt *bool `json:"disableLocalCaJwt,omitempty" tf:"disable_local_ca_jwt,omitempty"` 
@@ -96,10 +172,17 @@ type SecretBackendParameters struct { // +kubebuilder:validation:Optional ExternalEntropyAccess *bool `json:"externalEntropyAccess,omitempty" tf:"external_entropy_access,omitempty"` + // A PEM-encoded CA certificate used by the + // secrets engine to verify the Kubernetes API server certificate. Defaults to the local + // pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where + // Vault is running. // A PEM-encoded CA certificate used by the secret engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if found, or otherwise the host's root CA set. // +kubebuilder:validation:Optional KubernetesCACert *string `json:"kubernetesCaCert,omitempty" tf:"kubernetes_ca_cert,omitempty"` + // The Kubernetes API URL to connect to. Required if the + // standard pod environment variables KUBERNETES_SERVICE_HOST or KUBERNETES_SERVICE_PORT + // are not set on the host that Vault is running on. // The Kubernetes API URL to connect to. // +kubebuilder:validation:Optional KubernetesHost *string `json:"kubernetesHost,omitempty" tf:"kubernetes_host,omitempty"` @@ -112,6 +195,10 @@ type SecretBackendParameters struct { // +kubebuilder:validation:Optional MaxLeaseTTLSeconds *float64 `json:"maxLeaseTtlSeconds,omitempty" tf:"max_lease_ttl_seconds,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` 
@@ -128,6 +215,9 @@ type SecretBackendParameters struct { // +kubebuilder:validation:Optional SealWrap *bool `json:"sealWrap,omitempty" tf:"seal_wrap,omitempty"` + // The JSON web token of the service account used by the + // secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault + // is running in Kubernetes. // The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if found. // +kubebuilder:validation:Optional ServiceAccountJwtSecretRef *v1.SecretKeySelector `json:"serviceAccountJwtSecretRef,omitempty" tf:"-"` @@ -137,6 +227,18 @@ type SecretBackendParameters struct { type SecretBackendSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretBackendInitParameters `json:"initProvider,omitempty"` } // SecretBackendStatus defines the observed state of SecretBackend. 
@@ -147,7 +249,7 @@ type SecretBackendStatus struct { // +kubebuilder:object:root=true -// SecretBackend is the Schema for the SecretBackends API. +// SecretBackend is the Schema for the SecretBackends API. Creates a Kubernetes Secrets Engine in Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" @@ -157,7 +259,7 @@ type SecretBackendStatus struct { type SecretBackend struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path)",message="path is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter" Spec SecretBackendSpec `json:"spec"` Status SecretBackendStatus `json:"status,omitempty"` } diff --git a/apis/kubernetes/v1alpha1/zz_secretbackendrole_types.go b/apis/kubernetes/v1alpha1/zz_secretbackendrole_types.go index 4971a251..452145b4 100755 --- a/apis/kubernetes/v1alpha1/zz_secretbackendrole_types.go +++ b/apis/kubernetes/v1alpha1/zz_secretbackendrole_types.go 
@@ -13,100 +13,232 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretBackendRoleInitParameters struct { + + // The list of Kubernetes namespaces this role + // can generate credentials for. If set to * all namespaces are allowed. + // The list of Kubernetes namespaces this role can generate credentials for. If set to '*' all namespaces are allowed. + AllowedKubernetesNamespaces []*string `json:"allowedKubernetesNamespaces,omitempty" tf:"allowed_kubernetes_namespaces,omitempty"` + + // The path of the Kubernetes Secrets Engine backend mount to create + // the role in. + // The mount path for the Kubernetes secrets engine. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // Additional annotations to apply to all generated + // Kubernetes objects. + // Additional annotations to apply to all generated Kubernetes objects. + ExtraAnnotations map[string]*string `json:"extraAnnotations,omitempty" tf:"extra_annotations,omitempty"` + + // Additional labels to apply to all generated Kubernetes + // objects. + // Additional labels to apply to all generated Kubernetes objects. + ExtraLabels map[string]*string `json:"extraLabels,omitempty" tf:"extra_labels,omitempty"` + + // The Role or ClusterRole rules to use when generating + // a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name + // and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated + // when credentials are requested. + // The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with 'service_account_name' and 'kubernetes_role_name'. If set, the entire chain of Kubernetes objects will be generated when credentials are requested. 
+ GeneratedRoleRules *string `json:"generatedRoleRules,omitempty" tf:"generated_role_rules,omitempty"` + + // The pre-existing Role or ClusterRole to bind a + // generated service account to. Mutually exclusive with service_account_name and + // generated_role_rules. If set, Kubernetes token, service account, and role + // binding objects will be created when credentials are requested. + // The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with 'service_account_name' and 'generated_role_rules'. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested. + KubernetesRoleName *string `json:"kubernetesRoleName,omitempty" tf:"kubernetes_role_name,omitempty"` + + // Specifies whether the Kubernetes role is a Role or + // ClusterRole. + // Specifies whether the Kubernetes role is a Role or ClusterRole. + KubernetesRoleType *string `json:"kubernetesRoleType,omitempty" tf:"kubernetes_role_type,omitempty"` + + // The name of the role. + // The name of the role. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The name template to use when generating service accounts, + // roles and role bindings. If unset, a default template is used. + // The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used. + NameTemplate *string `json:"nameTemplate,omitempty" tf:"name_template,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The pre-existing service account to generate tokens for. + // Mutually exclusive with kubernetes_role_name and generated_role_rules. 
If set, only a + // Kubernetes token will be created when credentials are requested. + // The pre-existing service account to generate tokens for. Mutually exclusive with 'kubernetes_role_name' and 'generated_role_rules'. If set, only a Kubernetes token will be created when credentials are requested. + ServiceAccountName *string `json:"serviceAccountName,omitempty" tf:"service_account_name,omitempty"` + + // The default TTL for generated Kubernetes tokens in seconds. + // The default TTL for generated Kubernetes tokens in seconds. + TokenDefaultTTL *float64 `json:"tokenDefaultTtl,omitempty" tf:"token_default_ttl,omitempty"` + + // The maximum TTL for generated Kubernetes tokens in seconds. + // The maximum TTL for generated Kubernetes tokens in seconds. + TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` +} + type SecretBackendRoleObservation struct { + // The list of Kubernetes namespaces this role + // can generate credentials for. If set to * all namespaces are allowed. // The list of Kubernetes namespaces this role can generate credentials for. If set to '*' all namespaces are allowed. AllowedKubernetesNamespaces []*string `json:"allowedKubernetesNamespaces,omitempty" tf:"allowed_kubernetes_namespaces,omitempty"` + // The path of the Kubernetes Secrets Engine backend mount to create + // the role in. // The mount path for the Kubernetes secrets engine. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Additional annotations to apply to all generated + // Kubernetes objects. // Additional annotations to apply to all generated Kubernetes objects. ExtraAnnotations map[string]*string `json:"extraAnnotations,omitempty" tf:"extra_annotations,omitempty"` + // Additional labels to apply to all generated Kubernetes + // objects. // Additional labels to apply to all generated Kubernetes objects. 
ExtraLabels map[string]*string `json:"extraLabels,omitempty" tf:"extra_labels,omitempty"` + // The Role or ClusterRole rules to use when generating + // a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name + // and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated + // when credentials are requested. // The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with 'service_account_name' and 'kubernetes_role_name'. If set, the entire chain of Kubernetes objects will be generated when credentials are requested. GeneratedRoleRules *string `json:"generatedRoleRules,omitempty" tf:"generated_role_rules,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The pre-existing Role or ClusterRole to bind a + // generated service account to. Mutually exclusive with service_account_name and + // generated_role_rules. If set, Kubernetes token, service account, and role + // binding objects will be created when credentials are requested. // The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with 'service_account_name' and 'generated_role_rules'. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested. KubernetesRoleName *string `json:"kubernetesRoleName,omitempty" tf:"kubernetes_role_name,omitempty"` + // Specifies whether the Kubernetes role is a Role or + // ClusterRole. // Specifies whether the Kubernetes role is a Role or ClusterRole. KubernetesRoleType *string `json:"kubernetesRoleType,omitempty" tf:"kubernetes_role_type,omitempty"` + // The name of the role. // The name of the role. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The name template to use when generating service accounts, + // roles and role bindings. If unset, a default template is used. 
// The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used. NameTemplate *string `json:"nameTemplate,omitempty" tf:"name_template,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The pre-existing service account to generate tokens for. + // Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a + // Kubernetes token will be created when credentials are requested. // The pre-existing service account to generate tokens for. Mutually exclusive with 'kubernetes_role_name' and 'generated_role_rules'. If set, only a Kubernetes token will be created when credentials are requested. ServiceAccountName *string `json:"serviceAccountName,omitempty" tf:"service_account_name,omitempty"` + // The default TTL for generated Kubernetes tokens in seconds. // The default TTL for generated Kubernetes tokens in seconds. TokenDefaultTTL *float64 `json:"tokenDefaultTtl,omitempty" tf:"token_default_ttl,omitempty"` + // The maximum TTL for generated Kubernetes tokens in seconds. // The maximum TTL for generated Kubernetes tokens in seconds. TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` } type SecretBackendRoleParameters struct { + // The list of Kubernetes namespaces this role + // can generate credentials for. If set to * all namespaces are allowed. // The list of Kubernetes namespaces this role can generate credentials for. If set to '*' all namespaces are allowed. 
// +kubebuilder:validation:Optional AllowedKubernetesNamespaces []*string `json:"allowedKubernetesNamespaces,omitempty" tf:"allowed_kubernetes_namespaces,omitempty"` + // The path of the Kubernetes Secrets Engine backend mount to create + // the role in. // The mount path for the Kubernetes secrets engine. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Additional annotations to apply to all generated + // Kubernetes objects. // Additional annotations to apply to all generated Kubernetes objects. // +kubebuilder:validation:Optional ExtraAnnotations map[string]*string `json:"extraAnnotations,omitempty" tf:"extra_annotations,omitempty"` + // Additional labels to apply to all generated Kubernetes + // objects. // Additional labels to apply to all generated Kubernetes objects. // +kubebuilder:validation:Optional ExtraLabels map[string]*string `json:"extraLabels,omitempty" tf:"extra_labels,omitempty"` + // The Role or ClusterRole rules to use when generating + // a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name + // and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated + // when credentials are requested. // The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with 'service_account_name' and 'kubernetes_role_name'. If set, the entire chain of Kubernetes objects will be generated when credentials are requested. // +kubebuilder:validation:Optional GeneratedRoleRules *string `json:"generatedRoleRules,omitempty" tf:"generated_role_rules,omitempty"` + // The pre-existing Role or ClusterRole to bind a + // generated service account to. Mutually exclusive with service_account_name and + // generated_role_rules. If set, Kubernetes token, service account, and role + // binding objects will be created when credentials are requested. 
// The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with 'service_account_name' and 'generated_role_rules'. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested. // +kubebuilder:validation:Optional KubernetesRoleName *string `json:"kubernetesRoleName,omitempty" tf:"kubernetes_role_name,omitempty"` + // Specifies whether the Kubernetes role is a Role or + // ClusterRole. // Specifies whether the Kubernetes role is a Role or ClusterRole. // +kubebuilder:validation:Optional KubernetesRoleType *string `json:"kubernetesRoleType,omitempty" tf:"kubernetes_role_type,omitempty"` + // The name of the role. // The name of the role. // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The name template to use when generating service accounts, + // roles and role bindings. If unset, a default template is used. // The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used. // +kubebuilder:validation:Optional NameTemplate *string `json:"nameTemplate,omitempty" tf:"name_template,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The pre-existing service account to generate tokens for. + // Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a + // Kubernetes token will be created when credentials are requested. // The pre-existing service account to generate tokens for. Mutually exclusive with 'kubernetes_role_name' and 'generated_role_rules'. 
If set, only a Kubernetes token will be created when credentials are requested. // +kubebuilder:validation:Optional ServiceAccountName *string `json:"serviceAccountName,omitempty" tf:"service_account_name,omitempty"` + // The default TTL for generated Kubernetes tokens in seconds. // The default TTL for generated Kubernetes tokens in seconds. // +kubebuilder:validation:Optional TokenDefaultTTL *float64 `json:"tokenDefaultTtl,omitempty" tf:"token_default_ttl,omitempty"` + // The maximum TTL for generated Kubernetes tokens in seconds. // The maximum TTL for generated Kubernetes tokens in seconds. // +kubebuilder:validation:Optional TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` @@ -116,6 +248,18 @@ type SecretBackendRoleParameters struct { type SecretBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendRoleParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretBackendRoleInitParameters `json:"initProvider,omitempty"` } // SecretBackendRoleStatus defines the observed state of SecretBackendRole. 
@@ -126,7 +270,7 @@ type SecretBackendRoleStatus struct { // +kubebuilder:object:root=true -// SecretBackendRole is the Schema for the SecretBackendRoles API. +// SecretBackendRole is the Schema for the SecretBackendRoles API. Creates a role for the Kubernetes Secrets Engine in Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -136,9 +280,9 @@ type SecretBackendRoleStatus struct { type SecretBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.allowedKubernetesNamespaces)",message="allowedKubernetesNamespaces is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.allowedKubernetesNamespaces) || has(self.initProvider.allowedKubernetesNamespaces)",message="allowedKubernetesNamespaces is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" Spec SecretBackendRoleSpec `json:"spec"` Status SecretBackendRoleStatus `json:"status,omitempty"` } diff --git a/apis/kv/v1alpha1/zz_generated.deepcopy.go b/apis/kv/v1alpha1/zz_generated.deepcopy.go index 52cda5ee..e2e213f5 100644 --- a/apis/kv/v1alpha1/zz_generated.deepcopy.go +++ b/apis/kv/v1alpha1/zz_generated.deepcopy.go 
@@ -13,6 +13,51 @@ import ( runtime "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CustomMetadataInitParameters) DeepCopyInto(out *CustomMetadataInitParameters) { + *out = *in + if in.CasRequired != nil { + in, out := &in.CasRequired, &out.CasRequired + *out = new(bool) + **out = **in + } + if in.Data != nil { + in, out := &in.Data, &out.Data + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.DeleteVersionAfter != nil { + in, out := &in.DeleteVersionAfter, &out.DeleteVersionAfter + *out = new(float64) + **out = **in + } + if in.MaxVersions != nil { + in, out := &in.MaxVersions, &out.MaxVersions + *out = new(float64) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomMetadataInitParameters. +func (in *CustomMetadataInitParameters) DeepCopy() *CustomMetadataInitParameters { + if in == nil { + return nil + } + out := new(CustomMetadataInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CustomMetadataObservation) DeepCopyInto(out *CustomMetadataObservation) { *out = *in 
@@ -157,6 +202,46 @@ func (in *SecretBackendV2) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendV2InitParameters) DeepCopyInto(out *SecretBackendV2InitParameters) { + *out = *in + if in.CasRequired != nil { + in, out := &in.CasRequired, &out.CasRequired + *out = new(bool) + **out = **in + } + if in.DeleteVersionAfter != nil { + in, out := &in.DeleteVersionAfter, &out.DeleteVersionAfter + *out = new(float64) + **out = **in + } + if in.MaxVersions != nil { + in, out := &in.MaxVersions, &out.MaxVersions + *out = new(float64) + **out = **in + } + if in.Mount != nil { + in, out := &in.Mount, &out.Mount + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendV2InitParameters. +func (in *SecretBackendV2InitParameters) DeepCopy() *SecretBackendV2InitParameters { + if in == nil { + return nil + } + out := new(SecretBackendV2InitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendV2List) DeepCopyInto(out *SecretBackendV2List) { *out = *in @@ -279,6 +364,7 @@ func (in *SecretBackendV2Spec) DeepCopyInto(out *SecretBackendV2Spec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendV2Spec. 
@@ -308,6 +394,31 @@ func (in *SecretBackendV2Status) DeepCopy() *SecretBackendV2Status { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretInitParameters) DeepCopyInto(out *SecretInitParameters) { + *out = *in + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretInitParameters. +func (in *SecretInitParameters) DeepCopy() *SecretInitParameters { + if in == nil { + return nil + } + out := new(SecretInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretList) DeepCopyInto(out *SecretList) { *out = *in @@ -401,6 +512,7 @@ func (in *SecretSpec) DeepCopyInto(out *SecretSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretSpec. 
@@ -457,6 +569,73 @@ func (in *SecretV2) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretV2InitParameters) DeepCopyInto(out *SecretV2InitParameters) { + *out = *in + if in.Cas != nil { + in, out := &in.Cas, &out.Cas + *out = new(float64) + **out = **in + } + if in.CustomMetadata != nil { + in, out := &in.CustomMetadata, &out.CustomMetadata + *out = make([]CustomMetadataInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.DeleteAllVersions != nil { + in, out := &in.DeleteAllVersions, &out.DeleteAllVersions + *out = new(bool) + **out = **in + } + if in.DisableRead != nil { + in, out := &in.DisableRead, &out.DisableRead + *out = new(bool) + **out = **in + } + if in.Mount != nil { + in, out := &in.Mount, &out.Mount + *out = new(string) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Options != nil { + in, out := &in.Options, &out.Options + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretV2InitParameters. +func (in *SecretV2InitParameters) DeepCopy() *SecretV2InitParameters { + if in == nil { + return nil + } + out := new(SecretV2InitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretV2List) DeepCopyInto(out *SecretV2List) { *out = *in 
@@ -654,6 +833,7 @@ func (in *SecretV2Spec) DeepCopyInto(out *SecretV2Spec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretV2Spec. diff --git a/apis/kv/v1alpha1/zz_generated.managed.go b/apis/kv/v1alpha1/zz_generated.managed.go index b3b7663c..95e2488e 100644 --- a/apis/kv/v1alpha1/zz_generated.managed.go +++ b/apis/kv/v1alpha1/zz_generated.managed.go @@ -17,9 +17,9 @@ func (mg *Secret) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this Secret. -func (mg *Secret) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this Secret. +func (mg *Secret) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this Secret. @@ -55,9 +55,9 @@ func (mg *Secret) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this Secret. -func (mg *Secret) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this Secret. +func (mg *Secret) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this Secret. @@ -93,9 +93,9 @@ func (mg *SecretBackendV2) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackendV2. -func (mg *SecretBackendV2) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackendV2. +func (mg *SecretBackendV2) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackendV2. 
@@ -131,9 +131,9 @@ func (mg *SecretBackendV2) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackendV2. -func (mg *SecretBackendV2) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackendV2. +func (mg *SecretBackendV2) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackendV2. @@ -169,9 +169,9 @@ func (mg *SecretV2) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretV2. -func (mg *SecretV2) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretV2. +func (mg *SecretV2) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretV2. @@ -207,9 +207,9 @@ func (mg *SecretV2) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretV2. -func (mg *SecretV2) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretV2. +func (mg *SecretV2) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretV2. diff --git a/apis/kv/v1alpha1/zz_generated_terraformed.go b/apis/kv/v1alpha1/zz_generated_terraformed.go index 670fee69..c3c99575 100755 --- a/apis/kv/v1alpha1/zz_generated_terraformed.go +++ b/apis/kv/v1alpha1/zz_generated_terraformed.go 
@@ -69,6 +69,16 @@ func (tr *Secret) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this Secret +func (tr *Secret) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this Secret using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *Secret) LateInitialize(attrs []byte) (bool, error) { @@ -143,6 +153,16 @@ func (tr *SecretBackendV2) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackendV2 +func (tr *SecretBackendV2) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackendV2 using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackendV2) LateInitialize(attrs []byte) (bool, error) { @@ -217,6 +237,16 @@ func (tr *SecretV2) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretV2 +func (tr *SecretV2) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretV2 using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretV2) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/kv/v1alpha1/zz_secret_types.go b/apis/kv/v1alpha1/zz_secret_types.go index 7219524f..16a94d9b 100755 
--- a/apis/kv/v1alpha1/zz_secret_types.go +++ b/apis/kv/v1alpha1/zz_secret_types.go 
@@ -13,26 +13,52 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretInitParameters struct { + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Full path of the KV-V1 secret. + // Full path of the KV-V1 secret. + Path *string `json:"path,omitempty" tf:"path,omitempty"` +} + type SecretObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Full path of the KV-V1 secret. // Full path of the KV-V1 secret. Path *string `json:"path,omitempty" tf:"path,omitempty"` } type SecretParameters struct { + // JSON-encoded string that will be + // written as the secret data at the given path. // JSON-encoded secret data to write. // +kubebuilder:validation:Optional DataJSONSecretRef v1.SecretKeySelector `json:"dataJsonSecretRef" tf:"-"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Full path of the KV-V1 secret. // Full path of the KV-V1 secret. 
// +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` @@ -42,6 +68,18 @@ type SecretParameters struct { type SecretSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretInitParameters `json:"initProvider,omitempty"` } // SecretStatus defines the observed state of Secret. @@ -52,7 +90,7 @@ type SecretStatus struct { // +kubebuilder:object:root=true -// Secret is the Schema for the Secrets API. +// Secret is the Schema for the Secrets API. Writes a KV-V1 secret to a given path in Vault // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -62,8 +100,8 @@ type SecretStatus struct { type Secret struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dataJsonSecretRef)",message="dataJsonSecretRef is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path)",message="path is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.dataJsonSecretRef)",message="dataJsonSecretRef is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter" Spec SecretSpec `json:"spec"` Status SecretStatus `json:"status,omitempty"` } diff --git a/apis/kv/v1alpha1/zz_secretbackendv2_types.go b/apis/kv/v1alpha1/zz_secretbackendv2_types.go index 7cd0d957..ea406af2 100755 --- a/apis/kv/v1alpha1/zz_secretbackendv2_types.go +++ b/apis/kv/v1alpha1/zz_secretbackendv2_types.go 
@@ -13,44 +13,92 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretBackendV2InitParameters struct { + + // If true, all keys will require the cas + // parameter to be set on all write requests. + // If true, all keys will require the cas parameter to be set on all write requests. + CasRequired *bool `json:"casRequired,omitempty" tf:"cas_required,omitempty"` + + // If set, specifies the length of time before + // a version is deleted. Accepts duration in integer seconds. + // If set, specifies the length of time before a version is deleted + DeleteVersionAfter *float64 `json:"deleteVersionAfter,omitempty" tf:"delete_version_after,omitempty"` + + // The number of versions to keep per key. + // The number of versions to keep per key. + MaxVersions *float64 `json:"maxVersions,omitempty" tf:"max_versions,omitempty"` + + // Path where KV-V2 engine is mounted. + // Path where KV-V2 engine is mounted. + Mount *string `json:"mount,omitempty" tf:"mount,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` +} + type SecretBackendV2Observation struct { + // If true, all keys will require the cas + // parameter to be set on all write requests. // If true, all keys will require the cas parameter to be set on all write requests. CasRequired *bool `json:"casRequired,omitempty" tf:"cas_required,omitempty"` + // If set, specifies the length of time before + // a version is deleted. Accepts duration in integer seconds. 
// If set, specifies the length of time before a version is deleted DeleteVersionAfter *float64 `json:"deleteVersionAfter,omitempty" tf:"delete_version_after,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The number of versions to keep per key. // The number of versions to keep per key. MaxVersions *float64 `json:"maxVersions,omitempty" tf:"max_versions,omitempty"` + // Path where KV-V2 engine is mounted. // Path where KV-V2 engine is mounted. Mount *string `json:"mount,omitempty" tf:"mount,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` } type SecretBackendV2Parameters struct { + // If true, all keys will require the cas + // parameter to be set on all write requests. // If true, all keys will require the cas parameter to be set on all write requests. // +kubebuilder:validation:Optional CasRequired *bool `json:"casRequired,omitempty" tf:"cas_required,omitempty"` + // If set, specifies the length of time before + // a version is deleted. Accepts duration in integer seconds. // If set, specifies the length of time before a version is deleted // +kubebuilder:validation:Optional DeleteVersionAfter *float64 `json:"deleteVersionAfter,omitempty" tf:"delete_version_after,omitempty"` + // The number of versions to keep per key. // The number of versions to keep per key. // +kubebuilder:validation:Optional MaxVersions *float64 `json:"maxVersions,omitempty" tf:"max_versions,omitempty"` + // Path where KV-V2 engine is mounted. // Path where KV-V2 engine is mounted. // +kubebuilder:validation:Optional Mount *string `json:"mount,omitempty" tf:"mount,omitempty"` + // The namespace to provision the resource in. 
+ // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` @@ -60,6 +108,18 @@ type SecretBackendV2Parameters struct { type SecretBackendV2Spec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendV2Parameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretBackendV2InitParameters `json:"initProvider,omitempty"` } // SecretBackendV2Status defines the observed state of SecretBackendV2. 
@@ -70,7 +130,7 @@ type SecretBackendV2Status struct { // +kubebuilder:object:root=true -// SecretBackendV2 is the Schema for the SecretBackendV2s API. +// SecretBackendV2 is the Schema for the SecretBackendV2s API. Configures KV-V2 backend level settings that are applied to every key in the key-value store. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" @@ -80,7 +140,7 @@ type SecretBackendV2Status struct { type SecretBackendV2 struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.mount)",message="mount is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.mount) || has(self.initProvider.mount)",message="mount is a required parameter" Spec SecretBackendV2Spec `json:"spec"` Status SecretBackendV2Status `json:"status,omitempty"` } diff --git a/apis/kv/v1alpha1/zz_secretv2_types.go b/apis/kv/v1alpha1/zz_secretv2_types.go index 1448668e..8e76708c 100755 --- a/apis/kv/v1alpha1/zz_secretv2_types.go +++ b/apis/kv/v1alpha1/zz_secretv2_types.go 
@@ -13,109 +13,236 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type CustomMetadataInitParameters struct { + + // If true, all keys will require the cas + // parameter to be set on all write requests. + // If true, all keys will require the cas parameter to be set on all write requests. + CasRequired *bool `json:"casRequired,omitempty" tf:"cas_required,omitempty"` + + // A string to string map describing the secret. + // A map of arbitrary string to string valued user-provided metadata meant to describe the secret. + Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + + // If set, specifies the length of time before + // a version is deleted. Accepts duration in integer seconds. + // If set, specifies the length of time before a version is deleted. + DeleteVersionAfter *float64 `json:"deleteVersionAfter,omitempty" tf:"delete_version_after,omitempty"` + + // The number of versions to keep per key. + // The number of versions to keep per key. + MaxVersions *float64 `json:"maxVersions,omitempty" tf:"max_versions,omitempty"` +} + type CustomMetadataObservation struct { + // If true, all keys will require the cas + // parameter to be set on all write requests. // If true, all keys will require the cas parameter to be set on all write requests. CasRequired *bool `json:"casRequired,omitempty" tf:"cas_required,omitempty"` + // A string to string map describing the secret. // A map of arbitrary string to string valued user-provided metadata meant to describe the secret. Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // If set, specifies the length of time before + // a version is deleted. Accepts duration in integer seconds. // If set, specifies the length of time before a version is deleted. DeleteVersionAfter *float64 `json:"deleteVersionAfter,omitempty" tf:"delete_version_after,omitempty"` + // The number of versions to keep per key. // The number of versions to keep per key. 
MaxVersions *float64 `json:"maxVersions,omitempty" tf:"max_versions,omitempty"` } type CustomMetadataParameters struct { + // If true, all keys will require the cas + // parameter to be set on all write requests. // If true, all keys will require the cas parameter to be set on all write requests. // +kubebuilder:validation:Optional CasRequired *bool `json:"casRequired,omitempty" tf:"cas_required,omitempty"` + // A string to string map describing the secret. // A map of arbitrary string to string valued user-provided metadata meant to describe the secret. // +kubebuilder:validation:Optional Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // If set, specifies the length of time before + // a version is deleted. Accepts duration in integer seconds. // If set, specifies the length of time before a version is deleted. // +kubebuilder:validation:Optional DeleteVersionAfter *float64 `json:"deleteVersionAfter,omitempty" tf:"delete_version_after,omitempty"` + // The number of versions to keep per key. // The number of versions to keep per key. // +kubebuilder:validation:Optional MaxVersions *float64 `json:"maxVersions,omitempty" tf:"max_versions,omitempty"` } +type SecretV2InitParameters struct { + + // This flag is required if cas_required is set to true + // on either the secret or the engine's config. In order for a + // write operation to be successful, cas must be set to the current version + // of the secret. + // This flag is required if cas_required is set to true on either the secret or the engine's config. In order for a write to be successful, cas must be set to the current version of the secret. + Cas *float64 `json:"cas,omitempty" tf:"cas,omitempty"` + + // A nested block that allows configuring metadata for the + // KV secret. Refer to the + // Configuration Options for more info. + // Custom metadata to be set for the secret. 
+ CustomMetadata []CustomMetadataInitParameters `json:"customMetadata,omitempty" tf:"custom_metadata,omitempty"` + + // If set to true, permanently deletes all + // versions for the specified key. + // If set to true, permanently deletes all versions for the specified key. + DeleteAllVersions *bool `json:"deleteAllVersions,omitempty" tf:"delete_all_versions,omitempty"` + + // If set to true, disables reading secret from Vault; + // note: drift won't be detected. + // If set to true, disables reading secret from Vault; note: drift won't be detected. + DisableRead *bool `json:"disableRead,omitempty" tf:"disable_read,omitempty"` + + // Path where KV-V2 engine is mounted. + // Path where KV-V2 engine is mounted. + Mount *string `json:"mount,omitempty" tf:"mount,omitempty"` + + // Full name of the secret. For a nested secret + // the name is the nested path excluding the mount and data + // prefix. For example, for a secret at kvv2/data/foo/bar/baz + // the name is foo/bar/baz. + // Full name of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz' + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // An object that holds option settings. + // An object that holds option settings. + Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` +} + type SecretV2Observation struct { + // This flag is required if cas_required is set to true + // on either the secret or the engine's config. 
In order for a + // write operation to be successful, cas must be set to the current version + // of the secret. // This flag is required if cas_required is set to true on either the secret or the engine's config. In order for a write to be successful, cas must be set to the current version of the secret. Cas *float64 `json:"cas,omitempty" tf:"cas,omitempty"` + // A nested block that allows configuring metadata for the + // KV secret. Refer to the + // Configuration Options for more info. // Custom metadata to be set for the secret. CustomMetadata []CustomMetadataObservation `json:"customMetadata,omitempty" tf:"custom_metadata,omitempty"` + // If set to true, permanently deletes all + // versions for the specified key. // If set to true, permanently deletes all versions for the specified key. DeleteAllVersions *bool `json:"deleteAllVersions,omitempty" tf:"delete_all_versions,omitempty"` + // If set to true, disables reading secret from Vault; + // note: drift won't be detected. // If set to true, disables reading secret from Vault; note: drift won't be detected. DisableRead *bool `json:"disableRead,omitempty" tf:"disable_read,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // Metadata associated with this secret read from Vault. // Metadata associated with this secret read from Vault. Metadata map[string]*string `json:"metadata,omitempty" tf:"metadata,omitempty"` + // Path where KV-V2 engine is mounted. // Path where KV-V2 engine is mounted. Mount *string `json:"mount,omitempty" tf:"mount,omitempty"` + // Full name of the secret. For a nested secret + // the name is the nested path excluding the mount and data + // prefix. For example, for a secret at kvv2/data/foo/bar/baz + // the name is foo/bar/baz. // Full name of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. 
For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz' Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // An object that holds option settings. // An object that holds option settings. Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` + // Full path where the KV-V2 secret will be written. // Full path where the KV-V2 secret will be written. Path *string `json:"path,omitempty" tf:"path,omitempty"` } type SecretV2Parameters struct { + // This flag is required if cas_required is set to true + // on either the secret or the engine's config. In order for a + // write operation to be successful, cas must be set to the current version + // of the secret. // This flag is required if cas_required is set to true on either the secret or the engine's config. In order for a write to be successful, cas must be set to the current version of the secret. // +kubebuilder:validation:Optional Cas *float64 `json:"cas,omitempty" tf:"cas,omitempty"` + // A nested block that allows configuring metadata for the + // KV secret. Refer to the + // Configuration Options for more info. // Custom metadata to be set for the secret. // +kubebuilder:validation:Optional CustomMetadata []CustomMetadataParameters `json:"customMetadata,omitempty" tf:"custom_metadata,omitempty"` + // JSON-encoded string that will be + // written as the secret data at the given path. // JSON-encoded secret data to write. // +kubebuilder:validation:Optional DataJSONSecretRef v1.SecretKeySelector `json:"dataJsonSecretRef" tf:"-"` + // If set to true, permanently deletes all + // versions for the specified key. 
// If set to true, permanently deletes all versions for the specified key. // +kubebuilder:validation:Optional DeleteAllVersions *bool `json:"deleteAllVersions,omitempty" tf:"delete_all_versions,omitempty"` + // If set to true, disables reading secret from Vault; + // note: drift won't be detected. // If set to true, disables reading secret from Vault; note: drift won't be detected. // +kubebuilder:validation:Optional DisableRead *bool `json:"disableRead,omitempty" tf:"disable_read,omitempty"` + // Path where KV-V2 engine is mounted. // Path where KV-V2 engine is mounted. // +kubebuilder:validation:Optional Mount *string `json:"mount,omitempty" tf:"mount,omitempty"` + // Full name of the secret. For a nested secret + // the name is the nested path excluding the mount and data + // prefix. For example, for a secret at kvv2/data/foo/bar/baz + // the name is foo/bar/baz. // Full name of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz' // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // An object that holds option settings. // An object that holds option settings. // +kubebuilder:validation:Optional Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` 
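Review bot: Every field in CustomMetadataInitParameters and SecretV2InitParameters now carries its description twice, once as the wrapped short form and once as the single-line form — e.g. `// The number of versions to keep per key.` sits on two consecutive lines above MaxVersions, and `// Path where KV-V2 engine is mounted.` above Mount — and the same duplicated lines were added to the Observation and Parameters structs; one copy per field is enough. On the positive side, SecretV2InitParameters has no DataJSONSecretRef, so secret material cannot be placed in the alpha initProvider block; that is the right choice and worth stating in a struct comment such as `// SecretV2InitParameters holds create-time settings only; the secret payload (dataJsonSecretRef) stays in ForProvider.`. A caveat worth adding on DisableRead is that, per the InitProvider description in this file, initProvider fields are merged at creation and then ignored, so `disableRead: true` set there is presumably not reversible through the manifest and the field's own "drift won't be detected" warning then applies for the object's whole lifetime, including an out-of-band change to the secret value. The struct definitions in this hunk are complete.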
@@ -125,6 +252,18 @@ type SecretV2Parameters struct {
 type SecretV2Spec struct {
 v1.ResourceSpec `json:",inline"`
 ForProvider SecretV2Parameters `json:"forProvider"`
+ // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored
+ // unless the relevant Crossplane feature flag is enabled, and may be
+ // changed or removed without notice.
+ // InitProvider holds the same fields as ForProvider, with the exception
+ // of Identifier and other resource reference fields. The fields that are
+ // in InitProvider are merged into ForProvider when the resource is created.
+ // The same fields are also added to the terraform ignore_changes hook, to
+ // avoid updating them after creation. This is useful for fields that are
+ // required on creation, but we do not desire to update them after creation,
+ // for example because of an external controller is managing them, like an
+ // autoscaler.
+ InitProvider SecretV2InitParameters `json:"initProvider,omitempty"`
 }
 // SecretV2Status defines the observed state of SecretV2.
@@ -135,7 +274,7 @@ type SecretV2Status struct {
 // +kubebuilder:object:root=true
-// SecretV2 is the Schema for the SecretV2s API.
+// SecretV2 is the Schema for the SecretV2s API. Writes a KV-V2 secret to a given path in Vault
 // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status"
 // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status"
 // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name"
@@ -145,9 +284,9 @@ type SecretV2Status struct {
 type SecretV2 struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
- // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dataJsonSecretRef)",message="dataJsonSecretRef is a required parameter"
- // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.mount)",message="mount is a required parameter"
- // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+ // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.dataJsonSecretRef)",message="dataJsonSecretRef is a required parameter"
+ // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.mount) || has(self.initProvider.mount)",message="mount is a required parameter"
+ // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter"
 Spec SecretV2Spec `json:"spec"`
 Status SecretV2Status `json:"status,omitempty"`
 }
diff --git a/apis/ldap/v1alpha1/zz_authbackend_types.go b/apis/ldap/v1alpha1/zz_authbackend_types.go
index 91d1d09b..689c7b42 100755
--- a/apis/ldap/v1alpha1/zz_authbackend_types.go
+++ b/apis/ldap/v1alpha1/zz_authbackend_types.go
@@ -13,6 +13,89 @@ import (
 v1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 )
+type AuthBackendInitParameters struct {
+ Binddn *string `json:"binddn,omitempty" tf:"binddn,omitempty"`
+
+ CaseSensitiveNames *bool `json:"caseSensitiveNames,omitempty" tf:"case_sensitive_names,omitempty"`
+
+ Certificate *string `json:"certificate,omitempty" tf:"certificate,omitempty"`
+
+ ClientTLSCert *string `json:"clientTlsCert,omitempty" tf:"client_tls_cert,omitempty"`
+
+ DenyNullBind *bool `json:"denyNullBind,omitempty" tf:"deny_null_bind,omitempty"`
+
+ Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+ // If set, opts out of mount migration on path updates.
+ DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"`
+
+ Discoverdn *bool `json:"discoverdn,omitempty" tf:"discoverdn,omitempty"`
+
+ Groupattr *string `json:"groupattr,omitempty" tf:"groupattr,omitempty"`
+
+ Groupdn *string `json:"groupdn,omitempty" tf:"groupdn,omitempty"`
+
+ Groupfilter *string `json:"groupfilter,omitempty" tf:"groupfilter,omitempty"`
+
+ InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"`
+
+ // Specifies if the auth method is local only
+ Local *bool `json:"local,omitempty" tf:"local,omitempty"`
+
+ // Target namespace. (requires Enterprise)
+ Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+
+ Path *string `json:"path,omitempty" tf:"path,omitempty"`
+
+ Starttls *bool `json:"starttls,omitempty" tf:"starttls,omitempty"`
+
+ TLSMaxVersion *string `json:"tlsMaxVersion,omitempty" tf:"tls_max_version,omitempty"`
+
+ TLSMinVersion *string `json:"tlsMinVersion,omitempty" tf:"tls_min_version,omitempty"`
+
+ // Specifies the blocks of IP addresses which are allowed to use the generated token
+ TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"`
+
+ // Generated Token's Explicit Maximum TTL in seconds
+ TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"`
+
+ // The maximum lifetime of the generated token
+ TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"`
+
+ // If true, the 'default' policy will not automatically be added to generated tokens
+ TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"`
+
+ // The maximum number of times a token may be used, a value of zero means unlimited
+ TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"`
+
+ // Generated Token's Period
+ TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"`
+
+ // Generated Token's Policies
+ TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"`
+
+ // The initial ttl of the token to generate in seconds
+ TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"`
+
+ // The type of token to generate, service or batch
+ TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"`
+
+ URL *string `json:"url,omitempty" tf:"url,omitempty"`
+
+ Upndomain *string `json:"upndomain,omitempty" tf:"upndomain,omitempty"`
+
+ UseTokenGroups *bool `json:"useTokenGroups,omitempty" tf:"use_token_groups,omitempty"`
+
+ Userattr *string `json:"userattr,omitempty" tf:"userattr,omitempty"`
+
+ Userdn *string `json:"userdn,omitempty" tf:"userdn,omitempty"`
+
+ Userfilter *string `json:"userfilter,omitempty" tf:"userfilter,omitempty"`
+
+ // Force the auth method to use the username passed by the user as the alias name.
+ UsernameAsAlias *bool `json:"usernameAsAlias,omitempty" tf:"username_as_alias,omitempty"`
+}
+
 type AuthBackendObservation struct {
 // The accessor of the LDAP auth backend
@@ -230,6 +313,18 @@ type AuthBackendParameters struct {
 type AuthBackendSpec struct {
 v1.ResourceSpec `json:",inline"`
 ForProvider AuthBackendParameters `json:"forProvider"`
+ // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored
+ // unless the relevant Crossplane feature flag is enabled, and may be
+ // changed or removed without notice.
+ // InitProvider holds the same fields as ForProvider, with the exception
+ // of Identifier and other resource reference fields. The fields that are
+ // in InitProvider are merged into ForProvider when the resource is created.
+ // The same fields are also added to the terraform ignore_changes hook, to
+ // avoid updating them after creation. This is useful for fields that are
+ // required on creation, but we do not desire to update them after creation,
+ // for example because of an external controller is managing them, like an
+ // autoscaler.
+ InitProvider AuthBackendInitParameters `json:"initProvider,omitempty"`
 }
 // AuthBackendStatus defines the observed state of AuthBackend.
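Review bot: The TLS-related fields of AuthBackendInitParameters — Certificate, ClientTLSCert, InsecureTLS, Starttls, TLSMinVersion, TLSMaxVersion — and the bind/search fields (Binddn, Userdn, Groupdn, the filters) have no doc comment at all, while every Token* field does; for a struct whose fields are, per the InitProvider description in this file, merged only at creation and then put under ignore_changes, the security-sensitive ones deserve a warning. I would add `// InsecureTLS presumably disables verification of the LDAP server certificate (tf: insecure_tls); when set here it is applied at creation only, so an out-of-band change in Vault is not corrected afterwards.` and an equivalent note on TLSMinVersion and TokenBoundCidrs. Binddn is present but no bind-password field is, which looks intentional (a secret reference belongs in forProvider) and is worth stating in a struct-level comment so nobody "fixes" it later. The struct is complete within this hunk.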
@@ -250,7 +345,7 @@ type AuthBackendStatus struct {
 type AuthBackend struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
- // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.url)",message="url is a required parameter"
+ // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.url) || has(self.initProvider.url)",message="url is a required parameter"
 Spec AuthBackendSpec `json:"spec"`
 Status AuthBackendStatus `json:"status,omitempty"`
 }
diff --git a/apis/ldap/v1alpha1/zz_authbackendgroup_types.go b/apis/ldap/v1alpha1/zz_authbackendgroup_types.go
index c272d84e..143bdbc1 100755
--- a/apis/ldap/v1alpha1/zz_authbackendgroup_types.go
+++ b/apis/ldap/v1alpha1/zz_authbackendgroup_types.go
@@ -13,6 +13,17 @@ import (
 v1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 )
+type AuthBackendGroupInitParameters struct {
+ Backend *string `json:"backend,omitempty" tf:"backend,omitempty"`
+
+ Groupname *string `json:"groupname,omitempty" tf:"groupname,omitempty"`
+
+ // Target namespace. (requires Enterprise)
+ Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+
+ Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"`
+}
+
 type AuthBackendGroupObservation struct {
 Backend *string `json:"backend,omitempty" tf:"backend,omitempty"`
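Review bot: Policies in AuthBackendGroupInitParameters makes the policy binding of an LDAP group a create-time-only setting: per the InitProvider description in this file the value is merged into forProvider at creation and then added to ignore_changes, so a later tightening of the list in the manifest is presumably not applied and a policy attached out-of-band in Vault is not reverted. That is a least-privilege trap on the one field that grants access, so I would document it: `// Policies bound to the group. Set here they are applied only at creation and not reconciled afterwards; use forProvider.policies for bindings that must track the manifest.`. Backend and Groupname carry no comment either; a one-liner each (`// Backend is presumably the mount path of the LDAP auth backend the group belongs to.`) would match the Namespace field. Both structs in this hunk are complete.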
@@ -46,6 +57,18 @@ type AuthBackendGroupParameters struct {
 type AuthBackendGroupSpec struct {
 v1.ResourceSpec `json:",inline"`
 ForProvider AuthBackendGroupParameters `json:"forProvider"`
+ // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored
+ // unless the relevant Crossplane feature flag is enabled, and may be
+ // changed or removed without notice.
+ // InitProvider holds the same fields as ForProvider, with the exception
+ // of Identifier and other resource reference fields. The fields that are
+ // in InitProvider are merged into ForProvider when the resource is created.
+ // The same fields are also added to the terraform ignore_changes hook, to
+ // avoid updating them after creation. This is useful for fields that are
+ // required on creation, but we do not desire to update them after creation,
+ // for example because of an external controller is managing them, like an
+ // autoscaler.
+ InitProvider AuthBackendGroupInitParameters `json:"initProvider,omitempty"`
 }
 // AuthBackendGroupStatus defines the observed state of AuthBackendGroup.
@@ -66,7 +89,7 @@ type AuthBackendGroupStatus struct {
 type AuthBackendGroup struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
- // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.groupname)",message="groupname is a required parameter"
+ // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.groupname) || has(self.initProvider.groupname)",message="groupname is a required parameter"
 Spec AuthBackendGroupSpec `json:"spec"`
 Status AuthBackendGroupStatus `json:"status,omitempty"`
 }
diff --git a/apis/ldap/v1alpha1/zz_authbackenduser_types.go b/apis/ldap/v1alpha1/zz_authbackenduser_types.go
index f5b26b3c..7015ba6e 100755
--- a/apis/ldap/v1alpha1/zz_authbackenduser_types.go
+++ b/apis/ldap/v1alpha1/zz_authbackenduser_types.go
@@ -13,6 +13,19 @@ import (
 v1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 )
+type AuthBackendUserInitParameters struct {
+ Backend *string `json:"backend,omitempty" tf:"backend,omitempty"`
+
+ Groups []*string `json:"groups,omitempty" tf:"groups,omitempty"`
+
+ // Target namespace. (requires Enterprise)
+ Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+
+ Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"`
+
+ Username *string `json:"username,omitempty" tf:"username,omitempty"`
+}
+
 type AuthBackendUserObservation struct {
 Backend *string `json:"backend,omitempty" tf:"backend,omitempty"`
@@ -51,6 +64,18 @@ type AuthBackendUserParameters struct {
 type AuthBackendUserSpec struct {
 v1.ResourceSpec `json:",inline"`
 ForProvider AuthBackendUserParameters `json:"forProvider"`
+ // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored
+ // unless the relevant Crossplane feature flag is enabled, and may be
+ // changed or removed without notice.
+ // InitProvider holds the same fields as ForProvider, with the exception
+ // of Identifier and other resource reference fields. The fields that are
+ // in InitProvider are merged into ForProvider when the resource is created.
+ // The same fields are also added to the terraform ignore_changes hook, to
+ // avoid updating them after creation. This is useful for fields that are
+ // required on creation, but we do not desire to update them after creation,
+ // for example because of an external controller is managing them, like an
+ // autoscaler.
+ InitProvider AuthBackendUserInitParameters `json:"initProvider,omitempty"`
 }
 // AuthBackendUserStatus defines the observed state of AuthBackendUser.
@@ -71,7 +96,7 @@ type AuthBackendUserStatus struct {
 type AuthBackendUser struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
- // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.username)",message="username is a required parameter"
+ // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.username) || has(self.initProvider.username)",message="username is a required parameter"
 Spec AuthBackendUserSpec `json:"spec"`
 Status AuthBackendUserStatus `json:"status,omitempty"`
 }
diff --git a/apis/ldap/v1alpha1/zz_generated.deepcopy.go b/apis/ldap/v1alpha1/zz_generated.deepcopy.go
index 895109ac..e15fad00 100644
--- a/apis/ldap/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/ldap/v1alpha1/zz_generated.deepcopy.go
@@ -68,6 +68,47 @@ func (in *AuthBackendGroup) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendGroupInitParameters) DeepCopyInto(out *AuthBackendGroupInitParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.Groupname != nil { + in, out := &in.Groupname, &out.Groupname + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Policies != nil { + in, out := &in.Policies, &out.Policies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendGroupInitParameters. +func (in *AuthBackendGroupInitParameters) DeepCopy() *AuthBackendGroupInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendGroupInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthBackendGroupList) DeepCopyInto(out *AuthBackendGroupList) { *out = *in @@ -192,6 +233,7 @@ func (in *AuthBackendGroupSpec) DeepCopyInto(out *AuthBackendGroupSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendGroupSpec. 
@@ -221,6 +263,203 @@ func (in *AuthBackendGroupStatus) DeepCopy() *AuthBackendGroupStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendInitParameters) DeepCopyInto(out *AuthBackendInitParameters) { + *out = *in + if in.Binddn != nil { + in, out := &in.Binddn, &out.Binddn + *out = new(string) + **out = **in + } + if in.CaseSensitiveNames != nil { + in, out := &in.CaseSensitiveNames, &out.CaseSensitiveNames + *out = new(bool) + **out = **in + } + if in.Certificate != nil { + in, out := &in.Certificate, &out.Certificate + *out = new(string) + **out = **in + } + if in.ClientTLSCert != nil { + in, out := &in.ClientTLSCert, &out.ClientTLSCert + *out = new(string) + **out = **in + } + if in.DenyNullBind != nil { + in, out := &in.DenyNullBind, &out.DenyNullBind + *out = new(bool) + **out = **in + } + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.DisableRemount != nil { + in, out := &in.DisableRemount, &out.DisableRemount + *out = new(bool) + **out = **in + } + if in.Discoverdn != nil { + in, out := &in.Discoverdn, &out.Discoverdn + *out = new(bool) + **out = **in + } + if in.Groupattr != nil { + in, out := &in.Groupattr, &out.Groupattr + *out = new(string) + **out = **in + } + if in.Groupdn != nil { + in, out := &in.Groupdn, &out.Groupdn + *out = new(string) + **out = **in + } + if in.Groupfilter != nil { + in, out := &in.Groupfilter, &out.Groupfilter + *out = new(string) + **out = **in + } + if in.InsecureTLS != nil { + in, out := &in.InsecureTLS, &out.InsecureTLS + *out = new(bool) + **out = **in + } + if in.Local != nil { + in, out := &in.Local, &out.Local + *out = new(bool) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = 
**in + } + if in.Starttls != nil { + in, out := &in.Starttls, &out.Starttls + *out = new(bool) + **out = **in + } + if in.TLSMaxVersion != nil { + in, out := &in.TLSMaxVersion, &out.TLSMaxVersion + *out = new(string) + **out = **in + } + if in.TLSMinVersion != nil { + in, out := &in.TLSMinVersion, &out.TLSMinVersion + *out = new(string) + **out = **in + } + if in.TokenBoundCidrs != nil { + in, out := &in.TokenBoundCidrs, &out.TokenBoundCidrs + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenExplicitMaxTTL != nil { + in, out := &in.TokenExplicitMaxTTL, &out.TokenExplicitMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenMaxTTL != nil { + in, out := &in.TokenMaxTTL, &out.TokenMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenNoDefaultPolicy != nil { + in, out := &in.TokenNoDefaultPolicy, &out.TokenNoDefaultPolicy + *out = new(bool) + **out = **in + } + if in.TokenNumUses != nil { + in, out := &in.TokenNumUses, &out.TokenNumUses + *out = new(float64) + **out = **in + } + if in.TokenPeriod != nil { + in, out := &in.TokenPeriod, &out.TokenPeriod + *out = new(float64) + **out = **in + } + if in.TokenPolicies != nil { + in, out := &in.TokenPolicies, &out.TokenPolicies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenTTL != nil { + in, out := &in.TokenTTL, &out.TokenTTL + *out = new(float64) + **out = **in + } + if in.TokenType != nil { + in, out := &in.TokenType, &out.TokenType + *out = new(string) + **out = **in + } + if in.URL != nil { + in, out := &in.URL, &out.URL + *out = new(string) + **out = **in + } + if in.Upndomain != nil { + in, out := &in.Upndomain, &out.Upndomain + *out = new(string) + **out = **in + } + if in.UseTokenGroups != nil { + in, out := &in.UseTokenGroups, &out.UseTokenGroups + 
*out = new(bool) + **out = **in + } + if in.Userattr != nil { + in, out := &in.Userattr, &out.Userattr + *out = new(string) + **out = **in + } + if in.Userdn != nil { + in, out := &in.Userdn, &out.Userdn + *out = new(string) + **out = **in + } + if in.Userfilter != nil { + in, out := &in.Userfilter, &out.Userfilter + *out = new(string) + **out = **in + } + if in.UsernameAsAlias != nil { + in, out := &in.UsernameAsAlias, &out.UsernameAsAlias + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendInitParameters. +func (in *AuthBackendInitParameters) DeepCopy() *AuthBackendInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthBackendList) DeepCopyInto(out *AuthBackendList) { *out = *in @@ -672,6 +911,7 @@ func (in *AuthBackendSpec) DeepCopyInto(out *AuthBackendSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendSpec. 
@@ -728,6 +968,58 @@ func (in *AuthBackendUser) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendUserInitParameters) DeepCopyInto(out *AuthBackendUserInitParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.Groups != nil { + in, out := &in.Groups, &out.Groups + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Policies != nil { + in, out := &in.Policies, &out.Policies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendUserInitParameters. +func (in *AuthBackendUserInitParameters) DeepCopy() *AuthBackendUserInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendUserInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthBackendUserList) DeepCopyInto(out *AuthBackendUserList) { *out = *in @@ -874,6 +1166,7 @@ func (in *AuthBackendUserSpec) DeepCopyInto(out *AuthBackendUserSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendUserSpec. 
diff --git a/apis/ldap/v1alpha1/zz_generated.managed.go b/apis/ldap/v1alpha1/zz_generated.managed.go index c0981ce1..ae342697 100644 --- a/apis/ldap/v1alpha1/zz_generated.managed.go +++ b/apis/ldap/v1alpha1/zz_generated.managed.go @@ -17,9 +17,9 @@ func (mg *AuthBackend) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this AuthBackend. -func (mg *AuthBackend) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this AuthBackend. +func (mg *AuthBackend) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this AuthBackend. @@ -55,9 +55,9 @@ func (mg *AuthBackend) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this AuthBackend. -func (mg *AuthBackend) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this AuthBackend. +func (mg *AuthBackend) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this AuthBackend. @@ -93,9 +93,9 @@ func (mg *AuthBackendGroup) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this AuthBackendGroup. -func (mg *AuthBackendGroup) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this AuthBackendGroup. +func (mg *AuthBackendGroup) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this AuthBackendGroup. 
@@ -131,9 +131,9 @@ func (mg *AuthBackendGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this AuthBackendGroup. -func (mg *AuthBackendGroup) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this AuthBackendGroup. +func (mg *AuthBackendGroup) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this AuthBackendGroup. @@ -169,9 +169,9 @@ func (mg *AuthBackendUser) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this AuthBackendUser. -func (mg *AuthBackendUser) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this AuthBackendUser. +func (mg *AuthBackendUser) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this AuthBackendUser. @@ -207,9 +207,9 @@ func (mg *AuthBackendUser) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this AuthBackendUser. -func (mg *AuthBackendUser) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this AuthBackendUser. +func (mg *AuthBackendUser) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this AuthBackendUser. diff --git a/apis/ldap/v1alpha1/zz_generated_terraformed.go b/apis/ldap/v1alpha1/zz_generated_terraformed.go index e00b499e..0af04f21 100755 --- a/apis/ldap/v1alpha1/zz_generated_terraformed.go +++ b/apis/ldap/v1alpha1/zz_generated_terraformed.go 
@@ -69,6 +69,16 @@ func (tr *AuthBackend) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this AuthBackend +func (tr *AuthBackend) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this AuthBackend using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackend) LateInitialize(attrs []byte) (bool, error) { @@ -143,6 +153,16 @@ func (tr *AuthBackendGroup) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this AuthBackendGroup +func (tr *AuthBackendGroup) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this AuthBackendGroup using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackendGroup) LateInitialize(attrs []byte) (bool, error) { @@ -217,6 +237,16 @@ func (tr *AuthBackendUser) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this AuthBackendUser +func (tr *AuthBackendUser) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this AuthBackendUser using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackendUser) LateInitialize(attrs []byte) (bool, error) { 
diff --git a/apis/managed/v1alpha1/zz_generated.deepcopy.go b/apis/managed/v1alpha1/zz_generated.deepcopy.go index a9088b54..25e6da5c 100644 --- a/apis/managed/v1alpha1/zz_generated.deepcopy.go +++ b/apis/managed/v1alpha1/zz_generated.deepcopy.go 
@@ -13,6 +13,86 @@ import ( runtime "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AwsInitParameters) DeepCopyInto(out *AwsInitParameters) { + *out = *in + if in.AccessKey != nil { + in, out := &in.AccessKey, &out.AccessKey + *out = new(string) + **out = **in + } + if in.AllowGenerateKey != nil { + in, out := &in.AllowGenerateKey, &out.AllowGenerateKey + *out = new(bool) + **out = **in + } + if in.AllowReplaceKey != nil { + in, out := &in.AllowReplaceKey, &out.AllowReplaceKey + *out = new(bool) + **out = **in + } + if in.AllowStoreKey != nil { + in, out := &in.AllowStoreKey, &out.AllowStoreKey + *out = new(bool) + **out = **in + } + if in.AnyMount != nil { + in, out := &in.AnyMount, &out.AnyMount + *out = new(bool) + **out = **in + } + if in.Curve != nil { + in, out := &in.Curve, &out.Curve + *out = new(string) + **out = **in + } + if in.Endpoint != nil { + in, out := &in.Endpoint, &out.Endpoint + *out = new(string) + **out = **in + } + if in.KMSKey != nil { + in, out := &in.KMSKey, &out.KMSKey + *out = new(string) + **out = **in + } + if in.KeyBits != nil { + in, out := &in.KeyBits, &out.KeyBits + *out = new(string) + **out = **in + } + if in.KeyType != nil { + in, out := &in.KeyType, &out.KeyType + *out = new(string) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Region != nil { + in, out := &in.Region, &out.Region + *out = new(string) + **out = **in + } + if in.SecretKey != nil { + in, out := &in.SecretKey, &out.SecretKey + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AwsInitParameters. 
+func (in *AwsInitParameters) DeepCopy() *AwsInitParameters { + if in == nil { + return nil + } + out := new(AwsInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AwsObservation) DeepCopyInto(out *AwsObservation) { *out = *in 
@@ -178,6 +258,91 @@ func (in *AwsParameters) DeepCopy() *AwsParameters { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AzureInitParameters) DeepCopyInto(out *AzureInitParameters) { + *out = *in + if in.AllowGenerateKey != nil { + in, out := &in.AllowGenerateKey, &out.AllowGenerateKey + *out = new(bool) + **out = **in + } + if in.AllowReplaceKey != nil { + in, out := &in.AllowReplaceKey, &out.AllowReplaceKey + *out = new(bool) + **out = **in + } + if in.AllowStoreKey != nil { + in, out := &in.AllowStoreKey, &out.AllowStoreKey + *out = new(bool) + **out = **in + } + if in.AnyMount != nil { + in, out := &in.AnyMount, &out.AnyMount + *out = new(bool) + **out = **in + } + if in.ClientID != nil { + in, out := &in.ClientID, &out.ClientID + *out = new(string) + **out = **in + } + if in.ClientSecret != nil { + in, out := &in.ClientSecret, &out.ClientSecret + *out = new(string) + **out = **in + } + if in.Environment != nil { + in, out := &in.Environment, &out.Environment + *out = new(string) + **out = **in + } + if in.KeyBits != nil { + in, out := &in.KeyBits, &out.KeyBits + *out = new(string) + **out = **in + } + if in.KeyName != nil { + in, out := &in.KeyName, &out.KeyName + *out = new(string) + **out = **in + } + if in.KeyType != nil { + in, out := &in.KeyType, &out.KeyType + *out = new(string) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Resource != nil { + in, out := &in.Resource, &out.Resource + *out = new(string) + **out = **in + } + if in.TenantID != nil { + in, out := &in.TenantID, &out.TenantID + *out = new(string) + **out = **in + } + if in.VaultName != nil { + in, out := &in.VaultName, &out.VaultName + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureInitParameters. 
+func (in *AzureInitParameters) DeepCopy() *AzureInitParameters { + if in == nil { + return nil + } + out := new(AzureInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AzureObservation) DeepCopyInto(out *AzureObservation) { *out = *in @@ -380,6 +545,47 @@ func (in *Keys) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KeysInitParameters) DeepCopyInto(out *KeysInitParameters) { + *out = *in + if in.Aws != nil { + in, out := &in.Aws, &out.Aws + *out = make([]AwsInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Azure != nil { + in, out := &in.Azure, &out.Azure + *out = make([]AzureInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Pkcs != nil { + in, out := &in.Pkcs, &out.Pkcs + *out = make([]PkcsInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeysInitParameters. +func (in *KeysInitParameters) DeepCopy() *KeysInitParameters { + if in == nil { + return nil + } + out := new(KeysInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *KeysList) DeepCopyInto(out *KeysList) { *out = *in 
@@ -504,6 +710,7 @@ func (in *KeysSpec) DeepCopyInto(out *KeysSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeysSpec. 
@@ -533,6 +740,96 @@ func (in *KeysStatus) DeepCopy() *KeysStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PkcsInitParameters) DeepCopyInto(out *PkcsInitParameters) { + *out = *in + if in.AllowGenerateKey != nil { + in, out := &in.AllowGenerateKey, &out.AllowGenerateKey + *out = new(bool) + **out = **in + } + if in.AllowReplaceKey != nil { + in, out := &in.AllowReplaceKey, &out.AllowReplaceKey + *out = new(bool) + **out = **in + } + if in.AllowStoreKey != nil { + in, out := &in.AllowStoreKey, &out.AllowStoreKey + *out = new(bool) + **out = **in + } + if in.AnyMount != nil { + in, out := &in.AnyMount, &out.AnyMount + *out = new(bool) + **out = **in + } + if in.Curve != nil { + in, out := &in.Curve, &out.Curve + *out = new(string) + **out = **in + } + if in.ForceRwSession != nil { + in, out := &in.ForceRwSession, &out.ForceRwSession + *out = new(string) + **out = **in + } + if in.KeyBits != nil { + in, out := &in.KeyBits, &out.KeyBits + *out = new(string) + **out = **in + } + if in.KeyID != nil { + in, out := &in.KeyID, &out.KeyID + *out = new(string) + **out = **in + } + if in.KeyLabel != nil { + in, out := &in.KeyLabel, &out.KeyLabel + *out = new(string) + **out = **in + } + if in.Library != nil { + in, out := &in.Library, &out.Library + *out = new(string) + **out = **in + } + if in.Mechanism != nil { + in, out := &in.Mechanism, &out.Mechanism + *out = new(string) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Pin != nil { + in, out := &in.Pin, &out.Pin + *out = new(string) + **out = **in + } + if in.Slot != nil { + in, out := &in.Slot, &out.Slot + *out = new(string) + **out = **in + } + if in.TokenLabel != nil { + in, out := &in.TokenLabel, &out.TokenLabel + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new 
PkcsInitParameters. +func (in *PkcsInitParameters) DeepCopy() *PkcsInitParameters { + if in == nil { + return nil + } + out := new(PkcsInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PkcsObservation) DeepCopyInto(out *PkcsObservation) { *out = *in diff --git a/apis/managed/v1alpha1/zz_generated.managed.go b/apis/managed/v1alpha1/zz_generated.managed.go index a69f240b..8c52fe3a 100644 --- a/apis/managed/v1alpha1/zz_generated.managed.go +++ b/apis/managed/v1alpha1/zz_generated.managed.go @@ -17,9 +17,9 @@ func (mg *Keys) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this Keys. -func (mg *Keys) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this Keys. +func (mg *Keys) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this Keys. @@ -55,9 +55,9 @@ func (mg *Keys) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this Keys. -func (mg *Keys) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this Keys. +func (mg *Keys) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this Keys. diff --git a/apis/managed/v1alpha1/zz_generated_terraformed.go b/apis/managed/v1alpha1/zz_generated_terraformed.go index eb097b55..97517724 100755 --- a/apis/managed/v1alpha1/zz_generated_terraformed.go +++ b/apis/managed/v1alpha1/zz_generated_terraformed.go 
@@ -69,6 +69,16 @@ func (tr *Keys) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this Keys +func (tr *Keys) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this Keys using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *Keys) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/managed/v1alpha1/zz_keys_types.go b/apis/managed/v1alpha1/zz_keys_types.go index 237a0e9d..731a7ff4 100755 --- a/apis/managed/v1alpha1/zz_keys_types.go +++ b/apis/managed/v1alpha1/zz_keys_types.go 
@@ -13,44 +13,126 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AwsInitParameters struct { + + // The AWS access key to use. + // The AWS access key to use + AccessKey *string `json:"accessKey,omitempty" tf:"access_key,omitempty"` + + // If no existing key can be found in + // the referenced backend, instructs Vault to generate a key within the backend. + // If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend + AllowGenerateKey *bool `json:"allowGenerateKey,omitempty" tf:"allow_generate_key,omitempty"` + + // Controls the ability for Vault to replace through + // generation or importing a key into the configured backend even + // if a key is present, if set to false those operations are forbidden + // if a key exists. + // Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. + AllowReplaceKey *bool `json:"allowReplaceKey,omitempty" tf:"allow_replace_key,omitempty"` + + // Controls the ability for Vault to import a key to the + // configured backend, if false, those operations will be forbidden. + // Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden + AllowStoreKey *bool `json:"allowStoreKey,omitempty" tf:"allow_store_key,omitempty"` + + // If true, allows usage from any mount point within the + // namespace. + // Allow usage from any mount point within the namespace if 'true' + AnyMount *bool `json:"anyMount,omitempty" tf:"any_mount,omitempty"` + + // The curve to use for an ECDSA key. Used when key_type + // is ECDSA. Required if allow_generate_key is true. + // The curve to use for an ECDSA key. Used when key_type is 'ECDSA'. 
Required if 'allow_generate_key' is true + Curve *string `json:"curve,omitempty" tf:"curve,omitempty"` + + // Used to specify a custom AWS endpoint. + // Used to specify a custom AWS endpoint + Endpoint *string `json:"endpoint,omitempty" tf:"endpoint,omitempty"` + + // An identifier for the key. + // An identifier for the key + KMSKey *string `json:"kmsKey,omitempty" tf:"kms_key,omitempty"` + + // The size in bits for an RSA key. + // The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' + KeyBits *string `json:"keyBits,omitempty" tf:"key_bits,omitempty"` + + // The type of key to use. + // The type of key to use + KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"` + + // A unique lowercase name that serves as identifying the key. + // A unique lowercase name that serves as identifying the key + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The AWS region where the keys are stored (or will be stored). + // The AWS region where the keys are stored (or will be stored) + Region *string `json:"region,omitempty" tf:"region,omitempty"` + + // The AWS access key to use. + // The AWS secret key to use + SecretKey *string `json:"secretKey,omitempty" tf:"secret_key,omitempty"` +} + type AwsObservation struct { + // The AWS access key to use. // The AWS access key to use AccessKey *string `json:"accessKey,omitempty" tf:"access_key,omitempty"` + // If no existing key can be found in + // the referenced backend, instructs Vault to generate a key within the backend. // If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend AllowGenerateKey *bool `json:"allowGenerateKey,omitempty" tf:"allow_generate_key,omitempty"` + // Controls the ability for Vault to replace through + // generation or importing a key into the configured backend even + // if a key is present, if set to false those operations are forbidden + // if a key exists. 
// Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. AllowReplaceKey *bool `json:"allowReplaceKey,omitempty" tf:"allow_replace_key,omitempty"` + // Controls the ability for Vault to import a key to the + // configured backend, if false, those operations will be forbidden. // Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden AllowStoreKey *bool `json:"allowStoreKey,omitempty" tf:"allow_store_key,omitempty"` + // If true, allows usage from any mount point within the + // namespace. // Allow usage from any mount point within the namespace if 'true' AnyMount *bool `json:"anyMount,omitempty" tf:"any_mount,omitempty"` + // The curve to use for an ECDSA key. Used when key_type + // is ECDSA. Required if allow_generate_key is true. // The curve to use for an ECDSA key. Used when key_type is 'ECDSA'. Required if 'allow_generate_key' is true Curve *string `json:"curve,omitempty" tf:"curve,omitempty"` + // Used to specify a custom AWS endpoint. // Used to specify a custom AWS endpoint Endpoint *string `json:"endpoint,omitempty" tf:"endpoint,omitempty"` + // An identifier for the key. // An identifier for the key KMSKey *string `json:"kmsKey,omitempty" tf:"kms_key,omitempty"` + // The size in bits for an RSA key. // The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' KeyBits *string `json:"keyBits,omitempty" tf:"key_bits,omitempty"` + // The type of key to use. // The type of key to use KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"` + // A unique lowercase name that serves as identifying the key. // A unique lowercase name that serves as identifying the key Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The AWS region where the keys are stored (or will be stored). 
// The AWS region where the keys are stored (or will be stored) Region *string `json:"region,omitempty" tf:"region,omitempty"` + // The AWS access key to use. // The AWS secret key to use SecretKey *string `json:"secretKey,omitempty" tf:"secret_key,omitempty"` 
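Review bot: In the new AwsInitParameters struct, `SecretKey *string `json:"secretKey,omitempty" tf:"secret_key,omitempty"`` (together with `AccessKey`) carries a long-lived cloud credential as a plain spec field, so the raw value is persisted and readable wherever the managed resource's spec is (API server storage, `kubectl get`, GitOps history) rather than being held in a Kubernetes Secret. The existing AwsParameters already exposes the field as a plain `*string`, so this hunk only mirrors the current design, but the InitProvider copy adds a second place the credential is stored without addressing it. The usual remedy in an upjet-based provider is to mark the field sensitive in the provider's generator configuration so the generated type carries a secret reference instead of the raw value; that change lives outside this generated file and would regenerate this hunk. The same concern applies to `ClientSecret` in AzureInitParameters in the following hunk and, judging by the deepcopy hunk earlier in this diff, to `Pin` in PkcsInitParameters. Separately, the generated doc comment above `SecretKey` reads `// The AWS access key to use.` while the line beneath it says secret key; since this text is pulled from the upstream provider documentation, it should be corrected at the source rather than edited here.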
@@ -60,164 +142,308 @@ type AwsObservation struct { type AwsParameters struct { + // The AWS access key to use. // The AWS access key to use - // +kubebuilder:validation:Required - AccessKey *string `json:"accessKey" tf:"access_key,omitempty"` + // +kubebuilder:validation:Optional + AccessKey *string `json:"accessKey,omitempty" tf:"access_key,omitempty"` + // If no existing key can be found in + // the referenced backend, instructs Vault to generate a key within the backend. // If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend // +kubebuilder:validation:Optional AllowGenerateKey *bool `json:"allowGenerateKey,omitempty" tf:"allow_generate_key,omitempty"` + // Controls the ability for Vault to replace through + // generation or importing a key into the configured backend even + // if a key is present, if set to false those operations are forbidden + // if a key exists. // Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. // +kubebuilder:validation:Optional AllowReplaceKey *bool `json:"allowReplaceKey,omitempty" tf:"allow_replace_key,omitempty"` + // Controls the ability for Vault to import a key to the + // configured backend, if false, those operations will be forbidden. // Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden // +kubebuilder:validation:Optional AllowStoreKey *bool `json:"allowStoreKey,omitempty" tf:"allow_store_key,omitempty"` + // If true, allows usage from any mount point within the + // namespace. // Allow usage from any mount point within the namespace if 'true' // +kubebuilder:validation:Optional AnyMount *bool `json:"anyMount,omitempty" tf:"any_mount,omitempty"` + // The curve to use for an ECDSA key. Used when key_type + // is ECDSA. 
Required if allow_generate_key is true. // The curve to use for an ECDSA key. Used when key_type is 'ECDSA'. Required if 'allow_generate_key' is true // +kubebuilder:validation:Optional Curve *string `json:"curve,omitempty" tf:"curve,omitempty"` + // Used to specify a custom AWS endpoint. // Used to specify a custom AWS endpoint // +kubebuilder:validation:Optional Endpoint *string `json:"endpoint,omitempty" tf:"endpoint,omitempty"` + // An identifier for the key. // An identifier for the key - // +kubebuilder:validation:Required - KMSKey *string `json:"kmsKey" tf:"kms_key,omitempty"` + // +kubebuilder:validation:Optional + KMSKey *string `json:"kmsKey,omitempty" tf:"kms_key,omitempty"` + // The size in bits for an RSA key. // The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' - // +kubebuilder:validation:Required - KeyBits *string `json:"keyBits" tf:"key_bits,omitempty"` + // +kubebuilder:validation:Optional + KeyBits *string `json:"keyBits,omitempty" tf:"key_bits,omitempty"` + // The type of key to use. // The type of key to use - // +kubebuilder:validation:Required - KeyType *string `json:"keyType" tf:"key_type,omitempty"` + // +kubebuilder:validation:Optional + KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"` + // A unique lowercase name that serves as identifying the key. // A unique lowercase name that serves as identifying the key - // +kubebuilder:validation:Required - Name *string `json:"name" tf:"name,omitempty"` + // +kubebuilder:validation:Optional + Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The AWS region where the keys are stored (or will be stored). // The AWS region where the keys are stored (or will be stored) // +kubebuilder:validation:Optional Region *string `json:"region,omitempty" tf:"region,omitempty"` + // The AWS access key to use. 
// The AWS secret key to use - // +kubebuilder:validation:Required - SecretKey *string `json:"secretKey" tf:"secret_key,omitempty"` + // +kubebuilder:validation:Optional + SecretKey *string `json:"secretKey,omitempty" tf:"secret_key,omitempty"` +} + +type AzureInitParameters struct { + + // If no existing key can be found in + // the referenced backend, instructs Vault to generate a key within the backend. + // If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend + AllowGenerateKey *bool `json:"allowGenerateKey,omitempty" tf:"allow_generate_key,omitempty"` + + // Controls the ability for Vault to replace through + // generation or importing a key into the configured backend even + // if a key is present, if set to false those operations are forbidden + // if a key exists. + // Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. + AllowReplaceKey *bool `json:"allowReplaceKey,omitempty" tf:"allow_replace_key,omitempty"` + + // Controls the ability for Vault to import a key to the + // configured backend, if false, those operations will be forbidden. + // Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden + AllowStoreKey *bool `json:"allowStoreKey,omitempty" tf:"allow_store_key,omitempty"` + + // If true, allows usage from any mount point within the + // namespace. + // Allow usage from any mount point within the namespace if 'true' + AnyMount *bool `json:"anyMount,omitempty" tf:"any_mount,omitempty"` + + // The client id for credentials to query the Azure APIs. + // The client id for credentials to query the Azure APIs + ClientID *string `json:"clientId,omitempty" tf:"client_id,omitempty"` + + // The client secret for credentials to query the Azure APIs. 
+ // The client secret for credentials to query the Azure APIs + ClientSecret *string `json:"clientSecret,omitempty" tf:"client_secret,omitempty"` + + // The Azure Cloud environment API endpoints to use. + // The Azure Cloud environment API endpoints to use + Environment *string `json:"environment,omitempty" tf:"environment,omitempty"` + + // The size in bits for an RSA key. + // The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' or when 'allow_generate_key' is true + KeyBits *string `json:"keyBits,omitempty" tf:"key_bits,omitempty"` + + // The Key Vault key to use for encryption and decryption. + // The Key Vault key to use for encryption and decryption + KeyName *string `json:"keyName,omitempty" tf:"key_name,omitempty"` + + // The type of key to use. + // The type of key to use + KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"` + + // A unique lowercase name that serves as identifying the key. + // A unique lowercase name that serves as identifying the key + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The Azure Key Vault resource's DNS Suffix to connect to. + // The Azure Key Vault resource's DNS Suffix to connect to + Resource *string `json:"resource,omitempty" tf:"resource,omitempty"` + + // The tenant id for the Azure Active Directory organization. + // The tenant id for the Azure Active Directory organization + TenantID *string `json:"tenantId,omitempty" tf:"tenant_id,omitempty"` + + // The Key Vault vault to use for encryption and decryption. + // The Key Vault vault to use the encryption keys for encryption and decryption + VaultName *string `json:"vaultName,omitempty" tf:"vault_name,omitempty"` } type AzureObservation struct { + // If no existing key can be found in + // the referenced backend, instructs Vault to generate a key within the backend. 
 // If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
 AllowGenerateKey *bool `json:"allowGenerateKey,omitempty" tf:"allow_generate_key,omitempty"`
+ // Controls the ability for Vault to replace through
+ // generation or importing a key into the configured backend even
+ // if a key is present, if set to false those operations are forbidden
+ // if a key exists.
 // Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
 AllowReplaceKey *bool `json:"allowReplaceKey,omitempty" tf:"allow_replace_key,omitempty"`
+ // Controls the ability for Vault to import a key to the
+ // configured backend, if false, those operations will be forbidden.
 // Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
 AllowStoreKey *bool `json:"allowStoreKey,omitempty" tf:"allow_store_key,omitempty"`
+ // If true, allows usage from any mount point within the
+ // namespace.
 // Allow usage from any mount point within the namespace if 'true'
 AnyMount *bool `json:"anyMount,omitempty" tf:"any_mount,omitempty"`
+ // The client id for credentials to query the Azure APIs.
 // The client id for credentials to query the Azure APIs
 ClientID *string `json:"clientId,omitempty" tf:"client_id,omitempty"`
+ // The client secret for credentials to query the Azure APIs.
 // The client secret for credentials to query the Azure APIs
 ClientSecret *string `json:"clientSecret,omitempty" tf:"client_secret,omitempty"`
+ // The Azure Cloud environment API endpoints to use.
 // The Azure Cloud environment API endpoints to use
 Environment *string `json:"environment,omitempty" tf:"environment,omitempty"`
+ // The size in bits for an RSA key.
 // The size in bits for an RSA key. 
This field is required when 'key_type' is 'RSA' or when 'allow_generate_key' is true
 KeyBits *string `json:"keyBits,omitempty" tf:"key_bits,omitempty"`
+ // The Key Vault key to use for encryption and decryption.
 // The Key Vault key to use for encryption and decryption
 KeyName *string `json:"keyName,omitempty" tf:"key_name,omitempty"`
+ // The type of key to use.
 // The type of key to use
 KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"`
+ // A unique lowercase name that serves as identifying the key.
 // A unique lowercase name that serves as identifying the key
 Name *string `json:"name,omitempty" tf:"name,omitempty"`
+ // The Azure Key Vault resource's DNS Suffix to connect to.
 // The Azure Key Vault resource's DNS Suffix to connect to
 Resource *string `json:"resource,omitempty" tf:"resource,omitempty"`
+ // The tenant id for the Azure Active Directory organization.
 // The tenant id for the Azure Active Directory organization
 TenantID *string `json:"tenantId,omitempty" tf:"tenant_id,omitempty"`
 // ID of the managed key read from Vault
 UUID *string `json:"uuid,omitempty" tf:"uuid,omitempty"`
+ // The Key Vault vault to use for encryption and decryption.
 // The Key Vault vault to use the encryption keys for encryption and decryption
 VaultName *string `json:"vaultName,omitempty" tf:"vault_name,omitempty"`
 }
 type AzureParameters struct {
+ // If no existing key can be found in
+ // the referenced backend, instructs Vault to generate a key within the backend.
 // If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
 // +kubebuilder:validation:Optional
 AllowGenerateKey *bool `json:"allowGenerateKey,omitempty" tf:"allow_generate_key,omitempty"`
+ // Controls the ability for Vault to replace through
+ // generation or importing a key into the configured backend even
+ // if a key is present, if set to false those operations are forbidden
+ // if a key exists.
 // Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
 // +kubebuilder:validation:Optional
 AllowReplaceKey *bool `json:"allowReplaceKey,omitempty" tf:"allow_replace_key,omitempty"`
+ // Controls the ability for Vault to import a key to the
+ // configured backend, if false, those operations will be forbidden.
 // Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
 // +kubebuilder:validation:Optional
 AllowStoreKey *bool `json:"allowStoreKey,omitempty" tf:"allow_store_key,omitempty"`
+ // If true, allows usage from any mount point within the
+ // namespace.
 // Allow usage from any mount point within the namespace if 'true'
 // +kubebuilder:validation:Optional
 AnyMount *bool `json:"anyMount,omitempty" tf:"any_mount,omitempty"`
+ // The client id for credentials to query the Azure APIs.
 // The client id for credentials to query the Azure APIs
- // +kubebuilder:validation:Required
- ClientID *string `json:"clientId" tf:"client_id,omitempty"`
+ // +kubebuilder:validation:Optional
+ ClientID *string `json:"clientId,omitempty" tf:"client_id,omitempty"`
+ // The client secret for credentials to query the Azure APIs.
 // The client secret for credentials to query the Azure APIs
- // +kubebuilder:validation:Required
- ClientSecret *string `json:"clientSecret" tf:"client_secret,omitempty"`
+ // +kubebuilder:validation:Optional
+ ClientSecret *string `json:"clientSecret,omitempty" tf:"client_secret,omitempty"`
+ // The Azure Cloud environment API endpoints to use.
 // The Azure Cloud environment API endpoints to use
 // +kubebuilder:validation:Optional
 Environment *string `json:"environment,omitempty" tf:"environment,omitempty"`
+ // The size in bits for an RSA key.
 // The size in bits for an RSA key. 
This field is required when 'key_type' is 'RSA' or when 'allow_generate_key' is true
 // +kubebuilder:validation:Optional
 KeyBits *string `json:"keyBits,omitempty" tf:"key_bits,omitempty"`
+ // The Key Vault key to use for encryption and decryption.
 // The Key Vault key to use for encryption and decryption
- // +kubebuilder:validation:Required
- KeyName *string `json:"keyName" tf:"key_name,omitempty"`
+ // +kubebuilder:validation:Optional
+ KeyName *string `json:"keyName,omitempty" tf:"key_name,omitempty"`
+ // The type of key to use.
 // The type of key to use
- // +kubebuilder:validation:Required
- KeyType *string `json:"keyType" tf:"key_type,omitempty"`
+ // +kubebuilder:validation:Optional
+ KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"`
+ // A unique lowercase name that serves as identifying the key.
 // A unique lowercase name that serves as identifying the key
- // +kubebuilder:validation:Required
- Name *string `json:"name" tf:"name,omitempty"`
+ // +kubebuilder:validation:Optional
+ Name *string `json:"name,omitempty" tf:"name,omitempty"`
+ // The Azure Key Vault resource's DNS Suffix to connect to.
 // The Azure Key Vault resource's DNS Suffix to connect to
 // +kubebuilder:validation:Optional
 Resource *string `json:"resource,omitempty" tf:"resource,omitempty"`
+ // The tenant id for the Azure Active Directory organization.
 // The tenant id for the Azure Active Directory organization
- // +kubebuilder:validation:Required
- TenantID *string `json:"tenantId" tf:"tenant_id,omitempty"`
+ // +kubebuilder:validation:Optional
+ TenantID *string `json:"tenantId,omitempty" tf:"tenant_id,omitempty"`
+ // The Key Vault vault to use for encryption and decryption.
 // The Key Vault vault to use the encryption keys for encryption and decryption
- // +kubebuilder:validation:Required
- VaultName *string `json:"vaultName" tf:"vault_name,omitempty"`
+ // +kubebuilder:validation:Optional
+ VaultName *string `json:"vaultName,omitempty" tf:"vault_name,omitempty"`
+}
+
+type KeysInitParameters struct {
+
+ // Configuration block for AWS Managed Keys
+ Aws []AwsInitParameters `json:"aws,omitempty" tf:"aws,omitempty"`
+
+ // Configuration block for Azure Managed Keys
+ Azure []AzureInitParameters `json:"azure,omitempty" tf:"azure,omitempty"`
+
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
+ // Target namespace. (requires Enterprise)
+ Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+
+ // Configuration block for PKCS Managed Keys
+ Pkcs []PkcsInitParameters `json:"pkcs,omitempty" tf:"pkcs,omitempty"`
 }
 type KeysObservation struct {
@@ -230,6 +456,10 @@ type KeysObservation struct {
 ID *string `json:"id,omitempty" tf:"id,omitempty"`
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
 // Target namespace. (requires Enterprise)
 Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
@@ -247,6 +477,10 @@ type KeysParameters struct {
 // +kubebuilder:validation:Optional
 Azure []AzureParameters `json:"azure,omitempty" tf:"azure,omitempty"`
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
 // Target namespace. (requires Enterprise)
 // +kubebuilder:validation:Optional
 Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
@@ -256,50 +490,150 @@ type KeysParameters struct {
 Pkcs []PkcsParameters `json:"pkcs,omitempty" tf:"pkcs,omitempty"`
 }
+type PkcsInitParameters struct {
+
+ // If no existing key can be found in
+ // the referenced backend, instructs Vault to generate a key within the backend.
+ // If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
+ AllowGenerateKey *bool `json:"allowGenerateKey,omitempty" tf:"allow_generate_key,omitempty"`
+
+ // Controls the ability for Vault to replace through
+ // generation or importing a key into the configured backend even
+ // if a key is present, if set to false those operations are forbidden
+ // if a key exists.
+ // Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
+ AllowReplaceKey *bool `json:"allowReplaceKey,omitempty" tf:"allow_replace_key,omitempty"`
+
+ // Controls the ability for Vault to import a key to the
+ // configured backend, if false, those operations will be forbidden.
+ // Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
+ AllowStoreKey *bool `json:"allowStoreKey,omitempty" tf:"allow_store_key,omitempty"`
+
+ // If true, allows usage from any mount point within the
+ // namespace.
+ // Allow usage from any mount point within the namespace if 'true'
+ AnyMount *bool `json:"anyMount,omitempty" tf:"any_mount,omitempty"`
+
+ // The curve to use for an ECDSA key. Used when key_type
+ // is ECDSA. Required if allow_generate_key is true.
+ // Supplies the curve value when using the 'CKM_ECDSA' mechanism. Required if 'allow_generate_key' is true
+ Curve *string `json:"curve,omitempty" tf:"curve,omitempty"`
+
+ // Force all operations to open up a read-write session to
+ // the HSM.
+ // Force all operations to open up a read-write session to the HSM
+ ForceRwSession *string `json:"forceRwSession,omitempty" tf:"force_rw_session,omitempty"`
+
+ // The size in bits for an RSA key.
+ // Supplies the size in bits of the key when using 'CKM_RSA_PKCS_PSS', 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. Required if 'allow_generate_key' is true
+ KeyBits *string `json:"keyBits,omitempty" tf:"key_bits,omitempty"`
+
+ // The id of a PKCS#11 key to use.
+ // The id of a PKCS#11 key to use
+ KeyID *string `json:"keyId,omitempty" tf:"key_id,omitempty"`
+
+ // The label of the key to use.
+ // The label of the key to use
+ KeyLabel *string `json:"keyLabel,omitempty" tf:"key_label,omitempty"`
+
+ // The name of the kms_library stanza to use from Vault's config
+ // to lookup the local library path.
+ // The name of the kms_library stanza to use from Vault's config to lookup the local library path
+ Library *string `json:"library,omitempty" tf:"library,omitempty"`
+
+ // The encryption/decryption mechanism to use, specified as a
+ // hexadecimal (prefixed by 0x) string.
+ // The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.
+ Mechanism *string `json:"mechanism,omitempty" tf:"mechanism,omitempty"`
+
+ // A unique lowercase name that serves as identifying the key.
+ // A unique lowercase name that serves as identifying the key
+ Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+ // The PIN for login.
+ // The PIN for login
+ Pin *string `json:"pin,omitempty" tf:"pin,omitempty"`
+
+ // The slot number to use, specified as a string in a decimal format
+ // (e.g. 2305843009213693953).
+ // The slot number to use, specified as a string in a decimal format (e.g. '2305843009213693953')
+ Slot *string `json:"slot,omitempty" tf:"slot,omitempty"`
+
+ // The slot token label to use.
+ // The slot token label to use
+ TokenLabel *string `json:"tokenLabel,omitempty" tf:"token_label,omitempty"`
+}
+
 type PkcsObservation struct {
+ // If no existing key can be found in
+ // the referenced backend, instructs Vault to generate a key within the backend.
 // If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
 AllowGenerateKey *bool `json:"allowGenerateKey,omitempty" tf:"allow_generate_key,omitempty"`
+ // Controls the ability for Vault to replace through
+ // generation or importing a key into the configured backend even
+ // if a key is present, if set to false those operations are forbidden
+ // if a key exists.
 // Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
 AllowReplaceKey *bool `json:"allowReplaceKey,omitempty" tf:"allow_replace_key,omitempty"`
+ // Controls the ability for Vault to import a key to the
+ // configured backend, if false, those operations will be forbidden.
 // Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
 AllowStoreKey *bool `json:"allowStoreKey,omitempty" tf:"allow_store_key,omitempty"`
+ // If true, allows usage from any mount point within the
+ // namespace.
 // Allow usage from any mount point within the namespace if 'true'
 AnyMount *bool `json:"anyMount,omitempty" tf:"any_mount,omitempty"`
+ // The curve to use for an ECDSA key. Used when key_type
+ // is ECDSA. Required if allow_generate_key is true.
 // Supplies the curve value when using the 'CKM_ECDSA' mechanism. Required if 'allow_generate_key' is true
 Curve *string `json:"curve,omitempty" tf:"curve,omitempty"`
+ // Force all operations to open up a read-write session to
+ // the HSM.
 // Force all operations to open up a read-write session to the HSM
 ForceRwSession *string `json:"forceRwSession,omitempty" tf:"force_rw_session,omitempty"`
+ // The size in bits for an RSA key.
 // Supplies the size in bits of the key when using 'CKM_RSA_PKCS_PSS', 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. Required if 'allow_generate_key' is true
 KeyBits *string `json:"keyBits,omitempty" tf:"key_bits,omitempty"`
+ // The id of a PKCS#11 key to use.
 // The id of a PKCS#11 key to use
 KeyID *string `json:"keyId,omitempty" tf:"key_id,omitempty"`
+ // The label of the key to use.
 // The label of the key to use
 KeyLabel *string `json:"keyLabel,omitempty" tf:"key_label,omitempty"`
+ // The name of the kms_library stanza to use from Vault's config
+ // to lookup the local library path.
 // The name of the kms_library stanza to use from Vault's config to lookup the local library path
 Library *string `json:"library,omitempty" tf:"library,omitempty"`
+ // The encryption/decryption mechanism to use, specified as a
+ // hexadecimal (prefixed by 0x) string.
 // The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.
 Mechanism *string `json:"mechanism,omitempty" tf:"mechanism,omitempty"`
+ // A unique lowercase name that serves as identifying the key.
 // A unique lowercase name that serves as identifying the key
 Name *string `json:"name,omitempty" tf:"name,omitempty"`
+ // The PIN for login.
 // The PIN for login
 Pin *string `json:"pin,omitempty" tf:"pin,omitempty"`
+ // The slot number to use, specified as a string in a decimal format
+ // (e.g. 2305843009213693953).
 // The slot number to use, specified as a string in a decimal format (e.g. '2305843009213693953')
 Slot *string `json:"slot,omitempty" tf:"slot,omitempty"`
+ // The slot token label to use.
 // The slot token label to use
 TokenLabel *string `json:"tokenLabel,omitempty" tf:"token_label,omitempty"`
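Review bot: `Pin *string \`json:"pin,omitempty" tf:"pin,omitempty"\`` in the new PkcsInitParameters carries the HSM login PIN as a plain string inside the CR spec, and the unchanged `Pin` field of PkcsObservation in this same hunk presumably echoes it back into status, so anyone with read access to a Keys object can read the PIN; by contrast the Duo type in this same change keeps its credentials out of the spec with `v1.SecretKeySelector` fields (`IntegrationKeySecretRef`, `SecretKeySecretRef`). PkcsParameters in the next hunk has the same plain-string `Pin`, and AzureInitParameters/AzureObservation at the top of this file have the same issue with `ClientSecret`. The file is generated (`zz_` prefix, `tf:` tags), so the fix is not here but in the resource configuration that drives the generator: marking `pin` and `client_secret` as sensitive should make it emit a `PinSecretRef v1.SecretKeySelector` with `tf:"-"` and leave the value out of the Observation struct — inferred from how the Duo secrets are laid out, so confirm against the generator's docs.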
@@ -309,62 +643,88 @@ type PkcsObservation struct {
 type PkcsParameters struct {
+ // If no existing key can be found in
+ // the referenced backend, instructs Vault to generate a key within the backend.
 // If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
 // +kubebuilder:validation:Optional
 AllowGenerateKey *bool `json:"allowGenerateKey,omitempty" tf:"allow_generate_key,omitempty"`
+ // Controls the ability for Vault to replace through
+ // generation or importing a key into the configured backend even
+ // if a key is present, if set to false those operations are forbidden
+ // if a key exists.
 // Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
 // +kubebuilder:validation:Optional
 AllowReplaceKey *bool `json:"allowReplaceKey,omitempty" tf:"allow_replace_key,omitempty"`
+ // Controls the ability for Vault to import a key to the
+ // configured backend, if false, those operations will be forbidden.
 // Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
 // +kubebuilder:validation:Optional
 AllowStoreKey *bool `json:"allowStoreKey,omitempty" tf:"allow_store_key,omitempty"`
+ // If true, allows usage from any mount point within the
+ // namespace.
 // Allow usage from any mount point within the namespace if 'true'
 // +kubebuilder:validation:Optional
 AnyMount *bool `json:"anyMount,omitempty" tf:"any_mount,omitempty"`
+ // The curve to use for an ECDSA key. Used when key_type
+ // is ECDSA. Required if allow_generate_key is true.
 // Supplies the curve value when using the 'CKM_ECDSA' mechanism. 
Required if 'allow_generate_key' is true
 // +kubebuilder:validation:Optional
 Curve *string `json:"curve,omitempty" tf:"curve,omitempty"`
+ // Force all operations to open up a read-write session to
+ // the HSM.
 // Force all operations to open up a read-write session to the HSM
 // +kubebuilder:validation:Optional
 ForceRwSession *string `json:"forceRwSession,omitempty" tf:"force_rw_session,omitempty"`
+ // The size in bits for an RSA key.
 // Supplies the size in bits of the key when using 'CKM_RSA_PKCS_PSS', 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. Required if 'allow_generate_key' is true
 // +kubebuilder:validation:Optional
 KeyBits *string `json:"keyBits,omitempty" tf:"key_bits,omitempty"`
+ // The id of a PKCS#11 key to use.
 // The id of a PKCS#11 key to use
- // +kubebuilder:validation:Required
- KeyID *string `json:"keyId" tf:"key_id,omitempty"`
+ // +kubebuilder:validation:Optional
+ KeyID *string `json:"keyId,omitempty" tf:"key_id,omitempty"`
+ // The label of the key to use.
 // The label of the key to use
- // +kubebuilder:validation:Required
- KeyLabel *string `json:"keyLabel" tf:"key_label,omitempty"`
+ // +kubebuilder:validation:Optional
+ KeyLabel *string `json:"keyLabel,omitempty" tf:"key_label,omitempty"`
+ // The name of the kms_library stanza to use from Vault's config
+ // to lookup the local library path.
 // The name of the kms_library stanza to use from Vault's config to lookup the local library path
- // +kubebuilder:validation:Required
- Library *string `json:"library" tf:"library,omitempty"`
+ // +kubebuilder:validation:Optional
+ Library *string `json:"library,omitempty" tf:"library,omitempty"`
+ // The encryption/decryption mechanism to use, specified as a
+ // hexadecimal (prefixed by 0x) string.
 // The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.
- // +kubebuilder:validation:Required
- Mechanism *string `json:"mechanism" tf:"mechanism,omitempty"`
+ // +kubebuilder:validation:Optional
+ Mechanism *string `json:"mechanism,omitempty" tf:"mechanism,omitempty"`
+ // A unique lowercase name that serves as identifying the key.
 // A unique lowercase name that serves as identifying the key
- // +kubebuilder:validation:Required
- Name *string `json:"name" tf:"name,omitempty"`
+ // +kubebuilder:validation:Optional
+ Name *string `json:"name,omitempty" tf:"name,omitempty"`
+ // The PIN for login.
 // The PIN for login
- // +kubebuilder:validation:Required
- Pin *string `json:"pin" tf:"pin,omitempty"`
+ // +kubebuilder:validation:Optional
+ Pin *string `json:"pin,omitempty" tf:"pin,omitempty"`
+ // The slot number to use, specified as a string in a decimal format
+ // (e.g. 2305843009213693953).
 // The slot number to use, specified as a string in a decimal format (e.g. '2305843009213693953')
 // +kubebuilder:validation:Optional
 Slot *string `json:"slot,omitempty" tf:"slot,omitempty"`
+ // The slot token label to use.
 // The slot token label to use
 // +kubebuilder:validation:Optional
 TokenLabel *string `json:"tokenLabel,omitempty" tf:"token_label,omitempty"`
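Review bot: Flipping `mechanism`, `pin`, `library`, `key_id`, `key_label` and `name` in PkcsParameters from `+kubebuilder:validation:Required` to `Optional` with `,omitempty` removes the only schema-level check that these values are present. For the top-level Duo type this commit compensates with CEL `XValidation` rules over `forProvider`/`initProvider`, but `pkcs` is a list of nested blocks and no rule covering its elements appears anywhere in this diff, so a Keys object with no mechanism or PIN will presumably be admitted and only fail once the provider tries to apply it. Worth confirming that the Keys type's own XValidation markers (outside this diff) cover the nested fields, or documenting that validation of these fields now happens at reconcile time; the enclosing PkcsParameters struct starts before this hunk.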
@@ -374,6 +734,18 @@ type PkcsParameters struct {
 type KeysSpec struct {
 v1.ResourceSpec `json:",inline"`
 ForProvider KeysParameters `json:"forProvider"`
+ // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored
+ // unless the relevant Crossplane feature flag is enabled, and may be
+ // changed or removed without notice.
+ // InitProvider holds the same fields as ForProvider, with the exception
+ // of Identifier and other resource reference fields. The fields that are
+ // in InitProvider are merged into ForProvider when the resource is created.
+ // The same fields are also added to the terraform ignore_changes hook, to
+ // avoid updating them after creation. This is useful for fields that are
+ // required on creation, but we do not desire to update them after creation,
+ // for example because of an external controller is managing them, like an
+ // autoscaler.
+ InitProvider KeysInitParameters `json:"initProvider,omitempty"`
 }
 // KeysStatus defines the observed state of Keys.
@@ -384,7 +756,7 @@ type KeysStatus struct {
 // +kubebuilder:object:root=true
-// Keys is the Schema for the Keyss API.
+// Keys is the Schema for the Keyss API. Configures Managed Keys in Vault
 // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status"
 // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status"
 // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name"
diff --git a/apis/mfa/v1alpha1/zz_duo_types.go b/apis/mfa/v1alpha1/zz_duo_types.go
index 3a578e67..6622fb53 100755
--- a/apis/mfa/v1alpha1/zz_duo_types.go
+++ b/apis/mfa/v1alpha1/zz_duo_types.go
@@ -13,59 +13,109 @@ import (
 v1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 )
+type DuoInitParameters struct {
+
+ // API hostname for Duo.
+ // API hostname for Duo.
+ APIHostname *string `json:"apiHostname,omitempty" tf:"api_hostname,omitempty"`
+
+ // The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.
+ // The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.
+ MountAccessor *string `json:"mountAccessor,omitempty" tf:"mount_accessor,omitempty"`
+
+ // (string: ) – Name of the MFA method.
+ // Name of the MFA method.
+ Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
+ // Target namespace. (requires Enterprise)
+ Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+
+ // Push information for Duo.
+ // Push information for Duo.
+ PushInfo *string `json:"pushInfo,omitempty" tf:"push_info,omitempty"`
+
+ // A format string for mapping Identity names to MFA method names. Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". If blank, the Alias's Name field will be used as-is. Currently-supported mappings:
+ // A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`.
+ UsernameFormat *string `json:"usernameFormat,omitempty" tf:"username_format,omitempty"`
+}
+
 type DuoObservation struct {
+ // API hostname for Duo.
 // API hostname for Duo.
 APIHostname *string `json:"apiHostname,omitempty" tf:"api_hostname,omitempty"`
 ID *string `json:"id,omitempty" tf:"id,omitempty"`
+ // The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.
 // The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.
 MountAccessor *string `json:"mountAccessor,omitempty" tf:"mount_accessor,omitempty"`
+ // (string: ) – Name of the MFA method.
 // Name of the MFA method.
 Name *string `json:"name,omitempty" tf:"name,omitempty"`
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
 // Target namespace. (requires Enterprise)
 Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+ // Push information for Duo.
 // Push information for Duo.
 PushInfo *string `json:"pushInfo,omitempty" tf:"push_info,omitempty"`
+ // A format string for mapping Identity names to MFA method names. Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". If blank, the Alias's Name field will be used as-is. Currently-supported mappings:
 // A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`.
 UsernameFormat *string `json:"usernameFormat,omitempty" tf:"username_format,omitempty"`
 }
 type DuoParameters struct {
+ // API hostname for Duo.
 // API hostname for Duo.
 // +kubebuilder:validation:Optional
 APIHostname *string `json:"apiHostname,omitempty" tf:"api_hostname,omitempty"`
+ // Integration key for Duo.
 // Integration key for Duo.
 // +kubebuilder:validation:Optional
 IntegrationKeySecretRef v1.SecretKeySelector `json:"integrationKeySecretRef" tf:"-"`
+ // The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.
 // The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.
 // +kubebuilder:validation:Optional
 MountAccessor *string `json:"mountAccessor,omitempty" tf:"mount_accessor,omitempty"`
+ // (string: ) – Name of the MFA method.
 // Name of the MFA method.
 // +kubebuilder:validation:Optional
 Name *string `json:"name,omitempty" tf:"name,omitempty"`
+ // The namespace to provision the resource in.
+ // The value should not contain leading or trailing forward slashes.
+ // The namespace is always relative to the provider's configured namespace.
+ // Available only for Vault Enterprise.
 // Target namespace. (requires Enterprise)
 // +kubebuilder:validation:Optional
 Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+ // Push information for Duo.
 // Push information for Duo.
 // +kubebuilder:validation:Optional
 PushInfo *string `json:"pushInfo,omitempty" tf:"push_info,omitempty"`
+ // Secret key for Duo.
 // Secret key for Duo.
 // +kubebuilder:validation:Optional
 SecretKeySecretRef v1.SecretKeySelector `json:"secretKeySecretRef" tf:"-"`
+ // A format string for mapping Identity names to MFA method names. Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". If blank, the Alias's Name field will be used as-is. Currently-supported mappings:
 // A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`.
 // +kubebuilder:validation:Optional
 UsernameFormat *string `json:"usernameFormat,omitempty" tf:"username_format,omitempty"`
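Review bot: Two of the descriptions copied into the new DuoInitParameters (and repeated in DuoObservation and DuoParameters in this hunk) are truncated: `// (string: ) – Name of the MFA method.` has an empty type placeholder, and the UsernameFormat comment ends with `Currently-supported mappings:` with nothing after it, so the generated CRD description for that field will end mid-sentence. These lines appear to be carried over from the upstream resource documentation rather than written here, so the wording should be corrected in whatever source the generator reads, not patched in this `zz_` file. On the substance, DuoInitParameters leaves out `IntegrationKeySecretRef` and `SecretKeySecretRef`, consistent with the XValidation rules below that only look for the secret references under `forProvider`, which keeps the Duo credentials as Secret references rather than spec values.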
@@ -75,6 +125,18 @@ type DuoParameters struct {
 type DuoSpec struct {
 v1.ResourceSpec `json:",inline"`
 ForProvider DuoParameters `json:"forProvider"`
+ // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored
+ // unless the relevant Crossplane feature flag is enabled, and may be
+ // changed or removed without notice.
+ // InitProvider holds the same fields as ForProvider, with the exception
+ // of Identifier and other resource reference fields. The fields that are
+ // in InitProvider are merged into ForProvider when the resource is created.
+ // The same fields are also added to the terraform ignore_changes hook, to
+ // avoid updating them after creation. This is useful for fields that are
+ // required on creation, but we do not desire to update them after creation,
+ // for example because of an external controller is managing them, like an
+ // autoscaler.
+ InitProvider DuoInitParameters `json:"initProvider,omitempty"`
 }
 // DuoStatus defines the observed state of Duo.
@@ -85,7 +147,7 @@ type DuoStatus struct {
 // +kubebuilder:object:root=true
-// Duo is the Schema for the Duos API.
+// Duo is the Schema for the Duos API. Managing the MFA Duo method configuration
 // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status"
 // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status"
 // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name"
@@ -95,11 +157,11 @@ type DuoStatus struct { type Duo struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.apiHostname)",message="apiHostname is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.integrationKeySecretRef)",message="integrationKeySecretRef is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.mountAccessor)",message="mountAccessor is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.secretKeySecretRef)",message="secretKeySecretRef is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.apiHostname) || has(self.initProvider.apiHostname)",message="apiHostname is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.integrationKeySecretRef)",message="integrationKeySecretRef is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.mountAccessor) || has(self.initProvider.mountAccessor)",message="mountAccessor is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in 
self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.secretKeySecretRef)",message="secretKeySecretRef is a required parameter" Spec DuoSpec `json:"spec"` Status DuoStatus `json:"status,omitempty"` } diff --git a/apis/mfa/v1alpha1/zz_generated.deepcopy.go b/apis/mfa/v1alpha1/zz_generated.deepcopy.go index 2106117c..48961054 100644 --- a/apis/mfa/v1alpha1/zz_generated.deepcopy.go +++ b/apis/mfa/v1alpha1/zz_generated.deepcopy.go 
@@ -40,6 +40,51 @@ func (in *Duo) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *DuoInitParameters) DeepCopyInto(out *DuoInitParameters) { + *out = *in + if in.APIHostname != nil { + in, out := &in.APIHostname, &out.APIHostname + *out = new(string) + **out = **in + } + if in.MountAccessor != nil { + in, out := &in.MountAccessor, &out.MountAccessor + *out = new(string) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.PushInfo != nil { + in, out := &in.PushInfo, &out.PushInfo + *out = new(string) + **out = **in + } + if in.UsernameFormat != nil { + in, out := &in.UsernameFormat, &out.UsernameFormat + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DuoInitParameters. +func (in *DuoInitParameters) DeepCopy() *DuoInitParameters { + if in == nil { + return nil + } + out := new(DuoInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *DuoList) DeepCopyInto(out *DuoList) { *out = *in @@ -174,6 +219,7 @@ func (in *DuoSpec) DeepCopyInto(out *DuoSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DuoSpec. 
@@ -230,6 +276,56 @@ func (in *Okta) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OktaInitParameters) DeepCopyInto(out *OktaInitParameters) { + *out = *in + if in.BaseURL != nil { + in, out := &in.BaseURL, &out.BaseURL + *out = new(string) + **out = **in + } + if in.MountAccessor != nil { + in, out := &in.MountAccessor, &out.MountAccessor + *out = new(string) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.OrgName != nil { + in, out := &in.OrgName, &out.OrgName + *out = new(string) + **out = **in + } + if in.PrimaryEmail != nil { + in, out := &in.PrimaryEmail, &out.PrimaryEmail + *out = new(bool) + **out = **in + } + if in.UsernameFormat != nil { + in, out := &in.UsernameFormat, &out.UsernameFormat + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OktaInitParameters. +func (in *OktaInitParameters) DeepCopy() *OktaInitParameters { + if in == nil { + return nil + } + out := new(OktaInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OktaList) DeepCopyInto(out *OktaList) { *out = *in @@ -373,6 +469,7 @@ func (in *OktaSpec) DeepCopyInto(out *OktaSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OktaSpec. 
@@ -429,6 +526,46 @@ func (in *Pingid) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PingidInitParameters) DeepCopyInto(out *PingidInitParameters) { + *out = *in + if in.MountAccessor != nil { + in, out := &in.MountAccessor, &out.MountAccessor + *out = new(string) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.SettingsFileBase64 != nil { + in, out := &in.SettingsFileBase64, &out.SettingsFileBase64 + *out = new(string) + **out = **in + } + if in.UsernameFormat != nil { + in, out := &in.UsernameFormat, &out.UsernameFormat + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PingidInitParameters. +func (in *PingidInitParameters) DeepCopy() *PingidInitParameters { + if in == nil { + return nil + } + out := new(PingidInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PingidList) DeepCopyInto(out *PingidList) { *out = *in @@ -586,6 +723,7 @@ func (in *PingidSpec) DeepCopyInto(out *PingidSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PingidSpec. 
@@ -642,6 +780,66 @@ func (in *Totp) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TotpInitParameters) DeepCopyInto(out *TotpInitParameters) { + *out = *in + if in.Algorithm != nil { + in, out := &in.Algorithm, &out.Algorithm + *out = new(string) + **out = **in + } + if in.Digits != nil { + in, out := &in.Digits, &out.Digits + *out = new(float64) + **out = **in + } + if in.Issuer != nil { + in, out := &in.Issuer, &out.Issuer + *out = new(string) + **out = **in + } + if in.KeySize != nil { + in, out := &in.KeySize, &out.KeySize + *out = new(float64) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Period != nil { + in, out := &in.Period, &out.Period + *out = new(float64) + **out = **in + } + if in.QrSize != nil { + in, out := &in.QrSize, &out.QrSize + *out = new(float64) + **out = **in + } + if in.Skew != nil { + in, out := &in.Skew, &out.Skew + *out = new(float64) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TotpInitParameters. +func (in *TotpInitParameters) DeepCopy() *TotpInitParameters { + if in == nil { + return nil + } + out := new(TotpInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TotpList) DeepCopyInto(out *TotpList) { *out = *in @@ -804,6 +1002,7 @@ func (in *TotpSpec) DeepCopyInto(out *TotpSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TotpSpec. 
diff --git a/apis/mfa/v1alpha1/zz_generated.managed.go b/apis/mfa/v1alpha1/zz_generated.managed.go index fb81d4fc..feb9c049 100644 --- a/apis/mfa/v1alpha1/zz_generated.managed.go +++ b/apis/mfa/v1alpha1/zz_generated.managed.go @@ -17,9 +17,9 @@ func (mg *Duo) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this Duo. -func (mg *Duo) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this Duo. +func (mg *Duo) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this Duo. @@ -55,9 +55,9 @@ func (mg *Duo) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this Duo. -func (mg *Duo) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this Duo. +func (mg *Duo) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this Duo. @@ -93,9 +93,9 @@ func (mg *Okta) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this Okta. -func (mg *Okta) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this Okta. +func (mg *Okta) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this Okta. @@ -131,9 +131,9 @@ func (mg *Okta) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this Okta. -func (mg *Okta) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this Okta. +func (mg *Okta) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this Okta. 
@@ -169,9 +169,9 @@ func (mg *Pingid) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this Pingid. -func (mg *Pingid) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this Pingid. +func (mg *Pingid) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this Pingid. @@ -207,9 +207,9 @@ func (mg *Pingid) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this Pingid. -func (mg *Pingid) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this Pingid. +func (mg *Pingid) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this Pingid. @@ -245,9 +245,9 @@ func (mg *Totp) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this Totp. -func (mg *Totp) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this Totp. +func (mg *Totp) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this Totp. @@ -283,9 +283,9 @@ func (mg *Totp) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this Totp. -func (mg *Totp) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this Totp. +func (mg *Totp) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this Totp. diff --git a/apis/mfa/v1alpha1/zz_generated_terraformed.go b/apis/mfa/v1alpha1/zz_generated_terraformed.go index 1b8b946b..750bed18 100755 --- a/apis/mfa/v1alpha1/zz_generated_terraformed.go +++ b/apis/mfa/v1alpha1/zz_generated_terraformed.go 
@@ -69,6 +69,16 @@ func (tr *Duo) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this Duo +func (tr *Duo) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this Duo using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *Duo) LateInitialize(attrs []byte) (bool, error) { @@ -143,6 +153,16 @@ func (tr *Okta) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this Okta +func (tr *Okta) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this Okta using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *Okta) LateInitialize(attrs []byte) (bool, error) { @@ -217,6 +237,16 @@ func (tr *Pingid) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this Pingid +func (tr *Pingid) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this Pingid using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *Pingid) LateInitialize(attrs []byte) (bool, error) { 
@@ -291,6 +321,16 @@ func (tr *Totp) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this Totp +func (tr *Totp) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this Totp using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *Totp) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/mfa/v1alpha1/zz_okta_types.go b/apis/mfa/v1alpha1/zz_okta_types.go index 31729bd3..611ecaaa 100755 --- a/apis/mfa/v1alpha1/zz_okta_types.go +++ b/apis/mfa/v1alpha1/zz_okta_types.go 
@@ -13,62 +13,132 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type OktaInitParameters struct { + + // If set, will be used as the base domain for API requests. Examples are okta.com, + // oktapreview.com, and okta-emea.com. + // If set, will be used as the base domain for API requests. + BaseURL *string `json:"baseUrl,omitempty" tf:"base_url,omitempty"` + + // The mount to tie this method to for use in automatic mappings. + // The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. + // The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. + MountAccessor *string `json:"mountAccessor,omitempty" tf:"mount_accessor,omitempty"` + + // (string: ) – Name of the MFA method. + // Name of the MFA method. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Name of the organization to be used in the Okta API. + // Name of the organization to be used in the Okta API. + OrgName *string `json:"orgName,omitempty" tf:"org_name,omitempty"` + + // If set to true, the username will only match the + // primary email for the account. + // If set to true, the username will only match the primary email for the account. + PrimaryEmail *bool `json:"primaryEmail,omitempty" tf:"primary_email,omitempty"` + + // A format string for mapping Identity names to MFA method names. + // Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". + // If blank, the Alias's Name field will be used as-is. 
Currently-supported mappings: + // A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. + UsernameFormat *string `json:"usernameFormat,omitempty" tf:"username_format,omitempty"` +} + type OktaObservation struct { + // If set, will be used as the base domain for API requests. Examples are okta.com, + // oktapreview.com, and okta-emea.com. // If set, will be used as the base domain for API requests. BaseURL *string `json:"baseUrl,omitempty" tf:"base_url,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The mount to tie this method to for use in automatic mappings. + // The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. // The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. MountAccessor *string `json:"mountAccessor,omitempty" tf:"mount_accessor,omitempty"` + // (string: ) – Name of the MFA method. // Name of the MFA method. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Name of the organization to be used in the Okta API. // Name of the organization to be used in the Okta API. OrgName *string `json:"orgName,omitempty" tf:"org_name,omitempty"` + // If set to true, the username will only match the + // primary email for the account. // If set to true, the username will only match the primary email for the account. PrimaryEmail *bool `json:"primaryEmail,omitempty" tf:"primary_email,omitempty"` + // A format string for mapping Identity names to MFA method names. 
+ // Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". + // If blank, the Alias's Name field will be used as-is. Currently-supported mappings: // A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. UsernameFormat *string `json:"usernameFormat,omitempty" tf:"username_format,omitempty"` } type OktaParameters struct { + // Okta API key. // Okta API key. // +kubebuilder:validation:Optional APITokenSecretRef v1.SecretKeySelector `json:"apiTokenSecretRef" tf:"-"` + // If set, will be used as the base domain for API requests. Examples are okta.com, + // oktapreview.com, and okta-emea.com. // If set, will be used as the base domain for API requests. // +kubebuilder:validation:Optional BaseURL *string `json:"baseUrl,omitempty" tf:"base_url,omitempty"` + // The mount to tie this method to for use in automatic mappings. + // The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. // The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. // +kubebuilder:validation:Optional MountAccessor *string `json:"mountAccessor,omitempty" tf:"mount_accessor,omitempty"` + // (string: ) – Name of the MFA method. // Name of the MFA method. // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Name of the organization to be used in the Okta API. // Name of the organization to be used in the Okta API. 
// +kubebuilder:validation:Optional OrgName *string `json:"orgName,omitempty" tf:"org_name,omitempty"` + // If set to true, the username will only match the + // primary email for the account. // If set to true, the username will only match the primary email for the account. // +kubebuilder:validation:Optional PrimaryEmail *bool `json:"primaryEmail,omitempty" tf:"primary_email,omitempty"` + // A format string for mapping Identity names to MFA method names. + // Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". + // If blank, the Alias's Name field will be used as-is. Currently-supported mappings: // A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. // +kubebuilder:validation:Optional UsernameFormat *string `json:"usernameFormat,omitempty" tf:"username_format,omitempty"` @@ -78,6 +148,18 @@ type OktaParameters struct { type OktaSpec struct { v1.ResourceSpec `json:",inline"` ForProvider OktaParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider OktaInitParameters `json:"initProvider,omitempty"` } // OktaStatus defines the observed state of Okta. 
@@ -88,7 +170,7 @@ type OktaStatus struct { // +kubebuilder:object:root=true -// Okta is the Schema for the Oktas API. +// Okta is the Schema for the Oktas API. Managing the MFA Okta method configuration // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -98,10 +180,10 @@ type OktaStatus struct { type Okta struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.apiTokenSecretRef)",message="apiTokenSecretRef is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.mountAccessor)",message="mountAccessor is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.orgName)",message="orgName is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.apiTokenSecretRef)",message="apiTokenSecretRef is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.mountAccessor) || has(self.initProvider.mountAccessor)",message="mountAccessor is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.orgName) || has(self.initProvider.orgName)",message="orgName is a required parameter" Spec OktaSpec `json:"spec"` Status OktaStatus `json:"status,omitempty"` } 
diff --git a/apis/mfa/v1alpha1/zz_pingid_types.go b/apis/mfa/v1alpha1/zz_pingid_types.go index 9f1f995a..2d45eb64 100755 --- a/apis/mfa/v1alpha1/zz_pingid_types.go +++ b/apis/mfa/v1alpha1/zz_pingid_types.go 
@@ -13,65 +13,127 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type PingidInitParameters struct { + + // The mount to tie this method to for use in automatic mappings. + // The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. + // The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. + MountAccessor *string `json:"mountAccessor,omitempty" tf:"mount_accessor,omitempty"` + + // (string: ) – Name of the MFA method. + // Name of the MFA method. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // A base64-encoded third-party settings file retrieved + // from PingID's configuration page. + // A base64-encoded third-party settings file retrieved from PingID's configuration page. + SettingsFileBase64 *string `json:"settingsFileBase64,omitempty" tf:"settings_file_base64,omitempty"` + + // A format string for mapping Identity names to MFA method names. + // Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". + // If blank, the Alias's Name field will be used as-is. Currently-supported mappings: + // A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. + UsernameFormat *string `json:"usernameFormat,omitempty" tf:"username_format,omitempty"` +} + type PingidObservation struct { + // (string) – Admin URL computed by Vault // Admin URL computed by Vault. 
AdminURL *string `json:"adminUrl,omitempty" tf:"admin_url,omitempty"` + // (string) – Authenticator URL computed by Vault // Authenticator URL computed by Vault. AuthenticatorURL *string `json:"authenticatorUrl,omitempty" tf:"authenticator_url,omitempty"` + // (string) – ID computed by Vault ID *string `json:"id,omitempty" tf:"id,omitempty"` + // (string) – IDP URL computed by Vault // IDP URL computed by Vault. IdpURL *string `json:"idpUrl,omitempty" tf:"idp_url,omitempty"` + // The mount to tie this method to for use in automatic mappings. + // The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. // The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. MountAccessor *string `json:"mountAccessor,omitempty" tf:"mount_accessor,omitempty"` + // (string: ) – Name of the MFA method. // Name of the MFA method. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // (string) – Namespace ID computed by Vault // Namespace ID computed by Vault. NamespaceID *string `json:"namespaceId,omitempty" tf:"namespace_id,omitempty"` + // (string) – Org Alias computed by Vault // Org Alias computed by Vault. OrgAlias *string `json:"orgAlias,omitempty" tf:"org_alias,omitempty"` + // A base64-encoded third-party settings file retrieved + // from PingID's configuration page. // A base64-encoded third-party settings file retrieved from PingID's configuration page. 
SettingsFileBase64 *string `json:"settingsFileBase64,omitempty" tf:"settings_file_base64,omitempty"` + // (string) – Type of configuration computed by Vault // Type of configuration computed by Vault. Type *string `json:"type,omitempty" tf:"type,omitempty"` + // (string) – If set to true, enables use of PingID signature. Computed by Vault // If set, enables use of PingID signature. Computed by Vault UseSignature *bool `json:"useSignature,omitempty" tf:"use_signature,omitempty"` + // A format string for mapping Identity names to MFA method names. + // Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". + // If blank, the Alias's Name field will be used as-is. Currently-supported mappings: // A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. UsernameFormat *string `json:"usernameFormat,omitempty" tf:"username_format,omitempty"` } type PingidParameters struct { + // The mount to tie this method to for use in automatic mappings. + // The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. // The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. // +kubebuilder:validation:Optional MountAccessor *string `json:"mountAccessor,omitempty" tf:"mount_accessor,omitempty"` + // (string: ) – Name of the MFA method. // Name of the MFA method. // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. 
(requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // A base64-encoded third-party settings file retrieved + // from PingID's configuration page. // A base64-encoded third-party settings file retrieved from PingID's configuration page. // +kubebuilder:validation:Optional SettingsFileBase64 *string `json:"settingsFileBase64,omitempty" tf:"settings_file_base64,omitempty"` + // A format string for mapping Identity names to MFA method names. + // Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". + // If blank, the Alias's Name field will be used as-is. Currently-supported mappings: // A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. // +kubebuilder:validation:Optional UsernameFormat *string `json:"usernameFormat,omitempty" tf:"username_format,omitempty"` @@ -81,6 +143,18 @@ type PingidParameters struct { type PingidSpec struct { v1.ResourceSpec `json:",inline"` ForProvider PingidParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider PingidInitParameters `json:"initProvider,omitempty"` } // PingidStatus defines the observed state of Pingid. 
@@ -91,7 +165,7 @@ type PingidStatus struct { // +kubebuilder:object:root=true -// Pingid is the Schema for the Pingids API. +// Pingid is the Schema for the Pingids API. Managing the MFA PingID method configuration // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -101,9 +175,9 @@ type PingidStatus struct { type Pingid struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.mountAccessor)",message="mountAccessor is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.settingsFileBase64)",message="settingsFileBase64 is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.mountAccessor) || has(self.initProvider.mountAccessor)",message="mountAccessor is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.settingsFileBase64) || has(self.initProvider.settingsFileBase64)",message="settingsFileBase64 is a required parameter" Spec PingidSpec `json:"spec"` Status PingidStatus `json:"status,omitempty"` } diff --git a/apis/mfa/v1alpha1/zz_totp_types.go b/apis/mfa/v1alpha1/zz_totp_types.go index 993907e9..2b251855 100755 --- a/apis/mfa/v1alpha1/zz_totp_types.go +++ b/apis/mfa/v1alpha1/zz_totp_types.go 
@@ -13,72 +13,147 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type TotpInitParameters struct { + + // Specifies the hashing algorithm used to generate the TOTP code. + // Options include SHA1, SHA256 and SHA512 + // Specifies the hashing algorithm used to generate the TOTP code. Options include 'SHA1', 'SHA256' and 'SHA512'. + Algorithm *string `json:"algorithm,omitempty" tf:"algorithm,omitempty"` + + // The number of digits in the generated TOTP token. + // This value can either be 6 or 8. + // The number of digits in the generated TOTP token. This value can either be 6 or 8. + Digits *float64 `json:"digits,omitempty" tf:"digits,omitempty"` + + // The name of the key's issuing organization. + // The name of the key's issuing organization. + Issuer *string `json:"issuer,omitempty" tf:"issuer,omitempty"` + + // Specifies the size in bytes of the generated key. + // Specifies the size in bytes of the generated key. + KeySize *float64 `json:"keySize,omitempty" tf:"key_size,omitempty"` + + // (string: ) – Name of the MFA method. + // Name of the MFA method. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The length of time used to generate a counter for the TOTP token calculation. + // The length of time used to generate a counter for the TOTP token calculation. + Period *float64 `json:"period,omitempty" tf:"period,omitempty"` + + // The pixel size of the generated square QR code. + // The pixel size of the generated square QR code. 
+ QrSize *float64 `json:"qrSize,omitempty" tf:"qr_size,omitempty"` + + // The number of delay periods that are allowed when validating a TOTP token. + // This value can either be 0 or 1. + // The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. + Skew *float64 `json:"skew,omitempty" tf:"skew,omitempty"` +} + type TotpObservation struct { + // Specifies the hashing algorithm used to generate the TOTP code. + // Options include SHA1, SHA256 and SHA512 // Specifies the hashing algorithm used to generate the TOTP code. Options include 'SHA1', 'SHA256' and 'SHA512'. Algorithm *string `json:"algorithm,omitempty" tf:"algorithm,omitempty"` + // The number of digits in the generated TOTP token. + // This value can either be 6 or 8. // The number of digits in the generated TOTP token. This value can either be 6 or 8. Digits *float64 `json:"digits,omitempty" tf:"digits,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The name of the key's issuing organization. // The name of the key's issuing organization. Issuer *string `json:"issuer,omitempty" tf:"issuer,omitempty"` + // Specifies the size in bytes of the generated key. // Specifies the size in bytes of the generated key. KeySize *float64 `json:"keySize,omitempty" tf:"key_size,omitempty"` + // (string: ) – Name of the MFA method. // Name of the MFA method. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The length of time used to generate a counter for the TOTP token calculation. // The length of time used to generate a counter for the TOTP token calculation. 
Period *float64 `json:"period,omitempty" tf:"period,omitempty"` + // The pixel size of the generated square QR code. // The pixel size of the generated square QR code. QrSize *float64 `json:"qrSize,omitempty" tf:"qr_size,omitempty"` + // The number of delay periods that are allowed when validating a TOTP token. + // This value can either be 0 or 1. // The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. Skew *float64 `json:"skew,omitempty" tf:"skew,omitempty"` } type TotpParameters struct { + // Specifies the hashing algorithm used to generate the TOTP code. + // Options include SHA1, SHA256 and SHA512 // Specifies the hashing algorithm used to generate the TOTP code. Options include 'SHA1', 'SHA256' and 'SHA512'. // +kubebuilder:validation:Optional Algorithm *string `json:"algorithm,omitempty" tf:"algorithm,omitempty"` + // The number of digits in the generated TOTP token. + // This value can either be 6 or 8. // The number of digits in the generated TOTP token. This value can either be 6 or 8. // +kubebuilder:validation:Optional Digits *float64 `json:"digits,omitempty" tf:"digits,omitempty"` + // The name of the key's issuing organization. // The name of the key's issuing organization. // +kubebuilder:validation:Optional Issuer *string `json:"issuer,omitempty" tf:"issuer,omitempty"` + // Specifies the size in bytes of the generated key. // Specifies the size in bytes of the generated key. // +kubebuilder:validation:Optional KeySize *float64 `json:"keySize,omitempty" tf:"key_size,omitempty"` + // (string: ) – Name of the MFA method. // Name of the MFA method. // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. 
(requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The length of time used to generate a counter for the TOTP token calculation. // The length of time used to generate a counter for the TOTP token calculation. // +kubebuilder:validation:Optional Period *float64 `json:"period,omitempty" tf:"period,omitempty"` + // The pixel size of the generated square QR code. // The pixel size of the generated square QR code. // +kubebuilder:validation:Optional QrSize *float64 `json:"qrSize,omitempty" tf:"qr_size,omitempty"` + // The number of delay periods that are allowed when validating a TOTP token. + // This value can either be 0 or 1. // The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. // +kubebuilder:validation:Optional Skew *float64 `json:"skew,omitempty" tf:"skew,omitempty"` @@ -88,6 +163,18 @@ type TotpParameters struct { type TotpSpec struct { v1.ResourceSpec `json:",inline"` ForProvider TotpParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider TotpInitParameters `json:"initProvider,omitempty"` } // TotpStatus defines the observed state of Totp. 
@@ -98,7 +185,7 @@ type TotpStatus struct { // +kubebuilder:object:root=true -// Totp is the Schema for the Totps API. +// Totp is the Schema for the Totps API. Managing the MFA TOTP method configuration // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" @@ -108,8 +195,8 @@ type TotpStatus struct { type Totp struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.issuer)",message="issuer is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.issuer) || has(self.initProvider.issuer)",message="issuer is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" Spec TotpSpec `json:"spec"` Status TotpStatus `json:"status,omitempty"` } diff --git a/apis/mongodbatlas/v1alpha1/zz_generated.deepcopy.go b/apis/mongodbatlas/v1alpha1/zz_generated.deepcopy.go index a75327e2..71f2aaf2 100644 --- a/apis/mongodbatlas/v1alpha1/zz_generated.deepcopy.go +++ b/apis/mongodbatlas/v1alpha1/zz_generated.deepcopy.go 
@@ -40,6 +40,41 @@ func (in *SecretBackend) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParameters) { + *out = *in + if in.Mount != nil { + in, out := &in.Mount, &out.Mount + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.PrivateKey != nil { + in, out := &in.PrivateKey, &out.PrivateKey + *out = new(string) + **out = **in + } + if in.PublicKey != nil { + in, out := &in.PublicKey, &out.PublicKey + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendInitParameters. +func (in *SecretBackendInitParameters) DeepCopy() *SecretBackendInitParameters { + if in == nil { + return nil + } + out := new(SecretBackendInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendList) DeepCopyInto(out *SecretBackendList) { *out = *in @@ -157,6 +192,7 @@ func (in *SecretBackendSpec) DeepCopyInto(out *SecretBackendSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendSpec. 
@@ -213,6 +249,100 @@ func (in *SecretRole) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretRoleInitParameters) DeepCopyInto(out *SecretRoleInitParameters) { + *out = *in + if in.CidrBlocks != nil { + in, out := &in.CidrBlocks, &out.CidrBlocks + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.IPAddresses != nil { + in, out := &in.IPAddresses, &out.IPAddresses + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.MaxTTL != nil { + in, out := &in.MaxTTL, &out.MaxTTL + *out = new(string) + **out = **in + } + if in.Mount != nil { + in, out := &in.Mount, &out.Mount + *out = new(string) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.OrganizationID != nil { + in, out := &in.OrganizationID, &out.OrganizationID + *out = new(string) + **out = **in + } + if in.ProjectID != nil { + in, out := &in.ProjectID, &out.ProjectID + *out = new(string) + **out = **in + } + if in.ProjectRoles != nil { + in, out := &in.ProjectRoles, &out.ProjectRoles + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Roles != nil { + in, out := &in.Roles, &out.Roles + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TTL != nil { + in, out := &in.TTL, &out.TTL + *out = new(string) + **out = **in + } +} + +// DeepCopy is an 
autogenerated deepcopy function, copying the receiver, creating a new SecretRoleInitParameters. +func (in *SecretRoleInitParameters) DeepCopy() *SecretRoleInitParameters { + if in == nil { + return nil + } + out := new(SecretRoleInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretRoleList) DeepCopyInto(out *SecretRoleList) { *out = *in @@ -443,6 +573,7 @@ func (in *SecretRoleSpec) DeepCopyInto(out *SecretRoleSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretRoleSpec. diff --git a/apis/mongodbatlas/v1alpha1/zz_generated.managed.go b/apis/mongodbatlas/v1alpha1/zz_generated.managed.go index c8296112..3577b829 100644 --- a/apis/mongodbatlas/v1alpha1/zz_generated.managed.go +++ b/apis/mongodbatlas/v1alpha1/zz_generated.managed.go @@ -17,9 +17,9 @@ func (mg *SecretBackend) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackend. -func (mg *SecretBackend) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackend. +func (mg *SecretBackend) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackend. 
@@ -55,9 +55,9 @@ func (mg *SecretBackend) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackend. -func (mg *SecretBackend) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackend. +func (mg *SecretBackend) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackend. @@ -93,9 +93,9 @@ func (mg *SecretRole) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretRole. -func (mg *SecretRole) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretRole. +func (mg *SecretRole) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretRole. @@ -131,9 +131,9 @@ func (mg *SecretRole) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretRole. -func (mg *SecretRole) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretRole. +func (mg *SecretRole) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretRole. diff --git a/apis/mongodbatlas/v1alpha1/zz_generated_terraformed.go b/apis/mongodbatlas/v1alpha1/zz_generated_terraformed.go index 27b68bf9..afab1b81 100755 --- a/apis/mongodbatlas/v1alpha1/zz_generated_terraformed.go +++ b/apis/mongodbatlas/v1alpha1/zz_generated_terraformed.go 
@@ -69,6 +69,16 @@ func (tr *SecretBackend) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackend +func (tr *SecretBackend) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackend using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { @@ -143,6 +153,16 @@ func (tr *SecretRole) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretRole +func (tr *SecretRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretRole) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/mongodbatlas/v1alpha1/zz_secretbackend_types.go b/apis/mongodbatlas/v1alpha1/zz_secretbackend_types.go index 35a2a5ae..d4c1e62b 100755 --- a/apis/mongodbatlas/v1alpha1/zz_secretbackend_types.go +++ b/apis/mongodbatlas/v1alpha1/zz_secretbackend_types.go 
@@ -13,39 +13,75 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretBackendInitParameters struct { + + // Path where the MongoDB Atlas Secrets Engine is mounted. + // Path where MongoDB Atlas secret backend is mounted + Mount *string `json:"mount,omitempty" tf:"mount,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Specifies the Private API Key used to authenticate with the MongoDB Atlas API. + // The Private Programmatic API Key used to connect with MongoDB Atlas API + PrivateKey *string `json:"privateKey,omitempty" tf:"private_key,omitempty"` + + // Specifies the Public API Key used to authenticate with the MongoDB Atlas API. + // The Public Programmatic API Key used to authenticate with the MongoDB Atlas API + PublicKey *string `json:"publicKey,omitempty" tf:"public_key,omitempty"` +} + type SecretBackendObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // Path where the MongoDB Atlas Secrets Engine is mounted. // Path where MongoDB Atlas secret backend is mounted Mount *string `json:"mount,omitempty" tf:"mount,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` // Path where MongoDB Atlas configuration is located Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Specifies the Private API Key used to authenticate with the MongoDB Atlas API. 
// The Private Programmatic API Key used to connect with MongoDB Atlas API PrivateKey *string `json:"privateKey,omitempty" tf:"private_key,omitempty"` + // Specifies the Public API Key used to authenticate with the MongoDB Atlas API. // The Public Programmatic API Key used to authenticate with the MongoDB Atlas API PublicKey *string `json:"publicKey,omitempty" tf:"public_key,omitempty"` } type SecretBackendParameters struct { + // Path where the MongoDB Atlas Secrets Engine is mounted. // Path where MongoDB Atlas secret backend is mounted // +kubebuilder:validation:Optional Mount *string `json:"mount,omitempty" tf:"mount,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Specifies the Private API Key used to authenticate with the MongoDB Atlas API. // The Private Programmatic API Key used to connect with MongoDB Atlas API // +kubebuilder:validation:Optional PrivateKey *string `json:"privateKey,omitempty" tf:"private_key,omitempty"` + // Specifies the Public API Key used to authenticate with the MongoDB Atlas API. // The Public Programmatic API Key used to authenticate with the MongoDB Atlas API // +kubebuilder:validation:Optional PublicKey *string `json:"publicKey,omitempty" tf:"public_key,omitempty"` 
@@ -55,6 +91,18 @@ type SecretBackendParameters struct { type SecretBackendSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretBackendInitParameters `json:"initProvider,omitempty"` } // SecretBackendStatus defines the observed state of SecretBackend. @@ -65,7 +113,7 @@ type SecretBackendStatus struct { // +kubebuilder:object:root=true -// SecretBackend is the Schema for the SecretBackends API. +// SecretBackend is the Schema for the SecretBackends API. Creates a MongoDB Atlas secret backend for Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -75,9 +123,9 @@ type SecretBackendStatus struct { type SecretBackend struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.mount)",message="mount is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.privateKey)",message="privateKey is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.publicKey)",message="publicKey is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.mount) || has(self.initProvider.mount)",message="mount is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.privateKey) || has(self.initProvider.privateKey)",message="privateKey is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.publicKey) || has(self.initProvider.publicKey)",message="publicKey is a required parameter" Spec SecretBackendSpec `json:"spec"` Status SecretBackendStatus `json:"status,omitempty"` } diff --git a/apis/mongodbatlas/v1alpha1/zz_secretrole_types.go b/apis/mongodbatlas/v1alpha1/zz_secretrole_types.go index 0566ec10..959859b4 100755 --- a/apis/mongodbatlas/v1alpha1/zz_secretrole_types.go +++ b/apis/mongodbatlas/v1alpha1/zz_secretrole_types.go 
@@ -13,86 +13,170 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretRoleInitParameters struct { + + // Whitelist entry in CIDR notation to be added for the API key. + // Whitelist entry in CIDR notation to be added for the API key + CidrBlocks []*string `json:"cidrBlocks,omitempty" tf:"cidr_blocks,omitempty"` + + // IP address to be added to the whitelist for the API key. + // IP address to be added to the whitelist for the API key + IPAddresses []*string `json:"ipAddresses,omitempty" tf:"ip_addresses,omitempty"` + + // The maximum allowed lifetime of credentials issued using this role. + // The maximum allowed lifetime of credentials issued using this role + MaxTTL *string `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` + + // Path where the MongoDB Atlas Secrets Engine is mounted. + // Path where MongoDB Atlas secret backend is mounted + Mount *string `json:"mount,omitempty" tf:"mount,omitempty"` + + // The name of the role. + // Name of the role + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Unique identifier for the organization to which the target API Key belongs. + // Required if project_id is not set. + // ID for the organization to which the target API Key belongs + OrganizationID *string `json:"organizationId,omitempty" tf:"organization_id,omitempty"` + + // Unique identifier for the project to which the target API Key belongs. + // Required if organization_id is not set. 
+ // ID for the project to which the target API Key belongs + ProjectID *string `json:"projectId,omitempty" tf:"project_id,omitempty"` + + // Roles assigned when an org API key is assigned to a project API key. + // Roles assigned when an org API key is assigned to a project API key + ProjectRoles []*string `json:"projectRoles,omitempty" tf:"project_roles,omitempty"` + + // List of roles that the API Key needs to have. + // List of roles that the API Key needs to have + Roles []*string `json:"roles,omitempty" tf:"roles,omitempty"` + + // Duration in seconds after which the issued credential should expire. + // Duration in seconds after which the issued credential should expire + TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` +} + type SecretRoleObservation struct { + // Whitelist entry in CIDR notation to be added for the API key. // Whitelist entry in CIDR notation to be added for the API key CidrBlocks []*string `json:"cidrBlocks,omitempty" tf:"cidr_blocks,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // IP address to be added to the whitelist for the API key. // IP address to be added to the whitelist for the API key IPAddresses []*string `json:"ipAddresses,omitempty" tf:"ip_addresses,omitempty"` + // The maximum allowed lifetime of credentials issued using this role. // The maximum allowed lifetime of credentials issued using this role MaxTTL *string `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` + // Path where the MongoDB Atlas Secrets Engine is mounted. // Path where MongoDB Atlas secret backend is mounted Mount *string `json:"mount,omitempty" tf:"mount,omitempty"` + // The name of the role. // Name of the role Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. 
(requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Unique identifier for the organization to which the target API Key belongs. + // Required if project_id is not set. // ID for the organization to which the target API Key belongs OrganizationID *string `json:"organizationId,omitempty" tf:"organization_id,omitempty"` + // Unique identifier for the project to which the target API Key belongs. + // Required if organization_id is not set. // ID for the project to which the target API Key belongs ProjectID *string `json:"projectId,omitempty" tf:"project_id,omitempty"` + // Roles assigned when an org API key is assigned to a project API key. // Roles assigned when an org API key is assigned to a project API key ProjectRoles []*string `json:"projectRoles,omitempty" tf:"project_roles,omitempty"` + // List of roles that the API Key needs to have. // List of roles that the API Key needs to have Roles []*string `json:"roles,omitempty" tf:"roles,omitempty"` + // Duration in seconds after which the issued credential should expire. // Duration in seconds after which the issued credential should expire TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` } type SecretRoleParameters struct { + // Whitelist entry in CIDR notation to be added for the API key. // Whitelist entry in CIDR notation to be added for the API key // +kubebuilder:validation:Optional CidrBlocks []*string `json:"cidrBlocks,omitempty" tf:"cidr_blocks,omitempty"` + // IP address to be added to the whitelist for the API key. // IP address to be added to the whitelist for the API key // +kubebuilder:validation:Optional IPAddresses []*string `json:"ipAddresses,omitempty" tf:"ip_addresses,omitempty"` + // The maximum allowed lifetime of credentials issued using this role. 
// The maximum allowed lifetime of credentials issued using this role // +kubebuilder:validation:Optional MaxTTL *string `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` + // Path where the MongoDB Atlas Secrets Engine is mounted. // Path where MongoDB Atlas secret backend is mounted // +kubebuilder:validation:Optional Mount *string `json:"mount,omitempty" tf:"mount,omitempty"` + // The name of the role. // Name of the role // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Unique identifier for the organization to which the target API Key belongs. + // Required if project_id is not set. // ID for the organization to which the target API Key belongs // +kubebuilder:validation:Optional OrganizationID *string `json:"organizationId,omitempty" tf:"organization_id,omitempty"` + // Unique identifier for the project to which the target API Key belongs. + // Required if organization_id is not set. // ID for the project to which the target API Key belongs // +kubebuilder:validation:Optional ProjectID *string `json:"projectId,omitempty" tf:"project_id,omitempty"` + // Roles assigned when an org API key is assigned to a project API key. // Roles assigned when an org API key is assigned to a project API key // +kubebuilder:validation:Optional ProjectRoles []*string `json:"projectRoles,omitempty" tf:"project_roles,omitempty"` + // List of roles that the API Key needs to have. 
// List of roles that the API Key needs to have // +kubebuilder:validation:Optional Roles []*string `json:"roles,omitempty" tf:"roles,omitempty"` + // Duration in seconds after which the issued credential should expire. // Duration in seconds after which the issued credential should expire // +kubebuilder:validation:Optional TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` @@ -102,6 +186,18 @@ type SecretRoleParameters struct { type SecretRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretRoleParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretRoleInitParameters `json:"initProvider,omitempty"` } // SecretRoleStatus defines the observed state of SecretRole. 
@@ -112,7 +208,7 @@ type SecretRoleStatus struct { // +kubebuilder:object:root=true -// SecretRole is the Schema for the SecretRoles API. +// SecretRole is the Schema for the SecretRoles API. Creates a role for the MongoDB Atlas Secret Engine in Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -122,9 +218,9 @@ type SecretRoleStatus struct { type SecretRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.mount)",message="mount is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.roles)",message="roles is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.mount) || has(self.initProvider.mount)",message="mount is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.roles) || has(self.initProvider.roles)",message="roles is a required parameter" Spec SecretRoleSpec `json:"spec"` Status SecretRoleStatus `json:"status,omitempty"` } diff --git a/apis/nomad/v1alpha1/zz_generated.deepcopy.go b/apis/nomad/v1alpha1/zz_generated.deepcopy.go index a44297b0..f7f3f7bf 100644 --- a/apis/nomad/v1alpha1/zz_generated.deepcopy.go +++ b/apis/nomad/v1alpha1/zz_generated.deepcopy.go 
@@ -41,6 +41,81 @@ func (in *SecretBackend) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParameters) { + *out = *in + if in.Address != nil { + in, out := &in.Address, &out.Address + *out = new(string) + **out = **in + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.CACert != nil { + in, out := &in.CACert, &out.CACert + *out = new(string) + **out = **in + } + if in.DefaultLeaseTTLSeconds != nil { + in, out := &in.DefaultLeaseTTLSeconds, &out.DefaultLeaseTTLSeconds + *out = new(float64) + **out = **in + } + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.DisableRemount != nil { + in, out := &in.DisableRemount, &out.DisableRemount + *out = new(bool) + **out = **in + } + if in.Local != nil { + in, out := &in.Local, &out.Local + *out = new(bool) + **out = **in + } + if in.MaxLeaseTTLSeconds != nil { + in, out := &in.MaxLeaseTTLSeconds, &out.MaxLeaseTTLSeconds + *out = new(float64) + **out = **in + } + if in.MaxTTL != nil { + in, out := &in.MaxTTL, &out.MaxTTL + *out = new(float64) + **out = **in + } + if in.MaxTokenNameLength != nil { + in, out := &in.MaxTokenNameLength, &out.MaxTokenNameLength + *out = new(float64) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.TTL != nil { + in, out := &in.TTL, &out.TTL + *out = new(float64) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendInitParameters. 
+func (in *SecretBackendInitParameters) DeepCopy() *SecretBackendInitParameters { + if in == nil { + return nil + } + out := new(SecretBackendInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendList) DeepCopyInto(out *SecretBackendList) { *out = *in @@ -248,6 +323,7 @@ func (in *SecretBackendSpec) DeepCopyInto(out *SecretBackendSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendSpec. 
@@ -304,6 +380,57 @@ func (in *SecretRole) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretRoleInitParameters) DeepCopyInto(out *SecretRoleInitParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.Global != nil { + in, out := &in.Global, &out.Global + *out = new(bool) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Policies != nil { + in, out := &in.Policies, &out.Policies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Role != nil { + in, out := &in.Role, &out.Role + *out = new(string) + **out = **in + } + if in.Type != nil { + in, out := &in.Type, &out.Type + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretRoleInitParameters. +func (in *SecretRoleInitParameters) DeepCopy() *SecretRoleInitParameters { + if in == nil { + return nil + } + out := new(SecretRoleInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretRoleList) DeepCopyInto(out *SecretRoleList) { *out = *in @@ -448,6 +575,7 @@ func (in *SecretRoleSpec) DeepCopyInto(out *SecretRoleSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretRoleSpec. 
diff --git a/apis/nomad/v1alpha1/zz_generated.managed.go b/apis/nomad/v1alpha1/zz_generated.managed.go index c8296112..3577b829 100644 --- a/apis/nomad/v1alpha1/zz_generated.managed.go +++ b/apis/nomad/v1alpha1/zz_generated.managed.go @@ -17,9 +17,9 @@ func (mg *SecretBackend) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackend. -func (mg *SecretBackend) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackend. +func (mg *SecretBackend) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackend. @@ -55,9 +55,9 @@ func (mg *SecretBackend) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackend. -func (mg *SecretBackend) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackend. +func (mg *SecretBackend) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackend. @@ -93,9 +93,9 @@ func (mg *SecretRole) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretRole. -func (mg *SecretRole) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretRole. +func (mg *SecretRole) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretRole. 
@@ -131,9 +131,9 @@ func (mg *SecretRole) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretRole. -func (mg *SecretRole) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretRole. +func (mg *SecretRole) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretRole. diff --git a/apis/nomad/v1alpha1/zz_generated_terraformed.go b/apis/nomad/v1alpha1/zz_generated_terraformed.go index 37c56e80..be34595b 100755 --- a/apis/nomad/v1alpha1/zz_generated_terraformed.go +++ b/apis/nomad/v1alpha1/zz_generated_terraformed.go @@ -69,6 +69,16 @@ func (tr *SecretBackend) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackend +func (tr *SecretBackend) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackend using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { @@ -143,6 +153,16 @@ func (tr *SecretRole) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretRole +func (tr *SecretRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretRole) LateInitialize(attrs []byte) (bool, error) { 
diff --git a/apis/nomad/v1alpha1/zz_secretbackend_types.go b/apis/nomad/v1alpha1/zz_secretbackend_types.go index 821b1fa4..aa83f649 100755 --- a/apis/nomad/v1alpha1/zz_secretbackend_types.go +++ b/apis/nomad/v1alpha1/zz_secretbackend_types.go 
@@ -13,81 +13,176 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretBackendInitParameters struct { + + // Specifies the address of the Nomad instance, provided + // as "protocol://host:port" like "http://127.0.0.1:4646". + // Specifies the address of the Nomad instance, provided as "protocol://host:port" like "http://127.0.0.1:4646". + Address *string `json:"address,omitempty" tf:"address,omitempty"` + + // The unique path this backend should be mounted at. Must + // not begin or end with a /. Defaults to nomad. + // The mount path for the Nomad backend. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // CA certificate to use when verifying the Nomad server certificate, must be + // x509 PEM encoded. + // CA certificate to use when verifying Nomad server certificate, must be x509 PEM encoded. + CACert *string `json:"caCert,omitempty" tf:"ca_cert,omitempty"` + + // Default lease duration for secrets in seconds. + // Default lease duration for secrets in seconds. + DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + + // Human-friendly description of the mount for the Active Directory backend. + // Human-friendly description of the mount for the backend. + Description *string `json:"description,omitempty" tf:"description,omitempty"` + + // If set, opts out of mount migration on path updates. + // See here for more info on Mount Migration + // If set, opts out of mount migration on path updates. + DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + + // Mark the secrets engine as local-only. Local engines are not replicated or removed by + // replication.Tolerance duration to use when checking the last rotation time. + // Mark the secrets engine as local-only. Local engines are not replicated or removed by replication. Tolerance duration to use when checking the last rotation time. 
+ Local *bool `json:"local,omitempty" tf:"local,omitempty"` + + // Maximum possible lease duration for secrets in seconds. + MaxLeaseTTLSeconds *float64 `json:"maxLeaseTtlSeconds,omitempty" tf:"max_lease_ttl_seconds,omitempty"` + + // Maximum possible lease duration for secrets in seconds. + // Maximum possible lease duration for secrets in seconds. + MaxTTL *float64 `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` + + // Specifies the maximum length to use for the name of the Nomad token + // generated with Generate Credential. If omitted, 0 is used and ignored, defaulting to the max value allowed + // by the Nomad version. + // Specifies the maximum length to use for the name of the Nomad token generated with Generate Credential. If omitted, 0 is used and ignored, defaulting to the max value allowed by the Nomad version. + MaxTokenNameLength *float64 `json:"maxTokenNameLength,omitempty" tf:"max_token_name_length,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Specifies the ttl of the lease for the generated token. + // Maximum possible lease duration for secrets in seconds. + TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"` +} + type SecretBackendObservation struct { + // Specifies the address of the Nomad instance, provided + // as "protocol://host:port" like "http://127.0.0.1:4646". // Specifies the address of the Nomad instance, provided as "protocol://host:port" like "http://127.0.0.1:4646". Address *string `json:"address,omitempty" tf:"address,omitempty"` + // The unique path this backend should be mounted at. Must + // not begin or end with a /. Defaults to nomad. // The mount path for the Nomad backend. 
Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // CA certificate to use when verifying the Nomad server certificate, must be + // x509 PEM encoded. // CA certificate to use when verifying Nomad server certificate, must be x509 PEM encoded. CACert *string `json:"caCert,omitempty" tf:"ca_cert,omitempty"` + // Default lease duration for secrets in seconds. // Default lease duration for secrets in seconds. DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // Human-friendly description of the mount for the Active Directory backend. // Human-friendly description of the mount for the backend. Description *string `json:"description,omitempty" tf:"description,omitempty"` + // If set, opts out of mount migration on path updates. + // See here for more info on Mount Migration // If set, opts out of mount migration on path updates. DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // Mark the secrets engine as local-only. Local engines are not replicated or removed by + // replication.Tolerance duration to use when checking the last rotation time. // Mark the secrets engine as local-only. Local engines are not replicated or removed by replication. Tolerance duration to use when checking the last rotation time. Local *bool `json:"local,omitempty" tf:"local,omitempty"` // Maximum possible lease duration for secrets in seconds. MaxLeaseTTLSeconds *float64 `json:"maxLeaseTtlSeconds,omitempty" tf:"max_lease_ttl_seconds,omitempty"` + // Maximum possible lease duration for secrets in seconds. // Maximum possible lease duration for secrets in seconds. MaxTTL *float64 `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` + // Specifies the maximum length to use for the name of the Nomad token + // generated with Generate Credential. 
If omitted, 0 is used and ignored, defaulting to the max value allowed + // by the Nomad version. // Specifies the maximum length to use for the name of the Nomad token generated with Generate Credential. If omitted, 0 is used and ignored, defaulting to the max value allowed by the Nomad version. MaxTokenNameLength *float64 `json:"maxTokenNameLength,omitempty" tf:"max_token_name_length,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Specifies the ttl of the lease for the generated token. // Maximum possible lease duration for secrets in seconds. TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"` } type SecretBackendParameters struct { + // Specifies the address of the Nomad instance, provided + // as "protocol://host:port" like "http://127.0.0.1:4646". // Specifies the address of the Nomad instance, provided as "protocol://host:port" like "http://127.0.0.1:4646". // +kubebuilder:validation:Optional Address *string `json:"address,omitempty" tf:"address,omitempty"` + // The unique path this backend should be mounted at. Must + // not begin or end with a /. Defaults to nomad. // The mount path for the Nomad backend. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // CA certificate to use when verifying the Nomad server certificate, must be + // x509 PEM encoded. // CA certificate to use when verifying Nomad server certificate, must be x509 PEM encoded. // +kubebuilder:validation:Optional CACert *string `json:"caCert,omitempty" tf:"ca_cert,omitempty"` + // Client certificate to provide to the Nomad server, must be x509 PEM encoded. 
// Client certificate used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_key. // +kubebuilder:validation:Optional ClientCertSecretRef *v1.SecretKeySelector `json:"clientCertSecretRef,omitempty" tf:"-"` + // Client certificate key to provide to the Nomad server, must be x509 PEM encoded. // Client key used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert. // +kubebuilder:validation:Optional ClientKeySecretRef *v1.SecretKeySelector `json:"clientKeySecretRef,omitempty" tf:"-"` + // Default lease duration for secrets in seconds. // Default lease duration for secrets in seconds. // +kubebuilder:validation:Optional DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // Human-friendly description of the mount for the Active Directory backend. // Human-friendly description of the mount for the backend. // +kubebuilder:validation:Optional Description *string `json:"description,omitempty" tf:"description,omitempty"` + // If set, opts out of mount migration on path updates. + // See here for more info on Mount Migration // If set, opts out of mount migration on path updates. // +kubebuilder:validation:Optional DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + // Mark the secrets engine as local-only. Local engines are not replicated or removed by + // replication.Tolerance duration to use when checking the last rotation time. // Mark the secrets engine as local-only. Local engines are not replicated or removed by replication. Tolerance duration to use when checking the last rotation time. // +kubebuilder:validation:Optional Local *bool `json:"local,omitempty" tf:"local,omitempty"` 
@@ -96,22 +191,32 @@ type SecretBackendParameters struct { // +kubebuilder:validation:Optional MaxLeaseTTLSeconds *float64 `json:"maxLeaseTtlSeconds,omitempty" tf:"max_lease_ttl_seconds,omitempty"` + // Maximum possible lease duration for secrets in seconds. // Maximum possible lease duration for secrets in seconds. // +kubebuilder:validation:Optional MaxTTL *float64 `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` + // Specifies the maximum length to use for the name of the Nomad token + // generated with Generate Credential. If omitted, 0 is used and ignored, defaulting to the max value allowed + // by the Nomad version. // Specifies the maximum length to use for the name of the Nomad token generated with Generate Credential. If omitted, 0 is used and ignored, defaulting to the max value allowed by the Nomad version. // +kubebuilder:validation:Optional MaxTokenNameLength *float64 `json:"maxTokenNameLength,omitempty" tf:"max_token_name_length,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Specifies the ttl of the lease for the generated token. // Maximum possible lease duration for secrets in seconds. // +kubebuilder:validation:Optional TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"` + // Specifies the Nomad Management token to use. // Specifies the Nomad Management token to use. // +kubebuilder:validation:Optional TokenSecretRef *v1.SecretKeySelector `json:"tokenSecretRef,omitempty" tf:"-"` 
@@ -121,6 +226,18 @@ type SecretBackendParameters struct { type SecretBackendSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretBackendInitParameters `json:"initProvider,omitempty"` } // SecretBackendStatus defines the observed state of SecretBackend. @@ -131,7 +248,7 @@ type SecretBackendStatus struct { // +kubebuilder:object:root=true -// SecretBackend is the Schema for the SecretBackends API. +// SecretBackend is the Schema for the SecretBackends API. Creates a Nomad secret backend for Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" diff --git a/apis/nomad/v1alpha1/zz_secretrole_types.go b/apis/nomad/v1alpha1/zz_secretrole_types.go index 470e0e8b..38a04367 100755 --- a/apis/nomad/v1alpha1/zz_secretrole_types.go +++ b/apis/nomad/v1alpha1/zz_secretrole_types.go 
@@ -13,51 +13,114 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretRoleInitParameters struct { + + // The unique path this backend should be mounted at. Must + // not begin or end with a /. Defaults to nomad. + // The mount path for the Nomad backend. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // Specifies if the generated token should be global. Defaults to + // false. + // Specifies if the token should be global. + Global *bool `json:"global,omitempty" tf:"global,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // List of policies attached to the generated token. This setting is only used + // when type is 'client'. + // Comma separated list of Nomad policies the token is going to be created against. These need to be created beforehand in Nomad. + Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` + + // The name to identify this role within the backend. + // Must be unique within the backend. + // Name of the role. + Role *string `json:"role,omitempty" tf:"role,omitempty"` + + // Specifies the type of token to create when using this role. Valid + // settings are 'client' and 'management'. Defaults to 'client'. + // Specifies the type of token to create when using this role. Valid values are "client" or "management". + Type *string `json:"type,omitempty" tf:"type,omitempty"` +} + type SecretRoleObservation struct { + // The unique path this backend should be mounted at. Must + // not begin or end with a /. Defaults to nomad. // The mount path for the Nomad backend. 
Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Specifies if the generated token should be global. Defaults to + // false. // Specifies if the token should be global. Global *bool `json:"global,omitempty" tf:"global,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // List of policies attached to the generated token. This setting is only used + // when type is 'client'. // Comma separated list of Nomad policies the token is going to be created against. These need to be created beforehand in Nomad. Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` + // The name to identify this role within the backend. + // Must be unique within the backend. // Name of the role. Role *string `json:"role,omitempty" tf:"role,omitempty"` + // Specifies the type of token to create when using this role. Valid + // settings are 'client' and 'management'. Defaults to 'client'. // Specifies the type of token to create when using this role. Valid values are "client" or "management". Type *string `json:"type,omitempty" tf:"type,omitempty"` } type SecretRoleParameters struct { + // The unique path this backend should be mounted at. Must + // not begin or end with a /. Defaults to nomad. // The mount path for the Nomad backend. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Specifies if the generated token should be global. Defaults to + // false. // Specifies if the token should be global. 
// +kubebuilder:validation:Optional Global *bool `json:"global,omitempty" tf:"global,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // List of policies attached to the generated token. This setting is only used + // when type is 'client'. // Comma separated list of Nomad policies the token is going to be created against. These need to be created beforehand in Nomad. // +kubebuilder:validation:Optional Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` + // The name to identify this role within the backend. + // Must be unique within the backend. // Name of the role. // +kubebuilder:validation:Optional Role *string `json:"role,omitempty" tf:"role,omitempty"` + // Specifies the type of token to create when using this role. Valid + // settings are 'client' and 'management'. Defaults to 'client'. // Specifies the type of token to create when using this role. Valid values are "client" or "management". // +kubebuilder:validation:Optional Type *string `json:"type,omitempty" tf:"type,omitempty"` 
@@ -67,6 +130,18 @@ type SecretRoleParameters struct { type SecretRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretRoleParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretRoleInitParameters `json:"initProvider,omitempty"` } // SecretRoleStatus defines the observed state of SecretRole. @@ -77,7 +152,7 @@ type SecretRoleStatus struct { // +kubebuilder:object:root=true -// SecretRole is the Schema for the SecretRoles API. +// SecretRole is the Schema for the SecretRoles API. Creates a Nomad role. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -87,8 +162,8 @@ type SecretRoleStatus struct { type SecretRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.role)",message="role is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.role) || has(self.initProvider.role)",message="role is a required parameter" Spec SecretRoleSpec `json:"spec"` Status SecretRoleStatus `json:"status,omitempty"` } diff --git a/apis/okta/v1alpha1/zz_authbackend_types.go b/apis/okta/v1alpha1/zz_authbackend_types.go index 53567783..a1f777cc 100755 --- a/apis/okta/v1alpha1/zz_authbackend_types.go +++ b/apis/okta/v1alpha1/zz_authbackend_types.go 
@@ -13,6 +13,40 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AuthBackendInitParameters struct { + + // The Okta url. Examples: oktapreview.com, okta.com (default) + BaseURL *string `json:"baseUrl,omitempty" tf:"base_url,omitempty"` + + // When true, requests by Okta for a MFA check will be bypassed. This also disallows certain status checks on the account, such as whether the password is expired. + BypassOktaMfa *bool `json:"bypassOktaMfa,omitempty" tf:"bypass_okta_mfa,omitempty"` + + // The description of the auth backend + Description *string `json:"description,omitempty" tf:"description,omitempty"` + + // If set, opts out of mount migration on path updates. + DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + + Group []GroupInitParameters `json:"group,omitempty" tf:"group,omitempty"` + + // Maximum duration after which authentication will be expired + MaxTTL *string `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` + + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The Okta organization. This will be the first part of the url https://XXX.okta.com. + Organization *string `json:"organization,omitempty" tf:"organization,omitempty"` + + // path to mount the backend + Path *string `json:"path,omitempty" tf:"path,omitempty"` + + // Duration after which authentication will be expired + TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` + + User []UserInitParameters `json:"user,omitempty" tf:"user,omitempty"` +} + type AuthBackendObservation struct { // The mount accessor related to the auth mount. 
@@ -101,6 +135,12 @@ type AuthBackendParameters struct { User []UserParameters `json:"user,omitempty" tf:"user,omitempty"` } +type GroupInitParameters struct { + GroupName *string `json:"groupName,omitempty" tf:"group_name"` + + Policies []*string `json:"policies,omitempty" tf:"policies"` +} + type GroupObservation struct { GroupName *string `json:"groupName,omitempty" tf:"group_name,omitempty"` @@ -116,6 +156,14 @@ type GroupParameters struct { Policies []*string `json:"policies,omitempty" tf:"policies"` } +type UserInitParameters struct { + Groups []*string `json:"groups,omitempty" tf:"groups"` + + Policies []*string `json:"policies,omitempty" tf:"policies"` + + Username *string `json:"username,omitempty" tf:"username"` +} + type UserObservation struct { Groups []*string `json:"groups,omitempty" tf:"groups,omitempty"` @@ -140,6 +188,18 @@ type UserParameters struct { type AuthBackendSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider AuthBackendInitParameters `json:"initProvider,omitempty"` } // AuthBackendStatus defines the observed state of AuthBackend. 
@@ -160,7 +220,7 @@ type AuthBackendStatus struct { type AuthBackend struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.organization)",message="organization is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.organization) || has(self.initProvider.organization)",message="organization is a required parameter" Spec AuthBackendSpec `json:"spec"` Status AuthBackendStatus `json:"status,omitempty"` } diff --git a/apis/okta/v1alpha1/zz_authbackendgroup_types.go b/apis/okta/v1alpha1/zz_authbackendgroup_types.go index cdcba514..0866d233 100755 --- a/apis/okta/v1alpha1/zz_authbackendgroup_types.go +++ b/apis/okta/v1alpha1/zz_authbackendgroup_types.go @@ -13,6 +13,21 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AuthBackendGroupInitParameters struct { + + // Name of the Okta group + GroupName *string `json:"groupName,omitempty" tf:"group_name,omitempty"` + + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Path to the Okta auth backend + Path *string `json:"path,omitempty" tf:"path,omitempty"` + + // Policies to associate with this group + Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` +} + type AuthBackendGroupObservation struct { // Name of the Okta group 
@@ -53,6 +68,18 @@ type AuthBackendGroupParameters struct { type AuthBackendGroupSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendGroupParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider AuthBackendGroupInitParameters `json:"initProvider,omitempty"` } // AuthBackendGroupStatus defines the observed state of AuthBackendGroup. 
@@ -73,8 +100,8 @@ type AuthBackendGroupStatus struct { type AuthBackendGroup struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.groupName)",message="groupName is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path)",message="path is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.groupName) || has(self.initProvider.groupName)",message="groupName is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter" Spec AuthBackendGroupSpec `json:"spec"` Status AuthBackendGroupStatus `json:"status,omitempty"` } diff --git a/apis/okta/v1alpha1/zz_authbackenduser_types.go b/apis/okta/v1alpha1/zz_authbackenduser_types.go index 5f8daceb..243dc53b 100755 --- a/apis/okta/v1alpha1/zz_authbackenduser_types.go +++ b/apis/okta/v1alpha1/zz_authbackenduser_types.go 
@@ -13,6 +13,24 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AuthBackendUserInitParameters struct { + + // Groups within the Okta auth backend to associate with this user + Groups []*string `json:"groups,omitempty" tf:"groups,omitempty"` + + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Path to the Okta auth backend + Path *string `json:"path,omitempty" tf:"path,omitempty"` + + // Policies to associate with this user + Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` + + // Name of the user within Okta + Username *string `json:"username,omitempty" tf:"username,omitempty"` +} + type AuthBackendUserObservation struct { // Groups within the Okta auth backend to associate with this user @@ -60,6 +78,18 @@ type AuthBackendUserParameters struct { type AuthBackendUserSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendUserParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider AuthBackendUserInitParameters `json:"initProvider,omitempty"` } // AuthBackendUserStatus defines the observed state of AuthBackendUser. 
@@ -80,8 +110,8 @@ type AuthBackendUserStatus struct { type AuthBackendUser struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path)",message="path is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.username)",message="username is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.username) || has(self.initProvider.username)",message="username is a required parameter" Spec AuthBackendUserSpec `json:"spec"` Status AuthBackendUserStatus `json:"status,omitempty"` } diff --git a/apis/okta/v1alpha1/zz_generated.deepcopy.go b/apis/okta/v1alpha1/zz_generated.deepcopy.go index 4f9dd22b..bafc3955 100644 --- a/apis/okta/v1alpha1/zz_generated.deepcopy.go +++ b/apis/okta/v1alpha1/zz_generated.deepcopy.go 
@@ -68,6 +68,47 @@ func (in *AuthBackendGroup) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendGroupInitParameters) DeepCopyInto(out *AuthBackendGroupInitParameters) { + *out = *in + if in.GroupName != nil { + in, out := &in.GroupName, &out.GroupName + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = **in + } + if in.Policies != nil { + in, out := &in.Policies, &out.Policies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendGroupInitParameters. +func (in *AuthBackendGroupInitParameters) DeepCopy() *AuthBackendGroupInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendGroupInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthBackendGroupList) DeepCopyInto(out *AuthBackendGroupList) { *out = *in @@ -192,6 +233,7 @@ func (in *AuthBackendGroupSpec) DeepCopyInto(out *AuthBackendGroupSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendGroupSpec. 
@@ -221,6 +263,80 @@ func (in *AuthBackendGroupStatus) DeepCopy() *AuthBackendGroupStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendInitParameters) DeepCopyInto(out *AuthBackendInitParameters) { + *out = *in + if in.BaseURL != nil { + in, out := &in.BaseURL, &out.BaseURL + *out = new(string) + **out = **in + } + if in.BypassOktaMfa != nil { + in, out := &in.BypassOktaMfa, &out.BypassOktaMfa + *out = new(bool) + **out = **in + } + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.DisableRemount != nil { + in, out := &in.DisableRemount, &out.DisableRemount + *out = new(bool) + **out = **in + } + if in.Group != nil { + in, out := &in.Group, &out.Group + *out = make([]GroupInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.MaxTTL != nil { + in, out := &in.MaxTTL, &out.MaxTTL + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Organization != nil { + in, out := &in.Organization, &out.Organization + *out = new(string) + **out = **in + } + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = **in + } + if in.TTL != nil { + in, out := &in.TTL, &out.TTL + *out = new(string) + **out = **in + } + if in.User != nil { + in, out := &in.User, &out.User + *out = make([]UserInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendInitParameters. 
+func (in *AuthBackendInitParameters) DeepCopy() *AuthBackendInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthBackendList) DeepCopyInto(out *AuthBackendList) { *out = *in @@ -421,6 +537,7 @@ func (in *AuthBackendSpec) DeepCopyInto(out *AuthBackendSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendSpec. 
@@ -477,6 +594,58 @@ func (in *AuthBackendUser) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendUserInitParameters) DeepCopyInto(out *AuthBackendUserInitParameters) { + *out = *in + if in.Groups != nil { + in, out := &in.Groups, &out.Groups + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = **in + } + if in.Policies != nil { + in, out := &in.Policies, &out.Policies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendUserInitParameters. +func (in *AuthBackendUserInitParameters) DeepCopy() *AuthBackendUserInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendUserInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthBackendUserList) DeepCopyInto(out *AuthBackendUserList) { *out = *in @@ -623,6 +792,7 @@ func (in *AuthBackendUserSpec) DeepCopyInto(out *AuthBackendUserSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendUserSpec. 
@@ -652,6 +822,37 @@ func (in *AuthBackendUserStatus) DeepCopy() *AuthBackendUserStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GroupInitParameters) DeepCopyInto(out *GroupInitParameters) { + *out = *in + if in.GroupName != nil { + in, out := &in.GroupName, &out.GroupName + *out = new(string) + **out = **in + } + if in.Policies != nil { + in, out := &in.Policies, &out.Policies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupInitParameters. +func (in *GroupInitParameters) DeepCopy() *GroupInitParameters { + if in == nil { + return nil + } + out := new(GroupInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GroupObservation) DeepCopyInto(out *GroupObservation) { *out = *in 
@@ -714,6 +915,48 @@ func (in *GroupParameters) DeepCopy() *GroupParameters { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *UserInitParameters) DeepCopyInto(out *UserInitParameters) { + *out = *in + if in.Groups != nil { + in, out := &in.Groups, &out.Groups + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Policies != nil { + in, out := &in.Policies, &out.Policies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserInitParameters. +func (in *UserInitParameters) DeepCopy() *UserInitParameters { + if in == nil { + return nil + } + out := new(UserInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *UserObservation) DeepCopyInto(out *UserObservation) { *out = *in diff --git a/apis/okta/v1alpha1/zz_generated.managed.go b/apis/okta/v1alpha1/zz_generated.managed.go index c0981ce1..ae342697 100644 --- a/apis/okta/v1alpha1/zz_generated.managed.go +++ b/apis/okta/v1alpha1/zz_generated.managed.go 
@@ -17,9 +17,9 @@ func (mg *AuthBackend) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this AuthBackend. -func (mg *AuthBackend) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this AuthBackend. +func (mg *AuthBackend) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this AuthBackend. @@ -55,9 +55,9 @@ func (mg *AuthBackend) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this AuthBackend. -func (mg *AuthBackend) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this AuthBackend. +func (mg *AuthBackend) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this AuthBackend. @@ -93,9 +93,9 @@ func (mg *AuthBackendGroup) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this AuthBackendGroup. -func (mg *AuthBackendGroup) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this AuthBackendGroup. +func (mg *AuthBackendGroup) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this AuthBackendGroup. @@ -131,9 +131,9 @@ func (mg *AuthBackendGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this AuthBackendGroup. -func (mg *AuthBackendGroup) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this AuthBackendGroup. +func (mg *AuthBackendGroup) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this AuthBackendGroup. 
@@ -169,9 +169,9 @@ func (mg *AuthBackendUser) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this AuthBackendUser. -func (mg *AuthBackendUser) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this AuthBackendUser. +func (mg *AuthBackendUser) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this AuthBackendUser. @@ -207,9 +207,9 @@ func (mg *AuthBackendUser) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this AuthBackendUser. -func (mg *AuthBackendUser) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this AuthBackendUser. +func (mg *AuthBackendUser) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this AuthBackendUser. diff --git a/apis/okta/v1alpha1/zz_generated_terraformed.go b/apis/okta/v1alpha1/zz_generated_terraformed.go index ccff7e3c..58fff24a 100755 --- a/apis/okta/v1alpha1/zz_generated_terraformed.go +++ b/apis/okta/v1alpha1/zz_generated_terraformed.go @@ -69,6 +69,16 @@ func (tr *AuthBackend) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this AuthBackend +func (tr *AuthBackend) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this AuthBackend using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackend) LateInitialize(attrs []byte) (bool, error) { 
@@ -143,6 +153,16 @@ func (tr *AuthBackendGroup) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this AuthBackendGroup +func (tr *AuthBackendGroup) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this AuthBackendGroup using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackendGroup) LateInitialize(attrs []byte) (bool, error) { @@ -217,6 +237,16 @@ func (tr *AuthBackendUser) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this AuthBackendUser +func (tr *AuthBackendUser) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this AuthBackendUser using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackendUser) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/password/v1alpha1/zz_generated.deepcopy.go b/apis/password/v1alpha1/zz_generated.deepcopy.go index 92f80b37..5ec54fe4 100644 --- a/apis/password/v1alpha1/zz_generated.deepcopy.go +++ b/apis/password/v1alpha1/zz_generated.deepcopy.go 
@@ -40,6 +40,36 @@ func (in *Policy) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyInitParameters) DeepCopyInto(out *PolicyInitParameters) { + *out = *in + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Policy != nil { + in, out := &in.Policy, &out.Policy + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyInitParameters. +func (in *PolicyInitParameters) DeepCopy() *PolicyInitParameters { + if in == nil { + return nil + } + out := new(PolicyInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PolicyList) DeepCopyInto(out *PolicyList) { *out = *in @@ -142,6 +172,7 @@ func (in *PolicySpec) DeepCopyInto(out *PolicySpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicySpec. diff --git a/apis/password/v1alpha1/zz_generated.managed.go b/apis/password/v1alpha1/zz_generated.managed.go index 51f4cdcf..a29e31ba 100644 --- a/apis/password/v1alpha1/zz_generated.managed.go +++ b/apis/password/v1alpha1/zz_generated.managed.go 
@@ -17,9 +17,9 @@ func (mg *Policy) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this Policy. -func (mg *Policy) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this Policy. +func (mg *Policy) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this Policy. @@ -55,9 +55,9 @@ func (mg *Policy) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this Policy. -func (mg *Policy) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this Policy. +func (mg *Policy) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this Policy. diff --git a/apis/password/v1alpha1/zz_generated_terraformed.go b/apis/password/v1alpha1/zz_generated_terraformed.go index 90d5ae89..92a0dc9a 100755 --- a/apis/password/v1alpha1/zz_generated_terraformed.go +++ b/apis/password/v1alpha1/zz_generated_terraformed.go @@ -69,6 +69,16 @@ func (tr *Policy) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this Policy +func (tr *Policy) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this Policy using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *Policy) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/password/v1alpha1/zz_policy_types.go b/apis/password/v1alpha1/zz_policy_types.go index c9a8c9dc..7cb3ccf1 100755 --- a/apis/password/v1alpha1/zz_policy_types.go +++ b/apis/password/v1alpha1/zz_policy_types.go 
@@ -13,29 +13,59 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type PolicyInitParameters struct { + + // The name of the password policy. + // Name of the password policy. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // String containing a password policy. + // The password policy document + Policy *string `json:"policy,omitempty" tf:"policy,omitempty"` +} + type PolicyObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The name of the password policy. // Name of the password policy. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // String containing a password policy. // The password policy document Policy *string `json:"policy,omitempty" tf:"policy,omitempty"` } type PolicyParameters struct { + // The name of the password policy. // Name of the password policy. // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. 
(requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // String containing a password policy. // The password policy document // +kubebuilder:validation:Optional Policy *string `json:"policy,omitempty" tf:"policy,omitempty"` @@ -45,6 +75,18 @@ type PolicyParameters struct { type PolicySpec struct { v1.ResourceSpec `json:",inline"` ForProvider PolicyParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider PolicyInitParameters `json:"initProvider,omitempty"` } // PolicyStatus defines the observed state of Policy. @@ -55,7 +97,7 @@ type PolicyStatus struct { // +kubebuilder:object:root=true -// Policy is the Schema for the Policys API. +// Policy is the Schema for the Policys API. Writes Password policies for Vault // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
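Review bot: The new `Policy` field in `PolicyInitParameters` carries no caveat that, if I read the `InitProvider` doc comment in the `PolicySpec` hunk correctly, anything set there is added to the terraform ignore_changes hook and never updated after creation; for a Vault password policy that means an out-of-band weakening of the policy document would not be reconciled back, unlike a value under `forProvider.policy`. Suggest a comment above the field: `// NOTE: a policy set here (rather than in forProvider) is excluded from post-create updates, so later changes to the document, including edits made directly in Vault, are not corrected; use forProvider.policy when drift must be reconciled.` The `zz_` prefix suggests this file is upjet-generated, so the wording likely belongs in the generator template or the provider's doc configuration rather than in this file.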
@@ -65,8 +107,8 @@ type PolicyStatus struct { type Policy struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)",message="policy is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.policy) || has(self.initProvider.policy)",message="policy is a required parameter" Spec PolicySpec `json:"spec"` Status PolicyStatus `json:"status,omitempty"` } diff --git a/apis/pki/v1alpha1/zz_generated.deepcopy.go b/apis/pki/v1alpha1/zz_generated.deepcopy.go index 6af161f0..57a79423 100644 --- a/apis/pki/v1alpha1/zz_generated.deepcopy.go +++ b/apis/pki/v1alpha1/zz_generated.deepcopy.go 
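Review bot: The rewritten XValidation rules select `self.initProvider.name` and `self.initProvider.policy` without first checking `has(self.initProvider)`, yet `initProvider` is declared `json:"initProvider,omitempty"` in the `PolicySpec` hunk; I believe selecting a field on an absent object is an evaluation error in Kubernetes CEL, so a manifest that omits the whole `initProvider` object and also lacks `forProvider.name` would surface that error instead of the intended `name is a required parameter` message (the `||` only absorbs the error when another operand is true). Suggest guarding the object first: `... || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))`, and the same shape for `policy`. The object is rejected either way, so this is about the message shown to the user rather than a validation bypass. As the file appears upjet-generated, the fix belongs in the rule template that emits these markers.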
@@ -13,6 +13,36 @@ import ( runtime "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyIdentifierInitParameters) DeepCopyInto(out *PolicyIdentifierInitParameters) { + *out = *in + if in.Cps != nil { + in, out := &in.Cps, &out.Cps + *out = new(string) + **out = **in + } + if in.Notice != nil { + in, out := &in.Notice, &out.Notice + *out = new(string) + **out = **in + } + if in.Oid != nil { + in, out := &in.Oid, &out.Oid + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyIdentifierInitParameters. +func (in *PolicyIdentifierInitParameters) DeepCopy() *PolicyIdentifierInitParameters { + if in == nil { + return nil + } + out := new(PolicyIdentifierInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PolicyIdentifierObservation) DeepCopyInto(out *PolicyIdentifierObservation) { *out = *in 
@@ -100,6 +130,120 @@ func (in *SecretBackendCert) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendCertInitParameters) DeepCopyInto(out *SecretBackendCertInitParameters) { + *out = *in + if in.AltNames != nil { + in, out := &in.AltNames, &out.AltNames + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.AutoRenew != nil { + in, out := &in.AutoRenew, &out.AutoRenew + *out = new(bool) + **out = **in + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.CommonName != nil { + in, out := &in.CommonName, &out.CommonName + *out = new(string) + **out = **in + } + if in.ExcludeCnFromSans != nil { + in, out := &in.ExcludeCnFromSans, &out.ExcludeCnFromSans + *out = new(bool) + **out = **in + } + if in.Format != nil { + in, out := &in.Format, &out.Format + *out = new(string) + **out = **in + } + if in.IPSans != nil { + in, out := &in.IPSans, &out.IPSans + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.MinSecondsRemaining != nil { + in, out := &in.MinSecondsRemaining, &out.MinSecondsRemaining + *out = new(float64) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.OtherSans != nil { + in, out := &in.OtherSans, &out.OtherSans + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.PrivateKeyFormat != nil { + in, out := &in.PrivateKeyFormat, 
&out.PrivateKeyFormat + *out = new(string) + **out = **in + } + if in.Revoke != nil { + in, out := &in.Revoke, &out.Revoke + *out = new(bool) + **out = **in + } + if in.TTL != nil { + in, out := &in.TTL, &out.TTL + *out = new(string) + **out = **in + } + if in.URISans != nil { + in, out := &in.URISans, &out.URISans + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendCertInitParameters. +func (in *SecretBackendCertInitParameters) DeepCopy() *SecretBackendCertInitParameters { + if in == nil { + return nil + } + out := new(SecretBackendCertInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendCertList) DeepCopyInto(out *SecretBackendCertList) { *out = *in @@ -405,6 +549,7 @@ func (in *SecretBackendCertSpec) DeepCopyInto(out *SecretBackendCertSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendCertSpec. 
@@ -461,6 +606,31 @@ func (in *SecretBackendConfigCA) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendConfigCAInitParameters) DeepCopyInto(out *SecretBackendConfigCAInitParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendConfigCAInitParameters. +func (in *SecretBackendConfigCAInitParameters) DeepCopy() *SecretBackendConfigCAInitParameters { + if in == nil { + return nil + } + out := new(SecretBackendConfigCAInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendConfigCAList) DeepCopyInto(out *SecretBackendConfigCAList) { *out = *in @@ -554,6 +724,7 @@ func (in *SecretBackendConfigCASpec) DeepCopyInto(out *SecretBackendConfigCASpec *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendConfigCASpec. 
@@ -610,6 +781,64 @@ func (in *SecretBackendConfigUrls) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendConfigUrlsInitParameters) DeepCopyInto(out *SecretBackendConfigUrlsInitParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.CrlDistributionPoints != nil { + in, out := &in.CrlDistributionPoints, &out.CrlDistributionPoints + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.IssuingCertificates != nil { + in, out := &in.IssuingCertificates, &out.IssuingCertificates + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.OcspServers != nil { + in, out := &in.OcspServers, &out.OcspServers + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendConfigUrlsInitParameters. +func (in *SecretBackendConfigUrlsInitParameters) DeepCopy() *SecretBackendConfigUrlsInitParameters { + if in == nil { + return nil + } + out := new(SecretBackendConfigUrlsInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendConfigUrlsList) DeepCopyInto(out *SecretBackendConfigUrlsList) { *out = *in 
@@ -768,6 +997,7 @@ func (in *SecretBackendConfigUrlsSpec) DeepCopyInto(out *SecretBackendConfigUrls *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendConfigUrlsSpec. @@ -825,39 +1055,7 @@ func (in *SecretBackendCrlConfig) DeepCopyObject() runtime.Object { } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretBackendCrlConfigList) DeepCopyInto(out *SecretBackendCrlConfigList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]SecretBackendCrlConfig, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendCrlConfigList. -func (in *SecretBackendCrlConfigList) DeepCopy() *SecretBackendCrlConfigList { - if in == nil { - return nil - } - out := new(SecretBackendCrlConfigList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *SecretBackendCrlConfigList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretBackendCrlConfigObservation) DeepCopyInto(out *SecretBackendCrlConfigObservation) { +func (in *SecretBackendCrlConfigInitParameters) DeepCopyInto(out *SecretBackendCrlConfigInitParameters) { *out = *in if in.AutoRebuild != nil { in, out := &in.AutoRebuild, &out.AutoRebuild 
@@ -899,11 +1097,6 @@ func (in *SecretBackendCrlConfigObservation) DeepCopyInto(out *SecretBackendCrlC *out = new(string) **out = **in } - if in.ID != nil { - in, out := &in.ID, &out.ID - *out = new(string) - **out = **in - } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) 
@@ -931,21 +1124,138 @@ func (in *SecretBackendCrlConfigObservation) DeepCopyInto(out *SecretBackendCrlC } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendCrlConfigObservation. -func (in *SecretBackendCrlConfigObservation) DeepCopy() *SecretBackendCrlConfigObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendCrlConfigInitParameters. +func (in *SecretBackendCrlConfigInitParameters) DeepCopy() *SecretBackendCrlConfigInitParameters { if in == nil { return nil } - out := new(SecretBackendCrlConfigObservation) + out := new(SecretBackendCrlConfigInitParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretBackendCrlConfigParameters) DeepCopyInto(out *SecretBackendCrlConfigParameters) { +func (in *SecretBackendCrlConfigList) DeepCopyInto(out *SecretBackendCrlConfigList) { *out = *in - if in.AutoRebuild != nil { - in, out := &in.AutoRebuild, &out.AutoRebuild + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]SecretBackendCrlConfig, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendCrlConfigList. +func (in *SecretBackendCrlConfigList) DeepCopy() *SecretBackendCrlConfigList { + if in == nil { + return nil + } + out := new(SecretBackendCrlConfigList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *SecretBackendCrlConfigList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendCrlConfigObservation) DeepCopyInto(out *SecretBackendCrlConfigObservation) { + *out = *in + if in.AutoRebuild != nil { + in, out := &in.AutoRebuild, &out.AutoRebuild + *out = new(bool) + **out = **in + } + if in.AutoRebuildGracePeriod != nil { + in, out := &in.AutoRebuildGracePeriod, &out.AutoRebuildGracePeriod + *out = new(string) + **out = **in + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.CrossClusterRevocation != nil { + in, out := &in.CrossClusterRevocation, &out.CrossClusterRevocation + *out = new(bool) + **out = **in + } + if in.DeltaRebuildInterval != nil { + in, out := &in.DeltaRebuildInterval, &out.DeltaRebuildInterval + *out = new(string) + **out = **in + } + if in.Disable != nil { + in, out := &in.Disable, &out.Disable + *out = new(bool) + **out = **in + } + if in.EnableDelta != nil { + in, out := &in.EnableDelta, &out.EnableDelta + *out = new(bool) + **out = **in + } + if in.Expiry != nil { + in, out := &in.Expiry, &out.Expiry + *out = new(string) + **out = **in + } + if in.ID != nil { + in, out := &in.ID, &out.ID + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.OcspDisable != nil { + in, out := &in.OcspDisable, &out.OcspDisable + *out = new(bool) + **out = **in + } + if in.OcspExpiry != nil { + in, out := &in.OcspExpiry, &out.OcspExpiry + *out = new(string) + **out = **in + } + if in.UnifiedCrl != nil { + in, out := &in.UnifiedCrl, &out.UnifiedCrl + *out = new(bool) + **out = **in + } + if in.UnifiedCrlOnExistingPaths != nil { + in, out := &in.UnifiedCrlOnExistingPaths, 
&out.UnifiedCrlOnExistingPaths + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendCrlConfigObservation. +func (in *SecretBackendCrlConfigObservation) DeepCopy() *SecretBackendCrlConfigObservation { + if in == nil { + return nil + } + out := new(SecretBackendCrlConfigObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendCrlConfigParameters) DeepCopyInto(out *SecretBackendCrlConfigParameters) { + *out = *in + if in.AutoRebuild != nil { + in, out := &in.AutoRebuild, &out.AutoRebuild *out = new(bool) **out = **in } @@ -1026,6 +1336,7 @@ func (in *SecretBackendCrlConfigSpec) DeepCopyInto(out *SecretBackendCrlConfigSp *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendCrlConfigSpec. 
@@ -1083,39 +1394,7 @@ func (in *SecretBackendIntermediateCertRequest) DeepCopyObject() runtime.Object } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretBackendIntermediateCertRequestList) DeepCopyInto(out *SecretBackendIntermediateCertRequestList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]SecretBackendIntermediateCertRequest, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendIntermediateCertRequestList. -func (in *SecretBackendIntermediateCertRequestList) DeepCopy() *SecretBackendIntermediateCertRequestList { - if in == nil { - return nil - } - out := new(SecretBackendIntermediateCertRequestList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *SecretBackendIntermediateCertRequestList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretBackendIntermediateCertRequestObservation) DeepCopyInto(out *SecretBackendIntermediateCertRequestObservation) { +func (in *SecretBackendIntermediateCertRequestInitParameters) DeepCopyInto(out *SecretBackendIntermediateCertRequestInitParameters) { *out = *in if in.AddBasicConstraints != nil { in, out := &in.AddBasicConstraints, &out.AddBasicConstraints 
@@ -1148,11 +1427,6 @@ func (in *SecretBackendIntermediateCertRequestObservation) DeepCopyInto(out *Sec *out = new(string) **out = **in } - if in.Csr != nil { - in, out := &in.Csr, &out.Csr - *out = new(string) - **out = **in - } if in.ExcludeCnFromSans != nil { in, out := &in.ExcludeCnFromSans, &out.ExcludeCnFromSans *out = new(bool) @@ -1163,11 +1437,6 @@ func (in *SecretBackendIntermediateCertRequestObservation) DeepCopyInto(out *Sec *out = new(string) **out = **in } - if in.ID != nil { - in, out := &in.ID, &out.ID - *out = new(string) - **out = **in - } if in.IPSans != nil { in, out := &in.IPSans, &out.IPSans *out = make([]*string, len(*in)) @@ -1240,11 +1509,6 @@ func (in *SecretBackendIntermediateCertRequestObservation) DeepCopyInto(out *Sec *out = new(string) **out = **in } - if in.PrivateKeyType != nil { - in, out := &in.PrivateKeyType, &out.PrivateKeyType - *out = new(string) - **out = **in - } if in.Province != nil { in, out := &in.Province, &out.Province *out = new(string) 
@@ -1273,18 +1537,50 @@ func (in *SecretBackendIntermediateCertRequestObservation) DeepCopyInto(out *Sec } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendIntermediateCertRequestObservation. -func (in *SecretBackendIntermediateCertRequestObservation) DeepCopy() *SecretBackendIntermediateCertRequestObservation { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendIntermediateCertRequestInitParameters. +func (in *SecretBackendIntermediateCertRequestInitParameters) DeepCopy() *SecretBackendIntermediateCertRequestInitParameters { if in == nil { return nil } - out := new(SecretBackendIntermediateCertRequestObservation) + out := new(SecretBackendIntermediateCertRequestInitParameters) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretBackendIntermediateCertRequestParameters) DeepCopyInto(out *SecretBackendIntermediateCertRequestParameters) { +func (in *SecretBackendIntermediateCertRequestList) DeepCopyInto(out *SecretBackendIntermediateCertRequestList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]SecretBackendIntermediateCertRequest, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendIntermediateCertRequestList. +func (in *SecretBackendIntermediateCertRequestList) DeepCopy() *SecretBackendIntermediateCertRequestList { + if in == nil { + return nil + } + out := new(SecretBackendIntermediateCertRequestList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *SecretBackendIntermediateCertRequestList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendIntermediateCertRequestObservation) DeepCopyInto(out *SecretBackendIntermediateCertRequestObservation) { *out = *in if in.AddBasicConstraints != nil { in, out := &in.AddBasicConstraints, &out.AddBasicConstraints @@ -1317,6 +1613,11 @@ func (in *SecretBackendIntermediateCertRequestParameters) DeepCopyInto(out *Secr *out = new(string) **out = **in } + if in.Csr != nil { + in, out := &in.Csr, &out.Csr + *out = new(string) + **out = **in + } if in.ExcludeCnFromSans != nil { in, out := &in.ExcludeCnFromSans, &out.ExcludeCnFromSans *out = new(bool) @@ -1327,6 +1628,11 @@ func (in *SecretBackendIntermediateCertRequestParameters) DeepCopyInto(out *Secr *out = new(string) **out = **in } + if in.ID != nil { + in, out := &in.ID, &out.ID + *out = new(string) + **out = **in + } if in.IPSans != nil { in, out := &in.IPSans, &out.IPSans *out = make([]*string, len(*in)) @@ -1399,6 +1705,11 @@ func (in *SecretBackendIntermediateCertRequestParameters) DeepCopyInto(out *Secr *out = new(string) **out = **in } + if in.PrivateKeyType != nil { + in, out := &in.PrivateKeyType, &out.PrivateKeyType + *out = new(string) + **out = **in + } if in.Province != nil { in, out := &in.Province, &out.Province *out = new(string) 
@@ -1427,44 +1738,199 @@ func (in *SecretBackendIntermediateCertRequestParameters) DeepCopyInto(out *Secr } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendIntermediateCertRequestParameters. -func (in *SecretBackendIntermediateCertRequestParameters) DeepCopy() *SecretBackendIntermediateCertRequestParameters { - if in == nil { - return nil - } - out := new(SecretBackendIntermediateCertRequestParameters) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretBackendIntermediateCertRequestSpec) DeepCopyInto(out *SecretBackendIntermediateCertRequestSpec) { - *out = *in - in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) - in.ForProvider.DeepCopyInto(&out.ForProvider) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendIntermediateCertRequestSpec. -func (in *SecretBackendIntermediateCertRequestSpec) DeepCopy() *SecretBackendIntermediateCertRequestSpec { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendIntermediateCertRequestObservation. +func (in *SecretBackendIntermediateCertRequestObservation) DeepCopy() *SecretBackendIntermediateCertRequestObservation { if in == nil { return nil } - out := new(SecretBackendIntermediateCertRequestSpec) + out := new(SecretBackendIntermediateCertRequestObservation) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
-func (in *SecretBackendIntermediateCertRequestStatus) DeepCopyInto(out *SecretBackendIntermediateCertRequestStatus) { +func (in *SecretBackendIntermediateCertRequestParameters) DeepCopyInto(out *SecretBackendIntermediateCertRequestParameters) { *out = *in - in.ResourceStatus.DeepCopyInto(&out.ResourceStatus) - in.AtProvider.DeepCopyInto(&out.AtProvider) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendIntermediateCertRequestStatus. -func (in *SecretBackendIntermediateCertRequestStatus) DeepCopy() *SecretBackendIntermediateCertRequestStatus { - if in == nil { - return nil + if in.AddBasicConstraints != nil { + in, out := &in.AddBasicConstraints, &out.AddBasicConstraints + *out = new(bool) + **out = **in + } + if in.AltNames != nil { + in, out := &in.AltNames, &out.AltNames + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.CommonName != nil { + in, out := &in.CommonName, &out.CommonName + *out = new(string) + **out = **in + } + if in.Country != nil { + in, out := &in.Country, &out.Country + *out = new(string) + **out = **in + } + if in.ExcludeCnFromSans != nil { + in, out := &in.ExcludeCnFromSans, &out.ExcludeCnFromSans + *out = new(bool) + **out = **in + } + if in.Format != nil { + in, out := &in.Format, &out.Format + *out = new(string) + **out = **in + } + if in.IPSans != nil { + in, out := &in.IPSans, &out.IPSans + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.KeyBits != nil { + in, out := &in.KeyBits, &out.KeyBits + *out = new(float64) + **out = **in + } + if in.KeyType != nil { + in, out := &in.KeyType, &out.KeyType + *out = new(string) + **out = **in + } + if 
in.Locality != nil { + in, out := &in.Locality, &out.Locality + *out = new(string) + **out = **in + } + if in.ManagedKeyID != nil { + in, out := &in.ManagedKeyID, &out.ManagedKeyID + *out = new(string) + **out = **in + } + if in.ManagedKeyName != nil { + in, out := &in.ManagedKeyName, &out.ManagedKeyName + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Organization != nil { + in, out := &in.Organization, &out.Organization + *out = new(string) + **out = **in + } + if in.OtherSans != nil { + in, out := &in.OtherSans, &out.OtherSans + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Ou != nil { + in, out := &in.Ou, &out.Ou + *out = new(string) + **out = **in + } + if in.PostalCode != nil { + in, out := &in.PostalCode, &out.PostalCode + *out = new(string) + **out = **in + } + if in.PrivateKeyFormat != nil { + in, out := &in.PrivateKeyFormat, &out.PrivateKeyFormat + *out = new(string) + **out = **in + } + if in.Province != nil { + in, out := &in.Province, &out.Province + *out = new(string) + **out = **in + } + if in.StreetAddress != nil { + in, out := &in.StreetAddress, &out.StreetAddress + *out = new(string) + **out = **in + } + if in.Type != nil { + in, out := &in.Type, &out.Type + *out = new(string) + **out = **in + } + if in.URISans != nil { + in, out := &in.URISans, &out.URISans + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendIntermediateCertRequestParameters. 
+func (in *SecretBackendIntermediateCertRequestParameters) DeepCopy() *SecretBackendIntermediateCertRequestParameters { + if in == nil { + return nil + } + out := new(SecretBackendIntermediateCertRequestParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendIntermediateCertRequestSpec) DeepCopyInto(out *SecretBackendIntermediateCertRequestSpec) { + *out = *in + in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) + in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendIntermediateCertRequestSpec. +func (in *SecretBackendIntermediateCertRequestSpec) DeepCopy() *SecretBackendIntermediateCertRequestSpec { + if in == nil { + return nil + } + out := new(SecretBackendIntermediateCertRequestSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendIntermediateCertRequestStatus) DeepCopyInto(out *SecretBackendIntermediateCertRequestStatus) { + *out = *in + in.ResourceStatus.DeepCopyInto(&out.ResourceStatus) + in.AtProvider.DeepCopyInto(&out.AtProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendIntermediateCertRequestStatus. +func (in *SecretBackendIntermediateCertRequestStatus) DeepCopy() *SecretBackendIntermediateCertRequestStatus { + if in == nil { + return nil } out := new(SecretBackendIntermediateCertRequestStatus) in.DeepCopyInto(out) 
@@ -1498,6 +1964,36 @@ func (in *SecretBackendIntermediateSetSigned) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendIntermediateSetSignedInitParameters) DeepCopyInto(out *SecretBackendIntermediateSetSignedInitParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.Certificate != nil { + in, out := &in.Certificate, &out.Certificate + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendIntermediateSetSignedInitParameters. +func (in *SecretBackendIntermediateSetSignedInitParameters) DeepCopy() *SecretBackendIntermediateSetSignedInitParameters { + if in == nil { + return nil + } + out := new(SecretBackendIntermediateSetSignedInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendIntermediateSetSignedList) DeepCopyInto(out *SecretBackendIntermediateSetSignedList) { *out = *in 
@@ -1573,89 +2069,396 @@ func (in *SecretBackendIntermediateSetSignedParameters) DeepCopyInto(out *Secret *out = new(string) **out = **in } - if in.Certificate != nil { - in, out := &in.Certificate, &out.Certificate - *out = new(string) - **out = **in + if in.Certificate != nil { + in, out := &in.Certificate, &out.Certificate + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendIntermediateSetSignedParameters. +func (in *SecretBackendIntermediateSetSignedParameters) DeepCopy() *SecretBackendIntermediateSetSignedParameters { + if in == nil { + return nil + } + out := new(SecretBackendIntermediateSetSignedParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendIntermediateSetSignedSpec) DeepCopyInto(out *SecretBackendIntermediateSetSignedSpec) { + *out = *in + in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) + in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendIntermediateSetSignedSpec. +func (in *SecretBackendIntermediateSetSignedSpec) DeepCopy() *SecretBackendIntermediateSetSignedSpec { + if in == nil { + return nil + } + out := new(SecretBackendIntermediateSetSignedSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *SecretBackendIntermediateSetSignedStatus) DeepCopyInto(out *SecretBackendIntermediateSetSignedStatus) { + *out = *in + in.ResourceStatus.DeepCopyInto(&out.ResourceStatus) + in.AtProvider.DeepCopyInto(&out.AtProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendIntermediateSetSignedStatus. +func (in *SecretBackendIntermediateSetSignedStatus) DeepCopy() *SecretBackendIntermediateSetSignedStatus { + if in == nil { + return nil + } + out := new(SecretBackendIntermediateSetSignedStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendRole) DeepCopyInto(out *SecretBackendRole) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRole. +func (in *SecretBackendRole) DeepCopy() *SecretBackendRole { + if in == nil { + return nil + } + out := new(SecretBackendRole) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *SecretBackendRole) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleInitParameters) { + *out = *in + if in.AllowAnyName != nil { + in, out := &in.AllowAnyName, &out.AllowAnyName + *out = new(bool) + **out = **in + } + if in.AllowBareDomains != nil { + in, out := &in.AllowBareDomains, &out.AllowBareDomains + *out = new(bool) + **out = **in + } + if in.AllowGlobDomains != nil { + in, out := &in.AllowGlobDomains, &out.AllowGlobDomains + *out = new(bool) + **out = **in + } + if in.AllowIPSans != nil { + in, out := &in.AllowIPSans, &out.AllowIPSans + *out = new(bool) + **out = **in + } + if in.AllowLocalhost != nil { + in, out := &in.AllowLocalhost, &out.AllowLocalhost + *out = new(bool) + **out = **in + } + if in.AllowSubdomains != nil { + in, out := &in.AllowSubdomains, &out.AllowSubdomains + *out = new(bool) + **out = **in + } + if in.AllowedDomains != nil { + in, out := &in.AllowedDomains, &out.AllowedDomains + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.AllowedDomainsTemplate != nil { + in, out := &in.AllowedDomainsTemplate, &out.AllowedDomainsTemplate + *out = new(bool) + **out = **in + } + if in.AllowedOtherSans != nil { + in, out := &in.AllowedOtherSans, &out.AllowedOtherSans + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.AllowedSerialNumbers != nil { + in, out := &in.AllowedSerialNumbers, &out.AllowedSerialNumbers + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.AllowedURISans != nil { + in, out := &in.AllowedURISans, &out.AllowedURISans + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = 
**in + } + } + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.BasicConstraintsValidForNonCA != nil { + in, out := &in.BasicConstraintsValidForNonCA, &out.BasicConstraintsValidForNonCA + *out = new(bool) + **out = **in + } + if in.ClientFlag != nil { + in, out := &in.ClientFlag, &out.ClientFlag + *out = new(bool) + **out = **in + } + if in.CodeSigningFlag != nil { + in, out := &in.CodeSigningFlag, &out.CodeSigningFlag + *out = new(bool) + **out = **in + } + if in.Country != nil { + in, out := &in.Country, &out.Country + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.EmailProtectionFlag != nil { + in, out := &in.EmailProtectionFlag, &out.EmailProtectionFlag + *out = new(bool) + **out = **in + } + if in.EnforceHostnames != nil { + in, out := &in.EnforceHostnames, &out.EnforceHostnames + *out = new(bool) + **out = **in + } + if in.ExtKeyUsage != nil { + in, out := &in.ExtKeyUsage, &out.ExtKeyUsage + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.GenerateLease != nil { + in, out := &in.GenerateLease, &out.GenerateLease + *out = new(bool) + **out = **in + } + if in.KeyBits != nil { + in, out := &in.KeyBits, &out.KeyBits + *out = new(float64) + **out = **in + } + if in.KeyType != nil { + in, out := &in.KeyType, &out.KeyType + *out = new(string) + **out = **in + } + if in.KeyUsage != nil { + in, out := &in.KeyUsage, &out.KeyUsage + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Locality != nil { + in, out := &in.Locality, &out.Locality + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], 
&(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.MaxTTL != nil { + in, out := &in.MaxTTL, &out.MaxTTL + *out = new(string) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.NoStore != nil { + in, out := &in.NoStore, &out.NoStore + *out = new(bool) + **out = **in + } + if in.NotBeforeDuration != nil { + in, out := &in.NotBeforeDuration, &out.NotBeforeDuration + *out = new(string) + **out = **in + } + if in.Organization != nil { + in, out := &in.Organization, &out.Organization + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Ou != nil { + in, out := &in.Ou, &out.Ou + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.PolicyIdentifier != nil { + in, out := &in.PolicyIdentifier, &out.PolicyIdentifier + *out = make([]PolicyIdentifierInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.PolicyIdentifiers != nil { + in, out := &in.PolicyIdentifiers, &out.PolicyIdentifiers + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.PostalCode != nil { + in, out := &in.PostalCode, &out.PostalCode + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Province != nil { + in, out := &in.Province, &out.Province + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } 
+ if in.RequireCn != nil { + in, out := &in.RequireCn, &out.RequireCn + *out = new(bool) + **out = **in + } + if in.ServerFlag != nil { + in, out := &in.ServerFlag, &out.ServerFlag + *out = new(bool) + **out = **in + } + if in.StreetAddress != nil { + in, out := &in.StreetAddress, &out.StreetAddress + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } } - if in.Namespace != nil { - in, out := &in.Namespace, &out.Namespace + if in.TTL != nil { + in, out := &in.TTL, &out.TTL *out = new(string) **out = **in } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendIntermediateSetSignedParameters. -func (in *SecretBackendIntermediateSetSignedParameters) DeepCopy() *SecretBackendIntermediateSetSignedParameters { - if in == nil { - return nil - } - out := new(SecretBackendIntermediateSetSignedParameters) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretBackendIntermediateSetSignedSpec) DeepCopyInto(out *SecretBackendIntermediateSetSignedSpec) { - *out = *in - in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) - in.ForProvider.DeepCopyInto(&out.ForProvider) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendIntermediateSetSignedSpec. -func (in *SecretBackendIntermediateSetSignedSpec) DeepCopy() *SecretBackendIntermediateSetSignedSpec { - if in == nil { - return nil + if in.UseCsrCommonName != nil { + in, out := &in.UseCsrCommonName, &out.UseCsrCommonName + *out = new(bool) + **out = **in } - out := new(SecretBackendIntermediateSetSignedSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
-func (in *SecretBackendIntermediateSetSignedStatus) DeepCopyInto(out *SecretBackendIntermediateSetSignedStatus) { - *out = *in - in.ResourceStatus.DeepCopyInto(&out.ResourceStatus) - in.AtProvider.DeepCopyInto(&out.AtProvider) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendIntermediateSetSignedStatus. -func (in *SecretBackendIntermediateSetSignedStatus) DeepCopy() *SecretBackendIntermediateSetSignedStatus { - if in == nil { - return nil + if in.UseCsrSans != nil { + in, out := &in.UseCsrSans, &out.UseCsrSans + *out = new(bool) + **out = **in } - out := new(SecretBackendIntermediateSetSignedStatus) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecretBackendRole) DeepCopyInto(out *SecretBackendRole) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - in.Status.DeepCopyInto(&out.Status) } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRole. -func (in *SecretBackendRole) DeepCopy() *SecretBackendRole { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleInitParameters. +func (in *SecretBackendRoleInitParameters) DeepCopy() *SecretBackendRoleInitParameters { if in == nil { return nil } - out := new(SecretBackendRole) + out := new(SecretBackendRoleInitParameters) in.DeepCopyInto(out) return out } -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *SecretBackendRole) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
func (in *SecretBackendRoleList) DeepCopyInto(out *SecretBackendRoleList) { *out = *in @@ -2310,6 +3113,7 @@ func (in *SecretBackendRoleSpec) DeepCopyInto(out *SecretBackendRoleSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleSpec. 
@@ -2366,6 +3170,176 @@ func (in *SecretBackendRootCert) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendRootCertInitParameters) DeepCopyInto(out *SecretBackendRootCertInitParameters) { + *out = *in + if in.AltNames != nil { + in, out := &in.AltNames, &out.AltNames + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.CommonName != nil { + in, out := &in.CommonName, &out.CommonName + *out = new(string) + **out = **in + } + if in.Country != nil { + in, out := &in.Country, &out.Country + *out = new(string) + **out = **in + } + if in.ExcludeCnFromSans != nil { + in, out := &in.ExcludeCnFromSans, &out.ExcludeCnFromSans + *out = new(bool) + **out = **in + } + if in.Format != nil { + in, out := &in.Format, &out.Format + *out = new(string) + **out = **in + } + if in.IPSans != nil { + in, out := &in.IPSans, &out.IPSans + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.KeyBits != nil { + in, out := &in.KeyBits, &out.KeyBits + *out = new(float64) + **out = **in + } + if in.KeyType != nil { + in, out := &in.KeyType, &out.KeyType + *out = new(string) + **out = **in + } + if in.Locality != nil { + in, out := &in.Locality, &out.Locality + *out = new(string) + **out = **in + } + if in.ManagedKeyID != nil { + in, out := &in.ManagedKeyID, &out.ManagedKeyID + *out = new(string) + **out = **in + } + if in.ManagedKeyName != nil { + in, out := &in.ManagedKeyName, &out.ManagedKeyName + *out = new(string) + **out = **in + } + if in.MaxPathLength != nil { + in, out := &in.MaxPathLength, &out.MaxPathLength + *out = 
new(float64) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Organization != nil { + in, out := &in.Organization, &out.Organization + *out = new(string) + **out = **in + } + if in.OtherSans != nil { + in, out := &in.OtherSans, &out.OtherSans + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Ou != nil { + in, out := &in.Ou, &out.Ou + *out = new(string) + **out = **in + } + if in.PermittedDNSDomains != nil { + in, out := &in.PermittedDNSDomains, &out.PermittedDNSDomains + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.PostalCode != nil { + in, out := &in.PostalCode, &out.PostalCode + *out = new(string) + **out = **in + } + if in.PrivateKeyFormat != nil { + in, out := &in.PrivateKeyFormat, &out.PrivateKeyFormat + *out = new(string) + **out = **in + } + if in.Province != nil { + in, out := &in.Province, &out.Province + *out = new(string) + **out = **in + } + if in.StreetAddress != nil { + in, out := &in.StreetAddress, &out.StreetAddress + *out = new(string) + **out = **in + } + if in.TTL != nil { + in, out := &in.TTL, &out.TTL + *out = new(string) + **out = **in + } + if in.Type != nil { + in, out := &in.Type, &out.Type + *out = new(string) + **out = **in + } + if in.URISans != nil { + in, out := &in.URISans, &out.URISans + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRootCertInitParameters. 
+func (in *SecretBackendRootCertInitParameters) DeepCopy() *SecretBackendRootCertInitParameters { + if in == nil { + return nil + } + out := new(SecretBackendRootCertInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendRootCertList) DeepCopyInto(out *SecretBackendRootCertList) { *out = *in @@ -2768,6 +3742,7 @@ func (in *SecretBackendRootCertSpec) DeepCopyInto(out *SecretBackendRootCertSpec *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRootCertSpec. 
@@ -2824,6 +3799,161 @@ func (in *SecretBackendRootSignIntermediate) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendRootSignIntermediateInitParameters) DeepCopyInto(out *SecretBackendRootSignIntermediateInitParameters) { + *out = *in + if in.AltNames != nil { + in, out := &in.AltNames, &out.AltNames + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.CommonName != nil { + in, out := &in.CommonName, &out.CommonName + *out = new(string) + **out = **in + } + if in.Country != nil { + in, out := &in.Country, &out.Country + *out = new(string) + **out = **in + } + if in.Csr != nil { + in, out := &in.Csr, &out.Csr + *out = new(string) + **out = **in + } + if in.ExcludeCnFromSans != nil { + in, out := &in.ExcludeCnFromSans, &out.ExcludeCnFromSans + *out = new(bool) + **out = **in + } + if in.Format != nil { + in, out := &in.Format, &out.Format + *out = new(string) + **out = **in + } + if in.IPSans != nil { + in, out := &in.IPSans, &out.IPSans + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Locality != nil { + in, out := &in.Locality, &out.Locality + *out = new(string) + **out = **in + } + if in.MaxPathLength != nil { + in, out := &in.MaxPathLength, &out.MaxPathLength + *out = new(float64) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Organization != nil { + in, out := &in.Organization, &out.Organization + *out = new(string) + **out = **in + } + if in.OtherSans != nil { + in, out := &in.OtherSans, 
&out.OtherSans + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Ou != nil { + in, out := &in.Ou, &out.Ou + *out = new(string) + **out = **in + } + if in.PermittedDNSDomains != nil { + in, out := &in.PermittedDNSDomains, &out.PermittedDNSDomains + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.PostalCode != nil { + in, out := &in.PostalCode, &out.PostalCode + *out = new(string) + **out = **in + } + if in.Province != nil { + in, out := &in.Province, &out.Province + *out = new(string) + **out = **in + } + if in.Revoke != nil { + in, out := &in.Revoke, &out.Revoke + *out = new(bool) + **out = **in + } + if in.StreetAddress != nil { + in, out := &in.StreetAddress, &out.StreetAddress + *out = new(string) + **out = **in + } + if in.TTL != nil { + in, out := &in.TTL, &out.TTL + *out = new(string) + **out = **in + } + if in.URISans != nil { + in, out := &in.URISans, &out.URISans + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.UseCsrValues != nil { + in, out := &in.UseCsrValues, &out.UseCsrValues + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRootSignIntermediateInitParameters. +func (in *SecretBackendRootSignIntermediateInitParameters) DeepCopy() *SecretBackendRootSignIntermediateInitParameters { + if in == nil { + return nil + } + out := new(SecretBackendRootSignIntermediateInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
func (in *SecretBackendRootSignIntermediateList) DeepCopyInto(out *SecretBackendRootSignIntermediateList) { *out = *in @@ -3212,6 +4342,7 @@ func (in *SecretBackendRootSignIntermediateSpec) DeepCopyInto(out *SecretBackend *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRootSignIntermediateSpec. 
@@ -3268,6 +4399,115 @@ func (in *SecretBackendSign) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendSignInitParameters) DeepCopyInto(out *SecretBackendSignInitParameters) { + *out = *in + if in.AltNames != nil { + in, out := &in.AltNames, &out.AltNames + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.AutoRenew != nil { + in, out := &in.AutoRenew, &out.AutoRenew + *out = new(bool) + **out = **in + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.CommonName != nil { + in, out := &in.CommonName, &out.CommonName + *out = new(string) + **out = **in + } + if in.Csr != nil { + in, out := &in.Csr, &out.Csr + *out = new(string) + **out = **in + } + if in.ExcludeCnFromSans != nil { + in, out := &in.ExcludeCnFromSans, &out.ExcludeCnFromSans + *out = new(bool) + **out = **in + } + if in.Format != nil { + in, out := &in.Format, &out.Format + *out = new(string) + **out = **in + } + if in.IPSans != nil { + in, out := &in.IPSans, &out.IPSans + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.MinSecondsRemaining != nil { + in, out := &in.MinSecondsRemaining, &out.MinSecondsRemaining + *out = new(float64) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.OtherSans != nil { + in, out := &in.OtherSans, &out.OtherSans + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in 
+ } + } + } + if in.TTL != nil { + in, out := &in.TTL, &out.TTL + *out = new(string) + **out = **in + } + if in.URISans != nil { + in, out := &in.URISans, &out.URISans + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendSignInitParameters. +func (in *SecretBackendSignInitParameters) DeepCopy() *SecretBackendSignInitParameters { + if in == nil { + return nil + } + out := new(SecretBackendSignInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendSignList) DeepCopyInto(out *SecretBackendSignList) { *out = *in @@ -3569,6 +4809,7 @@ func (in *SecretBackendSignSpec) DeepCopyInto(out *SecretBackendSignSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendSignSpec. diff --git a/apis/pki/v1alpha1/zz_generated.managed.go b/apis/pki/v1alpha1/zz_generated.managed.go index 7a1db9a1..b3b8be72 100644 --- a/apis/pki/v1alpha1/zz_generated.managed.go +++ b/apis/pki/v1alpha1/zz_generated.managed.go @@ -17,9 +17,9 @@ func (mg *SecretBackendCert) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackendCert. -func (mg *SecretBackendCert) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackendCert. +func (mg *SecretBackendCert) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackendCert. 
@@ -55,9 +55,9 @@ func (mg *SecretBackendCert) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackendCert. -func (mg *SecretBackendCert) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackendCert. +func (mg *SecretBackendCert) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackendCert. @@ -93,9 +93,9 @@ func (mg *SecretBackendConfigCA) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackendConfigCA. -func (mg *SecretBackendConfigCA) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackendConfigCA. +func (mg *SecretBackendConfigCA) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackendConfigCA. @@ -131,9 +131,9 @@ func (mg *SecretBackendConfigCA) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackendConfigCA. -func (mg *SecretBackendConfigCA) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackendConfigCA. +func (mg *SecretBackendConfigCA) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackendConfigCA. 
@@ -169,9 +169,9 @@ func (mg *SecretBackendConfigUrls) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackendConfigUrls. -func (mg *SecretBackendConfigUrls) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackendConfigUrls. +func (mg *SecretBackendConfigUrls) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackendConfigUrls. @@ -207,9 +207,9 @@ func (mg *SecretBackendConfigUrls) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackendConfigUrls. -func (mg *SecretBackendConfigUrls) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackendConfigUrls. +func (mg *SecretBackendConfigUrls) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackendConfigUrls. @@ -245,9 +245,9 @@ func (mg *SecretBackendCrlConfig) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackendCrlConfig. -func (mg *SecretBackendCrlConfig) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackendCrlConfig. +func (mg *SecretBackendCrlConfig) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackendCrlConfig. 
@@ -283,9 +283,9 @@ func (mg *SecretBackendCrlConfig) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackendCrlConfig. -func (mg *SecretBackendCrlConfig) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackendCrlConfig. +func (mg *SecretBackendCrlConfig) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackendCrlConfig. @@ -321,9 +321,9 @@ func (mg *SecretBackendIntermediateCertRequest) GetDeletionPolicy() xpv1.Deletio return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackendIntermediateCertRequest. -func (mg *SecretBackendIntermediateCertRequest) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackendIntermediateCertRequest. +func (mg *SecretBackendIntermediateCertRequest) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackendIntermediateCertRequest. @@ -359,9 +359,9 @@ func (mg *SecretBackendIntermediateCertRequest) SetDeletionPolicy(r xpv1.Deletio mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackendIntermediateCertRequest. -func (mg *SecretBackendIntermediateCertRequest) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackendIntermediateCertRequest. +func (mg *SecretBackendIntermediateCertRequest) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackendIntermediateCertRequest. 
@@ -397,9 +397,9 @@ func (mg *SecretBackendIntermediateSetSigned) GetDeletionPolicy() xpv1.DeletionP return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackendIntermediateSetSigned. -func (mg *SecretBackendIntermediateSetSigned) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackendIntermediateSetSigned. +func (mg *SecretBackendIntermediateSetSigned) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackendIntermediateSetSigned. @@ -435,9 +435,9 @@ func (mg *SecretBackendIntermediateSetSigned) SetDeletionPolicy(r xpv1.DeletionP mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackendIntermediateSetSigned. -func (mg *SecretBackendIntermediateSetSigned) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackendIntermediateSetSigned. +func (mg *SecretBackendIntermediateSetSigned) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackendIntermediateSetSigned. @@ -473,9 +473,9 @@ func (mg *SecretBackendRole) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackendRole. -func (mg *SecretBackendRole) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackendRole. +func (mg *SecretBackendRole) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackendRole. 
@@ -511,9 +511,9 @@ func (mg *SecretBackendRole) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackendRole. -func (mg *SecretBackendRole) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackendRole. +func (mg *SecretBackendRole) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackendRole. @@ -549,9 +549,9 @@ func (mg *SecretBackendRootCert) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackendRootCert. -func (mg *SecretBackendRootCert) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackendRootCert. +func (mg *SecretBackendRootCert) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackendRootCert. @@ -587,9 +587,9 @@ func (mg *SecretBackendRootCert) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackendRootCert. -func (mg *SecretBackendRootCert) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackendRootCert. +func (mg *SecretBackendRootCert) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackendRootCert. 
@@ -625,9 +625,9 @@ func (mg *SecretBackendRootSignIntermediate) GetDeletionPolicy() xpv1.DeletionPo return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackendRootSignIntermediate. -func (mg *SecretBackendRootSignIntermediate) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackendRootSignIntermediate. +func (mg *SecretBackendRootSignIntermediate) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackendRootSignIntermediate. @@ -663,9 +663,9 @@ func (mg *SecretBackendRootSignIntermediate) SetDeletionPolicy(r xpv1.DeletionPo mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackendRootSignIntermediate. -func (mg *SecretBackendRootSignIntermediate) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackendRootSignIntermediate. +func (mg *SecretBackendRootSignIntermediate) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackendRootSignIntermediate. @@ -701,9 +701,9 @@ func (mg *SecretBackendSign) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackendSign. -func (mg *SecretBackendSign) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackendSign. +func (mg *SecretBackendSign) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackendSign. 
@@ -739,9 +739,9 @@ func (mg *SecretBackendSign) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackendSign. -func (mg *SecretBackendSign) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackendSign. +func (mg *SecretBackendSign) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackendSign. diff --git a/apis/pki/v1alpha1/zz_generated_terraformed.go b/apis/pki/v1alpha1/zz_generated_terraformed.go index 699d0436..78116fbd 100755 --- a/apis/pki/v1alpha1/zz_generated_terraformed.go +++ b/apis/pki/v1alpha1/zz_generated_terraformed.go @@ -69,6 +69,16 @@ func (tr *SecretBackendCert) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackendCert +func (tr *SecretBackendCert) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackendCert using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackendCert) LateInitialize(attrs []byte) (bool, error) { 
@@ -143,6 +153,16 @@ func (tr *SecretBackendConfigCA) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackendConfigCA +func (tr *SecretBackendConfigCA) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackendConfigCA using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackendConfigCA) LateInitialize(attrs []byte) (bool, error) { @@ -217,6 +237,16 @@ func (tr *SecretBackendConfigUrls) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackendConfigUrls +func (tr *SecretBackendConfigUrls) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackendConfigUrls using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackendConfigUrls) LateInitialize(attrs []byte) (bool, error) { 
@@ -291,6 +321,16 @@ func (tr *SecretBackendCrlConfig) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackendCrlConfig +func (tr *SecretBackendCrlConfig) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackendCrlConfig using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackendCrlConfig) LateInitialize(attrs []byte) (bool, error) { @@ -365,6 +405,16 @@ func (tr *SecretBackendIntermediateCertRequest) SetParameters(params map[string] return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackendIntermediateCertRequest +func (tr *SecretBackendIntermediateCertRequest) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackendIntermediateCertRequest using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackendIntermediateCertRequest) LateInitialize(attrs []byte) (bool, error) { 
@@ -439,6 +489,16 @@ func (tr *SecretBackendIntermediateSetSigned) SetParameters(params map[string]an return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackendIntermediateSetSigned +func (tr *SecretBackendIntermediateSetSigned) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackendIntermediateSetSigned using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackendIntermediateSetSigned) LateInitialize(attrs []byte) (bool, error) { @@ -513,6 +573,16 @@ func (tr *SecretBackendRole) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackendRole +func (tr *SecretBackendRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackendRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackendRole) LateInitialize(attrs []byte) (bool, error) { 
@@ -587,6 +657,16 @@ func (tr *SecretBackendRootCert) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackendRootCert +func (tr *SecretBackendRootCert) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackendRootCert using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackendRootCert) LateInitialize(attrs []byte) (bool, error) { @@ -661,6 +741,16 @@ func (tr *SecretBackendRootSignIntermediate) SetParameters(params map[string]any return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackendRootSignIntermediate +func (tr *SecretBackendRootSignIntermediate) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackendRootSignIntermediate using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackendRootSignIntermediate) LateInitialize(attrs []byte) (bool, error) { 
@@ -735,6 +825,16 @@ func (tr *SecretBackendSign) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackendSign +func (tr *SecretBackendSign) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackendSign using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackendSign) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/pki/v1alpha1/zz_secretbackendcert_types.go b/apis/pki/v1alpha1/zz_secretbackendcert_types.go index 309afa97..aeb31e2c 100755 --- a/apis/pki/v1alpha1/zz_secretbackendcert_types.go +++ b/apis/pki/v1alpha1/zz_secretbackendcert_types.go 
@@ -13,135 +13,244 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretBackendCertInitParameters struct { + + // List of alternative names + // List of alternative names. + AltNames []*string `json:"altNames,omitempty" tf:"alt_names,omitempty"` + + // If set to true, certs will be renewed if the expiration is within min_seconds_remaining. Default false + // If enabled, a new certificate will be generated if the expiration is within min_seconds_remaining + AutoRenew *bool `json:"autoRenew,omitempty" tf:"auto_renew,omitempty"` + + // The PKI secret backend the resource belongs to. + // The PKI secret backend the resource belongs to. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // CN of certificate to create + // CN of the certificate to create. + CommonName *string `json:"commonName,omitempty" tf:"common_name,omitempty"` + + // Flag to exclude CN from SANs + // Flag to exclude CN from SANs. + ExcludeCnFromSans *bool `json:"excludeCnFromSans,omitempty" tf:"exclude_cn_from_sans,omitempty"` + + // The format of data + // The format of data. + Format *string `json:"format,omitempty" tf:"format,omitempty"` + + // List of alternative IPs + // List of alternative IPs. + IPSans []*string `json:"ipSans,omitempty" tf:"ip_sans,omitempty"` + + // Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days) + // Generate a new certificate when the expiration is within this number of seconds + MinSecondsRemaining *float64 `json:"minSecondsRemaining,omitempty" tf:"min_seconds_remaining,omitempty"` + + // Name of the role to create the certificate against + // Name of the role to create the certificate against. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. 
+ // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // List of other SANs + // List of other SANs. + OtherSans []*string `json:"otherSans,omitempty" tf:"other_sans,omitempty"` + + // The private key format + // The private key format. + PrivateKeyFormat *string `json:"privateKeyFormat,omitempty" tf:"private_key_format,omitempty"` + + // If set to true, the certificate will be revoked on resource destruction. + // Revoke the certificate upon resource destruction. + Revoke *bool `json:"revoke,omitempty" tf:"revoke,omitempty"` + + // Time to live + // Time to live. + TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` + + // List of alternative URIs + // List of alternative URIs. + URISans []*string `json:"uriSans,omitempty" tf:"uri_sans,omitempty"` +} + type SecretBackendCertObservation struct { + // List of alternative names // List of alternative names. AltNames []*string `json:"altNames,omitempty" tf:"alt_names,omitempty"` + // If set to true, certs will be renewed if the expiration is within min_seconds_remaining. Default false // If enabled, a new certificate will be generated if the expiration is within min_seconds_remaining AutoRenew *bool `json:"autoRenew,omitempty" tf:"auto_renew,omitempty"` + // The PKI secret backend the resource belongs to. // The PKI secret backend the resource belongs to. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // The CA chain // The CA chain. CAChain *string `json:"caChain,omitempty" tf:"ca_chain,omitempty"` + // The certificate // The certicate. Certificate *string `json:"certificate,omitempty" tf:"certificate,omitempty"` + // CN of certificate to create // CN of the certificate to create. CommonName *string `json:"commonName,omitempty" tf:"common_name,omitempty"` + // Flag to exclude CN from SANs // Flag to exclude CN from SANs. 
ExcludeCnFromSans *bool `json:"excludeCnFromSans,omitempty" tf:"exclude_cn_from_sans,omitempty"` + // The expiration date of the certificate in unix epoch format // The certificate expiration as a Unix-style timestamp. Expiration *float64 `json:"expiration,omitempty" tf:"expiration,omitempty"` + // The format of data // The format of data. Format *string `json:"format,omitempty" tf:"format,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // List of alternative IPs // List of alternative IPs. IPSans []*string `json:"ipSans,omitempty" tf:"ip_sans,omitempty"` + // The issuing CA // The issuing CA. IssuingCA *string `json:"issuingCa,omitempty" tf:"issuing_ca,omitempty"` + // Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days) // Generate a new certificate when the expiration is within this number of seconds MinSecondsRemaining *float64 `json:"minSecondsRemaining,omitempty" tf:"min_seconds_remaining,omitempty"` + // Name of the role to create the certificate against // Name of the role to create the certificate against. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // List of other SANs // List of other SANs. OtherSans []*string `json:"otherSans,omitempty" tf:"other_sans,omitempty"` + // The private key format // The private key format. PrivateKeyFormat *string `json:"privateKeyFormat,omitempty" tf:"private_key_format,omitempty"` + // The private key type // The private key type. 
PrivateKeyType *string `json:"privateKeyType,omitempty" tf:"private_key_type,omitempty"` + // true if the current time (during refresh) is after the start of the early renewal window declared by min_seconds_remaining, and false otherwise; if auto_renew is set to true then the provider will plan to replace the certificate once renewal is pending. // Initially false, and then set to true during refresh once the expiration is less than min_seconds_remaining in the future. RenewPending *bool `json:"renewPending,omitempty" tf:"renew_pending,omitempty"` + // If set to true, the certificate will be revoked on resource destruction. // Revoke the certificate upon resource destruction. Revoke *bool `json:"revoke,omitempty" tf:"revoke,omitempty"` + // The serial number // The serial number. SerialNumber *string `json:"serialNumber,omitempty" tf:"serial_number,omitempty"` + // Time to live // Time to live. TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` + // List of alternative URIs // List of alternative URIs. URISans []*string `json:"uriSans,omitempty" tf:"uri_sans,omitempty"` } type SecretBackendCertParameters struct { + // List of alternative names // List of alternative names. // +kubebuilder:validation:Optional AltNames []*string `json:"altNames,omitempty" tf:"alt_names,omitempty"` + // If set to true, certs will be renewed if the expiration is within min_seconds_remaining. Default false // If enabled, a new certificate will be generated if the expiration is within min_seconds_remaining // +kubebuilder:validation:Optional AutoRenew *bool `json:"autoRenew,omitempty" tf:"auto_renew,omitempty"` + // The PKI secret backend the resource belongs to. // The PKI secret backend the resource belongs to. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // CN of certificate to create // CN of the certificate to create. 
// +kubebuilder:validation:Optional CommonName *string `json:"commonName,omitempty" tf:"common_name,omitempty"` + // Flag to exclude CN from SANs // Flag to exclude CN from SANs. // +kubebuilder:validation:Optional ExcludeCnFromSans *bool `json:"excludeCnFromSans,omitempty" tf:"exclude_cn_from_sans,omitempty"` + // The format of data // The format of data. // +kubebuilder:validation:Optional Format *string `json:"format,omitempty" tf:"format,omitempty"` + // List of alternative IPs // List of alternative IPs. // +kubebuilder:validation:Optional IPSans []*string `json:"ipSans,omitempty" tf:"ip_sans,omitempty"` + // Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days) // Generate a new certificate when the expiration is within this number of seconds // +kubebuilder:validation:Optional MinSecondsRemaining *float64 `json:"minSecondsRemaining,omitempty" tf:"min_seconds_remaining,omitempty"` + // Name of the role to create the certificate against // Name of the role to create the certificate against. // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // List of other SANs // List of other SANs. // +kubebuilder:validation:Optional OtherSans []*string `json:"otherSans,omitempty" tf:"other_sans,omitempty"` + // The private key format // The private key format. // +kubebuilder:validation:Optional PrivateKeyFormat *string `json:"privateKeyFormat,omitempty" tf:"private_key_format,omitempty"` + // If set to true, the certificate will be revoked on resource destruction. 
// Revoke the certificate upon resource destruction. // +kubebuilder:validation:Optional Revoke *bool `json:"revoke,omitempty" tf:"revoke,omitempty"` + // Time to live // Time to live. // +kubebuilder:validation:Optional TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` + // List of alternative URIs // List of alternative URIs. // +kubebuilder:validation:Optional URISans []*string `json:"uriSans,omitempty" tf:"uri_sans,omitempty"` @@ -151,6 +260,18 @@ type SecretBackendCertParameters struct { type SecretBackendCertSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendCertParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretBackendCertInitParameters `json:"initProvider,omitempty"` } // SecretBackendCertStatus defines the observed state of SecretBackendCert. 
@@ -161,7 +282,7 @@ type SecretBackendCertStatus struct { // +kubebuilder:object:root=true -// SecretBackendCert is the Schema for the SecretBackendCerts API. +// SecretBackendCert is the Schema for the SecretBackendCerts API. Generate an PKI certificate. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -171,9 +292,9 @@ type SecretBackendCertStatus struct { type SecretBackendCert struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.commonName)",message="commonName is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.commonName) || has(self.initProvider.commonName)",message="commonName is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" Spec SecretBackendCertSpec `json:"spec"` Status SecretBackendCertStatus `json:"status,omitempty"` } diff --git a/apis/pki/v1alpha1/zz_secretbackendconfigca_types.go b/apis/pki/v1alpha1/zz_secretbackendconfigca_types.go index 148546e1..8bccb755 100755 --- a/apis/pki/v1alpha1/zz_secretbackendconfigca_types.go +++ b/apis/pki/v1alpha1/zz_secretbackendconfigca_types.go 
@@ -13,27 +13,52 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretBackendConfigCAInitParameters struct { + + // The PKI secret backend the resource belongs to. + // The PKI secret backend the resource belongs to. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` +} + type SecretBackendConfigCAObservation struct { + // The PKI secret backend the resource belongs to. // The PKI secret backend the resource belongs to. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` } type SecretBackendConfigCAParameters struct { + // The PKI secret backend the resource belongs to. // The PKI secret backend the resource belongs to. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. 
(requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The key and certificate PEM bundle // The key and certificate PEM bundle. // +kubebuilder:validation:Optional PemBundleSecretRef v1.SecretKeySelector `json:"pemBundleSecretRef" tf:"-"` @@ -43,6 +68,18 @@ type SecretBackendConfigCAParameters struct { type SecretBackendConfigCASpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendConfigCAParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretBackendConfigCAInitParameters `json:"initProvider,omitempty"` } // SecretBackendConfigCAStatus defines the observed state of SecretBackendConfigCA. 
@@ -53,7 +90,7 @@ type SecretBackendConfigCAStatus struct { // +kubebuilder:object:root=true -// SecretBackendConfigCA is the Schema for the SecretBackendConfigCAs API. +// SecretBackendConfigCA is the Schema for the SecretBackendConfigCAs API. Submit the CA information to PKI. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" @@ -63,8 +100,8 @@ type SecretBackendConfigCAStatus struct { type SecretBackendConfigCA struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.pemBundleSecretRef)",message="pemBundleSecretRef is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.pemBundleSecretRef)",message="pemBundleSecretRef is a required parameter" Spec SecretBackendConfigCASpec `json:"spec"` Status SecretBackendConfigCAStatus `json:"status,omitempty"` } diff --git a/apis/pki/v1alpha1/zz_secretbackendconfigurls_types.go b/apis/pki/v1alpha1/zz_secretbackendconfigurls_types.go index a27c72c2..352b4328 100755 
--- a/apis/pki/v1alpha1/zz_secretbackendconfigurls_types.go +++ b/apis/pki/v1alpha1/zz_secretbackendconfigurls_types.go 
@@ -13,44 +13,86 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretBackendConfigUrlsInitParameters struct { + + // The path the PKI secret backend is mounted at, with no leading or trailing /s. + // The path of the PKI secret backend the resource belongs to. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // Specifies the URL values for the CRL Distribution Points field. + // Specifies the URL values for the CRL Distribution Points field. + CrlDistributionPoints []*string `json:"crlDistributionPoints,omitempty" tf:"crl_distribution_points,omitempty"` + + // Specifies the URL values for the Issuing Certificate field. + // Specifies the URL values for the Issuing Certificate field. + IssuingCertificates []*string `json:"issuingCertificates,omitempty" tf:"issuing_certificates,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Specifies the URL values for the OCSP Servers field. + // Specifies the URL values for the OCSP Servers field. + OcspServers []*string `json:"ocspServers,omitempty" tf:"ocsp_servers,omitempty"` +} + type SecretBackendConfigUrlsObservation struct { + // The path the PKI secret backend is mounted at, with no leading or trailing /s. // The path of the PKI secret backend the resource belongs to. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Specifies the URL values for the CRL Distribution Points field. // Specifies the URL values for the CRL Distribution Points field. 
CrlDistributionPoints []*string `json:"crlDistributionPoints,omitempty" tf:"crl_distribution_points,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // Specifies the URL values for the Issuing Certificate field. // Specifies the URL values for the Issuing Certificate field. IssuingCertificates []*string `json:"issuingCertificates,omitempty" tf:"issuing_certificates,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Specifies the URL values for the OCSP Servers field. // Specifies the URL values for the OCSP Servers field. OcspServers []*string `json:"ocspServers,omitempty" tf:"ocsp_servers,omitempty"` } type SecretBackendConfigUrlsParameters struct { + // The path the PKI secret backend is mounted at, with no leading or trailing /s. // The path of the PKI secret backend the resource belongs to. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Specifies the URL values for the CRL Distribution Points field. // Specifies the URL values for the CRL Distribution Points field. // +kubebuilder:validation:Optional CrlDistributionPoints []*string `json:"crlDistributionPoints,omitempty" tf:"crl_distribution_points,omitempty"` + // Specifies the URL values for the Issuing Certificate field. // Specifies the URL values for the Issuing Certificate field. // +kubebuilder:validation:Optional IssuingCertificates []*string `json:"issuingCertificates,omitempty" tf:"issuing_certificates,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. 
+ // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Specifies the URL values for the OCSP Servers field. // Specifies the URL values for the OCSP Servers field. // +kubebuilder:validation:Optional OcspServers []*string `json:"ocspServers,omitempty" tf:"ocsp_servers,omitempty"` @@ -60,6 +102,18 @@ type SecretBackendConfigUrlsParameters struct { type SecretBackendConfigUrlsSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendConfigUrlsParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretBackendConfigUrlsInitParameters `json:"initProvider,omitempty"` } // SecretBackendConfigUrlsStatus defines the observed state of SecretBackendConfigUrls. 
@@ -70,7 +124,7 @@ type SecretBackendConfigUrlsStatus struct { // +kubebuilder:object:root=true -// SecretBackendConfigUrls is the Schema for the SecretBackendConfigUrlss API. +// SecretBackendConfigUrls is the Schema for the SecretBackendConfigUrlss API. Sets the config URL's on an PKI Secret Backend for Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" @@ -80,7 +134,7 @@ type SecretBackendConfigUrlsStatus struct { type SecretBackendConfigUrls struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend)",message="backend is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" Spec SecretBackendConfigUrlsSpec `json:"spec"` Status SecretBackendConfigUrlsStatus `json:"status,omitempty"` } diff --git a/apis/pki/v1alpha1/zz_secretbackendcrlconfig_types.go b/apis/pki/v1alpha1/zz_secretbackendcrlconfig_types.go index 14975678..887c5606 100755 --- a/apis/pki/v1alpha1/zz_secretbackendcrlconfig_types.go +++ b/apis/pki/v1alpha1/zz_secretbackendcrlconfig_types.go 
@@ -13,100 +13,199 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretBackendCrlConfigInitParameters struct { + + // Enables periodic rebuilding of the CRL upon expiry. Vault 1.12+ + // Enables or disables periodic rebuilding of the CRL upon expiry. + AutoRebuild *bool `json:"autoRebuild,omitempty" tf:"auto_rebuild,omitempty"` + + // Grace period before CRL expiry to attempt rebuild of CRL. Vault 1.12+ + // Grace period before CRL expiry to attempt rebuild of CRL. + AutoRebuildGracePeriod *string `json:"autoRebuildGracePeriod,omitempty" tf:"auto_rebuild_grace_period,omitempty"` + + // The path the PKI secret backend is mounted at, with no leading or trailing /s. + // The path of the PKI secret backend the resource belongs to. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // Enable cross-cluster revocation request queues. Vault 1.13+ + // Enable cross-cluster revocation request queues. + CrossClusterRevocation *bool `json:"crossClusterRevocation,omitempty" tf:"cross_cluster_revocation,omitempty"` + + // Interval to check for new revocations on, to regenerate the delta CRL. + // Interval to check for new revocations on, to regenerate the delta CRL. + DeltaRebuildInterval *string `json:"deltaRebuildInterval,omitempty" tf:"delta_rebuild_interval,omitempty"` + + // Disables or enables CRL building. + // Disables or enables CRL building + Disable *bool `json:"disable,omitempty" tf:"disable,omitempty"` + + // Enables building of delta CRLs with up-to-date revocation information, + // augmenting the last complete CRL. Vault 1.12+ + // Enables or disables building of delta CRLs with up-to-date revocation information, augmenting the last complete CRL. + EnableDelta *bool `json:"enableDelta,omitempty" tf:"enable_delta,omitempty"` + + // Specifies the time until expiration. + // Specifies the time until expiration. 
+ Expiry *string `json:"expiry,omitempty" tf:"expiry,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Disables the OCSP responder in Vault. Vault 1.12+ + // Disables or enables the OCSP responder in Vault. + OcspDisable *bool `json:"ocspDisable,omitempty" tf:"ocsp_disable,omitempty"` + + // The amount of time an OCSP response can be cached for, useful for OCSP stapling + // refresh durations. Vault 1.12+ + // The amount of time an OCSP response can be cached for, useful for OCSP stapling refresh durations. + OcspExpiry *string `json:"ocspExpiry,omitempty" tf:"ocsp_expiry,omitempty"` + + // Enables unified CRL and OCSP building. Vault 1.13+ + // Enables unified CRL and OCSP building. + UnifiedCrl *bool `json:"unifiedCrl,omitempty" tf:"unified_crl,omitempty"` + + // Enables serving the unified CRL and OCSP on the existing, previously + // cluster-local paths. Vault 1.13+ + // Enables serving the unified CRL and OCSP on the existing, previously cluster-local paths. + UnifiedCrlOnExistingPaths *bool `json:"unifiedCrlOnExistingPaths,omitempty" tf:"unified_crl_on_existing_paths,omitempty"` +} + type SecretBackendCrlConfigObservation struct { + // Enables periodic rebuilding of the CRL upon expiry. Vault 1.12+ // Enables or disables periodic rebuilding of the CRL upon expiry. AutoRebuild *bool `json:"autoRebuild,omitempty" tf:"auto_rebuild,omitempty"` + // Grace period before CRL expiry to attempt rebuild of CRL. Vault 1.12+ // Grace period before CRL expiry to attempt rebuild of CRL. 
AutoRebuildGracePeriod *string `json:"autoRebuildGracePeriod,omitempty" tf:"auto_rebuild_grace_period,omitempty"` + // The path the PKI secret backend is mounted at, with no leading or trailing /s. // The path of the PKI secret backend the resource belongs to. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Enable cross-cluster revocation request queues. Vault 1.13+ // Enable cross-cluster revocation request queues. CrossClusterRevocation *bool `json:"crossClusterRevocation,omitempty" tf:"cross_cluster_revocation,omitempty"` + // Interval to check for new revocations on, to regenerate the delta CRL. // Interval to check for new revocations on, to regenerate the delta CRL. DeltaRebuildInterval *string `json:"deltaRebuildInterval,omitempty" tf:"delta_rebuild_interval,omitempty"` + // Disables or enables CRL building. // Disables or enables CRL building Disable *bool `json:"disable,omitempty" tf:"disable,omitempty"` + // Enables building of delta CRLs with up-to-date revocation information, + // augmenting the last complete CRL. Vault 1.12+ // Enables or disables building of delta CRLs with up-to-date revocation information, augmenting the last complete CRL. EnableDelta *bool `json:"enableDelta,omitempty" tf:"enable_delta,omitempty"` + // Specifies the time until expiration. // Specifies the time until expiration. Expiry *string `json:"expiry,omitempty" tf:"expiry,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Disables the OCSP responder in Vault. Vault 1.12+ // Disables or enables the OCSP responder in Vault. 
OcspDisable *bool `json:"ocspDisable,omitempty" tf:"ocsp_disable,omitempty"` + // The amount of time an OCSP response can be cached for, useful for OCSP stapling + // refresh durations. Vault 1.12+ // The amount of time an OCSP response can be cached for, useful for OCSP stapling refresh durations. OcspExpiry *string `json:"ocspExpiry,omitempty" tf:"ocsp_expiry,omitempty"` + // Enables unified CRL and OCSP building. Vault 1.13+ // Enables unified CRL and OCSP building. UnifiedCrl *bool `json:"unifiedCrl,omitempty" tf:"unified_crl,omitempty"` + // Enables serving the unified CRL and OCSP on the existing, previously + // cluster-local paths. Vault 1.13+ // Enables serving the unified CRL and OCSP on the existing, previously cluster-local paths. UnifiedCrlOnExistingPaths *bool `json:"unifiedCrlOnExistingPaths,omitempty" tf:"unified_crl_on_existing_paths,omitempty"` } type SecretBackendCrlConfigParameters struct { + // Enables periodic rebuilding of the CRL upon expiry. Vault 1.12+ // Enables or disables periodic rebuilding of the CRL upon expiry. // +kubebuilder:validation:Optional AutoRebuild *bool `json:"autoRebuild,omitempty" tf:"auto_rebuild,omitempty"` + // Grace period before CRL expiry to attempt rebuild of CRL. Vault 1.12+ // Grace period before CRL expiry to attempt rebuild of CRL. // +kubebuilder:validation:Optional AutoRebuildGracePeriod *string `json:"autoRebuildGracePeriod,omitempty" tf:"auto_rebuild_grace_period,omitempty"` + // The path the PKI secret backend is mounted at, with no leading or trailing /s. // The path of the PKI secret backend the resource belongs to. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Enable cross-cluster revocation request queues. Vault 1.13+ // Enable cross-cluster revocation request queues. 
// +kubebuilder:validation:Optional CrossClusterRevocation *bool `json:"crossClusterRevocation,omitempty" tf:"cross_cluster_revocation,omitempty"` + // Interval to check for new revocations on, to regenerate the delta CRL. // Interval to check for new revocations on, to regenerate the delta CRL. // +kubebuilder:validation:Optional DeltaRebuildInterval *string `json:"deltaRebuildInterval,omitempty" tf:"delta_rebuild_interval,omitempty"` + // Disables or enables CRL building. // Disables or enables CRL building // +kubebuilder:validation:Optional Disable *bool `json:"disable,omitempty" tf:"disable,omitempty"` + // Enables building of delta CRLs with up-to-date revocation information, + // augmenting the last complete CRL. Vault 1.12+ // Enables or disables building of delta CRLs with up-to-date revocation information, augmenting the last complete CRL. // +kubebuilder:validation:Optional EnableDelta *bool `json:"enableDelta,omitempty" tf:"enable_delta,omitempty"` + // Specifies the time until expiration. // Specifies the time until expiration. // +kubebuilder:validation:Optional Expiry *string `json:"expiry,omitempty" tf:"expiry,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Disables the OCSP responder in Vault. Vault 1.12+ // Disables or enables the OCSP responder in Vault. // +kubebuilder:validation:Optional OcspDisable *bool `json:"ocspDisable,omitempty" tf:"ocsp_disable,omitempty"` + // The amount of time an OCSP response can be cached for, useful for OCSP stapling + // refresh durations. Vault 1.12+ // The amount of time an OCSP response can be cached for, useful for OCSP stapling refresh durations. 
// +kubebuilder:validation:Optional OcspExpiry *string `json:"ocspExpiry,omitempty" tf:"ocsp_expiry,omitempty"` + // Enables unified CRL and OCSP building. Vault 1.13+ // Enables unified CRL and OCSP building. // +kubebuilder:validation:Optional UnifiedCrl *bool `json:"unifiedCrl,omitempty" tf:"unified_crl,omitempty"` + // Enables serving the unified CRL and OCSP on the existing, previously + // cluster-local paths. Vault 1.13+ // Enables serving the unified CRL and OCSP on the existing, previously cluster-local paths. // +kubebuilder:validation:Optional UnifiedCrlOnExistingPaths *bool `json:"unifiedCrlOnExistingPaths,omitempty" tf:"unified_crl_on_existing_paths,omitempty"` @@ -116,6 +215,18 @@ type SecretBackendCrlConfigParameters struct { type SecretBackendCrlConfigSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendCrlConfigParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretBackendCrlConfigInitParameters `json:"initProvider,omitempty"` } // SecretBackendCrlConfigStatus defines the observed state of SecretBackendCrlConfig. 
@@ -126,7 +237,7 @@ type SecretBackendCrlConfigStatus struct { // +kubebuilder:object:root=true -// SecretBackendCrlConfig is the Schema for the SecretBackendCrlConfigs API. +// SecretBackendCrlConfig is the Schema for the SecretBackendCrlConfigs API. Sets the CRL config on an PKI Secret Backend for Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" @@ -136,7 +247,7 @@ type SecretBackendCrlConfigStatus struct { type SecretBackendCrlConfig struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend)",message="backend is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" Spec SecretBackendCrlConfigSpec `json:"spec"` Status SecretBackendCrlConfigStatus `json:"status,omitempty"` } diff --git a/apis/pki/v1alpha1/zz_secretbackendintermediatecertrequest_types.go b/apis/pki/v1alpha1/zz_secretbackendintermediatecertrequest_types.go index d013d510..b1cef114 100755 --- a/apis/pki/v1alpha1/zz_secretbackendintermediatecertrequest_types.go +++ b/apis/pki/v1alpha1/zz_secretbackendintermediatecertrequest_types.go 
@@ -13,178 +13,346 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretBackendIntermediateCertRequestInitParameters struct { + + // Adds a Basic Constraints extension with 'CA: true'. + // Only needed as a workaround in some compatibility scenarios with Active Directory + // Certificate Services + // Set 'CA: true' in a Basic Constraints extension. Only needed as + // a workaround in some compatibility scenarios with Active Directory Certificate Services. + AddBasicConstraints *bool `json:"addBasicConstraints,omitempty" tf:"add_basic_constraints,omitempty"` + + // List of alternative names + // List of alternative names. + AltNames []*string `json:"altNames,omitempty" tf:"alt_names,omitempty"` + + // The PKI secret backend the resource belongs to. + // The PKI secret backend the resource belongs to. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // CN of intermediate to create + // CN of intermediate to create. + CommonName *string `json:"commonName,omitempty" tf:"common_name,omitempty"` + + // The country + // The country. + Country *string `json:"country,omitempty" tf:"country,omitempty"` + + // Flag to exclude CN from SANs + // Flag to exclude CN from SANs. + ExcludeCnFromSans *bool `json:"excludeCnFromSans,omitempty" tf:"exclude_cn_from_sans,omitempty"` + + // The format of data + // The format of data. + Format *string `json:"format,omitempty" tf:"format,omitempty"` + + // List of alternative IPs + // List of alternative IPs. + IPSans []*string `json:"ipSans,omitempty" tf:"ip_sans,omitempty"` + + // The number of bits to use + // The number of bits to use. + KeyBits *float64 `json:"keyBits,omitempty" tf:"key_bits,omitempty"` + + // The desired key type + // The desired key type. + KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"` + + // The locality + // The locality. 
+ Locality *string `json:"locality,omitempty" tf:"locality,omitempty"` + + // The ID of the previously configured managed key. This field is + // required if type is kms and it conflicts with managed_key_name + // The ID of the previously configured managed key. + ManagedKeyID *string `json:"managedKeyId,omitempty" tf:"managed_key_id,omitempty"` + + // The name of the previously configured managed key. This field is + // required if type is kms and it conflicts with managed_key_id + // The name of the previously configured managed key. + ManagedKeyName *string `json:"managedKeyName,omitempty" tf:"managed_key_name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The organization + // The organization. + Organization *string `json:"organization,omitempty" tf:"organization,omitempty"` + + // List of other SANs + // List of other SANs. + OtherSans []*string `json:"otherSans,omitempty" tf:"other_sans,omitempty"` + + // The organization unit + // The organization unit. + Ou *string `json:"ou,omitempty" tf:"ou,omitempty"` + + // The postal code + // The postal code. + PostalCode *string `json:"postalCode,omitempty" tf:"postal_code,omitempty"` + + // The private key format + // The private key format. + PrivateKeyFormat *string `json:"privateKeyFormat,omitempty" tf:"private_key_format,omitempty"` + + // The province + // The province. + Province *string `json:"province,omitempty" tf:"province,omitempty"` + + // The street address + // The street address. + StreetAddress *string `json:"streetAddress,omitempty" tf:"street_address,omitempty"` + + // Type of intermediate to create. 
Must be either "exported" or "internal" + // or "kms" + // Type of intermediate to create. Must be either "exported" or "internal". + Type *string `json:"type,omitempty" tf:"type,omitempty"` + + // List of alternative URIs + // List of alternative URIs. + URISans []*string `json:"uriSans,omitempty" tf:"uri_sans,omitempty"` +} + type SecretBackendIntermediateCertRequestObservation struct { + // Adds a Basic Constraints extension with 'CA: true'. + // Only needed as a workaround in some compatibility scenarios with Active Directory + // Certificate Services // Set 'CA: true' in a Basic Constraints extension. Only needed as // a workaround in some compatibility scenarios with Active Directory Certificate Services. AddBasicConstraints *bool `json:"addBasicConstraints,omitempty" tf:"add_basic_constraints,omitempty"` + // List of alternative names // List of alternative names. AltNames []*string `json:"altNames,omitempty" tf:"alt_names,omitempty"` + // The PKI secret backend the resource belongs to. // The PKI secret backend the resource belongs to. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // CN of intermediate to create // CN of intermediate to create. CommonName *string `json:"commonName,omitempty" tf:"common_name,omitempty"` + // The country // The country. Country *string `json:"country,omitempty" tf:"country,omitempty"` + // The CSR // The CSR. Csr *string `json:"csr,omitempty" tf:"csr,omitempty"` + // Flag to exclude CN from SANs // Flag to exclude CN from SANs. ExcludeCnFromSans *bool `json:"excludeCnFromSans,omitempty" tf:"exclude_cn_from_sans,omitempty"` + // The format of data // The format of data. Format *string `json:"format,omitempty" tf:"format,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // List of alternative IPs // List of alternative IPs. IPSans []*string `json:"ipSans,omitempty" tf:"ip_sans,omitempty"` + // The number of bits to use // The number of bits to use. 
KeyBits *float64 `json:"keyBits,omitempty" tf:"key_bits,omitempty"` + // The desired key type // The desired key type. KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"` + // The locality // The locality. Locality *string `json:"locality,omitempty" tf:"locality,omitempty"` + // The ID of the previously configured managed key. This field is + // required if type is kms and it conflicts with managed_key_name // The ID of the previously configured managed key. ManagedKeyID *string `json:"managedKeyId,omitempty" tf:"managed_key_id,omitempty"` + // The name of the previously configured managed key. This field is + // required if type is kms and it conflicts with managed_key_id // The name of the previously configured managed key. ManagedKeyName *string `json:"managedKeyName,omitempty" tf:"managed_key_name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The organization // The organization. Organization *string `json:"organization,omitempty" tf:"organization,omitempty"` + // List of other SANs // List of other SANs. OtherSans []*string `json:"otherSans,omitempty" tf:"other_sans,omitempty"` + // The organization unit // The organization unit. Ou *string `json:"ou,omitempty" tf:"ou,omitempty"` + // The postal code // The postal code. PostalCode *string `json:"postalCode,omitempty" tf:"postal_code,omitempty"` + // The private key format // The private key format. PrivateKeyFormat *string `json:"privateKeyFormat,omitempty" tf:"private_key_format,omitempty"` + // The private key type // The private key type. PrivateKeyType *string `json:"privateKeyType,omitempty" tf:"private_key_type,omitempty"` + // The province // The province. 
Province *string `json:"province,omitempty" tf:"province,omitempty"` + // The street address // The street address. StreetAddress *string `json:"streetAddress,omitempty" tf:"street_address,omitempty"` + // Type of intermediate to create. Must be either "exported" or "internal" + // or "kms" // Type of intermediate to create. Must be either "exported" or "internal". Type *string `json:"type,omitempty" tf:"type,omitempty"` + // List of alternative URIs // List of alternative URIs. URISans []*string `json:"uriSans,omitempty" tf:"uri_sans,omitempty"` } type SecretBackendIntermediateCertRequestParameters struct { + // Adds a Basic Constraints extension with 'CA: true'. + // Only needed as a workaround in some compatibility scenarios with Active Directory + // Certificate Services // Set 'CA: true' in a Basic Constraints extension. Only needed as // a workaround in some compatibility scenarios with Active Directory Certificate Services. // +kubebuilder:validation:Optional AddBasicConstraints *bool `json:"addBasicConstraints,omitempty" tf:"add_basic_constraints,omitempty"` + // List of alternative names // List of alternative names. // +kubebuilder:validation:Optional AltNames []*string `json:"altNames,omitempty" tf:"alt_names,omitempty"` + // The PKI secret backend the resource belongs to. // The PKI secret backend the resource belongs to. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // CN of intermediate to create // CN of intermediate to create. // +kubebuilder:validation:Optional CommonName *string `json:"commonName,omitempty" tf:"common_name,omitempty"` + // The country // The country. // +kubebuilder:validation:Optional Country *string `json:"country,omitempty" tf:"country,omitempty"` + // Flag to exclude CN from SANs // Flag to exclude CN from SANs. 
// +kubebuilder:validation:Optional ExcludeCnFromSans *bool `json:"excludeCnFromSans,omitempty" tf:"exclude_cn_from_sans,omitempty"` + // The format of data // The format of data. // +kubebuilder:validation:Optional Format *string `json:"format,omitempty" tf:"format,omitempty"` + // List of alternative IPs // List of alternative IPs. // +kubebuilder:validation:Optional IPSans []*string `json:"ipSans,omitempty" tf:"ip_sans,omitempty"` + // The number of bits to use // The number of bits to use. // +kubebuilder:validation:Optional KeyBits *float64 `json:"keyBits,omitempty" tf:"key_bits,omitempty"` + // The desired key type // The desired key type. // +kubebuilder:validation:Optional KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"` + // The locality // The locality. // +kubebuilder:validation:Optional Locality *string `json:"locality,omitempty" tf:"locality,omitempty"` + // The ID of the previously configured managed key. This field is + // required if type is kms and it conflicts with managed_key_name // The ID of the previously configured managed key. // +kubebuilder:validation:Optional ManagedKeyID *string `json:"managedKeyId,omitempty" tf:"managed_key_id,omitempty"` + // The name of the previously configured managed key. This field is + // required if type is kms and it conflicts with managed_key_id // The name of the previously configured managed key. // +kubebuilder:validation:Optional ManagedKeyName *string `json:"managedKeyName,omitempty" tf:"managed_key_name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The organization // The organization. 
// +kubebuilder:validation:Optional Organization *string `json:"organization,omitempty" tf:"organization,omitempty"` + // List of other SANs // List of other SANs. // +kubebuilder:validation:Optional OtherSans []*string `json:"otherSans,omitempty" tf:"other_sans,omitempty"` + // The organization unit // The organization unit. // +kubebuilder:validation:Optional Ou *string `json:"ou,omitempty" tf:"ou,omitempty"` + // The postal code // The postal code. // +kubebuilder:validation:Optional PostalCode *string `json:"postalCode,omitempty" tf:"postal_code,omitempty"` + // The private key format // The private key format. // +kubebuilder:validation:Optional PrivateKeyFormat *string `json:"privateKeyFormat,omitempty" tf:"private_key_format,omitempty"` + // The province // The province. // +kubebuilder:validation:Optional Province *string `json:"province,omitempty" tf:"province,omitempty"` + // The street address // The street address. // +kubebuilder:validation:Optional StreetAddress *string `json:"streetAddress,omitempty" tf:"street_address,omitempty"` + // Type of intermediate to create. Must be either "exported" or "internal" + // or "kms" // Type of intermediate to create. Must be either "exported" or "internal". // +kubebuilder:validation:Optional Type *string `json:"type,omitempty" tf:"type,omitempty"` + // List of alternative URIs // List of alternative URIs. // +kubebuilder:validation:Optional URISans []*string `json:"uriSans,omitempty" tf:"uri_sans,omitempty"` 
@@ -194,6 +362,18 @@ type SecretBackendIntermediateCertRequestParameters struct { type SecretBackendIntermediateCertRequestSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendIntermediateCertRequestParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretBackendIntermediateCertRequestInitParameters `json:"initProvider,omitempty"` } // SecretBackendIntermediateCertRequestStatus defines the observed state of SecretBackendIntermediateCertRequest. @@ -204,7 +384,7 @@ type SecretBackendIntermediateCertRequestStatus struct { // +kubebuilder:object:root=true -// SecretBackendIntermediateCertRequest is the Schema for the SecretBackendIntermediateCertRequests API. +// SecretBackendIntermediateCertRequest is the Schema for the SecretBackendIntermediateCertRequests API. Generate a new private key and a CSR for signing the PKI. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -214,9 +394,9 @@ type SecretBackendIntermediateCertRequestStatus struct { type SecretBackendIntermediateCertRequest struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.commonName)",message="commonName is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)",message="type is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.commonName) || has(self.initProvider.commonName)",message="commonName is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.type) || has(self.initProvider.type)",message="type is a required parameter" Spec SecretBackendIntermediateCertRequestSpec `json:"spec"` Status SecretBackendIntermediateCertRequestStatus `json:"status,omitempty"` } diff --git a/apis/pki/v1alpha1/zz_secretbackendintermediatesetsigned_types.go b/apis/pki/v1alpha1/zz_secretbackendintermediatesetsigned_types.go index aa0768f2..8981580f 100755 --- a/apis/pki/v1alpha1/zz_secretbackendintermediatesetsigned_types.go +++ b/apis/pki/v1alpha1/zz_secretbackendintermediatesetsigned_types.go 
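Review bot: The three rewritten XValidation rules test `has(self.initProvider.backend)` (and `.commonName`, `.type`) without first establishing that `initProvider` exists; the field is tagged `omitempty` in the spec, so a manifest that omits both `forProvider.backend` and the whole `initProvider` block makes CEL dereference an absent object, which I believe Kubernetes reports as a rule evaluation error instead of returning `false`. The object is still rejected, but the user then sees the runtime error text rather than the intended "backend is a required parameter" message, which makes the required-field contract harder to discover. A guard keeps the message deterministic: `|| (has(self.initProvider) && has(self.initProvider.backend))`, and likewise for `commonName` and `type`. This file appears to be generator output (zz_ prefix, `tf:` tags), so the change presumably belongs in the template that emits these rules rather than here.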
@@ -13,30 +13,66 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretBackendIntermediateSetSignedInitParameters struct { + + // The PKI secret backend the resource belongs to. + // The PKI secret backend the resource belongs to. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // Specifies the PEM encoded certificate. May optionally append additional + // CA certificates to populate the whole chain, which will then enable returning the full chain from + // issue and sign operations. + // The certificate. + Certificate *string `json:"certificate,omitempty" tf:"certificate,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` +} + type SecretBackendIntermediateSetSignedObservation struct { + // The PKI secret backend the resource belongs to. // The PKI secret backend the resource belongs to. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Specifies the PEM encoded certificate. May optionally append additional + // CA certificates to populate the whole chain, which will then enable returning the full chain from + // issue and sign operations. // The certificate. Certificate *string `json:"certificate,omitempty" tf:"certificate,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. 
(requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` } type SecretBackendIntermediateSetSignedParameters struct { + // The PKI secret backend the resource belongs to. // The PKI secret backend the resource belongs to. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Specifies the PEM encoded certificate. May optionally append additional + // CA certificates to populate the whole chain, which will then enable returning the full chain from + // issue and sign operations. // The certificate. // +kubebuilder:validation:Optional Certificate *string `json:"certificate,omitempty" tf:"certificate,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` 
@@ -46,6 +82,18 @@ type SecretBackendIntermediateSetSignedParameters struct { type SecretBackendIntermediateSetSignedSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendIntermediateSetSignedParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretBackendIntermediateSetSignedInitParameters `json:"initProvider,omitempty"` } // SecretBackendIntermediateSetSignedStatus defines the observed state of SecretBackendIntermediateSetSigned. @@ -56,7 +104,7 @@ type SecretBackendIntermediateSetSignedStatus struct { // +kubebuilder:object:root=true -// SecretBackendIntermediateSetSigned is the Schema for the SecretBackendIntermediateSetSigneds API. +// SecretBackendIntermediateSetSigned is the Schema for the SecretBackendIntermediateSetSigneds API. Submit the PKI CA certificate. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -66,8 +114,8 @@ type SecretBackendIntermediateSetSignedStatus struct { type SecretBackendIntermediateSetSigned struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.certificate)",message="certificate is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.certificate) || has(self.initProvider.certificate)",message="certificate is a required parameter" Spec SecretBackendIntermediateSetSignedSpec `json:"spec"` Status SecretBackendIntermediateSetSignedStatus `json:"status,omitempty"` } diff --git a/apis/pki/v1alpha1/zz_secretbackendrole_types.go b/apis/pki/v1alpha1/zz_secretbackendrole_types.go index 3be57fbc..9865acb2 100755 --- a/apis/pki/v1alpha1/zz_secretbackendrole_types.go +++ b/apis/pki/v1alpha1/zz_secretbackendrole_types.go 
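Review bot: The second rule accepts `initProvider.certificate` as satisfying the "certificate is a required parameter" check, but per the InitProvider doc added earlier in this file those fields are merged only at creation and then placed on the ignore_changes hook, so a CA certificate or chain supplied that way would not be re-submitted to Vault when the operator later re-signs or rotates the intermediate, and nothing in the rule or the field docs warns about that. Since this resource exists precisely to install the signed CA cert, I would add to the `Certificate` doc in `SecretBackendIntermediateSetSignedInitParameters`: `// NOTE: a certificate set here is applied only at creation and ignored on update; use forProvider.certificate when rotation must be reconciled.` The same `has(self.initProvider)` guard concern applies to both rules here as in the cert-request type: `|| (has(self.initProvider) && has(self.initProvider.certificate))` avoids a CEL evaluation error when `initProvider` is omitted entirely. Both points likely need to be addressed in the generator, as this file appears to be generated.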
@@ -13,323 +13,605 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type PolicyIdentifierInitParameters struct { + + // The URL of the CPS for the policy identifier + // Optional CPS URL + Cps *string `json:"cps,omitempty" tf:"cps,omitempty"` + + // A notice for the policy identifier + // Optional notice + Notice *string `json:"notice,omitempty" tf:"notice,omitempty"` + + // The OID for the policy identifier + // OID + Oid *string `json:"oid,omitempty" tf:"oid,omitempty"` +} + type PolicyIdentifierObservation struct { + // The URL of the CPS for the policy identifier // Optional CPS URL Cps *string `json:"cps,omitempty" tf:"cps,omitempty"` + // A notice for the policy identifier // Optional notice Notice *string `json:"notice,omitempty" tf:"notice,omitempty"` + // The OID for the policy identifier // OID Oid *string `json:"oid,omitempty" tf:"oid,omitempty"` } type PolicyIdentifierParameters struct { + // The URL of the CPS for the policy identifier // Optional CPS URL // +kubebuilder:validation:Optional Cps *string `json:"cps,omitempty" tf:"cps,omitempty"` + // A notice for the policy identifier // Optional notice // +kubebuilder:validation:Optional Notice *string `json:"notice,omitempty" tf:"notice,omitempty"` + // The OID for the policy identifier // OID - // +kubebuilder:validation:Required - Oid *string `json:"oid" tf:"oid,omitempty"` + // +kubebuilder:validation:Optional + Oid *string `json:"oid,omitempty" tf:"oid,omitempty"` +} + +type SecretBackendRoleInitParameters struct { + + // Flag to allow any name + // Flag to allow any name + AllowAnyName *bool `json:"allowAnyName,omitempty" tf:"allow_any_name,omitempty"` + + // Flag to allow certificates matching the actual domain + // Flag to allow certificates matching the actual domain. + AllowBareDomains *bool `json:"allowBareDomains,omitempty" tf:"allow_bare_domains,omitempty"` + + // Flag to allow names containing glob patterns. + // Flag to allow names containing glob patterns. 
+ AllowGlobDomains *bool `json:"allowGlobDomains,omitempty" tf:"allow_glob_domains,omitempty"` + + // Flag to allow IP SANs + // Flag to allow IP SANs + AllowIPSans *bool `json:"allowIpSans,omitempty" tf:"allow_ip_sans,omitempty"` + + // Flag to allow certificates for localhost + // Flag to allow certificates for localhost. + AllowLocalhost *bool `json:"allowLocalhost,omitempty" tf:"allow_localhost,omitempty"` + + // Flag to allow certificates matching subdomains + // Flag to allow certificates matching subdomains. + AllowSubdomains *bool `json:"allowSubdomains,omitempty" tf:"allow_subdomains,omitempty"` + + // List of allowed domains for certificates + // The domains of the role. + AllowedDomains []*string `json:"allowedDomains,omitempty" tf:"allowed_domains,omitempty"` + + // Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases..name}}. + // Flag to indicate that `allowed_domains` specifies a template expression (e.g. {{identity.entity.aliases..name}}) + AllowedDomainsTemplate *bool `json:"allowedDomainsTemplate,omitempty" tf:"allowed_domains_template,omitempty"` + + // Defines allowed custom SANs + // Defines allowed custom SANs + AllowedOtherSans []*string `json:"allowedOtherSans,omitempty" tf:"allowed_other_sans,omitempty"` + + // An array of allowed serial numbers to put in Subject + // Defines allowed Subject serial numbers. + AllowedSerialNumbers []*string `json:"allowedSerialNumbers,omitempty" tf:"allowed_serial_numbers,omitempty"` + + // Defines allowed URI SANs + // Defines allowed URI SANs + AllowedURISans []*string `json:"allowedUriSans,omitempty" tf:"allowed_uri_sans,omitempty"` + + // The path the PKI secret backend is mounted at, with no leading or trailing /s. + // The path of the PKI secret backend the resource belongs to. 
+ Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // Flag to mark basic constraints valid when issuing non-CA certificates + // Flag to mark basic constraints valid when issuing non-CA certificates. + BasicConstraintsValidForNonCA *bool `json:"basicConstraintsValidForNonCa,omitempty" tf:"basic_constraints_valid_for_non_ca,omitempty"` + + // Flag to specify certificates for client use + // Flag to specify certificates for client use. + ClientFlag *bool `json:"clientFlag,omitempty" tf:"client_flag,omitempty"` + + // Flag to specify certificates for code signing use + // Flag to specify certificates for code signing use. + CodeSigningFlag *bool `json:"codeSigningFlag,omitempty" tf:"code_signing_flag,omitempty"` + + // The country of generated certificates + // The country of generated certificates. + Country []*string `json:"country,omitempty" tf:"country,omitempty"` + + // Flag to specify certificates for email protection use + // Flag to specify certificates for email protection use. + EmailProtectionFlag *bool `json:"emailProtectionFlag,omitempty" tf:"email_protection_flag,omitempty"` + + // Flag to allow only valid host names + // Flag to allow only valid host names + EnforceHostnames *bool `json:"enforceHostnames,omitempty" tf:"enforce_hostnames,omitempty"` + + // Specify the allowed extended key usage constraint on issued certificates + // Specify the allowed extended key usage constraint on issued certificates. + ExtKeyUsage []*string `json:"extKeyUsage,omitempty" tf:"ext_key_usage,omitempty"` + + // Flag to generate leases with certificates + // Flag to generate leases with certificates. + GenerateLease *bool `json:"generateLease,omitempty" tf:"generate_lease,omitempty"` + + // The number of bits of generated keys + // The number of bits of generated keys. + KeyBits *float64 `json:"keyBits,omitempty" tf:"key_bits,omitempty"` + + // The generated key type, choices: rsa, ec, ed25519, any + // Defaults to rsa + // The generated key type. 
+ KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"` + + // Specify the allowed key usage constraint on issued certificates + // Specify the allowed key usage constraint on issued certificates. + KeyUsage []*string `json:"keyUsage,omitempty" tf:"key_usage,omitempty"` + + // The locality of generated certificates + // The locality of generated certificates. + Locality []*string `json:"locality,omitempty" tf:"locality,omitempty"` + + // The maximum lease TTL, in seconds, for the role. + // The maximum TTL. + MaxTTL *string `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` + + // The name to identify this role within the backend. Must be unique within the backend. + // Unique name for the role. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Flag to not store certificates in the storage backend + // Flag to not store certificates in the storage backend. + NoStore *bool `json:"noStore,omitempty" tf:"no_store,omitempty"` + + // Specifies the duration by which to backdate the NotBefore property. + // Specifies the duration by which to backdate the NotBefore property. + NotBeforeDuration *string `json:"notBeforeDuration,omitempty" tf:"not_before_duration,omitempty"` + + // The organization of generated certificates + // The organization of generated certificates. + Organization []*string `json:"organization,omitempty" tf:"organization,omitempty"` + + // The organization unit of generated certificates + // The organization unit of generated certificates. + Ou []*string `json:"ou,omitempty" tf:"ou,omitempty"` + + // (Vault 1.11+ only) A block for specifying policy identifers. 
The policy_identifier block can be repeated, and supports the following arguments: + // Policy identifier block; can only be used with Vault 1.11+ + PolicyIdentifier []PolicyIdentifierInitParameters `json:"policyIdentifier,omitempty" tf:"policy_identifier,omitempty"` + + // Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead + // Specify the list of allowed policies OIDs. + PolicyIdentifiers []*string `json:"policyIdentifiers,omitempty" tf:"policy_identifiers,omitempty"` + + // The postal code of generated certificates + // The postal code of generated certificates. + PostalCode []*string `json:"postalCode,omitempty" tf:"postal_code,omitempty"` + + // The province of generated certificates + // The province of generated certificates. + Province []*string `json:"province,omitempty" tf:"province,omitempty"` + + // Flag to force CN usage + // Flag to force CN usage. + RequireCn *bool `json:"requireCn,omitempty" tf:"require_cn,omitempty"` + + // Flag to specify certificates for server use + // Flag to specify certificates for server use. + ServerFlag *bool `json:"serverFlag,omitempty" tf:"server_flag,omitempty"` + + // The street address of generated certificates + // The street address of generated certificates. + StreetAddress []*string `json:"streetAddress,omitempty" tf:"street_address,omitempty"` + + // The TTL, in seconds, for any certificate issued against this role. + // The TTL. + TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` + + // Flag to use the CN in the CSR + // Flag to use the CN in the CSR. + UseCsrCommonName *bool `json:"useCsrCommonName,omitempty" tf:"use_csr_common_name,omitempty"` + + // Flag to use the SANs in the CSR + // Flag to use the SANs in the CSR. 
+ UseCsrSans *bool `json:"useCsrSans,omitempty" tf:"use_csr_sans,omitempty"` } type SecretBackendRoleObservation struct { + // Flag to allow any name // Flag to allow any name AllowAnyName *bool `json:"allowAnyName,omitempty" tf:"allow_any_name,omitempty"` + // Flag to allow certificates matching the actual domain // Flag to allow certificates matching the actual domain. AllowBareDomains *bool `json:"allowBareDomains,omitempty" tf:"allow_bare_domains,omitempty"` + // Flag to allow names containing glob patterns. // Flag to allow names containing glob patterns. AllowGlobDomains *bool `json:"allowGlobDomains,omitempty" tf:"allow_glob_domains,omitempty"` + // Flag to allow IP SANs // Flag to allow IP SANs AllowIPSans *bool `json:"allowIpSans,omitempty" tf:"allow_ip_sans,omitempty"` + // Flag to allow certificates for localhost // Flag to allow certificates for localhost. AllowLocalhost *bool `json:"allowLocalhost,omitempty" tf:"allow_localhost,omitempty"` + // Flag to allow certificates matching subdomains // Flag to allow certificates matching subdomains. AllowSubdomains *bool `json:"allowSubdomains,omitempty" tf:"allow_subdomains,omitempty"` + // List of allowed domains for certificates // The domains of the role. AllowedDomains []*string `json:"allowedDomains,omitempty" tf:"allowed_domains,omitempty"` + // Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases..name}}. // Flag to indicate that `allowed_domains` specifies a template expression (e.g. {{identity.entity.aliases..name}}) AllowedDomainsTemplate *bool `json:"allowedDomainsTemplate,omitempty" tf:"allowed_domains_template,omitempty"` + // Defines allowed custom SANs // Defines allowed custom SANs AllowedOtherSans []*string `json:"allowedOtherSans,omitempty" tf:"allowed_other_sans,omitempty"` + // An array of allowed serial numbers to put in Subject // Defines allowed Subject serial numbers. 
AllowedSerialNumbers []*string `json:"allowedSerialNumbers,omitempty" tf:"allowed_serial_numbers,omitempty"` + // Defines allowed URI SANs // Defines allowed URI SANs AllowedURISans []*string `json:"allowedUriSans,omitempty" tf:"allowed_uri_sans,omitempty"` + // The path the PKI secret backend is mounted at, with no leading or trailing /s. // The path of the PKI secret backend the resource belongs to. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Flag to mark basic constraints valid when issuing non-CA certificates // Flag to mark basic constraints valid when issuing non-CA certificates. BasicConstraintsValidForNonCA *bool `json:"basicConstraintsValidForNonCa,omitempty" tf:"basic_constraints_valid_for_non_ca,omitempty"` + // Flag to specify certificates for client use // Flag to specify certificates for client use. ClientFlag *bool `json:"clientFlag,omitempty" tf:"client_flag,omitempty"` + // Flag to specify certificates for code signing use // Flag to specify certificates for code signing use. CodeSigningFlag *bool `json:"codeSigningFlag,omitempty" tf:"code_signing_flag,omitempty"` + // The country of generated certificates // The country of generated certificates. Country []*string `json:"country,omitempty" tf:"country,omitempty"` + // Flag to specify certificates for email protection use // Flag to specify certificates for email protection use. EmailProtectionFlag *bool `json:"emailProtectionFlag,omitempty" tf:"email_protection_flag,omitempty"` + // Flag to allow only valid host names // Flag to allow only valid host names EnforceHostnames *bool `json:"enforceHostnames,omitempty" tf:"enforce_hostnames,omitempty"` + // Specify the allowed extended key usage constraint on issued certificates // Specify the allowed extended key usage constraint on issued certificates. ExtKeyUsage []*string `json:"extKeyUsage,omitempty" tf:"ext_key_usage,omitempty"` + // Flag to generate leases with certificates // Flag to generate leases with certificates. 
GenerateLease *bool `json:"generateLease,omitempty" tf:"generate_lease,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The number of bits of generated keys // The number of bits of generated keys. KeyBits *float64 `json:"keyBits,omitempty" tf:"key_bits,omitempty"` + // The generated key type, choices: rsa, ec, ed25519, any + // Defaults to rsa // The generated key type. KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"` + // Specify the allowed key usage constraint on issued certificates // Specify the allowed key usage constraint on issued certificates. KeyUsage []*string `json:"keyUsage,omitempty" tf:"key_usage,omitempty"` + // The locality of generated certificates // The locality of generated certificates. Locality []*string `json:"locality,omitempty" tf:"locality,omitempty"` + // The maximum lease TTL, in seconds, for the role. // The maximum TTL. MaxTTL *string `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` + // The name to identify this role within the backend. Must be unique within the backend. // Unique name for the role. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Flag to not store certificates in the storage backend // Flag to not store certificates in the storage backend. NoStore *bool `json:"noStore,omitempty" tf:"no_store,omitempty"` + // Specifies the duration by which to backdate the NotBefore property. // Specifies the duration by which to backdate the NotBefore property. 
NotBeforeDuration *string `json:"notBeforeDuration,omitempty" tf:"not_before_duration,omitempty"` + // The organization of generated certificates // The organization of generated certificates. Organization []*string `json:"organization,omitempty" tf:"organization,omitempty"` + // The organization unit of generated certificates // The organization unit of generated certificates. Ou []*string `json:"ou,omitempty" tf:"ou,omitempty"` + // (Vault 1.11+ only) A block for specifying policy identifers. The policy_identifier block can be repeated, and supports the following arguments: // Policy identifier block; can only be used with Vault 1.11+ PolicyIdentifier []PolicyIdentifierObservation `json:"policyIdentifier,omitempty" tf:"policy_identifier,omitempty"` + // Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead // Specify the list of allowed policies OIDs. PolicyIdentifiers []*string `json:"policyIdentifiers,omitempty" tf:"policy_identifiers,omitempty"` + // The postal code of generated certificates // The postal code of generated certificates. PostalCode []*string `json:"postalCode,omitempty" tf:"postal_code,omitempty"` + // The province of generated certificates // The province of generated certificates. Province []*string `json:"province,omitempty" tf:"province,omitempty"` + // Flag to force CN usage // Flag to force CN usage. RequireCn *bool `json:"requireCn,omitempty" tf:"require_cn,omitempty"` + // Flag to specify certificates for server use // Flag to specify certificates for server use. ServerFlag *bool `json:"serverFlag,omitempty" tf:"server_flag,omitempty"` + // The street address of generated certificates // The street address of generated certificates. StreetAddress []*string `json:"streetAddress,omitempty" tf:"street_address,omitempty"` + // The TTL, in seconds, for any certificate issued against this role. // The TTL. 
TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` + // Flag to use the CN in the CSR // Flag to use the CN in the CSR. UseCsrCommonName *bool `json:"useCsrCommonName,omitempty" tf:"use_csr_common_name,omitempty"` + // Flag to use the SANs in the CSR // Flag to use the SANs in the CSR. UseCsrSans *bool `json:"useCsrSans,omitempty" tf:"use_csr_sans,omitempty"` } type SecretBackendRoleParameters struct { + // Flag to allow any name // Flag to allow any name // +kubebuilder:validation:Optional AllowAnyName *bool `json:"allowAnyName,omitempty" tf:"allow_any_name,omitempty"` + // Flag to allow certificates matching the actual domain // Flag to allow certificates matching the actual domain. // +kubebuilder:validation:Optional AllowBareDomains *bool `json:"allowBareDomains,omitempty" tf:"allow_bare_domains,omitempty"` + // Flag to allow names containing glob patterns. // Flag to allow names containing glob patterns. // +kubebuilder:validation:Optional AllowGlobDomains *bool `json:"allowGlobDomains,omitempty" tf:"allow_glob_domains,omitempty"` + // Flag to allow IP SANs // Flag to allow IP SANs // +kubebuilder:validation:Optional AllowIPSans *bool `json:"allowIpSans,omitempty" tf:"allow_ip_sans,omitempty"` + // Flag to allow certificates for localhost // Flag to allow certificates for localhost. // +kubebuilder:validation:Optional AllowLocalhost *bool `json:"allowLocalhost,omitempty" tf:"allow_localhost,omitempty"` + // Flag to allow certificates matching subdomains // Flag to allow certificates matching subdomains. // +kubebuilder:validation:Optional AllowSubdomains *bool `json:"allowSubdomains,omitempty" tf:"allow_subdomains,omitempty"` + // List of allowed domains for certificates // The domains of the role. // +kubebuilder:validation:Optional AllowedDomains []*string `json:"allowedDomains,omitempty" tf:"allowed_domains,omitempty"` + // Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases..name}}. 
// Flag to indicate that `allowed_domains` specifies a template expression (e.g. {{identity.entity.aliases..name}}) // +kubebuilder:validation:Optional AllowedDomainsTemplate *bool `json:"allowedDomainsTemplate,omitempty" tf:"allowed_domains_template,omitempty"` + // Defines allowed custom SANs // Defines allowed custom SANs // +kubebuilder:validation:Optional AllowedOtherSans []*string `json:"allowedOtherSans,omitempty" tf:"allowed_other_sans,omitempty"` + // An array of allowed serial numbers to put in Subject // Defines allowed Subject serial numbers. // +kubebuilder:validation:Optional AllowedSerialNumbers []*string `json:"allowedSerialNumbers,omitempty" tf:"allowed_serial_numbers,omitempty"` + // Defines allowed URI SANs // Defines allowed URI SANs // +kubebuilder:validation:Optional AllowedURISans []*string `json:"allowedUriSans,omitempty" tf:"allowed_uri_sans,omitempty"` + // The path the PKI secret backend is mounted at, with no leading or trailing /s. // The path of the PKI secret backend the resource belongs to. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Flag to mark basic constraints valid when issuing non-CA certificates // Flag to mark basic constraints valid when issuing non-CA certificates. // +kubebuilder:validation:Optional BasicConstraintsValidForNonCA *bool `json:"basicConstraintsValidForNonCa,omitempty" tf:"basic_constraints_valid_for_non_ca,omitempty"` + // Flag to specify certificates for client use // Flag to specify certificates for client use. // +kubebuilder:validation:Optional ClientFlag *bool `json:"clientFlag,omitempty" tf:"client_flag,omitempty"` + // Flag to specify certificates for code signing use // Flag to specify certificates for code signing use. // +kubebuilder:validation:Optional CodeSigningFlag *bool `json:"codeSigningFlag,omitempty" tf:"code_signing_flag,omitempty"` + // The country of generated certificates // The country of generated certificates. 
// +kubebuilder:validation:Optional Country []*string `json:"country,omitempty" tf:"country,omitempty"` + // Flag to specify certificates for email protection use // Flag to specify certificates for email protection use. // +kubebuilder:validation:Optional EmailProtectionFlag *bool `json:"emailProtectionFlag,omitempty" tf:"email_protection_flag,omitempty"` + // Flag to allow only valid host names // Flag to allow only valid host names // +kubebuilder:validation:Optional EnforceHostnames *bool `json:"enforceHostnames,omitempty" tf:"enforce_hostnames,omitempty"` + // Specify the allowed extended key usage constraint on issued certificates // Specify the allowed extended key usage constraint on issued certificates. // +kubebuilder:validation:Optional ExtKeyUsage []*string `json:"extKeyUsage,omitempty" tf:"ext_key_usage,omitempty"` + // Flag to generate leases with certificates // Flag to generate leases with certificates. // +kubebuilder:validation:Optional GenerateLease *bool `json:"generateLease,omitempty" tf:"generate_lease,omitempty"` + // The number of bits of generated keys // The number of bits of generated keys. // +kubebuilder:validation:Optional KeyBits *float64 `json:"keyBits,omitempty" tf:"key_bits,omitempty"` + // The generated key type, choices: rsa, ec, ed25519, any + // Defaults to rsa // The generated key type. // +kubebuilder:validation:Optional KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"` + // Specify the allowed key usage constraint on issued certificates // Specify the allowed key usage constraint on issued certificates. // +kubebuilder:validation:Optional KeyUsage []*string `json:"keyUsage,omitempty" tf:"key_usage,omitempty"` + // The locality of generated certificates // The locality of generated certificates. // +kubebuilder:validation:Optional Locality []*string `json:"locality,omitempty" tf:"locality,omitempty"` + // The maximum lease TTL, in seconds, for the role. // The maximum TTL. 
// +kubebuilder:validation:Optional MaxTTL *string `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` + // The name to identify this role within the backend. Must be unique within the backend. // Unique name for the role. // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Flag to not store certificates in the storage backend // Flag to not store certificates in the storage backend. // +kubebuilder:validation:Optional NoStore *bool `json:"noStore,omitempty" tf:"no_store,omitempty"` + // Specifies the duration by which to backdate the NotBefore property. // Specifies the duration by which to backdate the NotBefore property. // +kubebuilder:validation:Optional NotBeforeDuration *string `json:"notBeforeDuration,omitempty" tf:"not_before_duration,omitempty"` + // The organization of generated certificates // The organization of generated certificates. // +kubebuilder:validation:Optional Organization []*string `json:"organization,omitempty" tf:"organization,omitempty"` + // The organization unit of generated certificates // The organization unit of generated certificates. // +kubebuilder:validation:Optional Ou []*string `json:"ou,omitempty" tf:"ou,omitempty"` + // (Vault 1.11+ only) A block for specifying policy identifers. 
The policy_identifier block can be repeated, and supports the following arguments: // Policy identifier block; can only be used with Vault 1.11+ // +kubebuilder:validation:Optional PolicyIdentifier []PolicyIdentifierParameters `json:"policyIdentifier,omitempty" tf:"policy_identifier,omitempty"` + // Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead // Specify the list of allowed policies OIDs. // +kubebuilder:validation:Optional PolicyIdentifiers []*string `json:"policyIdentifiers,omitempty" tf:"policy_identifiers,omitempty"` + // The postal code of generated certificates // The postal code of generated certificates. // +kubebuilder:validation:Optional PostalCode []*string `json:"postalCode,omitempty" tf:"postal_code,omitempty"` + // The province of generated certificates // The province of generated certificates. // +kubebuilder:validation:Optional Province []*string `json:"province,omitempty" tf:"province,omitempty"` + // Flag to force CN usage // Flag to force CN usage. // +kubebuilder:validation:Optional RequireCn *bool `json:"requireCn,omitempty" tf:"require_cn,omitempty"` + // Flag to specify certificates for server use // Flag to specify certificates for server use. // +kubebuilder:validation:Optional ServerFlag *bool `json:"serverFlag,omitempty" tf:"server_flag,omitempty"` + // The street address of generated certificates // The street address of generated certificates. // +kubebuilder:validation:Optional StreetAddress []*string `json:"streetAddress,omitempty" tf:"street_address,omitempty"` + // The TTL, in seconds, for any certificate issued against this role. // The TTL. // +kubebuilder:validation:Optional TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` + // Flag to use the CN in the CSR // Flag to use the CN in the CSR. 
// +kubebuilder:validation:Optional UseCsrCommonName *bool `json:"useCsrCommonName,omitempty" tf:"use_csr_common_name,omitempty"` + // Flag to use the SANs in the CSR // Flag to use the SANs in the CSR. // +kubebuilder:validation:Optional UseCsrSans *bool `json:"useCsrSans,omitempty" tf:"use_csr_sans,omitempty"` @@ -339,6 +621,18 @@ type SecretBackendRoleParameters struct { type SecretBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendRoleParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretBackendRoleInitParameters `json:"initProvider,omitempty"` } // SecretBackendRoleStatus defines the observed state of SecretBackendRole. 
@@ -349,7 +643,7 @@ type SecretBackendRoleStatus struct { // +kubebuilder:object:root=true -// SecretBackendRole is the Schema for the SecretBackendRoles API. +// SecretBackendRole is the Schema for the SecretBackendRoles API. Create a role on an PKI Secret Backend for Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" @@ -359,8 +653,8 @@ type SecretBackendRoleStatus struct { type SecretBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" Spec SecretBackendRoleSpec `json:"spec"` Status SecretBackendRoleStatus `json:"status,omitempty"` } diff --git a/apis/pki/v1alpha1/zz_secretbackendrootcert_types.go b/apis/pki/v1alpha1/zz_secretbackendrootcert_types.go index f73e8caa..a09cb376 100755 --- a/apis/pki/v1alpha1/zz_secretbackendrootcert_types.go 
+++ b/apis/pki/v1alpha1/zz_secretbackendrootcert_types.go 
@@ -13,196 +13,371 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretBackendRootCertInitParameters struct { + + // List of alternative names + // List of alternative names. + AltNames []*string `json:"altNames,omitempty" tf:"alt_names,omitempty"` + + // The PKI secret backend the resource belongs to. + // The PKI secret backend the resource belongs to. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // CN of intermediate to create + // CN of root to create. + CommonName *string `json:"commonName,omitempty" tf:"common_name,omitempty"` + + // The country + // The country. + Country *string `json:"country,omitempty" tf:"country,omitempty"` + + // Flag to exclude CN from SANs + // Flag to exclude CN from SANs. + ExcludeCnFromSans *bool `json:"excludeCnFromSans,omitempty" tf:"exclude_cn_from_sans,omitempty"` + + // The format of data + // The format of data. + Format *string `json:"format,omitempty" tf:"format,omitempty"` + + // List of alternative IPs + // List of alternative IPs. + IPSans []*string `json:"ipSans,omitempty" tf:"ip_sans,omitempty"` + + // The number of bits to use + // The number of bits to use. + KeyBits *float64 `json:"keyBits,omitempty" tf:"key_bits,omitempty"` + + // The desired key type + // The desired key type. + KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"` + + // The locality + // The locality. + Locality *string `json:"locality,omitempty" tf:"locality,omitempty"` + + // The ID of the previously configured managed key. This field is + // required if type is kms and it conflicts with managed_key_name + // The ID of the previously configured managed key. + ManagedKeyID *string `json:"managedKeyId,omitempty" tf:"managed_key_id,omitempty"` + + // The name of the previously configured managed key. This field is + // required if type is kms and it conflicts with managed_key_id + // The name of the previously configured managed key. 
+ ManagedKeyName *string `json:"managedKeyName,omitempty" tf:"managed_key_name,omitempty"` + + // The maximum path length to encode in the generated certificate + // The maximum path length to encode in the generated certificate. + MaxPathLength *float64 `json:"maxPathLength,omitempty" tf:"max_path_length,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The organization + // The organization. + Organization *string `json:"organization,omitempty" tf:"organization,omitempty"` + + // List of other SANs + // List of other SANs. + OtherSans []*string `json:"otherSans,omitempty" tf:"other_sans,omitempty"` + + // The organization unit + // The organization unit. + Ou *string `json:"ou,omitempty" tf:"ou,omitempty"` + + // List of domains for which certificates are allowed to be issued + // List of domains for which certificates are allowed to be issued. + PermittedDNSDomains []*string `json:"permittedDnsDomains,omitempty" tf:"permitted_dns_domains,omitempty"` + + // The postal code + // The postal code. + PostalCode *string `json:"postalCode,omitempty" tf:"postal_code,omitempty"` + + // The private key format + // The private key format. + PrivateKeyFormat *string `json:"privateKeyFormat,omitempty" tf:"private_key_format,omitempty"` + + // The province + // The province. + Province *string `json:"province,omitempty" tf:"province,omitempty"` + + // The street address + // The street address. + StreetAddress *string `json:"streetAddress,omitempty" tf:"street_address,omitempty"` + + // Time to live + // Time to live. + TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` + + // Type of intermediate to create. 
Must be either "exported", "internal" + // or "kms" + // Type of root to create. Must be either "exported" or "internal". + Type *string `json:"type,omitempty" tf:"type,omitempty"` + + // List of alternative URIs + // List of alternative URIs. + URISans []*string `json:"uriSans,omitempty" tf:"uri_sans,omitempty"` +} + type SecretBackendRootCertObservation struct { + // List of alternative names // List of alternative names. AltNames []*string `json:"altNames,omitempty" tf:"alt_names,omitempty"` + // The PKI secret backend the resource belongs to. // The PKI secret backend the resource belongs to. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // The certificate. // The certificate. Certificate *string `json:"certificate,omitempty" tf:"certificate,omitempty"` + // CN of intermediate to create // CN of root to create. CommonName *string `json:"commonName,omitempty" tf:"common_name,omitempty"` + // The country // The country. Country *string `json:"country,omitempty" tf:"country,omitempty"` + // Flag to exclude CN from SANs // Flag to exclude CN from SANs. ExcludeCnFromSans *bool `json:"excludeCnFromSans,omitempty" tf:"exclude_cn_from_sans,omitempty"` + // The format of data // The format of data. Format *string `json:"format,omitempty" tf:"format,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // List of alternative IPs // List of alternative IPs. IPSans []*string `json:"ipSans,omitempty" tf:"ip_sans,omitempty"` + // The issuing CA certificate. // The issuing CA. IssuingCA *string `json:"issuingCa,omitempty" tf:"issuing_ca,omitempty"` + // The number of bits to use // The number of bits to use. KeyBits *float64 `json:"keyBits,omitempty" tf:"key_bits,omitempty"` + // The desired key type // The desired key type. KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"` + // The locality // The locality. 
Locality *string `json:"locality,omitempty" tf:"locality,omitempty"` + // The ID of the previously configured managed key. This field is + // required if type is kms and it conflicts with managed_key_name // The ID of the previously configured managed key. ManagedKeyID *string `json:"managedKeyId,omitempty" tf:"managed_key_id,omitempty"` + // The name of the previously configured managed key. This field is + // required if type is kms and it conflicts with managed_key_id // The name of the previously configured managed key. ManagedKeyName *string `json:"managedKeyName,omitempty" tf:"managed_key_name,omitempty"` + // The maximum path length to encode in the generated certificate // The maximum path length to encode in the generated certificate. MaxPathLength *float64 `json:"maxPathLength,omitempty" tf:"max_path_length,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The organization // The organization. Organization *string `json:"organization,omitempty" tf:"organization,omitempty"` + // List of other SANs // List of other SANs. OtherSans []*string `json:"otherSans,omitempty" tf:"other_sans,omitempty"` + // The organization unit // The organization unit. Ou *string `json:"ou,omitempty" tf:"ou,omitempty"` + // List of domains for which certificates are allowed to be issued // List of domains for which certificates are allowed to be issued. PermittedDNSDomains []*string `json:"permittedDnsDomains,omitempty" tf:"permitted_dns_domains,omitempty"` + // The postal code // The postal code. PostalCode *string `json:"postalCode,omitempty" tf:"postal_code,omitempty"` + // The private key format // The private key format. 
PrivateKeyFormat *string `json:"privateKeyFormat,omitempty" tf:"private_key_format,omitempty"` + // The province // The province. Province *string `json:"province,omitempty" tf:"province,omitempty"` + // Deprecated, use serial_number instead. // The serial number. Serial *string `json:"serial,omitempty" tf:"serial,omitempty"` + // The certificate's serial number, hex formatted. // The certificate's serial number, hex formatted. SerialNumber *string `json:"serialNumber,omitempty" tf:"serial_number,omitempty"` + // The street address // The street address. StreetAddress *string `json:"streetAddress,omitempty" tf:"street_address,omitempty"` + // Time to live // Time to live. TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` + // Type of intermediate to create. Must be either "exported", "internal" + // or "kms" // Type of root to create. Must be either "exported" or "internal". Type *string `json:"type,omitempty" tf:"type,omitempty"` + // List of alternative URIs // List of alternative URIs. URISans []*string `json:"uriSans,omitempty" tf:"uri_sans,omitempty"` } type SecretBackendRootCertParameters struct { + // List of alternative names // List of alternative names. // +kubebuilder:validation:Optional AltNames []*string `json:"altNames,omitempty" tf:"alt_names,omitempty"` + // The PKI secret backend the resource belongs to. // The PKI secret backend the resource belongs to. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // CN of intermediate to create // CN of root to create. // +kubebuilder:validation:Optional CommonName *string `json:"commonName,omitempty" tf:"common_name,omitempty"` + // The country // The country. // +kubebuilder:validation:Optional Country *string `json:"country,omitempty" tf:"country,omitempty"` + // Flag to exclude CN from SANs // Flag to exclude CN from SANs. 
// +kubebuilder:validation:Optional ExcludeCnFromSans *bool `json:"excludeCnFromSans,omitempty" tf:"exclude_cn_from_sans,omitempty"` + // The format of data // The format of data. // +kubebuilder:validation:Optional Format *string `json:"format,omitempty" tf:"format,omitempty"` + // List of alternative IPs // List of alternative IPs. // +kubebuilder:validation:Optional IPSans []*string `json:"ipSans,omitempty" tf:"ip_sans,omitempty"` + // The number of bits to use // The number of bits to use. // +kubebuilder:validation:Optional KeyBits *float64 `json:"keyBits,omitempty" tf:"key_bits,omitempty"` + // The desired key type // The desired key type. // +kubebuilder:validation:Optional KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"` + // The locality // The locality. // +kubebuilder:validation:Optional Locality *string `json:"locality,omitempty" tf:"locality,omitempty"` + // The ID of the previously configured managed key. This field is + // required if type is kms and it conflicts with managed_key_name // The ID of the previously configured managed key. // +kubebuilder:validation:Optional ManagedKeyID *string `json:"managedKeyId,omitempty" tf:"managed_key_id,omitempty"` + // The name of the previously configured managed key. This field is + // required if type is kms and it conflicts with managed_key_id // The name of the previously configured managed key. // +kubebuilder:validation:Optional ManagedKeyName *string `json:"managedKeyName,omitempty" tf:"managed_key_name,omitempty"` + // The maximum path length to encode in the generated certificate // The maximum path length to encode in the generated certificate. // +kubebuilder:validation:Optional MaxPathLength *float64 `json:"maxPathLength,omitempty" tf:"max_path_length,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. 
+ // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The organization // The organization. // +kubebuilder:validation:Optional Organization *string `json:"organization,omitempty" tf:"organization,omitempty"` + // List of other SANs // List of other SANs. // +kubebuilder:validation:Optional OtherSans []*string `json:"otherSans,omitempty" tf:"other_sans,omitempty"` + // The organization unit // The organization unit. // +kubebuilder:validation:Optional Ou *string `json:"ou,omitempty" tf:"ou,omitempty"` + // List of domains for which certificates are allowed to be issued // List of domains for which certificates are allowed to be issued. // +kubebuilder:validation:Optional PermittedDNSDomains []*string `json:"permittedDnsDomains,omitempty" tf:"permitted_dns_domains,omitempty"` + // The postal code // The postal code. // +kubebuilder:validation:Optional PostalCode *string `json:"postalCode,omitempty" tf:"postal_code,omitempty"` + // The private key format // The private key format. // +kubebuilder:validation:Optional PrivateKeyFormat *string `json:"privateKeyFormat,omitempty" tf:"private_key_format,omitempty"` + // The province // The province. // +kubebuilder:validation:Optional Province *string `json:"province,omitempty" tf:"province,omitempty"` + // The street address // The street address. // +kubebuilder:validation:Optional StreetAddress *string `json:"streetAddress,omitempty" tf:"street_address,omitempty"` + // Time to live // Time to live. // +kubebuilder:validation:Optional TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` + // Type of intermediate to create. Must be either "exported", "internal" + // or "kms" // Type of root to create. Must be either "exported" or "internal". 
// +kubebuilder:validation:Optional Type *string `json:"type,omitempty" tf:"type,omitempty"` + // List of alternative URIs // List of alternative URIs. // +kubebuilder:validation:Optional URISans []*string `json:"uriSans,omitempty" tf:"uri_sans,omitempty"` @@ -212,6 +387,18 @@ type SecretBackendRootCertParameters struct { type SecretBackendRootCertSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendRootCertParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretBackendRootCertInitParameters `json:"initProvider,omitempty"` } // SecretBackendRootCertStatus defines the observed state of SecretBackendRootCert. @@ -222,7 +409,7 @@ type SecretBackendRootCertStatus struct { // +kubebuilder:object:root=true -// SecretBackendRootCert is the Schema for the SecretBackendRootCerts API. +// SecretBackendRootCert is the Schema for the SecretBackendRootCerts API. Generate root. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -232,9 +419,9 @@ type SecretBackendRootCertStatus struct { type SecretBackendRootCert struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.commonName)",message="commonName is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)",message="type is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.commonName) || has(self.initProvider.commonName)",message="commonName is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.type) || has(self.initProvider.type)",message="type is a required parameter" Spec SecretBackendRootCertSpec `json:"spec"` Status SecretBackendRootCertStatus `json:"status,omitempty"` } diff --git a/apis/pki/v1alpha1/zz_secretbackendrootsignintermediate_types.go b/apis/pki/v1alpha1/zz_secretbackendrootsignintermediate_types.go index 2344d94b..72f6d718 100755 --- a/apis/pki/v1alpha1/zz_secretbackendrootsignintermediate_types.go +++ b/apis/pki/v1alpha1/zz_secretbackendrootsignintermediate_types.go 
@@ -13,6 +13,75 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretBackendRootSignIntermediateInitParameters struct { + + // List of alternative names. + AltNames []*string `json:"altNames,omitempty" tf:"alt_names,omitempty"` + + // The PKI secret backend the resource belongs to. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // CN of intermediate to create. + CommonName *string `json:"commonName,omitempty" tf:"common_name,omitempty"` + + // The country. + Country *string `json:"country,omitempty" tf:"country,omitempty"` + + // The CSR. + Csr *string `json:"csr,omitempty" tf:"csr,omitempty"` + + // Flag to exclude CN from SANs. + ExcludeCnFromSans *bool `json:"excludeCnFromSans,omitempty" tf:"exclude_cn_from_sans,omitempty"` + + // The format of data. + Format *string `json:"format,omitempty" tf:"format,omitempty"` + + // List of alternative IPs. + IPSans []*string `json:"ipSans,omitempty" tf:"ip_sans,omitempty"` + + // The locality. + Locality *string `json:"locality,omitempty" tf:"locality,omitempty"` + + // The maximum path length to encode in the generated certificate. + MaxPathLength *float64 `json:"maxPathLength,omitempty" tf:"max_path_length,omitempty"` + + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The organization. + Organization *string `json:"organization,omitempty" tf:"organization,omitempty"` + + // List of other SANs. + OtherSans []*string `json:"otherSans,omitempty" tf:"other_sans,omitempty"` + + // The organization unit. + Ou *string `json:"ou,omitempty" tf:"ou,omitempty"` + + // List of domains for which certificates are allowed to be issued. + PermittedDNSDomains []*string `json:"permittedDnsDomains,omitempty" tf:"permitted_dns_domains,omitempty"` + + // The postal code. + PostalCode *string `json:"postalCode,omitempty" tf:"postal_code,omitempty"` + + // The province. 
+ Province *string `json:"province,omitempty" tf:"province,omitempty"` + + // Revoke the certificate upon resource destruction. + Revoke *bool `json:"revoke,omitempty" tf:"revoke,omitempty"` + + // The street address. + StreetAddress *string `json:"streetAddress,omitempty" tf:"street_address,omitempty"` + + // Time to live. + TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` + + // List of alternative URIs. + URISans []*string `json:"uriSans,omitempty" tf:"uri_sans,omitempty"` + + // Preserve CSR values. + UseCsrValues *bool `json:"useCsrValues,omitempty" tf:"use_csr_values,omitempty"` +} + type SecretBackendRootSignIntermediateObservation struct { // List of alternative names. @@ -197,6 +266,18 @@ type SecretBackendRootSignIntermediateParameters struct { type SecretBackendRootSignIntermediateSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendRootSignIntermediateParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretBackendRootSignIntermediateInitParameters `json:"initProvider,omitempty"` } // SecretBackendRootSignIntermediateStatus defines the observed state of SecretBackendRootSignIntermediate. 
@@ -217,9 +298,9 @@ type SecretBackendRootSignIntermediateStatus struct { type SecretBackendRootSignIntermediate struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.commonName)",message="commonName is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.csr)",message="csr is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.commonName) || has(self.initProvider.commonName)",message="commonName is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.csr) || has(self.initProvider.csr)",message="csr is a required parameter" Spec SecretBackendRootSignIntermediateSpec `json:"spec"` Status SecretBackendRootSignIntermediateStatus `json:"status,omitempty"` } diff --git a/apis/pki/v1alpha1/zz_secretbackendsign_types.go b/apis/pki/v1alpha1/zz_secretbackendsign_types.go index e65d3400..a32bcbcc 100755 --- a/apis/pki/v1alpha1/zz_secretbackendsign_types.go +++ b/apis/pki/v1alpha1/zz_secretbackendsign_types.go 
@@ -13,128 +13,231 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretBackendSignInitParameters struct { + + // List of alternative names + // List of alternative names. + AltNames []*string `json:"altNames,omitempty" tf:"alt_names,omitempty"` + + // If set to true, certs will be renewed if the expiration is within min_seconds_remaining. Default false + // If enabled, a new certificate will be generated if the expiration is within min_seconds_remaining + AutoRenew *bool `json:"autoRenew,omitempty" tf:"auto_renew,omitempty"` + + // The PKI secret backend the resource belongs to. + // The PKI secret backend the resource belongs to. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // CN of certificate to create + // CN of intermediate to create. + CommonName *string `json:"commonName,omitempty" tf:"common_name,omitempty"` + + // The CSR + // The CSR. + Csr *string `json:"csr,omitempty" tf:"csr,omitempty"` + + // Flag to exclude CN from SANs + // Flag to exclude CN from SANs. + ExcludeCnFromSans *bool `json:"excludeCnFromSans,omitempty" tf:"exclude_cn_from_sans,omitempty"` + + // The format of data + // The format of data. + Format *string `json:"format,omitempty" tf:"format,omitempty"` + + // List of alternative IPs + // List of alternative IPs. + IPSans []*string `json:"ipSans,omitempty" tf:"ip_sans,omitempty"` + + // Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days) + // Generate a new certificate when the expiration is within this number of seconds + MinSecondsRemaining *float64 `json:"minSecondsRemaining,omitempty" tf:"min_seconds_remaining,omitempty"` + + // Name of the role to create the certificate against + // Name of the role to create the certificate against. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. 
+ // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // List of other SANs + // List of other SANs. + OtherSans []*string `json:"otherSans,omitempty" tf:"other_sans,omitempty"` + + // Time to live + // Time to live. + TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` + + // List of alternative URIs + // List of alternative URIs. + URISans []*string `json:"uriSans,omitempty" tf:"uri_sans,omitempty"` +} + type SecretBackendSignObservation struct { + // List of alternative names // List of alternative names. AltNames []*string `json:"altNames,omitempty" tf:"alt_names,omitempty"` + // If set to true, certs will be renewed if the expiration is within min_seconds_remaining. Default false // If enabled, a new certificate will be generated if the expiration is within min_seconds_remaining AutoRenew *bool `json:"autoRenew,omitempty" tf:"auto_renew,omitempty"` + // The PKI secret backend the resource belongs to. // The PKI secret backend the resource belongs to. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // The CA chain // The CA chain. CAChain []*string `json:"caChain,omitempty" tf:"ca_chain,omitempty"` + // The certificate // The certicate. Certificate *string `json:"certificate,omitempty" tf:"certificate,omitempty"` + // CN of certificate to create // CN of intermediate to create. CommonName *string `json:"commonName,omitempty" tf:"common_name,omitempty"` + // The CSR // The CSR. Csr *string `json:"csr,omitempty" tf:"csr,omitempty"` + // Flag to exclude CN from SANs // Flag to exclude CN from SANs. ExcludeCnFromSans *bool `json:"excludeCnFromSans,omitempty" tf:"exclude_cn_from_sans,omitempty"` + // The expiration date of the certificate in unix epoch format // The certificate expiration as a Unix-style timestamp. 
Expiration *float64 `json:"expiration,omitempty" tf:"expiration,omitempty"` + // The format of data // The format of data. Format *string `json:"format,omitempty" tf:"format,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // List of alternative IPs // List of alternative IPs. IPSans []*string `json:"ipSans,omitempty" tf:"ip_sans,omitempty"` + // The issuing CA // The issuing CA. IssuingCA *string `json:"issuingCa,omitempty" tf:"issuing_ca,omitempty"` + // Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days) // Generate a new certificate when the expiration is within this number of seconds MinSecondsRemaining *float64 `json:"minSecondsRemaining,omitempty" tf:"min_seconds_remaining,omitempty"` + // Name of the role to create the certificate against // Name of the role to create the certificate against. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // List of other SANs // List of other SANs. OtherSans []*string `json:"otherSans,omitempty" tf:"other_sans,omitempty"` + // true if the current time (during refresh) is after the start of the early renewal window declared by min_seconds_remaining, and false otherwise; if auto_renew is set to true then the provider will plan to replace the certificate once renewal is pending. // Initially false, and then set to true during refresh once the expiration is less than min_seconds_remaining in the future. RenewPending *bool `json:"renewPending,omitempty" tf:"renew_pending,omitempty"` + // Use serial_number instead. // The serial number. 
Serial *string `json:"serial,omitempty" tf:"serial,omitempty"` + // The certificate's serial number, hex formatted. // The certificate's serial number, hex formatted. SerialNumber *string `json:"serialNumber,omitempty" tf:"serial_number,omitempty"` + // Time to live // Time to live. TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` + // List of alternative URIs // List of alternative URIs. URISans []*string `json:"uriSans,omitempty" tf:"uri_sans,omitempty"` } type SecretBackendSignParameters struct { + // List of alternative names // List of alternative names. // +kubebuilder:validation:Optional AltNames []*string `json:"altNames,omitempty" tf:"alt_names,omitempty"` + // If set to true, certs will be renewed if the expiration is within min_seconds_remaining. Default false // If enabled, a new certificate will be generated if the expiration is within min_seconds_remaining // +kubebuilder:validation:Optional AutoRenew *bool `json:"autoRenew,omitempty" tf:"auto_renew,omitempty"` + // The PKI secret backend the resource belongs to. // The PKI secret backend the resource belongs to. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // CN of certificate to create // CN of intermediate to create. // +kubebuilder:validation:Optional CommonName *string `json:"commonName,omitempty" tf:"common_name,omitempty"` + // The CSR // The CSR. // +kubebuilder:validation:Optional Csr *string `json:"csr,omitempty" tf:"csr,omitempty"` + // Flag to exclude CN from SANs // Flag to exclude CN from SANs. // +kubebuilder:validation:Optional ExcludeCnFromSans *bool `json:"excludeCnFromSans,omitempty" tf:"exclude_cn_from_sans,omitempty"` + // The format of data // The format of data. // +kubebuilder:validation:Optional Format *string `json:"format,omitempty" tf:"format,omitempty"` + // List of alternative IPs // List of alternative IPs. 
// +kubebuilder:validation:Optional IPSans []*string `json:"ipSans,omitempty" tf:"ip_sans,omitempty"` + // Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days) // Generate a new certificate when the expiration is within this number of seconds // +kubebuilder:validation:Optional MinSecondsRemaining *float64 `json:"minSecondsRemaining,omitempty" tf:"min_seconds_remaining,omitempty"` + // Name of the role to create the certificate against // Name of the role to create the certificate against. // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // List of other SANs // List of other SANs. // +kubebuilder:validation:Optional OtherSans []*string `json:"otherSans,omitempty" tf:"other_sans,omitempty"` + // Time to live // Time to live. // +kubebuilder:validation:Optional TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` + // List of alternative URIs // List of alternative URIs. // +kubebuilder:validation:Optional URISans []*string `json:"uriSans,omitempty" tf:"uri_sans,omitempty"` 
@@ -144,6 +247,18 @@ type SecretBackendSignParameters struct { type SecretBackendSignSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendSignParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretBackendSignInitParameters `json:"initProvider,omitempty"` } // SecretBackendSignStatus defines the observed state of SecretBackendSign. @@ -154,7 +269,7 @@ type SecretBackendSignStatus struct { // +kubebuilder:object:root=true -// SecretBackendSign is the Schema for the SecretBackendSigns API. +// SecretBackendSign is the Schema for the SecretBackendSigns API. Sign a new certificate based on the CSR by the PKI. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -164,10 +279,10 @@ type SecretBackendSignStatus struct { type SecretBackendSign struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.commonName)",message="commonName is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.csr)",message="csr is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.commonName) || has(self.initProvider.commonName)",message="commonName is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.csr) || has(self.initProvider.csr)",message="csr is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" Spec SecretBackendSignSpec `json:"spec"` Status SecretBackendSignStatus `json:"status,omitempty"` } 
diff --git a/apis/quota/v1alpha1/zz_generated.deepcopy.go b/apis/quota/v1alpha1/zz_generated.deepcopy.go index a3b24397..cd30d7be 100644 --- a/apis/quota/v1alpha1/zz_generated.deepcopy.go +++ b/apis/quota/v1alpha1/zz_generated.deepcopy.go @@ -40,6 +40,41 @@ func (in *LeaseCount) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *LeaseCountInitParameters) DeepCopyInto(out *LeaseCountInitParameters) { + *out = *in + if in.MaxLeases != nil { + in, out := &in.MaxLeases, &out.MaxLeases + *out = new(float64) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LeaseCountInitParameters. +func (in *LeaseCountInitParameters) DeepCopy() *LeaseCountInitParameters { + if in == nil { + return nil + } + out := new(LeaseCountInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *LeaseCountList) DeepCopyInto(out *LeaseCountList) { *out = *in @@ -152,6 +187,7 @@ func (in *LeaseCountSpec) DeepCopyInto(out *LeaseCountSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LeaseCountSpec. 
@@ -208,6 +244,51 @@ func (in *RateLimit) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RateLimitInitParameters) DeepCopyInto(out *RateLimitInitParameters) { + *out = *in + if in.BlockInterval != nil { + in, out := &in.BlockInterval, &out.BlockInterval + *out = new(float64) + **out = **in + } + if in.Interval != nil { + in, out := &in.Interval, &out.Interval + *out = new(float64) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = **in + } + if in.Rate != nil { + in, out := &in.Rate, &out.Rate + *out = new(float64) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RateLimitInitParameters. +func (in *RateLimitInitParameters) DeepCopy() *RateLimitInitParameters { + if in == nil { + return nil + } + out := new(RateLimitInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RateLimitList) DeepCopyInto(out *RateLimitList) { *out = *in @@ -340,6 +421,7 @@ func (in *RateLimitSpec) DeepCopyInto(out *RateLimitSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RateLimitSpec. diff --git a/apis/quota/v1alpha1/zz_generated.managed.go b/apis/quota/v1alpha1/zz_generated.managed.go index 667a02e7..d84dfeba 100644 --- a/apis/quota/v1alpha1/zz_generated.managed.go +++ b/apis/quota/v1alpha1/zz_generated.managed.go 
@@ -17,9 +17,9 @@ func (mg *LeaseCount) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this LeaseCount. -func (mg *LeaseCount) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this LeaseCount. +func (mg *LeaseCount) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this LeaseCount. @@ -55,9 +55,9 @@ func (mg *LeaseCount) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this LeaseCount. -func (mg *LeaseCount) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this LeaseCount. +func (mg *LeaseCount) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this LeaseCount. @@ -93,9 +93,9 @@ func (mg *RateLimit) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this RateLimit. -func (mg *RateLimit) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this RateLimit. +func (mg *RateLimit) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this RateLimit. @@ -131,9 +131,9 @@ func (mg *RateLimit) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this RateLimit. -func (mg *RateLimit) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this RateLimit. +func (mg *RateLimit) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this RateLimit. diff --git a/apis/quota/v1alpha1/zz_generated_terraformed.go b/apis/quota/v1alpha1/zz_generated_terraformed.go index 17815b9f..00aa4829 100755 
--- a/apis/quota/v1alpha1/zz_generated_terraformed.go +++ b/apis/quota/v1alpha1/zz_generated_terraformed.go @@ -69,6 +69,16 @@ func (tr *LeaseCount) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this LeaseCount +func (tr *LeaseCount) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this LeaseCount using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *LeaseCount) LateInitialize(attrs []byte) (bool, error) { @@ -143,6 +153,16 @@ func (tr *RateLimit) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this RateLimit +func (tr *RateLimit) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this RateLimit using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *RateLimit) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/quota/v1alpha1/zz_leasecount_types.go b/apis/quota/v1alpha1/zz_leasecount_types.go index ef34821d..e7cf0b48 100755 --- a/apis/quota/v1alpha1/zz_leasecount_types.go +++ b/apis/quota/v1alpha1/zz_leasecount_types.go 
@@ -13,36 +13,90 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type LeaseCountInitParameters struct { + + // The maximum number of leases to be allowed by the quota + // rule. The max_leases must be positive. + // The maximum number of leases to be allowed by the quota rule. The max_leases must be positive. + MaxLeases *float64 `json:"maxLeases,omitempty" tf:"max_leases,omitempty"` + + // Name of the rate limit quota + // The name of the quota. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Path of the mount or namespace to apply the quota. A blank path configures a + // global rate limit quota. For example namespace1/ adds a quota to a full namespace, + // namespace1/auth/userpass adds a quota to userpass in namespace1. + // Updating this field on an existing quota can have "moving" effects. For example, updating + // auth/userpass to namespace1/auth/userpass moves this quota from being a global mount quota to + // a namespace specific mount quota. Note, namespaces are supported in Enterprise only. + // Path of the mount or namespace to apply the quota. A blank path configures a global lease count quota. + Path *string `json:"path,omitempty" tf:"path,omitempty"` +} + type LeaseCountObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The maximum number of leases to be allowed by the quota + // rule. The max_leases must be positive. // The maximum number of leases to be allowed by the quota rule. The max_leases must be positive. 
MaxLeases *float64 `json:"maxLeases,omitempty" tf:"max_leases,omitempty"` + // Name of the rate limit quota // The name of the quota. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Path of the mount or namespace to apply the quota. A blank path configures a + // global rate limit quota. For example namespace1/ adds a quota to a full namespace, + // namespace1/auth/userpass adds a quota to userpass in namespace1. + // Updating this field on an existing quota can have "moving" effects. For example, updating + // auth/userpass to namespace1/auth/userpass moves this quota from being a global mount quota to + // a namespace specific mount quota. Note, namespaces are supported in Enterprise only. // Path of the mount or namespace to apply the quota. A blank path configures a global lease count quota. Path *string `json:"path,omitempty" tf:"path,omitempty"` } type LeaseCountParameters struct { + // The maximum number of leases to be allowed by the quota + // rule. The max_leases must be positive. // The maximum number of leases to be allowed by the quota rule. The max_leases must be positive. // +kubebuilder:validation:Optional MaxLeases *float64 `json:"maxLeases,omitempty" tf:"max_leases,omitempty"` + // Name of the rate limit quota // The name of the quota. // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. 
(requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Path of the mount or namespace to apply the quota. A blank path configures a + // global rate limit quota. For example namespace1/ adds a quota to a full namespace, + // namespace1/auth/userpass adds a quota to userpass in namespace1. + // Updating this field on an existing quota can have "moving" effects. For example, updating + // auth/userpass to namespace1/auth/userpass moves this quota from being a global mount quota to + // a namespace specific mount quota. Note, namespaces are supported in Enterprise only. // Path of the mount or namespace to apply the quota. A blank path configures a global lease count quota. // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` @@ -52,6 +106,18 @@ type LeaseCountParameters struct { type LeaseCountSpec struct { v1.ResourceSpec `json:",inline"` ForProvider LeaseCountParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider LeaseCountInitParameters `json:"initProvider,omitempty"` } // LeaseCountStatus defines the observed state of LeaseCount. 
@@ -62,7 +128,7 @@ type LeaseCountStatus struct { // +kubebuilder:object:root=true -// LeaseCount is the Schema for the LeaseCounts API. +// LeaseCount is the Schema for the LeaseCounts API. Manage Lease Count Quota // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" @@ -72,8 +138,8 @@ type LeaseCountStatus struct { type LeaseCount struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.maxLeases)",message="maxLeases is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.maxLeases) || has(self.initProvider.maxLeases)",message="maxLeases is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" Spec LeaseCountSpec `json:"spec"` Status LeaseCountStatus `json:"status,omitempty"` } diff --git a/apis/quota/v1alpha1/zz_ratelimit_types.go b/apis/quota/v1alpha1/zz_ratelimit_types.go index 5731355f..ebc9e6af 100755 --- a/apis/quota/v1alpha1/zz_ratelimit_types.go +++ b/apis/quota/v1alpha1/zz_ratelimit_types.go 
@@ -13,51 +13,120 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type RateLimitInitParameters struct { + + // If set, when a client reaches a rate limit threshold, the client will + // be prohibited from any further requests until after the 'block_interval' in seconds has elapsed. + // If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' in seconds has elapsed. + BlockInterval *float64 `json:"blockInterval,omitempty" tf:"block_interval,omitempty"` + + // The duration in seconds to enforce rate limiting for. + // The duration in seconds to enforce rate limiting for. + Interval *float64 `json:"interval,omitempty" tf:"interval,omitempty"` + + // Name of the rate limit quota + // The name of the quota. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Path of the mount or namespace to apply the quota. A blank path configures a + // global rate limit quota. For example namespace1/ adds a quota to a full namespace, + // namespace1/auth/userpass adds a quota to userpass in namespace1. + // Updating this field on an existing quota can have "moving" effects. For example, updating + // auth/userpass to namespace1/auth/userpass moves this quota from being a global mount quota to + // a namespace specific mount quota. Note, namespaces are supported in Enterprise only. + // Path of the mount or namespace to apply the quota. A blank path configures a global rate limit quota. 
+ Path *string `json:"path,omitempty" tf:"path,omitempty"` + + // The maximum number of requests at any given second to be allowed by the quota + // rule. The rate must be positive. + // The maximum number of requests at any given second to be allowed by the quota rule. The rate must be positive. + Rate *float64 `json:"rate,omitempty" tf:"rate,omitempty"` +} + type RateLimitObservation struct { + // If set, when a client reaches a rate limit threshold, the client will + // be prohibited from any further requests until after the 'block_interval' in seconds has elapsed. // If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' in seconds has elapsed. BlockInterval *float64 `json:"blockInterval,omitempty" tf:"block_interval,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The duration in seconds to enforce rate limiting for. // The duration in seconds to enforce rate limiting for. Interval *float64 `json:"interval,omitempty" tf:"interval,omitempty"` + // Name of the rate limit quota // The name of the quota. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Path of the mount or namespace to apply the quota. A blank path configures a + // global rate limit quota. For example namespace1/ adds a quota to a full namespace, + // namespace1/auth/userpass adds a quota to userpass in namespace1. + // Updating this field on an existing quota can have "moving" effects. 
For example, updating + // auth/userpass to namespace1/auth/userpass moves this quota from being a global mount quota to + // a namespace specific mount quota. Note, namespaces are supported in Enterprise only. // Path of the mount or namespace to apply the quota. A blank path configures a global rate limit quota. Path *string `json:"path,omitempty" tf:"path,omitempty"` + // The maximum number of requests at any given second to be allowed by the quota + // rule. The rate must be positive. // The maximum number of requests at any given second to be allowed by the quota rule. The rate must be positive. Rate *float64 `json:"rate,omitempty" tf:"rate,omitempty"` } type RateLimitParameters struct { + // If set, when a client reaches a rate limit threshold, the client will + // be prohibited from any further requests until after the 'block_interval' in seconds has elapsed. // If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' in seconds has elapsed. // +kubebuilder:validation:Optional BlockInterval *float64 `json:"blockInterval,omitempty" tf:"block_interval,omitempty"` + // The duration in seconds to enforce rate limiting for. // The duration in seconds to enforce rate limiting for. // +kubebuilder:validation:Optional Interval *float64 `json:"interval,omitempty" tf:"interval,omitempty"` + // Name of the rate limit quota // The name of the quota. // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Path of the mount or namespace to apply the quota. 
A blank path configures a + // global rate limit quota. For example namespace1/ adds a quota to a full namespace, + // namespace1/auth/userpass adds a quota to userpass in namespace1. + // Updating this field on an existing quota can have "moving" effects. For example, updating + // auth/userpass to namespace1/auth/userpass moves this quota from being a global mount quota to + // a namespace specific mount quota. Note, namespaces are supported in Enterprise only. // Path of the mount or namespace to apply the quota. A blank path configures a global rate limit quota. // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` + // The maximum number of requests at any given second to be allowed by the quota + // rule. The rate must be positive. // The maximum number of requests at any given second to be allowed by the quota rule. The rate must be positive. // +kubebuilder:validation:Optional Rate *float64 `json:"rate,omitempty" tf:"rate,omitempty"` 
@@ -67,6 +136,18 @@ type RateLimitParameters struct { type RateLimitSpec struct { v1.ResourceSpec `json:",inline"` ForProvider RateLimitParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider RateLimitInitParameters `json:"initProvider,omitempty"` } // RateLimitStatus defines the observed state of RateLimit. @@ -77,7 +158,7 @@ type RateLimitStatus struct { // +kubebuilder:object:root=true -// RateLimit is the Schema for the RateLimits API. +// RateLimit is the Schema for the RateLimits API. Manage Rate Limit Quota // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -87,8 +168,8 @@ type RateLimitStatus struct { type RateLimit struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.rate)",message="rate is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.rate) || has(self.initProvider.rate)",message="rate is a required parameter" Spec RateLimitSpec `json:"spec"` Status RateLimitStatus `json:"status,omitempty"` } diff --git a/apis/rabbitmq/v1alpha1/zz_generated.deepcopy.go b/apis/rabbitmq/v1alpha1/zz_generated.deepcopy.go index 41e4e0cb..46aea536 100644 --- a/apis/rabbitmq/v1alpha1/zz_generated.deepcopy.go +++ b/apis/rabbitmq/v1alpha1/zz_generated.deepcopy.go 
@@ -40,6 +40,71 @@ func (in *SecretBackend) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParameters) { + *out = *in + if in.ConnectionURI != nil { + in, out := &in.ConnectionURI, &out.ConnectionURI + *out = new(string) + **out = **in + } + if in.DefaultLeaseTTLSeconds != nil { + in, out := &in.DefaultLeaseTTLSeconds, &out.DefaultLeaseTTLSeconds + *out = new(float64) + **out = **in + } + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.DisableRemount != nil { + in, out := &in.DisableRemount, &out.DisableRemount + *out = new(bool) + **out = **in + } + if in.MaxLeaseTTLSeconds != nil { + in, out := &in.MaxLeaseTTLSeconds, &out.MaxLeaseTTLSeconds + *out = new(float64) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.PasswordPolicy != nil { + in, out := &in.PasswordPolicy, &out.PasswordPolicy + *out = new(string) + **out = **in + } + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = **in + } + if in.UsernameTemplate != nil { + in, out := &in.UsernameTemplate, &out.UsernameTemplate + *out = new(string) + **out = **in + } + if in.VerifyConnection != nil { + in, out := &in.VerifyConnection, &out.VerifyConnection + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendInitParameters. +func (in *SecretBackendInitParameters) DeepCopy() *SecretBackendInitParameters { + if in == nil { + return nil + } + out := new(SecretBackendInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
func (in *SecretBackendList) DeepCopyInto(out *SecretBackendList) { *out = *in @@ -236,6 +301,55 @@ func (in *SecretBackendRole) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleInitParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Tags != nil { + in, out := &in.Tags, &out.Tags + *out = new(string) + **out = **in + } + if in.Vhost != nil { + in, out := &in.Vhost, &out.Vhost + *out = make([]VhostInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.VhostTopic != nil { + in, out := &in.VhostTopic, &out.VhostTopic + *out = make([]VhostTopicInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleInitParameters. +func (in *SecretBackendRoleInitParameters) DeepCopy() *SecretBackendRoleInitParameters { + if in == nil { + return nil + } + out := new(SecretBackendRoleInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendRoleList) DeepCopyInto(out *SecretBackendRoleList) { *out = *in 
@@ -376,6 +490,7 @@ func (in *SecretBackendRoleSpec) DeepCopyInto(out *SecretBackendRoleSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleSpec. @@ -410,6 +525,7 @@ func (in *SecretBackendSpec) DeepCopyInto(out *SecretBackendSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendSpec. @@ -439,6 +555,41 @@ func (in *SecretBackendStatus) DeepCopy() *SecretBackendStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *VhostInitParameters) DeepCopyInto(out *VhostInitParameters) { + *out = *in + if in.Configure != nil { + in, out := &in.Configure, &out.Configure + *out = new(string) + **out = **in + } + if in.Host != nil { + in, out := &in.Host, &out.Host + *out = new(string) + **out = **in + } + if in.Read != nil { + in, out := &in.Read, &out.Read + *out = new(string) + **out = **in + } + if in.Write != nil { + in, out := &in.Write, &out.Write + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VhostInitParameters. +func (in *VhostInitParameters) DeepCopy() *VhostInitParameters { + if in == nil { + return nil + } + out := new(VhostInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *VhostObservation) DeepCopyInto(out *VhostObservation) { *out = *in 
@@ -509,6 +660,33 @@ func (in *VhostParameters) DeepCopy() *VhostParameters { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *VhostTopicInitParameters) DeepCopyInto(out *VhostTopicInitParameters) { + *out = *in + if in.Host != nil { + in, out := &in.Host, &out.Host + *out = new(string) + **out = **in + } + if in.Vhost != nil { + in, out := &in.Vhost, &out.Vhost + *out = make([]VhostTopicVhostInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VhostTopicInitParameters. +func (in *VhostTopicInitParameters) DeepCopy() *VhostTopicInitParameters { + if in == nil { + return nil + } + out := new(VhostTopicInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *VhostTopicObservation) DeepCopyInto(out *VhostTopicObservation) { *out = *in 
@@ -563,6 +741,36 @@ func (in *VhostTopicParameters) DeepCopy() *VhostTopicParameters { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *VhostTopicVhostInitParameters) DeepCopyInto(out *VhostTopicVhostInitParameters) { + *out = *in + if in.Read != nil { + in, out := &in.Read, &out.Read + *out = new(string) + **out = **in + } + if in.Topic != nil { + in, out := &in.Topic, &out.Topic + *out = new(string) + **out = **in + } + if in.Write != nil { + in, out := &in.Write, &out.Write + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VhostTopicVhostInitParameters. +func (in *VhostTopicVhostInitParameters) DeepCopy() *VhostTopicVhostInitParameters { + if in == nil { + return nil + } + out := new(VhostTopicVhostInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *VhostTopicVhostObservation) DeepCopyInto(out *VhostTopicVhostObservation) { *out = *in diff --git a/apis/rabbitmq/v1alpha1/zz_generated.managed.go b/apis/rabbitmq/v1alpha1/zz_generated.managed.go index 5b479260..d73589a2 100644 --- a/apis/rabbitmq/v1alpha1/zz_generated.managed.go +++ b/apis/rabbitmq/v1alpha1/zz_generated.managed.go @@ -17,9 +17,9 @@ func (mg *SecretBackend) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackend. -func (mg *SecretBackend) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackend. +func (mg *SecretBackend) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackend. 
@@ -55,9 +55,9 @@ func (mg *SecretBackend) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackend. -func (mg *SecretBackend) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackend. +func (mg *SecretBackend) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackend. @@ -93,9 +93,9 @@ func (mg *SecretBackendRole) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackendRole. -func (mg *SecretBackendRole) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackendRole. +func (mg *SecretBackendRole) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackendRole. @@ -131,9 +131,9 @@ func (mg *SecretBackendRole) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackendRole. -func (mg *SecretBackendRole) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackendRole. +func (mg *SecretBackendRole) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackendRole. diff --git a/apis/rabbitmq/v1alpha1/zz_generated_terraformed.go b/apis/rabbitmq/v1alpha1/zz_generated_terraformed.go index 72e8ca2f..0845bc70 100755 --- a/apis/rabbitmq/v1alpha1/zz_generated_terraformed.go +++ b/apis/rabbitmq/v1alpha1/zz_generated_terraformed.go 
@@ -69,6 +69,16 @@ func (tr *SecretBackend) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackend +func (tr *SecretBackend) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackend using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { @@ -143,6 +153,16 @@ func (tr *SecretBackendRole) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackendRole +func (tr *SecretBackendRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackendRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackendRole) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/rabbitmq/v1alpha1/zz_secretbackend_types.go b/apis/rabbitmq/v1alpha1/zz_secretbackend_types.go index fbbd2fa8..6762f736 100755 --- a/apis/rabbitmq/v1alpha1/zz_secretbackend_types.go +++ b/apis/rabbitmq/v1alpha1/zz_secretbackend_types.go 
@@ -13,87 +13,176 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretBackendInitParameters struct { + + // Specifies the RabbitMQ connection URI. + // Specifies the RabbitMQ connection URI. + ConnectionURI *string `json:"connectionUri,omitempty" tf:"connection_uri,omitempty"` + + // The default TTL for credentials + // issued by this backend. + // Default lease duration for secrets in seconds + DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + + // A human-friendly description for this backend. + // Human-friendly description of the mount for the backend. + Description *string `json:"description,omitempty" tf:"description,omitempty"` + + // If set, opts out of mount migration on path updates. + // See here for more info on Mount Migration + // If set, opts out of mount migration on path updates. + DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + + // The maximum TTL that can be requested + // for credentials issued by this backend. + // Maximum possible lease duration for secrets in seconds + MaxLeaseTTLSeconds *float64 `json:"maxLeaseTtlSeconds,omitempty" tf:"max_lease_ttl_seconds,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Specifies a password policy to use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set. + // Specifies a password policy to use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set. 
+ PasswordPolicy *string `json:"passwordPolicy,omitempty" tf:"password_policy,omitempty"` + + // The unique path this backend should be mounted at. Must + // not begin or end with a /. Defaults to rabbitmq. + // The path of the RabbitMQ Secret Backend where the connection should be configured + Path *string `json:"path,omitempty" tf:"path,omitempty"` + + // Template describing how dynamic usernames are generated. + // Template describing how dynamic usernames are generated. + UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + + // Specifies whether to verify connection URI, username, and password. + // Defaults to true. + // Specifies whether to verify connection URI, username, and password. + VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` +} + type SecretBackendObservation struct { + // Specifies the RabbitMQ connection URI. // Specifies the RabbitMQ connection URI. ConnectionURI *string `json:"connectionUri,omitempty" tf:"connection_uri,omitempty"` + // The default TTL for credentials + // issued by this backend. // Default lease duration for secrets in seconds DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // A human-friendly description for this backend. // Human-friendly description of the mount for the backend. Description *string `json:"description,omitempty" tf:"description,omitempty"` + // If set, opts out of mount migration on path updates. + // See here for more info on Mount Migration // If set, opts out of mount migration on path updates. DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The maximum TTL that can be requested + // for credentials issued by this backend. 
// Maximum possible lease duration for secrets in seconds MaxLeaseTTLSeconds *float64 `json:"maxLeaseTtlSeconds,omitempty" tf:"max_lease_ttl_seconds,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Specifies a password policy to use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set. // Specifies a password policy to use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set. PasswordPolicy *string `json:"passwordPolicy,omitempty" tf:"password_policy,omitempty"` + // The unique path this backend should be mounted at. Must + // not begin or end with a /. Defaults to rabbitmq. // The path of the RabbitMQ Secret Backend where the connection should be configured Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Template describing how dynamic usernames are generated. // Template describing how dynamic usernames are generated. UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + // Specifies whether to verify connection URI, username, and password. + // Defaults to true. // Specifies whether to verify connection URI, username, and password. VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` } type SecretBackendParameters struct { + // Specifies the RabbitMQ connection URI. // Specifies the RabbitMQ connection URI. // +kubebuilder:validation:Optional ConnectionURI *string `json:"connectionUri,omitempty" tf:"connection_uri,omitempty"` + // The default TTL for credentials + // issued by this backend. 
// Default lease duration for secrets in seconds // +kubebuilder:validation:Optional DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // A human-friendly description for this backend. // Human-friendly description of the mount for the backend. // +kubebuilder:validation:Optional Description *string `json:"description,omitempty" tf:"description,omitempty"` + // If set, opts out of mount migration on path updates. + // See here for more info on Mount Migration // If set, opts out of mount migration on path updates. // +kubebuilder:validation:Optional DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + // The maximum TTL that can be requested + // for credentials issued by this backend. // Maximum possible lease duration for secrets in seconds // +kubebuilder:validation:Optional MaxLeaseTTLSeconds *float64 `json:"maxLeaseTtlSeconds,omitempty" tf:"max_lease_ttl_seconds,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Specifies a password policy to use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set. // Specifies a password policy to use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set. // +kubebuilder:validation:Optional PasswordPolicy *string `json:"passwordPolicy,omitempty" tf:"password_policy,omitempty"` + // Specifies the RabbitMQ management administrator password. 
// Specifies the RabbitMQ management administrator password // +kubebuilder:validation:Optional PasswordSecretRef v1.SecretKeySelector `json:"passwordSecretRef" tf:"-"` + // The unique path this backend should be mounted at. Must + // not begin or end with a /. Defaults to rabbitmq. // The path of the RabbitMQ Secret Backend where the connection should be configured // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Specifies the RabbitMQ management administrator username. // Specifies the RabbitMQ management administrator username // +kubebuilder:validation:Optional UsernameSecretRef v1.SecretKeySelector `json:"usernameSecretRef" tf:"-"` + // Template describing how dynamic usernames are generated. // Template describing how dynamic usernames are generated. // +kubebuilder:validation:Optional UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` + // Specifies whether to verify connection URI, username, and password. + // Defaults to true. // Specifies whether to verify connection URI, username, and password. // +kubebuilder:validation:Optional VerifyConnection *bool `json:"verifyConnection,omitempty" tf:"verify_connection,omitempty"` 
@@ -103,6 +192,18 @@ type SecretBackendParameters struct { type SecretBackendSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretBackendInitParameters `json:"initProvider,omitempty"` } // SecretBackendStatus defines the observed state of SecretBackend. @@ -113,7 +214,7 @@ type SecretBackendStatus struct { // +kubebuilder:object:root=true -// SecretBackend is the Schema for the SecretBackends API. +// SecretBackend is the Schema for the SecretBackends API. Creates an RabbitMQ secret backend for Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -123,9 +224,9 @@ type SecretBackendStatus struct { type SecretBackend struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.connectionUri)",message="connectionUri is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.passwordSecretRef)",message="passwordSecretRef is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.usernameSecretRef)",message="usernameSecretRef is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.connectionUri) || has(self.initProvider.connectionUri)",message="connectionUri is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.passwordSecretRef)",message="passwordSecretRef is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.usernameSecretRef)",message="usernameSecretRef is a required parameter" Spec SecretBackendSpec `json:"spec"` Status SecretBackendStatus `json:"status,omitempty"` } diff --git a/apis/rabbitmq/v1alpha1/zz_secretbackendrole_types.go b/apis/rabbitmq/v1alpha1/zz_secretbackendrole_types.go index f1eaea76..cd602734 100755 --- a/apis/rabbitmq/v1alpha1/zz_secretbackendrole_types.go +++ b/apis/rabbitmq/v1alpha1/zz_secretbackendrole_types.go 
@@ -13,56 +13,125 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretBackendRoleInitParameters struct { + + // The path the RabbitMQ secret backend is mounted at, + // with no leading or trailing /s. + // The path of the Rabbitmq Secret Backend the role belongs to. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // The name to identify this role within the backend. + // Must be unique within the backend. + // Unique name for the role. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Specifies a comma-separated RabbitMQ management tags. + // Specifies a comma-separated RabbitMQ management tags. + Tags *string `json:"tags,omitempty" tf:"tags,omitempty"` + + // Specifies a map of virtual hosts to permissions. + // Specifies a map of virtual hosts to permissions. + Vhost []VhostInitParameters `json:"vhost,omitempty" tf:"vhost,omitempty"` + + // Specifies a map of virtual hosts and exchanges to topic permissions. This option requires RabbitMQ 3.7.0 or later. + // Specifies a map of virtual hosts and exchanges to topic permissions. This option requires RabbitMQ 3.7.0 or later. + VhostTopic []VhostTopicInitParameters `json:"vhostTopic,omitempty" tf:"vhost_topic,omitempty"` +} + type SecretBackendRoleObservation struct { + // The path the RabbitMQ secret backend is mounted at, + // with no leading or trailing /s. // The path of the Rabbitmq Secret Backend the role belongs to. 
Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The name to identify this role within the backend. + // Must be unique within the backend. // Unique name for the role. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Specifies a comma-separated RabbitMQ management tags. // Specifies a comma-separated RabbitMQ management tags. Tags *string `json:"tags,omitempty" tf:"tags,omitempty"` + // Specifies a map of virtual hosts to permissions. // Specifies a map of virtual hosts to permissions. Vhost []VhostObservation `json:"vhost,omitempty" tf:"vhost,omitempty"` + // Specifies a map of virtual hosts and exchanges to topic permissions. This option requires RabbitMQ 3.7.0 or later. // Specifies a map of virtual hosts and exchanges to topic permissions. This option requires RabbitMQ 3.7.0 or later. VhostTopic []VhostTopicObservation `json:"vhostTopic,omitempty" tf:"vhost_topic,omitempty"` } type SecretBackendRoleParameters struct { + // The path the RabbitMQ secret backend is mounted at, + // with no leading or trailing /s. // The path of the Rabbitmq Secret Backend the role belongs to. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // The name to identify this role within the backend. + // Must be unique within the backend. // Unique name for the role. // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. 
+ // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Specifies a comma-separated RabbitMQ management tags. // Specifies a comma-separated RabbitMQ management tags. // +kubebuilder:validation:Optional Tags *string `json:"tags,omitempty" tf:"tags,omitempty"` + // Specifies a map of virtual hosts to permissions. // Specifies a map of virtual hosts to permissions. // +kubebuilder:validation:Optional Vhost []VhostParameters `json:"vhost,omitempty" tf:"vhost,omitempty"` + // Specifies a map of virtual hosts and exchanges to topic permissions. This option requires RabbitMQ 3.7.0 or later. // Specifies a map of virtual hosts and exchanges to topic permissions. This option requires RabbitMQ 3.7.0 or later. // +kubebuilder:validation:Optional VhostTopic []VhostTopicParameters `json:"vhostTopic,omitempty" tf:"vhost_topic,omitempty"` } +type VhostInitParameters struct { + + // The configure permissions for this vhost. + Configure *string `json:"configure,omitempty" tf:"configure,omitempty"` + + // The vhost to set permissions for. + Host *string `json:"host,omitempty" tf:"host,omitempty"` + + // The read permissions for this vhost. + Read *string `json:"read,omitempty" tf:"read,omitempty"` + + // The write permissions for this vhost. + Write *string `json:"write,omitempty" tf:"write,omitempty"` +} + type VhostObservation struct { // The configure permissions for this vhost. 
@@ -81,20 +150,30 @@ type VhostObservation struct { type VhostParameters struct { // The configure permissions for this vhost. - // +kubebuilder:validation:Required - Configure *string `json:"configure" tf:"configure,omitempty"` + // +kubebuilder:validation:Optional + Configure *string `json:"configure,omitempty" tf:"configure,omitempty"` // The vhost to set permissions for. - // +kubebuilder:validation:Required - Host *string `json:"host" tf:"host,omitempty"` + // +kubebuilder:validation:Optional + Host *string `json:"host,omitempty" tf:"host,omitempty"` // The read permissions for this vhost. - // +kubebuilder:validation:Required - Read *string `json:"read" tf:"read,omitempty"` + // +kubebuilder:validation:Optional + Read *string `json:"read,omitempty" tf:"read,omitempty"` // The write permissions for this vhost. - // +kubebuilder:validation:Required - Write *string `json:"write" tf:"write,omitempty"` + // +kubebuilder:validation:Optional + Write *string `json:"write,omitempty" tf:"write,omitempty"` +} + +type VhostTopicInitParameters struct { + + // The vhost to set permissions for. + Host *string `json:"host,omitempty" tf:"host,omitempty"` + + // Specifies a map of virtual hosts to permissions. + // Specifies a map of virtual hosts to permissions. + Vhost []VhostTopicVhostInitParameters `json:"vhost,omitempty" tf:"vhost,omitempty"` } type VhostTopicObservation struct { @@ -102,6 +181,7 @@ type VhostTopicObservation struct { // The vhost to set permissions for. Host *string `json:"host,omitempty" tf:"host,omitempty"` + // Specifies a map of virtual hosts to permissions. // Specifies a map of virtual hosts to permissions. Vhost []VhostTopicVhostObservation `json:"vhost,omitempty" tf:"vhost,omitempty"` } 
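Review bot: The four `VhostParameters` fields lose all API-server enforcement here — `Configure`, `Host`, `Read` and `Write` go from `+kubebuilder:validation:Required` to `Optional` with `omitempty`, and nothing in this hunk replaces that check, while the XValidation rules added on `SecretBackendRole` elsewhere in this change only cover the top-level `backend` and `name`. Since these strings are the RabbitMQ permission regexes a role grants, a `vhost` entry missing `read` or `write` is now accepted by the API server and only fails (or, depending on how the provider treats an unset value, is applied as-is) at reconcile time; which of those happens is not visible in this diff. A per-entry rule keeps the ObserveOnly case working while restoring the contract: `// +kubebuilder:validation:XValidation:rule="has(self.host) && has(self.configure) && has(self.read) && has(self.write)",message="host, configure, read and write are required for each vhost entry"` placed on `type VhostParameters struct`, with the same shape on `VhostTopicVhostParameters`. The file appears to be generated, so the change presumably belongs in the generator configuration rather than in this file directly.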
@@ -109,14 +189,27 @@ type VhostTopicObservation struct { type VhostTopicParameters struct { // The vhost to set permissions for. - // +kubebuilder:validation:Required - Host *string `json:"host" tf:"host,omitempty"` + // +kubebuilder:validation:Optional + Host *string `json:"host,omitempty" tf:"host,omitempty"` + // Specifies a map of virtual hosts to permissions. // Specifies a map of virtual hosts to permissions. // +kubebuilder:validation:Optional Vhost []VhostTopicVhostParameters `json:"vhost,omitempty" tf:"vhost,omitempty"` } +type VhostTopicVhostInitParameters struct { + + // The read permissions for this vhost. + Read *string `json:"read,omitempty" tf:"read,omitempty"` + + // The vhost to set permissions for. + Topic *string `json:"topic,omitempty" tf:"topic,omitempty"` + + // The write permissions for this vhost. + Write *string `json:"write,omitempty" tf:"write,omitempty"` +} + type VhostTopicVhostObservation struct { // The read permissions for this vhost. 
@@ -132,22 +225,34 @@ type VhostTopicVhostObservation struct { type VhostTopicVhostParameters struct { // The read permissions for this vhost. - // +kubebuilder:validation:Required - Read *string `json:"read" tf:"read,omitempty"` + // +kubebuilder:validation:Optional + Read *string `json:"read,omitempty" tf:"read,omitempty"` // The vhost to set permissions for. - // +kubebuilder:validation:Required - Topic *string `json:"topic" tf:"topic,omitempty"` + // +kubebuilder:validation:Optional + Topic *string `json:"topic,omitempty" tf:"topic,omitempty"` // The write permissions for this vhost. - // +kubebuilder:validation:Required - Write *string `json:"write" tf:"write,omitempty"` + // +kubebuilder:validation:Optional + Write *string `json:"write,omitempty" tf:"write,omitempty"` } // SecretBackendRoleSpec defines the desired state of SecretBackendRole type SecretBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendRoleParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretBackendRoleInitParameters `json:"initProvider,omitempty"` } // SecretBackendRoleStatus defines the observed state of SecretBackendRole. 
@@ -158,7 +263,7 @@ type SecretBackendRoleStatus struct { // +kubebuilder:object:root=true -// SecretBackendRole is the Schema for the SecretBackendRoles API. +// SecretBackendRole is the Schema for the SecretBackendRoles API. Creates a role on an RabbitMQ Secret Backend for Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" @@ -168,8 +273,8 @@ type SecretBackendRoleStatus struct { type SecretBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" Spec SecretBackendRoleSpec `json:"spec"` Status SecretBackendRoleStatus `json:"status,omitempty"` } diff --git a/apis/raft/v1alpha1/zz_autopilot_types.go b/apis/raft/v1alpha1/zz_autopilot_types.go index 40c2ff7c..94f10846 100755 --- a/apis/raft/v1alpha1/zz_autopilot_types.go +++ b/apis/raft/v1alpha1/zz_autopilot_types.go 
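Review bot: The new XValidation rules reach `has(self.initProvider.backend)` whenever `forProvider.backend` is absent, but `spec.initProvider` is declared `omitempty`, so in that case the selector is evaluated on a field that may not exist and the rule can fail with an evaluation error instead of returning false with the intended "backend is a required parameter" message. Guarding the parent first makes the outcome deterministic: `|| (has(self.initProvider) && has(self.initProvider.backend))`, and likewise `|| (has(self.initProvider) && has(self.initProvider.name))` for the second rule. The rejection itself still happens either way, so this is about the error surfaced to the user rather than a bypass. The file appears to be generated, so the fix presumably belongs in the generator.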
@@ -13,65 +13,146 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AutopilotInitParameters struct { + + // quorum is also set. + // Specifies whether to remove dead server nodes periodically or when a new server joins. This requires that min-quorum is also set. + CleanupDeadServers *bool `json:"cleanupDeadServers,omitempty" tf:"cleanup_dead_servers,omitempty"` + + // Limit the amount of time a + // server can go without leader contact before being considered failed. This only takes + // effect when cleanup_dead_servers is set. + // Limit the amount of time a server can go without leader contact before being considered failed. This only takes effect when cleanup_dead_servers is set. + DeadServerLastContactThreshold *string `json:"deadServerLastContactThreshold,omitempty" tf:"dead_server_last_contact_threshold,omitempty"` + + // only) + // Disables automatically upgrading Vault using autopilot. (Enterprise-only) + DisableUpgradeMigration *bool `json:"disableUpgradeMigration,omitempty" tf:"disable_upgrade_migration,omitempty"` + + // Limit the amount of time a server can go + // without leader contact before being considered unhealthy. + // Limit the amount of time a server can go without leader contact before being considered unhealthy. + LastContactThreshold *string `json:"lastContactThreshold,omitempty" tf:"last_contact_threshold,omitempty"` + + // Maximum number of log entries in the Raft log + // that a server can be behind its leader before being considered unhealthy. + // Maximum number of log entries in the Raft log that a server can be behind its leader before being considered unhealthy. + MaxTrailingLogs *float64 `json:"maxTrailingLogs,omitempty" tf:"max_trailing_logs,omitempty"` + + // Minimum number of servers allowed in a cluster before + // autopilot can prune dead servers. This should at least be 3. Applicable only for + // voting nodes. 
+ // Minimum number of servers allowed in a cluster before autopilot can prune dead servers. This should at least be 3. Applicable only for voting nodes. + MinQuorum *float64 `json:"minQuorum,omitempty" tf:"min_quorum,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Minimum amount of time a server must be + // stable in the 'healthy' state before being added to the cluster. + // Minimum amount of time a server must be stable in the 'healthy' state before being added to the cluster. + ServerStabilizationTime *string `json:"serverStabilizationTime,omitempty" tf:"server_stabilization_time,omitempty"` +} + type AutopilotObservation struct { + // quorum is also set. // Specifies whether to remove dead server nodes periodically or when a new server joins. This requires that min-quorum is also set. CleanupDeadServers *bool `json:"cleanupDeadServers,omitempty" tf:"cleanup_dead_servers,omitempty"` + // Limit the amount of time a + // server can go without leader contact before being considered failed. This only takes + // effect when cleanup_dead_servers is set. // Limit the amount of time a server can go without leader contact before being considered failed. This only takes effect when cleanup_dead_servers is set. DeadServerLastContactThreshold *string `json:"deadServerLastContactThreshold,omitempty" tf:"dead_server_last_contact_threshold,omitempty"` + // only) // Disables automatically upgrading Vault using autopilot. 
(Enterprise-only) DisableUpgradeMigration *bool `json:"disableUpgradeMigration,omitempty" tf:"disable_upgrade_migration,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // Limit the amount of time a server can go + // without leader contact before being considered unhealthy. // Limit the amount of time a server can go without leader contact before being considered unhealthy. LastContactThreshold *string `json:"lastContactThreshold,omitempty" tf:"last_contact_threshold,omitempty"` + // Maximum number of log entries in the Raft log + // that a server can be behind its leader before being considered unhealthy. // Maximum number of log entries in the Raft log that a server can be behind its leader before being considered unhealthy. MaxTrailingLogs *float64 `json:"maxTrailingLogs,omitempty" tf:"max_trailing_logs,omitempty"` + // Minimum number of servers allowed in a cluster before + // autopilot can prune dead servers. This should at least be 3. Applicable only for + // voting nodes. // Minimum number of servers allowed in a cluster before autopilot can prune dead servers. This should at least be 3. Applicable only for voting nodes. MinQuorum *float64 `json:"minQuorum,omitempty" tf:"min_quorum,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Minimum amount of time a server must be + // stable in the 'healthy' state before being added to the cluster. // Minimum amount of time a server must be stable in the 'healthy' state before being added to the cluster. ServerStabilizationTime *string `json:"serverStabilizationTime,omitempty" tf:"server_stabilization_time,omitempty"` } type AutopilotParameters struct { + // quorum is also set. 
// Specifies whether to remove dead server nodes periodically or when a new server joins. This requires that min-quorum is also set. // +kubebuilder:validation:Optional CleanupDeadServers *bool `json:"cleanupDeadServers,omitempty" tf:"cleanup_dead_servers,omitempty"` + // Limit the amount of time a + // server can go without leader contact before being considered failed. This only takes + // effect when cleanup_dead_servers is set. // Limit the amount of time a server can go without leader contact before being considered failed. This only takes effect when cleanup_dead_servers is set. // +kubebuilder:validation:Optional DeadServerLastContactThreshold *string `json:"deadServerLastContactThreshold,omitempty" tf:"dead_server_last_contact_threshold,omitempty"` + // only) // Disables automatically upgrading Vault using autopilot. (Enterprise-only) // +kubebuilder:validation:Optional DisableUpgradeMigration *bool `json:"disableUpgradeMigration,omitempty" tf:"disable_upgrade_migration,omitempty"` + // Limit the amount of time a server can go + // without leader contact before being considered unhealthy. // Limit the amount of time a server can go without leader contact before being considered unhealthy. // +kubebuilder:validation:Optional LastContactThreshold *string `json:"lastContactThreshold,omitempty" tf:"last_contact_threshold,omitempty"` + // Maximum number of log entries in the Raft log + // that a server can be behind its leader before being considered unhealthy. // Maximum number of log entries in the Raft log that a server can be behind its leader before being considered unhealthy. // +kubebuilder:validation:Optional MaxTrailingLogs *float64 `json:"maxTrailingLogs,omitempty" tf:"max_trailing_logs,omitempty"` + // Minimum number of servers allowed in a cluster before + // autopilot can prune dead servers. This should at least be 3. Applicable only for + // voting nodes. // Minimum number of servers allowed in a cluster before autopilot can prune dead servers. 
This should at least be 3. Applicable only for voting nodes. // +kubebuilder:validation:Optional MinQuorum *float64 `json:"minQuorum,omitempty" tf:"min_quorum,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Minimum amount of time a server must be + // stable in the 'healthy' state before being added to the cluster. // Minimum amount of time a server must be stable in the 'healthy' state before being added to the cluster. // +kubebuilder:validation:Optional ServerStabilizationTime *string `json:"serverStabilizationTime,omitempty" tf:"server_stabilization_time,omitempty"` @@ -81,6 +162,18 @@ type AutopilotParameters struct { type AutopilotSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AutopilotParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider AutopilotInitParameters `json:"initProvider,omitempty"` } // AutopilotStatus defines the observed state of Autopilot. 
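Review bot: Several of the added doc lines are truncated fragments that will be published verbatim as CRD field descriptions: `// quorum is also set.` sits alone above `CleanupDeadServers` and `// only)` above `DisableUpgradeMigration`, in `AutopilotInitParameters`, `AutopilotObservation` and `AutopilotParameters` alike, with the full sentence repeated on the following line. The fragment lines should be dropped so each field keeps the single complete sentence (`// Specifies whether to remove dead server nodes periodically or when a new server joins. This requires that min-quorum is also set.` and `// Disables automatically upgrading Vault using autopilot. (Enterprise-only)`). Separately, the comment on `MinQuorum` says it "should at least be 3" but no marker enforces it; whether a `Minimum` would conflict with a legitimate unset/zero value is not visible here, so that is worth confirming before adding one. The file appears to be generated, so the cleanup presumably belongs in the upstream description extraction.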
@@ -91,7 +184,7 @@ type AutopilotStatus struct { // +kubebuilder:object:root=true -// Autopilot is the Schema for the Autopilots API. +// Autopilot is the Schema for the Autopilots API. Configures Raft's Autopilot capabilities. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" diff --git a/apis/raft/v1alpha1/zz_generated.deepcopy.go b/apis/raft/v1alpha1/zz_generated.deepcopy.go index c0e1bcdb..aab9d1a3 100644 --- a/apis/raft/v1alpha1/zz_generated.deepcopy.go +++ b/apis/raft/v1alpha1/zz_generated.deepcopy.go 
@@ -40,6 +40,61 @@ func (in *Autopilot) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AutopilotInitParameters) DeepCopyInto(out *AutopilotInitParameters) { + *out = *in + if in.CleanupDeadServers != nil { + in, out := &in.CleanupDeadServers, &out.CleanupDeadServers + *out = new(bool) + **out = **in + } + if in.DeadServerLastContactThreshold != nil { + in, out := &in.DeadServerLastContactThreshold, &out.DeadServerLastContactThreshold + *out = new(string) + **out = **in + } + if in.DisableUpgradeMigration != nil { + in, out := &in.DisableUpgradeMigration, &out.DisableUpgradeMigration + *out = new(bool) + **out = **in + } + if in.LastContactThreshold != nil { + in, out := &in.LastContactThreshold, &out.LastContactThreshold + *out = new(string) + **out = **in + } + if in.MaxTrailingLogs != nil { + in, out := &in.MaxTrailingLogs, &out.MaxTrailingLogs + *out = new(float64) + **out = **in + } + if in.MinQuorum != nil { + in, out := &in.MinQuorum, &out.MinQuorum + *out = new(float64) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.ServerStabilizationTime != nil { + in, out := &in.ServerStabilizationTime, &out.ServerStabilizationTime + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutopilotInitParameters. +func (in *AutopilotInitParameters) DeepCopy() *AutopilotInitParameters { + if in == nil { + return nil + } + out := new(AutopilotInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AutopilotList) DeepCopyInto(out *AutopilotList) { *out = *in 
@@ -192,6 +247,7 @@ func (in *AutopilotSpec) DeepCopyInto(out *AutopilotSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutopilotSpec. 
@@ -248,6 +304,161 @@ func (in *SnapshotAgentConfig) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SnapshotAgentConfigInitParameters) DeepCopyInto(out *SnapshotAgentConfigInitParameters) { + *out = *in + if in.AwsAccessKeyID != nil { + in, out := &in.AwsAccessKeyID, &out.AwsAccessKeyID + *out = new(string) + **out = **in + } + if in.AwsS3Bucket != nil { + in, out := &in.AwsS3Bucket, &out.AwsS3Bucket + *out = new(string) + **out = **in + } + if in.AwsS3DisableTLS != nil { + in, out := &in.AwsS3DisableTLS, &out.AwsS3DisableTLS + *out = new(bool) + **out = **in + } + if in.AwsS3EnableKMS != nil { + in, out := &in.AwsS3EnableKMS, &out.AwsS3EnableKMS + *out = new(bool) + **out = **in + } + if in.AwsS3Endpoint != nil { + in, out := &in.AwsS3Endpoint, &out.AwsS3Endpoint + *out = new(string) + **out = **in + } + if in.AwsS3ForcePathStyle != nil { + in, out := &in.AwsS3ForcePathStyle, &out.AwsS3ForcePathStyle + *out = new(bool) + **out = **in + } + if in.AwsS3KMSKey != nil { + in, out := &in.AwsS3KMSKey, &out.AwsS3KMSKey + *out = new(string) + **out = **in + } + if in.AwsS3Region != nil { + in, out := &in.AwsS3Region, &out.AwsS3Region + *out = new(string) + **out = **in + } + if in.AwsS3ServerSideEncryption != nil { + in, out := &in.AwsS3ServerSideEncryption, &out.AwsS3ServerSideEncryption + *out = new(bool) + **out = **in + } + if in.AwsSecretAccessKey != nil { + in, out := &in.AwsSecretAccessKey, &out.AwsSecretAccessKey + *out = new(string) + **out = **in + } + if in.AwsSessionToken != nil { + in, out := &in.AwsSessionToken, &out.AwsSessionToken + *out = new(string) + **out = **in + } + if in.AzureAccountKey != nil { + in, out := &in.AzureAccountKey, &out.AzureAccountKey + *out = new(string) + **out = **in + } + if in.AzureAccountName != nil { + in, out := &in.AzureAccountName, &out.AzureAccountName + *out = new(string) + **out = **in + } + if 
in.AzureBlobEnvironment != nil { + in, out := &in.AzureBlobEnvironment, &out.AzureBlobEnvironment + *out = new(string) + **out = **in + } + if in.AzureContainerName != nil { + in, out := &in.AzureContainerName, &out.AzureContainerName + *out = new(string) + **out = **in + } + if in.AzureEndpoint != nil { + in, out := &in.AzureEndpoint, &out.AzureEndpoint + *out = new(string) + **out = **in + } + if in.FilePrefix != nil { + in, out := &in.FilePrefix, &out.FilePrefix + *out = new(string) + **out = **in + } + if in.GoogleDisableTLS != nil { + in, out := &in.GoogleDisableTLS, &out.GoogleDisableTLS + *out = new(bool) + **out = **in + } + if in.GoogleEndpoint != nil { + in, out := &in.GoogleEndpoint, &out.GoogleEndpoint + *out = new(string) + **out = **in + } + if in.GoogleGcsBucket != nil { + in, out := &in.GoogleGcsBucket, &out.GoogleGcsBucket + *out = new(string) + **out = **in + } + if in.GoogleServiceAccountKey != nil { + in, out := &in.GoogleServiceAccountKey, &out.GoogleServiceAccountKey + *out = new(string) + **out = **in + } + if in.IntervalSeconds != nil { + in, out := &in.IntervalSeconds, &out.IntervalSeconds + *out = new(float64) + **out = **in + } + if in.LocalMaxSpace != nil { + in, out := &in.LocalMaxSpace, &out.LocalMaxSpace + *out = new(float64) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.PathPrefix != nil { + in, out := &in.PathPrefix, &out.PathPrefix + *out = new(string) + **out = **in + } + if in.Retain != nil { + in, out := &in.Retain, &out.Retain + *out = new(float64) + **out = **in + } + if in.StorageType != nil { + in, out := &in.StorageType, &out.StorageType + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SnapshotAgentConfigInitParameters. 
+func (in *SnapshotAgentConfigInitParameters) DeepCopy() *SnapshotAgentConfigInitParameters { + if in == nil { + return nil + } + out := new(SnapshotAgentConfigInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SnapshotAgentConfigList) DeepCopyInto(out *SnapshotAgentConfigList) { *out = *in @@ -600,6 +811,7 @@ func (in *SnapshotAgentConfigSpec) DeepCopyInto(out *SnapshotAgentConfigSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SnapshotAgentConfigSpec. diff --git a/apis/raft/v1alpha1/zz_generated.managed.go b/apis/raft/v1alpha1/zz_generated.managed.go index 1ab2968f..287cbcd7 100644 --- a/apis/raft/v1alpha1/zz_generated.managed.go +++ b/apis/raft/v1alpha1/zz_generated.managed.go @@ -17,9 +17,9 @@ func (mg *Autopilot) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this Autopilot. -func (mg *Autopilot) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this Autopilot. +func (mg *Autopilot) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this Autopilot. @@ -55,9 +55,9 @@ func (mg *Autopilot) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this Autopilot. -func (mg *Autopilot) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this Autopilot. +func (mg *Autopilot) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this Autopilot. 
@@ -93,9 +93,9 @@ func (mg *SnapshotAgentConfig) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SnapshotAgentConfig. -func (mg *SnapshotAgentConfig) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SnapshotAgentConfig. +func (mg *SnapshotAgentConfig) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SnapshotAgentConfig. @@ -131,9 +131,9 @@ func (mg *SnapshotAgentConfig) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SnapshotAgentConfig. -func (mg *SnapshotAgentConfig) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SnapshotAgentConfig. +func (mg *SnapshotAgentConfig) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SnapshotAgentConfig. diff --git a/apis/raft/v1alpha1/zz_generated_terraformed.go b/apis/raft/v1alpha1/zz_generated_terraformed.go index 6354915f..3893c9a0 100755 --- a/apis/raft/v1alpha1/zz_generated_terraformed.go +++ b/apis/raft/v1alpha1/zz_generated_terraformed.go @@ -69,6 +69,16 @@ func (tr *Autopilot) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this Autopilot +func (tr *Autopilot) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this Autopilot using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *Autopilot) LateInitialize(attrs []byte) (bool, error) { 
@@ -143,6 +153,16 @@ func (tr *SnapshotAgentConfig) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SnapshotAgentConfig +func (tr *SnapshotAgentConfig) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SnapshotAgentConfig using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SnapshotAgentConfig) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/raft/v1alpha1/zz_snapshotagentconfig_types.go b/apis/raft/v1alpha1/zz_snapshotagentconfig_types.go index 684c9a54..f880da5f 100755 --- a/apis/raft/v1alpha1/zz_snapshotagentconfig_types.go +++ b/apis/raft/v1alpha1/zz_snapshotagentconfig_types.go 
@@ -13,205 +13,448 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SnapshotAgentConfigInitParameters struct { + + // AWS access key ID. + // AWS access key ID. + AwsAccessKeyID *string `json:"awsAccessKeyId,omitempty" tf:"aws_access_key_id,omitempty"` + + // S3 bucket to write snapshots to. + // S3 bucket to write snapshots to. + AwsS3Bucket *string `json:"awsS3Bucket,omitempty" tf:"aws_s3_bucket,omitempty"` + + // Disable TLS for the S3 endpoint. This + // should only be used for testing purposes, typically in conjunction with + // aws_s3_endpoint. + // Disable TLS for the S3 endpoint. This should only be used for testing purposes. + AwsS3DisableTLS *bool `json:"awsS3DisableTls,omitempty" tf:"aws_s3_disable_tls,omitempty"` + + // Use KMS to encrypt bucket contents. + // Use KMS to encrypt bucket contents. + AwsS3EnableKMS *bool `json:"awsS3EnableKms,omitempty" tf:"aws_s3_enable_kms,omitempty"` + + // AWS endpoint. This is typically only set when + // using a non-AWS S3 implementation like Minio. + // AWS endpoint. This is typically only set when using a non-AWS S3 implementation like Minio. + AwsS3Endpoint *string `json:"awsS3Endpoint,omitempty" tf:"aws_s3_endpoint,omitempty"` + + // Use the endpoint/bucket URL style + // instead of bucket.endpoint. May be needed when setting aws_s3_endpoint. + // Use the endpoint/bucket URL style instead of bucket.endpoint. + AwsS3ForcePathStyle *bool `json:"awsS3ForcePathStyle,omitempty" tf:"aws_s3_force_path_style,omitempty"` + + // Use named KMS key, when aws_s3_enable_kms = true + // Use named KMS key, when aws_s3_enable_kms=true + AwsS3KMSKey *string `json:"awsS3KmsKey,omitempty" tf:"aws_s3_kms_key,omitempty"` + + // AWS region bucket is in. + // AWS region bucket is in. + AwsS3Region *string `json:"awsS3Region,omitempty" tf:"aws_s3_region,omitempty"` + + // Use AES256 to encrypt bucket contents. + // Use AES256 to encrypt bucket contents. 
+ AwsS3ServerSideEncryption *bool `json:"awsS3ServerSideEncryption,omitempty" tf:"aws_s3_server_side_encryption,omitempty"` + + // AWS secret access key. + // AWS secret access key. + AwsSecretAccessKey *string `json:"awsSecretAccessKey,omitempty" tf:"aws_secret_access_key,omitempty"` + + // AWS session token. + // AWS session token. + AwsSessionToken *string `json:"awsSessionToken,omitempty" tf:"aws_session_token,omitempty"` + + // Azure account key. + // Azure account key. + AzureAccountKey *string `json:"azureAccountKey,omitempty" tf:"azure_account_key,omitempty"` + + // Azure account name. + // Azure account name. + AzureAccountName *string `json:"azureAccountName,omitempty" tf:"azure_account_name,omitempty"` + + // Azure blob environment. + // Azure blob environment. + AzureBlobEnvironment *string `json:"azureBlobEnvironment,omitempty" tf:"azure_blob_environment,omitempty"` + + // Azure container name to write + // snapshots to. + // Azure container name to write snapshots to. + AzureContainerName *string `json:"azureContainerName,omitempty" tf:"azure_container_name,omitempty"` + + // Azure blob storage endpoint. This is typically + // only set when using a non-Azure implementation like Azurite. + // Azure blob storage endpoint. This is typically only set when using a non-Azure implementation like Azurite. + AzureEndpoint *string `json:"azureEndpoint,omitempty" tf:"azure_endpoint,omitempty"` + + // Within the directory or bucket + // prefix given by path_prefix, the file or object name of snapshot files + // will start with this string. + // The file or object name of snapshot files will start with this string. + FilePrefix *string `json:"filePrefix,omitempty" tf:"file_prefix,omitempty"` + + // Disable TLS for the GCS endpoint. This + // should only be used for testing purposes, typically in conjunction with + // google_endpoint. + // Disable TLS for the GCS endpoint. 
+ GoogleDisableTLS *bool `json:"googleDisableTls,omitempty" tf:"google_disable_tls,omitempty"` + + // GCS endpoint. This is typically only set when + // using a non-Google GCS implementation like fake-gcs-server. + // GCS endpoint. This is typically only set when using a non-Google GCS implementation like fake-gcs-server. + GoogleEndpoint *string `json:"googleEndpoint,omitempty" tf:"google_endpoint,omitempty"` + + // GCS bucket to write snapshots to. + // GCS bucket to write snapshots to. + GoogleGcsBucket *string `json:"googleGcsBucket,omitempty" tf:"google_gcs_bucket,omitempty"` + + // Google service account key in JSON format. + // The raw value looks like this: + // Google service account key in JSON format. + GoogleServiceAccountKey *string `json:"googleServiceAccountKey,omitempty" tf:"google_service_account_key,omitempty"` + + // Time (in seconds) between snapshots. + // Number of seconds between snapshots. + IntervalSeconds *float64 `json:"intervalSeconds,omitempty" tf:"interval_seconds,omitempty"` + + // For storage_type = local, the maximum + // space, in bytes, to use for snapshots. Snapshot attempts will fail if there is not enough + // space left in this allowance. + // The maximum space, in bytes, to use for snapshots. + LocalMaxSpace *float64 `json:"localMaxSpace,omitempty" tf:"local_max_space,omitempty"` + + // – Name of the configuration to modify. + // Name of the snapshot agent configuration. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // For storage_type = "local", the directory to + // write the snapshots in. For cloud storage types, the bucket prefix to use. 
+ // Types azure-s3 and google-gcs require a trailing / (slash). + // Types local and aws-s3 the trailing / is optional. + // The directory or bucket prefix to to use. + PathPrefix *string `json:"pathPrefix,omitempty" tf:"path_prefix,omitempty"` + + // How many snapshots are to be kept; when writing a + // snapshot, if there are more snapshots already stored than this number, the + // oldest ones will be deleted. + // How many snapshots are to be kept. + Retain *float64 `json:"retain,omitempty" tf:"retain,omitempty"` + + // One of "local", "azure-blob", "aws-s3", + // or "google-gcs". The remaining parameters described below are all specific to + // the selected storage_type and prefixed accordingly. + // What storage service to send snapshots to. One of "local", "azure-blob", "aws-s3", or "google-gcs". + StorageType *string `json:"storageType,omitempty" tf:"storage_type,omitempty"` +} + type SnapshotAgentConfigObservation struct { + // AWS access key ID. // AWS access key ID. AwsAccessKeyID *string `json:"awsAccessKeyId,omitempty" tf:"aws_access_key_id,omitempty"` + // S3 bucket to write snapshots to. // S3 bucket to write snapshots to. AwsS3Bucket *string `json:"awsS3Bucket,omitempty" tf:"aws_s3_bucket,omitempty"` + // Disable TLS for the S3 endpoint. This + // should only be used for testing purposes, typically in conjunction with + // aws_s3_endpoint. // Disable TLS for the S3 endpoint. This should only be used for testing purposes. AwsS3DisableTLS *bool `json:"awsS3DisableTls,omitempty" tf:"aws_s3_disable_tls,omitempty"` + // Use KMS to encrypt bucket contents. // Use KMS to encrypt bucket contents. AwsS3EnableKMS *bool `json:"awsS3EnableKms,omitempty" tf:"aws_s3_enable_kms,omitempty"` + // AWS endpoint. This is typically only set when + // using a non-AWS S3 implementation like Minio. // AWS endpoint. This is typically only set when using a non-AWS S3 implementation like Minio. 
AwsS3Endpoint *string `json:"awsS3Endpoint,omitempty" tf:"aws_s3_endpoint,omitempty"` + // Use the endpoint/bucket URL style + // instead of bucket.endpoint. May be needed when setting aws_s3_endpoint. // Use the endpoint/bucket URL style instead of bucket.endpoint. AwsS3ForcePathStyle *bool `json:"awsS3ForcePathStyle,omitempty" tf:"aws_s3_force_path_style,omitempty"` + // Use named KMS key, when aws_s3_enable_kms = true // Use named KMS key, when aws_s3_enable_kms=true AwsS3KMSKey *string `json:"awsS3KmsKey,omitempty" tf:"aws_s3_kms_key,omitempty"` + // AWS region bucket is in. // AWS region bucket is in. AwsS3Region *string `json:"awsS3Region,omitempty" tf:"aws_s3_region,omitempty"` + // Use AES256 to encrypt bucket contents. // Use AES256 to encrypt bucket contents. AwsS3ServerSideEncryption *bool `json:"awsS3ServerSideEncryption,omitempty" tf:"aws_s3_server_side_encryption,omitempty"` + // AWS secret access key. // AWS secret access key. AwsSecretAccessKey *string `json:"awsSecretAccessKey,omitempty" tf:"aws_secret_access_key,omitempty"` + // AWS session token. // AWS session token. AwsSessionToken *string `json:"awsSessionToken,omitempty" tf:"aws_session_token,omitempty"` + // Azure account key. // Azure account key. AzureAccountKey *string `json:"azureAccountKey,omitempty" tf:"azure_account_key,omitempty"` + // Azure account name. // Azure account name. AzureAccountName *string `json:"azureAccountName,omitempty" tf:"azure_account_name,omitempty"` + // Azure blob environment. // Azure blob environment. AzureBlobEnvironment *string `json:"azureBlobEnvironment,omitempty" tf:"azure_blob_environment,omitempty"` + // Azure container name to write + // snapshots to. // Azure container name to write snapshots to. AzureContainerName *string `json:"azureContainerName,omitempty" tf:"azure_container_name,omitempty"` + // Azure blob storage endpoint. This is typically + // only set when using a non-Azure implementation like Azurite. // Azure blob storage endpoint. 
This is typically only set when using a non-Azure implementation like Azurite. AzureEndpoint *string `json:"azureEndpoint,omitempty" tf:"azure_endpoint,omitempty"` + // Within the directory or bucket + // prefix given by path_prefix, the file or object name of snapshot files + // will start with this string. // The file or object name of snapshot files will start with this string. FilePrefix *string `json:"filePrefix,omitempty" tf:"file_prefix,omitempty"` + // Disable TLS for the GCS endpoint. This + // should only be used for testing purposes, typically in conjunction with + // google_endpoint. // Disable TLS for the GCS endpoint. GoogleDisableTLS *bool `json:"googleDisableTls,omitempty" tf:"google_disable_tls,omitempty"` + // GCS endpoint. This is typically only set when + // using a non-Google GCS implementation like fake-gcs-server. // GCS endpoint. This is typically only set when using a non-Google GCS implementation like fake-gcs-server. GoogleEndpoint *string `json:"googleEndpoint,omitempty" tf:"google_endpoint,omitempty"` + // GCS bucket to write snapshots to. // GCS bucket to write snapshots to. GoogleGcsBucket *string `json:"googleGcsBucket,omitempty" tf:"google_gcs_bucket,omitempty"` + // Google service account key in JSON format. + // The raw value looks like this: // Google service account key in JSON format. GoogleServiceAccountKey *string `json:"googleServiceAccountKey,omitempty" tf:"google_service_account_key,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // Time (in seconds) between snapshots. // Number of seconds between snapshots. IntervalSeconds *float64 `json:"intervalSeconds,omitempty" tf:"interval_seconds,omitempty"` + // For storage_type = local, the maximum + // space, in bytes, to use for snapshots. Snapshot attempts will fail if there is not enough + // space left in this allowance. // The maximum space, in bytes, to use for snapshots. 
LocalMaxSpace *float64 `json:"localMaxSpace,omitempty" tf:"local_max_space,omitempty"` + // – Name of the configuration to modify. // Name of the snapshot agent configuration. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // For storage_type = "local", the directory to + // write the snapshots in. For cloud storage types, the bucket prefix to use. + // Types azure-s3 and google-gcs require a trailing / (slash). + // Types local and aws-s3 the trailing / is optional. // The directory or bucket prefix to to use. PathPrefix *string `json:"pathPrefix,omitempty" tf:"path_prefix,omitempty"` + // How many snapshots are to be kept; when writing a + // snapshot, if there are more snapshots already stored than this number, the + // oldest ones will be deleted. // How many snapshots are to be kept. Retain *float64 `json:"retain,omitempty" tf:"retain,omitempty"` + // One of "local", "azure-blob", "aws-s3", + // or "google-gcs". The remaining parameters described below are all specific to + // the selected storage_type and prefixed accordingly. // What storage service to send snapshots to. One of "local", "azure-blob", "aws-s3", or "google-gcs". StorageType *string `json:"storageType,omitempty" tf:"storage_type,omitempty"` } type SnapshotAgentConfigParameters struct { + // AWS access key ID. // AWS access key ID. // +kubebuilder:validation:Optional AwsAccessKeyID *string `json:"awsAccessKeyId,omitempty" tf:"aws_access_key_id,omitempty"` + // S3 bucket to write snapshots to. // S3 bucket to write snapshots to. 
// +kubebuilder:validation:Optional AwsS3Bucket *string `json:"awsS3Bucket,omitempty" tf:"aws_s3_bucket,omitempty"` + // Disable TLS for the S3 endpoint. This + // should only be used for testing purposes, typically in conjunction with + // aws_s3_endpoint. // Disable TLS for the S3 endpoint. This should only be used for testing purposes. // +kubebuilder:validation:Optional AwsS3DisableTLS *bool `json:"awsS3DisableTls,omitempty" tf:"aws_s3_disable_tls,omitempty"` + // Use KMS to encrypt bucket contents. // Use KMS to encrypt bucket contents. // +kubebuilder:validation:Optional AwsS3EnableKMS *bool `json:"awsS3EnableKms,omitempty" tf:"aws_s3_enable_kms,omitempty"` + // AWS endpoint. This is typically only set when + // using a non-AWS S3 implementation like Minio. // AWS endpoint. This is typically only set when using a non-AWS S3 implementation like Minio. // +kubebuilder:validation:Optional AwsS3Endpoint *string `json:"awsS3Endpoint,omitempty" tf:"aws_s3_endpoint,omitempty"` + // Use the endpoint/bucket URL style + // instead of bucket.endpoint. May be needed when setting aws_s3_endpoint. // Use the endpoint/bucket URL style instead of bucket.endpoint. // +kubebuilder:validation:Optional AwsS3ForcePathStyle *bool `json:"awsS3ForcePathStyle,omitempty" tf:"aws_s3_force_path_style,omitempty"` + // Use named KMS key, when aws_s3_enable_kms = true // Use named KMS key, when aws_s3_enable_kms=true // +kubebuilder:validation:Optional AwsS3KMSKey *string `json:"awsS3KmsKey,omitempty" tf:"aws_s3_kms_key,omitempty"` + // AWS region bucket is in. // AWS region bucket is in. // +kubebuilder:validation:Optional AwsS3Region *string `json:"awsS3Region,omitempty" tf:"aws_s3_region,omitempty"` + // Use AES256 to encrypt bucket contents. // Use AES256 to encrypt bucket contents. // +kubebuilder:validation:Optional AwsS3ServerSideEncryption *bool `json:"awsS3ServerSideEncryption,omitempty" tf:"aws_s3_server_side_encryption,omitempty"` + // AWS secret access key. 
// AWS secret access key. // +kubebuilder:validation:Optional AwsSecretAccessKey *string `json:"awsSecretAccessKey,omitempty" tf:"aws_secret_access_key,omitempty"` + // AWS session token. // AWS session token. // +kubebuilder:validation:Optional AwsSessionToken *string `json:"awsSessionToken,omitempty" tf:"aws_session_token,omitempty"` + // Azure account key. // Azure account key. // +kubebuilder:validation:Optional AzureAccountKey *string `json:"azureAccountKey,omitempty" tf:"azure_account_key,omitempty"` + // Azure account name. // Azure account name. // +kubebuilder:validation:Optional AzureAccountName *string `json:"azureAccountName,omitempty" tf:"azure_account_name,omitempty"` + // Azure blob environment. // Azure blob environment. // +kubebuilder:validation:Optional AzureBlobEnvironment *string `json:"azureBlobEnvironment,omitempty" tf:"azure_blob_environment,omitempty"` + // Azure container name to write + // snapshots to. // Azure container name to write snapshots to. // +kubebuilder:validation:Optional AzureContainerName *string `json:"azureContainerName,omitempty" tf:"azure_container_name,omitempty"` + // Azure blob storage endpoint. This is typically + // only set when using a non-Azure implementation like Azurite. // Azure blob storage endpoint. This is typically only set when using a non-Azure implementation like Azurite. // +kubebuilder:validation:Optional AzureEndpoint *string `json:"azureEndpoint,omitempty" tf:"azure_endpoint,omitempty"` + // Within the directory or bucket + // prefix given by path_prefix, the file or object name of snapshot files + // will start with this string. // The file or object name of snapshot files will start with this string. // +kubebuilder:validation:Optional FilePrefix *string `json:"filePrefix,omitempty" tf:"file_prefix,omitempty"` + // Disable TLS for the GCS endpoint. This + // should only be used for testing purposes, typically in conjunction with + // google_endpoint. // Disable TLS for the GCS endpoint. 
// +kubebuilder:validation:Optional GoogleDisableTLS *bool `json:"googleDisableTls,omitempty" tf:"google_disable_tls,omitempty"` + // GCS endpoint. This is typically only set when + // using a non-Google GCS implementation like fake-gcs-server. // GCS endpoint. This is typically only set when using a non-Google GCS implementation like fake-gcs-server. // +kubebuilder:validation:Optional GoogleEndpoint *string `json:"googleEndpoint,omitempty" tf:"google_endpoint,omitempty"` + // GCS bucket to write snapshots to. // GCS bucket to write snapshots to. // +kubebuilder:validation:Optional GoogleGcsBucket *string `json:"googleGcsBucket,omitempty" tf:"google_gcs_bucket,omitempty"` + // Google service account key in JSON format. + // The raw value looks like this: // Google service account key in JSON format. // +kubebuilder:validation:Optional GoogleServiceAccountKey *string `json:"googleServiceAccountKey,omitempty" tf:"google_service_account_key,omitempty"` + // Time (in seconds) between snapshots. // Number of seconds between snapshots. // +kubebuilder:validation:Optional IntervalSeconds *float64 `json:"intervalSeconds,omitempty" tf:"interval_seconds,omitempty"` + // For storage_type = local, the maximum + // space, in bytes, to use for snapshots. Snapshot attempts will fail if there is not enough + // space left in this allowance. // The maximum space, in bytes, to use for snapshots. // +kubebuilder:validation:Optional LocalMaxSpace *float64 `json:"localMaxSpace,omitempty" tf:"local_max_space,omitempty"` + // – Name of the configuration to modify. // Name of the snapshot agent configuration. // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. 
(requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // For storage_type = "local", the directory to + // write the snapshots in. For cloud storage types, the bucket prefix to use. + // Types azure-s3 and google-gcs require a trailing / (slash). + // Types local and aws-s3 the trailing / is optional. // The directory or bucket prefix to to use. // +kubebuilder:validation:Optional PathPrefix *string `json:"pathPrefix,omitempty" tf:"path_prefix,omitempty"` + // How many snapshots are to be kept; when writing a + // snapshot, if there are more snapshots already stored than this number, the + // oldest ones will be deleted. // How many snapshots are to be kept. // +kubebuilder:validation:Optional Retain *float64 `json:"retain,omitempty" tf:"retain,omitempty"` + // One of "local", "azure-blob", "aws-s3", + // or "google-gcs". The remaining parameters described below are all specific to + // the selected storage_type and prefixed accordingly. // What storage service to send snapshots to. One of "local", "azure-blob", "aws-s3", or "google-gcs". // +kubebuilder:validation:Optional StorageType *string `json:"storageType,omitempty" tf:"storage_type,omitempty"` 
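Review bot: The new `SnapshotAgentConfigInitParameters` struct declares `AwsSecretAccessKey`, `AwsSessionToken`, `AzureAccountKey` and `GoogleServiceAccountKey` as plain `*string` fields, matching the pre-existing `*string` declarations in `SnapshotAgentConfigObservation` and `SnapshotAgentConfigParameters` in this hunk, so the cloud credentials are carried verbatim in the CR spec and, via the observation type, presumably echoed back into the resource status where any reader of the object can see them. Because the file is generated, the change belongs in the provider's upjet resource configuration rather than here: mark those Terraform attributes as sensitive so the generator emits a `v1.SecretKeySelector` for them and leaves them out of the observation struct. Until that is done, a comment above each of these fields, `// NOTE: credential is stored in plaintext in spec and status; prefer a Kubernetes Secret reference`, would at least warn consumers of the CRD.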
@@ -221,6 +464,18 @@ type SnapshotAgentConfigParameters struct { type SnapshotAgentConfigSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SnapshotAgentConfigParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SnapshotAgentConfigInitParameters `json:"initProvider,omitempty"` } // SnapshotAgentConfigStatus defines the observed state of SnapshotAgentConfig. @@ -231,7 +486,7 @@ type SnapshotAgentConfigStatus struct { // +kubebuilder:object:root=true -// SnapshotAgentConfig is the Schema for the SnapshotAgentConfigs API. +// SnapshotAgentConfig is the Schema for the SnapshotAgentConfigs API. Creates a Raft Snapshot Agent Configuration for Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -241,10 +496,10 @@ type SnapshotAgentConfigStatus struct { type SnapshotAgentConfig struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.intervalSeconds)",message="intervalSeconds is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.pathPrefix)",message="pathPrefix is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.storageType)",message="storageType is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.intervalSeconds) || has(self.initProvider.intervalSeconds)",message="intervalSeconds is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.pathPrefix) || has(self.initProvider.pathPrefix)",message="pathPrefix is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.storageType) || has(self.initProvider.storageType)",message="storageType is a required parameter" Spec SnapshotAgentConfigSpec 
`json:"spec"` Status SnapshotAgentConfigStatus `json:"status,omitempty"` } diff --git a/apis/rgp/v1alpha1/zz_generated.deepcopy.go b/apis/rgp/v1alpha1/zz_generated.deepcopy.go index c39cf7cb..eb3f7c03 100644 --- a/apis/rgp/v1alpha1/zz_generated.deepcopy.go +++ b/apis/rgp/v1alpha1/zz_generated.deepcopy.go @@ -40,6 +40,41 @@ func (in *Policy) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyInitParameters) DeepCopyInto(out *PolicyInitParameters) { + *out = *in + if in.EnforcementLevel != nil { + in, out := &in.EnforcementLevel, &out.EnforcementLevel + *out = new(string) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Policy != nil { + in, out := &in.Policy, &out.Policy + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyInitParameters. +func (in *PolicyInitParameters) DeepCopy() *PolicyInitParameters { + if in == nil { + return nil + } + out := new(PolicyInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PolicyList) DeepCopyInto(out *PolicyList) { *out = *in @@ -152,6 +187,7 @@ func (in *PolicySpec) DeepCopyInto(out *PolicySpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicySpec. diff --git a/apis/rgp/v1alpha1/zz_generated.managed.go b/apis/rgp/v1alpha1/zz_generated.managed.go index 51f4cdcf..a29e31ba 100644 
--- a/apis/rgp/v1alpha1/zz_generated.managed.go +++ b/apis/rgp/v1alpha1/zz_generated.managed.go @@ -17,9 +17,9 @@ func (mg *Policy) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this Policy. -func (mg *Policy) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this Policy. +func (mg *Policy) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this Policy. @@ -55,9 +55,9 @@ func (mg *Policy) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this Policy. -func (mg *Policy) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this Policy. +func (mg *Policy) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this Policy. diff --git a/apis/rgp/v1alpha1/zz_generated_terraformed.go b/apis/rgp/v1alpha1/zz_generated_terraformed.go index f8f1146f..ae06c29e 100755 --- a/apis/rgp/v1alpha1/zz_generated_terraformed.go +++ b/apis/rgp/v1alpha1/zz_generated_terraformed.go @@ -69,6 +69,16 @@ func (tr *Policy) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this Policy +func (tr *Policy) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this Policy using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *Policy) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/rgp/v1alpha1/zz_policy_types.go b/apis/rgp/v1alpha1/zz_policy_types.go index 2466d8b7..c809c082 100755 --- a/apis/rgp/v1alpha1/zz_policy_types.go 
+++ b/apis/rgp/v1alpha1/zz_policy_types.go 
@@ -13,37 +13,73 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type PolicyInitParameters struct { + + // Enforcement level of Sentinel policy. Can be either advisory or soft-mandatory or hard-mandatory + // Enforcement level of Sentinel policy. Can be one of: 'advisory', 'soft-mandatory' or 'hard-mandatory' + EnforcementLevel *string `json:"enforcementLevel,omitempty" tf:"enforcement_level,omitempty"` + + // The name of the policy + // Name of the policy + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // String containing a Sentinel policy + // The policy document + Policy *string `json:"policy,omitempty" tf:"policy,omitempty"` +} + type PolicyObservation struct { + // Enforcement level of Sentinel policy. Can be either advisory or soft-mandatory or hard-mandatory // Enforcement level of Sentinel policy. Can be one of: 'advisory', 'soft-mandatory' or 'hard-mandatory' EnforcementLevel *string `json:"enforcementLevel,omitempty" tf:"enforcement_level,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The name of the policy // Name of the policy Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. 
(requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // String containing a Sentinel policy // The policy document Policy *string `json:"policy,omitempty" tf:"policy,omitempty"` } type PolicyParameters struct { + // Enforcement level of Sentinel policy. Can be either advisory or soft-mandatory or hard-mandatory // Enforcement level of Sentinel policy. Can be one of: 'advisory', 'soft-mandatory' or 'hard-mandatory' // +kubebuilder:validation:Optional EnforcementLevel *string `json:"enforcementLevel,omitempty" tf:"enforcement_level,omitempty"` + // The name of the policy // Name of the policy // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // String containing a Sentinel policy // The policy document // +kubebuilder:validation:Optional Policy *string `json:"policy,omitempty" tf:"policy,omitempty"` 
@@ -53,6 +89,18 @@ type PolicyParameters struct { type PolicySpec struct { v1.ResourceSpec `json:",inline"` ForProvider PolicyParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider PolicyInitParameters `json:"initProvider,omitempty"` } // PolicyStatus defines the observed state of Policy. @@ -63,7 +111,7 @@ type PolicyStatus struct { // +kubebuilder:object:root=true -// Policy is the Schema for the Policys API. +// Policy is the Schema for the Policys API. Writes Sentinel role governing policies for Vault // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -73,9 +121,9 @@ type PolicyStatus struct { type Policy struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.enforcementLevel)",message="enforcementLevel is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)",message="policy is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.enforcementLevel) || has(self.initProvider.enforcementLevel)",message="enforcementLevel is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.policy) || has(self.initProvider.policy)",message="policy is a required parameter" Spec PolicySpec `json:"spec"` Status PolicyStatus `json:"status,omitempty"` } diff --git a/apis/ssh/v1alpha1/zz_generated.deepcopy.go b/apis/ssh/v1alpha1/zz_generated.deepcopy.go index 946542ec..f7103f94 100644 --- a/apis/ssh/v1alpha1/zz_generated.deepcopy.go +++ b/apis/ssh/v1alpha1/zz_generated.deepcopy.go 
@@ -14,6 +14,37 @@ import ( runtime "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AllowedUserKeyConfigInitParameters) DeepCopyInto(out *AllowedUserKeyConfigInitParameters) { + *out = *in + if in.Lengths != nil { + in, out := &in.Lengths, &out.Lengths + *out = make([]*float64, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(float64) + **out = **in + } + } + } + if in.Type != nil { + in, out := &in.Type, &out.Type + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedUserKeyConfigInitParameters. +func (in *AllowedUserKeyConfigInitParameters) DeepCopy() *AllowedUserKeyConfigInitParameters { + if in == nil { + return nil + } + out := new(AllowedUserKeyConfigInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AllowedUserKeyConfigObservation) DeepCopyInto(out *AllowedUserKeyConfigObservation) { *out = *in 
@@ -103,6 +134,41 @@ func (in *SecretBackendCA) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendCAInitParameters) DeepCopyInto(out *SecretBackendCAInitParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.GenerateSigningKey != nil { + in, out := &in.GenerateSigningKey, &out.GenerateSigningKey + *out = new(bool) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.PublicKey != nil { + in, out := &in.PublicKey, &out.PublicKey + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendCAInitParameters. +func (in *SecretBackendCAInitParameters) DeepCopy() *SecretBackendCAInitParameters { + if in == nil { + return nil + } + out := new(SecretBackendCAInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendCAList) DeepCopyInto(out *SecretBackendCAList) { *out = *in @@ -220,6 +286,7 @@ func (in *SecretBackendCASpec) DeepCopyInto(out *SecretBackendCASpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendCASpec. 
@@ -276,6 +343,178 @@ func (in *SecretBackendRole) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleInitParameters) { + *out = *in + if in.AlgorithmSigner != nil { + in, out := &in.AlgorithmSigner, &out.AlgorithmSigner + *out = new(string) + **out = **in + } + if in.AllowBareDomains != nil { + in, out := &in.AllowBareDomains, &out.AllowBareDomains + *out = new(bool) + **out = **in + } + if in.AllowHostCertificates != nil { + in, out := &in.AllowHostCertificates, &out.AllowHostCertificates + *out = new(bool) + **out = **in + } + if in.AllowSubdomains != nil { + in, out := &in.AllowSubdomains, &out.AllowSubdomains + *out = new(bool) + **out = **in + } + if in.AllowUserCertificates != nil { + in, out := &in.AllowUserCertificates, &out.AllowUserCertificates + *out = new(bool) + **out = **in + } + if in.AllowUserKeyIds != nil { + in, out := &in.AllowUserKeyIds, &out.AllowUserKeyIds + *out = new(bool) + **out = **in + } + if in.AllowedCriticalOptions != nil { + in, out := &in.AllowedCriticalOptions, &out.AllowedCriticalOptions + *out = new(string) + **out = **in + } + if in.AllowedDomains != nil { + in, out := &in.AllowedDomains, &out.AllowedDomains + *out = new(string) + **out = **in + } + if in.AllowedExtensions != nil { + in, out := &in.AllowedExtensions, &out.AllowedExtensions + *out = new(string) + **out = **in + } + if in.AllowedUserKeyConfig != nil { + in, out := &in.AllowedUserKeyConfig, &out.AllowedUserKeyConfig + *out = make([]AllowedUserKeyConfigInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.AllowedUserKeyLengths != nil { + in, out := &in.AllowedUserKeyLengths, &out.AllowedUserKeyLengths + *out = make(map[string]*float64, len(*in)) + for key, val := range *in { + var outVal *float64 + if val == nil { + (*out)[key] = 
nil + } else { + in, out := &val, &outVal + *out = new(float64) + **out = **in + } + (*out)[key] = outVal + } + } + if in.AllowedUsers != nil { + in, out := &in.AllowedUsers, &out.AllowedUsers + *out = new(string) + **out = **in + } + if in.AllowedUsersTemplate != nil { + in, out := &in.AllowedUsersTemplate, &out.AllowedUsersTemplate + *out = new(bool) + **out = **in + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.CidrList != nil { + in, out := &in.CidrList, &out.CidrList + *out = new(string) + **out = **in + } + if in.DefaultCriticalOptions != nil { + in, out := &in.DefaultCriticalOptions, &out.DefaultCriticalOptions + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.DefaultExtensions != nil { + in, out := &in.DefaultExtensions, &out.DefaultExtensions + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.DefaultUser != nil { + in, out := &in.DefaultUser, &out.DefaultUser + *out = new(string) + **out = **in + } + if in.DefaultUserTemplate != nil { + in, out := &in.DefaultUserTemplate, &out.DefaultUserTemplate + *out = new(bool) + **out = **in + } + if in.KeyIDFormat != nil { + in, out := &in.KeyIDFormat, &out.KeyIDFormat + *out = new(string) + **out = **in + } + if in.KeyType != nil { + in, out := &in.KeyType, &out.KeyType + *out = new(string) + **out = **in + } + if in.MaxTTL != nil { + in, out := &in.MaxTTL, &out.MaxTTL + *out = new(string) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, 
&out.Namespace + *out = new(string) + **out = **in + } + if in.TTL != nil { + in, out := &in.TTL, &out.TTL + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleInitParameters. +func (in *SecretBackendRoleInitParameters) DeepCopy() *SecretBackendRoleInitParameters { + if in == nil { + return nil + } + out := new(SecretBackendRoleInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendRoleList) DeepCopyInto(out *SecretBackendRoleList) { *out = *in @@ -662,6 +901,7 @@ func (in *SecretBackendRoleSpec) DeepCopyInto(out *SecretBackendRoleSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleSpec. diff --git a/apis/ssh/v1alpha1/zz_generated.managed.go b/apis/ssh/v1alpha1/zz_generated.managed.go index ff1b3ec9..b47698da 100644 --- a/apis/ssh/v1alpha1/zz_generated.managed.go +++ b/apis/ssh/v1alpha1/zz_generated.managed.go @@ -17,9 +17,9 @@ func (mg *SecretBackendCA) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackendCA. -func (mg *SecretBackendCA) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackendCA. +func (mg *SecretBackendCA) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackendCA. 
@@ -55,9 +55,9 @@ func (mg *SecretBackendCA) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackendCA. -func (mg *SecretBackendCA) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackendCA. +func (mg *SecretBackendCA) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackendCA. @@ -93,9 +93,9 @@ func (mg *SecretBackendRole) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackendRole. -func (mg *SecretBackendRole) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackendRole. +func (mg *SecretBackendRole) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackendRole. @@ -131,9 +131,9 @@ func (mg *SecretBackendRole) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackendRole. -func (mg *SecretBackendRole) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackendRole. +func (mg *SecretBackendRole) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackendRole. diff --git a/apis/ssh/v1alpha1/zz_generated_terraformed.go b/apis/ssh/v1alpha1/zz_generated_terraformed.go index bdb37fd9..a74c1eae 100755 --- a/apis/ssh/v1alpha1/zz_generated_terraformed.go +++ b/apis/ssh/v1alpha1/zz_generated_terraformed.go 
@@ -69,6 +69,16 @@ func (tr *SecretBackendCA) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackendCA +func (tr *SecretBackendCA) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackendCA using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackendCA) LateInitialize(attrs []byte) (bool, error) { @@ -143,6 +153,16 @@ func (tr *SecretBackendRole) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackendRole +func (tr *SecretBackendRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackendRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackendRole) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/ssh/v1alpha1/zz_secretbackendca_types.go b/apis/ssh/v1alpha1/zz_secretbackendca_types.go index 14e81ea8..9336d73a 100755 --- a/apis/ssh/v1alpha1/zz_secretbackendca_types.go +++ b/apis/ssh/v1alpha1/zz_secretbackendca_types.go 
@@ -13,41 +13,78 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretBackendCAInitParameters struct { + + // The path where the SSH secret backend is mounted. Defaults to 'ssh' + // The path of the SSH Secret Backend where the CA should be configured + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // Whether Vault should generate the signing key pair internally. Defaults to true + // Whether Vault should generate the signing key pair internally. + GenerateSigningKey *bool `json:"generateSigningKey,omitempty" tf:"generate_signing_key,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The public key part the SSH CA key pair; required if generate_signing_key is false. + // Public key part the SSH CA key pair; required if generate_signing_key is false. + PublicKey *string `json:"publicKey,omitempty" tf:"public_key,omitempty"` +} + type SecretBackendCAObservation struct { + // The path where the SSH secret backend is mounted. Defaults to 'ssh' // The path of the SSH Secret Backend where the CA should be configured Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Whether Vault should generate the signing key pair internally. Defaults to true // Whether Vault should generate the signing key pair internally. GenerateSigningKey *bool `json:"generateSigningKey,omitempty" tf:"generate_signing_key,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. 
+ // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The public key part the SSH CA key pair; required if generate_signing_key is false. // Public key part the SSH CA key pair; required if generate_signing_key is false. PublicKey *string `json:"publicKey,omitempty" tf:"public_key,omitempty"` } type SecretBackendCAParameters struct { + // The path where the SSH secret backend is mounted. Defaults to 'ssh' // The path of the SSH Secret Backend where the CA should be configured // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Whether Vault should generate the signing key pair internally. Defaults to true // Whether Vault should generate the signing key pair internally. // +kubebuilder:validation:Optional GenerateSigningKey *bool `json:"generateSigningKey,omitempty" tf:"generate_signing_key,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The private key part the SSH CA key pair; required if generate_signing_key is false. // Private key part the SSH CA key pair; required if generate_signing_key is false. // +kubebuilder:validation:Optional PrivateKeySecretRef *v1.SecretKeySelector `json:"privateKeySecretRef,omitempty" tf:"-"` + // The public key part the SSH CA key pair; required if generate_signing_key is false. // Public key part the SSH CA key pair; required if generate_signing_key is false. // +kubebuilder:validation:Optional PublicKey *string `json:"publicKey,omitempty" tf:"public_key,omitempty"` 
@@ -57,6 +94,18 @@ type SecretBackendCAParameters struct { type SecretBackendCASpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendCAParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretBackendCAInitParameters `json:"initProvider,omitempty"` } // SecretBackendCAStatus defines the observed state of SecretBackendCA. @@ -67,7 +116,7 @@ type SecretBackendCAStatus struct { // +kubebuilder:object:root=true -// SecretBackendCA is the Schema for the SecretBackendCAs API. +// SecretBackendCA is the Schema for the SecretBackendCAs API. Managing CA information in an SSH secret backend in Vault // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" diff --git a/apis/ssh/v1alpha1/zz_secretbackendrole_types.go b/apis/ssh/v1alpha1/zz_secretbackendrole_types.go index 904ec84c..89fce815 100755 --- a/apis/ssh/v1alpha1/zz_secretbackendrole_types.go +++ b/apis/ssh/v1alpha1/zz_secretbackendrole_types.go 
@@ -13,11 +13,37 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AllowedUserKeyConfigInitParameters struct { + + // A list of allowed key lengths as integers. + // For key types that do not support setting the length a value of [0] should be used. + // Setting multiple lengths is only supported on Vault 1.10+. For prior releases length + // must be set to a single element list. + // List of allowed key lengths, vault-1.10 and above + Lengths []*float64 `json:"lengths,omitempty" tf:"lengths,omitempty"` + + // The SSH public key type. + // Supported key types are: + // rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, + // ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521 + // Key type, choices: + // rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521 + Type *string `json:"type,omitempty" tf:"type,omitempty"` +} + type AllowedUserKeyConfigObservation struct { + // A list of allowed key lengths as integers. + // For key types that do not support setting the length a value of [0] should be used. + // Setting multiple lengths is only supported on Vault 1.10+. For prior releases length + // must be set to a single element list. // List of allowed key lengths, vault-1.10 and above Lengths []*float64 `json:"lengths,omitempty" tf:"lengths,omitempty"` + // The SSH public key type. + // Supported key types are: + // rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, + // ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521 // Key type, choices: // rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521 Type *string `json:"type,omitempty" tf:"type,omitempty"` 
@@ -25,150 +51,311 @@ type AllowedUserKeyConfigObservation struct { type AllowedUserKeyConfigParameters struct { + // A list of allowed key lengths as integers. + // For key types that do not support setting the length a value of [0] should be used. + // Setting multiple lengths is only supported on Vault 1.10+. For prior releases length + // must be set to a single element list. // List of allowed key lengths, vault-1.10 and above - // +kubebuilder:validation:Required - Lengths []*float64 `json:"lengths" tf:"lengths,omitempty"` + // +kubebuilder:validation:Optional + Lengths []*float64 `json:"lengths,omitempty" tf:"lengths,omitempty"` + // The SSH public key type. + // Supported key types are: + // rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, + // ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521 // Key type, choices: // rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521 - // +kubebuilder:validation:Required - Type *string `json:"type" tf:"type,omitempty"` + // +kubebuilder:validation:Optional + Type *string `json:"type,omitempty" tf:"type,omitempty"` +} + +type SecretBackendRoleInitParameters struct { + + // When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512. + AlgorithmSigner *string `json:"algorithmSigner,omitempty" tf:"algorithm_signer,omitempty"` + + // Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains. + AllowBareDomains *bool `json:"allowBareDomains,omitempty" tf:"allow_bare_domains,omitempty"` + + // Specifies if certificates are allowed to be signed for use as a 'host'. + AllowHostCertificates *bool `json:"allowHostCertificates,omitempty" tf:"allow_host_certificates,omitempty"` + + // Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains. 
+ AllowSubdomains *bool `json:"allowSubdomains,omitempty" tf:"allow_subdomains,omitempty"` + + // Specifies if certificates are allowed to be signed for use as a 'user'. + AllowUserCertificates *bool `json:"allowUserCertificates,omitempty" tf:"allow_user_certificates,omitempty"` + + // Specifies if users can override the key ID for a signed certificate with the key_id field. + AllowUserKeyIds *bool `json:"allowUserKeyIds,omitempty" tf:"allow_user_key_ids,omitempty"` + + // Specifies a comma-separated list of critical options that certificates can have when signed. + AllowedCriticalOptions *string `json:"allowedCriticalOptions,omitempty" tf:"allowed_critical_options,omitempty"` + + // The list of domains for which a client can request a host certificate. + AllowedDomains *string `json:"allowedDomains,omitempty" tf:"allowed_domains,omitempty"` + + // Specifies a comma-separated list of extensions that certificates can have when signed. + AllowedExtensions *string `json:"allowedExtensions,omitempty" tf:"allowed_extensions,omitempty"` + + // Set of configuration blocks to define allowed + // user key configuration, like key type and their lengths. Can be specified multiple times. + // See + // Set of allowed public key types and their relevant configuration + AllowedUserKeyConfig []AllowedUserKeyConfigInitParameters `json:"allowedUserKeyConfig,omitempty" tf:"allowed_user_key_config,omitempty"` + + // Specifies a map of ssh key types and their expected sizes which + // are allowed to be signed by the CA type. + // Deprecated: use allowed_user_key_config instead + AllowedUserKeyLengths map[string]*float64 `json:"allowedUserKeyLengths,omitempty" tf:"allowed_user_key_lengths,omitempty"` + + // Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed. + AllowedUsers *string `json:"allowedUsers,omitempty" tf:"allowed_users,omitempty"` + + // Specifies if allowed_users can be declared using identity template policies. 
Non-templated users are also permitted. + AllowedUsersTemplate *bool `json:"allowedUsersTemplate,omitempty" tf:"allowed_users_template,omitempty"` + + // The path where the SSH secret backend is mounted. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // The comma-separated string of CIDR blocks for which this role is applicable. + CidrList *string `json:"cidrList,omitempty" tf:"cidr_list,omitempty"` + + // Specifies a map of critical options that certificates have when signed. + DefaultCriticalOptions map[string]*string `json:"defaultCriticalOptions,omitempty" tf:"default_critical_options,omitempty"` + + // Specifies a map of extensions that certificates have when signed. + DefaultExtensions map[string]*string `json:"defaultExtensions,omitempty" tf:"default_extensions,omitempty"` + + // Specifies the default username for which a credential will be generated. + DefaultUser *string `json:"defaultUser,omitempty" tf:"default_user,omitempty"` + + // If set, default_users can be specified using identity template values. A non-templated user is also permitted. + DefaultUserTemplate *bool `json:"defaultUserTemplate,omitempty" tf:"default_user_template,omitempty"` + + // Specifies a custom format for the key id of a signed certificate. + KeyIDFormat *string `json:"keyIdFormat,omitempty" tf:"key_id_format,omitempty"` + + // Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca. + KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"` + + // Specifies the maximum Time To Live value. + MaxTTL *string `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` + + // Specifies the name of the role to create. + // Unique name for the role. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. 
+ // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Specifies the Time To Live value. + TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` } type SecretBackendRoleObservation struct { + + // When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512. AlgorithmSigner *string `json:"algorithmSigner,omitempty" tf:"algorithm_signer,omitempty"` + // Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains. AllowBareDomains *bool `json:"allowBareDomains,omitempty" tf:"allow_bare_domains,omitempty"` + // Specifies if certificates are allowed to be signed for use as a 'host'. AllowHostCertificates *bool `json:"allowHostCertificates,omitempty" tf:"allow_host_certificates,omitempty"` + // Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains. AllowSubdomains *bool `json:"allowSubdomains,omitempty" tf:"allow_subdomains,omitempty"` + // Specifies if certificates are allowed to be signed for use as a 'user'. AllowUserCertificates *bool `json:"allowUserCertificates,omitempty" tf:"allow_user_certificates,omitempty"` + // Specifies if users can override the key ID for a signed certificate with the key_id field. AllowUserKeyIds *bool `json:"allowUserKeyIds,omitempty" tf:"allow_user_key_ids,omitempty"` + // Specifies a comma-separated list of critical options that certificates can have when signed. AllowedCriticalOptions *string `json:"allowedCriticalOptions,omitempty" tf:"allowed_critical_options,omitempty"` + // The list of domains for which a client can request a host certificate. AllowedDomains *string `json:"allowedDomains,omitempty" tf:"allowed_domains,omitempty"` + // Specifies a comma-separated list of extensions that certificates can have when signed. 
AllowedExtensions *string `json:"allowedExtensions,omitempty" tf:"allowed_extensions,omitempty"` + // Set of configuration blocks to define allowed + // user key configuration, like key type and their lengths. Can be specified multiple times. + // See // Set of allowed public key types and their relevant configuration AllowedUserKeyConfig []AllowedUserKeyConfigObservation `json:"allowedUserKeyConfig,omitempty" tf:"allowed_user_key_config,omitempty"` + // Specifies a map of ssh key types and their expected sizes which + // are allowed to be signed by the CA type. + // Deprecated: use allowed_user_key_config instead AllowedUserKeyLengths map[string]*float64 `json:"allowedUserKeyLengths,omitempty" tf:"allowed_user_key_lengths,omitempty"` + // Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed. AllowedUsers *string `json:"allowedUsers,omitempty" tf:"allowed_users,omitempty"` + // Specifies if allowed_users can be declared using identity template policies. Non-templated users are also permitted. AllowedUsersTemplate *bool `json:"allowedUsersTemplate,omitempty" tf:"allowed_users_template,omitempty"` + // The path where the SSH secret backend is mounted. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // The comma-separated string of CIDR blocks for which this role is applicable. CidrList *string `json:"cidrList,omitempty" tf:"cidr_list,omitempty"` + // Specifies a map of critical options that certificates have when signed. DefaultCriticalOptions map[string]*string `json:"defaultCriticalOptions,omitempty" tf:"default_critical_options,omitempty"` + // Specifies a map of extensions that certificates have when signed. DefaultExtensions map[string]*string `json:"defaultExtensions,omitempty" tf:"default_extensions,omitempty"` + // Specifies the default username for which a credential will be generated. 
DefaultUser *string `json:"defaultUser,omitempty" tf:"default_user,omitempty"` + // If set, default_users can be specified using identity template values. A non-templated user is also permitted. DefaultUserTemplate *bool `json:"defaultUserTemplate,omitempty" tf:"default_user_template,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // Specifies a custom format for the key id of a signed certificate. KeyIDFormat *string `json:"keyIdFormat,omitempty" tf:"key_id_format,omitempty"` + // Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca. KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"` + // Specifies the maximum Time To Live value. MaxTTL *string `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` + // Specifies the name of the role to create. // Unique name for the role. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Specifies the Time To Live value. TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` } type SecretBackendRoleParameters struct { + // When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512. // +kubebuilder:validation:Optional AlgorithmSigner *string `json:"algorithmSigner,omitempty" tf:"algorithm_signer,omitempty"` + // Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains. // +kubebuilder:validation:Optional AllowBareDomains *bool `json:"allowBareDomains,omitempty" tf:"allow_bare_domains,omitempty"` + // Specifies if certificates are allowed to be signed for use as a 'host'. 
// +kubebuilder:validation:Optional AllowHostCertificates *bool `json:"allowHostCertificates,omitempty" tf:"allow_host_certificates,omitempty"` + // Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains. // +kubebuilder:validation:Optional AllowSubdomains *bool `json:"allowSubdomains,omitempty" tf:"allow_subdomains,omitempty"` + // Specifies if certificates are allowed to be signed for use as a 'user'. // +kubebuilder:validation:Optional AllowUserCertificates *bool `json:"allowUserCertificates,omitempty" tf:"allow_user_certificates,omitempty"` + // Specifies if users can override the key ID for a signed certificate with the key_id field. // +kubebuilder:validation:Optional AllowUserKeyIds *bool `json:"allowUserKeyIds,omitempty" tf:"allow_user_key_ids,omitempty"` + // Specifies a comma-separated list of critical options that certificates can have when signed. // +kubebuilder:validation:Optional AllowedCriticalOptions *string `json:"allowedCriticalOptions,omitempty" tf:"allowed_critical_options,omitempty"` + // The list of domains for which a client can request a host certificate. // +kubebuilder:validation:Optional AllowedDomains *string `json:"allowedDomains,omitempty" tf:"allowed_domains,omitempty"` + // Specifies a comma-separated list of extensions that certificates can have when signed. // +kubebuilder:validation:Optional AllowedExtensions *string `json:"allowedExtensions,omitempty" tf:"allowed_extensions,omitempty"` + // Set of configuration blocks to define allowed + // user key configuration, like key type and their lengths. Can be specified multiple times. 
+ // See // Set of allowed public key types and their relevant configuration // +kubebuilder:validation:Optional AllowedUserKeyConfig []AllowedUserKeyConfigParameters `json:"allowedUserKeyConfig,omitempty" tf:"allowed_user_key_config,omitempty"` + // Specifies a map of ssh key types and their expected sizes which + // are allowed to be signed by the CA type. + // Deprecated: use allowed_user_key_config instead // +kubebuilder:validation:Optional AllowedUserKeyLengths map[string]*float64 `json:"allowedUserKeyLengths,omitempty" tf:"allowed_user_key_lengths,omitempty"` + // Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed. // +kubebuilder:validation:Optional AllowedUsers *string `json:"allowedUsers,omitempty" tf:"allowed_users,omitempty"` + // Specifies if allowed_users can be declared using identity template policies. Non-templated users are also permitted. // +kubebuilder:validation:Optional AllowedUsersTemplate *bool `json:"allowedUsersTemplate,omitempty" tf:"allowed_users_template,omitempty"` + // The path where the SSH secret backend is mounted. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // The comma-separated string of CIDR blocks for which this role is applicable. // +kubebuilder:validation:Optional CidrList *string `json:"cidrList,omitempty" tf:"cidr_list,omitempty"` + // Specifies a map of critical options that certificates have when signed. // +kubebuilder:validation:Optional DefaultCriticalOptions map[string]*string `json:"defaultCriticalOptions,omitempty" tf:"default_critical_options,omitempty"` + // Specifies a map of extensions that certificates have when signed. // +kubebuilder:validation:Optional DefaultExtensions map[string]*string `json:"defaultExtensions,omitempty" tf:"default_extensions,omitempty"` + // Specifies the default username for which a credential will be generated. 
// +kubebuilder:validation:Optional DefaultUser *string `json:"defaultUser,omitempty" tf:"default_user,omitempty"` + // If set, default_users can be specified using identity template values. A non-templated user is also permitted. // +kubebuilder:validation:Optional DefaultUserTemplate *bool `json:"defaultUserTemplate,omitempty" tf:"default_user_template,omitempty"` + // Specifies a custom format for the key id of a signed certificate. // +kubebuilder:validation:Optional KeyIDFormat *string `json:"keyIdFormat,omitempty" tf:"key_id_format,omitempty"` + // Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca. // +kubebuilder:validation:Optional KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"` + // Specifies the maximum Time To Live value. // +kubebuilder:validation:Optional MaxTTL *string `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` + // Specifies the name of the role to create. // Unique name for the role. // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Specifies the Time To Live value. // +kubebuilder:validation:Optional TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` } 
@@ -177,6 +364,18 @@ type SecretBackendRoleParameters struct { type SecretBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendRoleParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretBackendRoleInitParameters `json:"initProvider,omitempty"` } // SecretBackendRoleStatus defines the observed state of SecretBackendRole. @@ -187,7 +386,7 @@ type SecretBackendRoleStatus struct { // +kubebuilder:object:root=true -// SecretBackendRole is the Schema for the SecretBackendRoles API. +// SecretBackendRole is the Schema for the SecretBackendRoles API. Managing roles in an SSH secret backend in Vault // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -197,9 +396,9 @@ type SecretBackendRoleStatus struct { type SecretBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.keyType)",message="keyType is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.keyType) || has(self.initProvider.keyType)",message="keyType is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" Spec SecretBackendRoleSpec `json:"spec"` Status SecretBackendRoleStatus `json:"status,omitempty"` } diff --git a/apis/terraform/v1alpha1/zz_cloudsecretbackend_types.go b/apis/terraform/v1alpha1/zz_cloudsecretbackend_types.go index 373a4842..4f021105 100755 --- a/apis/terraform/v1alpha1/zz_cloudsecretbackend_types.go +++ b/apis/terraform/v1alpha1/zz_cloudsecretbackend_types.go 
@@ -13,30 +13,76 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type CloudSecretBackendInitParameters struct { + + // 0.0.1:8500". + Address *string `json:"address,omitempty" tf:"address,omitempty"` + + // The unique location this backend should be mounted at. Must not begin or end with a / + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + BasePath *string `json:"basePath,omitempty" tf:"base_path,omitempty"` + + // The default TTL for credentials issued by this backend. + // Default lease duration for secrets in seconds + DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + + // A human-friendly description for this backend. + // Human-friendly description of the mount for the backend. + Description *string `json:"description,omitempty" tf:"description,omitempty"` + + // If set, opts out of mount migration on path updates. + // See here for more info on Mount Migration + // If set, opts out of mount migration on path updates. + DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + + // The maximum TTL that can be requested + // for credentials issued by this backend. + // Maximum possible lease duration for secrets in seconds + MaxLeaseTTLSeconds *float64 `json:"maxLeaseTtlSeconds,omitempty" tf:"max_lease_ttl_seconds,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` +} + type CloudSecretBackendObservation struct { // 0.0.1:8500". 
Address *string `json:"address,omitempty" tf:"address,omitempty"` - // unique name of the vault Upbound official provider cloud mount to configure + // The unique location this backend should be mounted at. Must not begin or end with a / Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` BasePath *string `json:"basePath,omitempty" tf:"base_path,omitempty"` + // The default TTL for credentials issued by this backend. // Default lease duration for secrets in seconds DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // A human-friendly description for this backend. // Human-friendly description of the mount for the backend. Description *string `json:"description,omitempty" tf:"description,omitempty"` + // If set, opts out of mount migration on path updates. + // See here for more info on Mount Migration // If set, opts out of mount migration on path updates. DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The maximum TTL that can be requested + // for credentials issued by this backend. // Maximum possible lease duration for secrets in seconds MaxLeaseTTLSeconds *float64 `json:"maxLeaseTtlSeconds,omitempty" tf:"max_lease_ttl_seconds,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` } 
@@ -47,29 +93,39 @@ type CloudSecretBackendParameters struct { // +kubebuilder:validation:Optional Address *string `json:"address,omitempty" tf:"address,omitempty"` - // unique name of the vault Upbound official provider cloud mount to configure + // The unique location this backend should be mounted at. Must not begin or end with a / // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` // +kubebuilder:validation:Optional BasePath *string `json:"basePath,omitempty" tf:"base_path,omitempty"` + // The default TTL for credentials issued by this backend. // Default lease duration for secrets in seconds // +kubebuilder:validation:Optional DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // A human-friendly description for this backend. // Human-friendly description of the mount for the backend. // +kubebuilder:validation:Optional Description *string `json:"description,omitempty" tf:"description,omitempty"` + // If set, opts out of mount migration on path updates. + // See here for more info on Mount Migration // If set, opts out of mount migration on path updates. // +kubebuilder:validation:Optional DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + // The maximum TTL that can be requested + // for credentials issued by this backend. // Maximum possible lease duration for secrets in seconds // +kubebuilder:validation:Optional MaxLeaseTTLSeconds *float64 `json:"maxLeaseTtlSeconds,omitempty" tf:"max_lease_ttl_seconds,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` 
@@ -82,6 +138,18 @@ type CloudSecretBackendParameters struct { type CloudSecretBackendSpec struct { v1.ResourceSpec `json:",inline"` ForProvider CloudSecretBackendParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider CloudSecretBackendInitParameters `json:"initProvider,omitempty"` } // CloudSecretBackendStatus defines the observed state of CloudSecretBackend. @@ -92,7 +160,7 @@ type CloudSecretBackendStatus struct { // +kubebuilder:object:root=true -// CloudSecretBackend is the Schema for the CloudSecretBackends API. +// CloudSecretBackend is the Schema for the CloudSecretBackends API. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" diff --git a/apis/terraform/v1alpha1/zz_cloudsecretcreds_types.go b/apis/terraform/v1alpha1/zz_cloudsecretcreds_types.go index a68ce217..e78ea983 100755 --- a/apis/terraform/v1alpha1/zz_cloudsecretcreds_types.go +++ b/apis/terraform/v1alpha1/zz_cloudsecretcreds_types.go 
@@ -13,35 +13,66 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type CloudSecretCredsInitParameters struct { + + // the path to the Upbound official provider cloud secret backend to + // read credentials from, with no leading or trailing /s. + // Upbound official provider cloud secret backend to generate tokens from + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Name of the role. + Role *string `json:"role,omitempty" tf:"role,omitempty"` +} + type CloudSecretCredsObservation struct { + // the path to the Upbound official provider cloud secret backend to + // read credentials from, with no leading or trailing /s. // Upbound official provider cloud secret backend to generate tokens from Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` - // name of the Upbound official provider cloud or enterprise organization + // The organization associated with the token provided Organization *string `json:"organization,omitempty" tf:"organization,omitempty"` // Name of the role. 
Role *string `json:"role,omitempty" tf:"role,omitempty"` - // g., settings/teams/team-xxxxxxxxxxxxx) + // The team id associated with the token provided.g., settings/teams/team-xxxxxxxxxxxxx) TeamID *string `json:"teamId,omitempty" tf:"team_id,omitempty"` - // id of the Upbound official provider token provided + // The public identifier for a specific token. It can be used + // to look up information about a token or to revoke a token TokenID *string `json:"tokenId,omitempty" tf:"token_id,omitempty"` } type CloudSecretCredsParameters struct { + // the path to the Upbound official provider cloud secret backend to + // read credentials from, with no leading or trailing /s. // Upbound official provider cloud secret backend to generate tokens from // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` 
@@ -55,6 +86,18 @@ type CloudSecretCredsParameters struct { type CloudSecretCredsSpec struct { v1.ResourceSpec `json:",inline"` ForProvider CloudSecretCredsParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider CloudSecretCredsInitParameters `json:"initProvider,omitempty"` } // CloudSecretCredsStatus defines the observed state of CloudSecretCreds. @@ -65,7 +108,7 @@ type CloudSecretCredsStatus struct { // +kubebuilder:object:root=true -// CloudSecretCreds is the Schema for the CloudSecretCredss API. +// CloudSecretCreds is the Schema for the CloudSecretCredss API. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -75,8 +118,8 @@ type CloudSecretCredsStatus struct { type CloudSecretCreds struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.role)",message="role is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.role) || has(self.initProvider.role)",message="role is a required parameter" Spec CloudSecretCredsSpec `json:"spec"` Status CloudSecretCredsStatus `json:"status,omitempty"` } diff --git a/apis/terraform/v1alpha1/zz_cloudsecretrole_types.go b/apis/terraform/v1alpha1/zz_cloudsecretrole_types.go index 7c05abea..ecac491a 100755 --- a/apis/terraform/v1alpha1/zz_cloudsecretrole_types.go +++ b/apis/terraform/v1alpha1/zz_cloudsecretrole_types.go 
@@ -13,23 +13,68 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type CloudSecretRoleInitParameters struct { + + // Must not begin or end with a /. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // Maximum TTL for leases associated with this role, in seconds. + // Maximum allowed lease for generated credentials. If not set or set to 0, will use system default. + MaxTTL *float64 `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` + + // the name of the Upbound official provider cloud secrets engine role to create. + // the name of an existing role against which to create this Upbound official provider cloud credential + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // the organization name managing your Upbound official provider cloud instance. + // name of the Upbound official provider cloud or enterprise organization + Organization *string `json:"organization,omitempty" tf:"organization,omitempty"` + + // Specifies the TTL for this role. + // Default lease for generated credentials. If not set or set to 0, will use system default. + TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"` + + // g., settings/teams/team-xxxxxxxxxxxxx) + TeamID *string `json:"teamId,omitempty" tf:"team_id,omitempty"` + + // g., user-xxxxxxxxxxxxxxxx) + UserID *string `json:"userId,omitempty" tf:"user_id,omitempty"` +} + type CloudSecretRoleObservation struct { + + // Must not begin or end with a /. 
Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // Maximum TTL for leases associated with this role, in seconds. // Maximum allowed lease for generated credentials. If not set or set to 0, will use system default. MaxTTL *float64 `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` + // the name of the Upbound official provider cloud secrets engine role to create. // the name of an existing role against which to create this Upbound official provider cloud credential Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // the organization name managing your Upbound official provider cloud instance. // name of the Upbound official provider cloud or enterprise organization Organization *string `json:"organization,omitempty" tf:"organization,omitempty"` + // Specifies the TTL for this role. // Default lease for generated credentials. If not set or set to 0, will use system default. TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"` 
@@ -42,25 +87,34 @@ type CloudSecretRoleObservation struct { type CloudSecretRoleParameters struct { + // Must not begin or end with a /. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Maximum TTL for leases associated with this role, in seconds. // Maximum allowed lease for generated credentials. If not set or set to 0, will use system default. // +kubebuilder:validation:Optional MaxTTL *float64 `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` + // the name of the Upbound official provider cloud secrets engine role to create. // the name of an existing role against which to create this Upbound official provider cloud credential // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // the organization name managing your Upbound official provider cloud instance. // name of the Upbound official provider cloud or enterprise organization // +kubebuilder:validation:Optional Organization *string `json:"organization,omitempty" tf:"organization,omitempty"` + // Specifies the TTL for this role. // Default lease for generated credentials. If not set or set to 0, will use system default. // +kubebuilder:validation:Optional TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"` 
@@ -78,6 +132,18 @@ type CloudSecretRoleParameters struct { type CloudSecretRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider CloudSecretRoleParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider CloudSecretRoleInitParameters `json:"initProvider,omitempty"` } // CloudSecretRoleStatus defines the observed state of CloudSecretRole. @@ -88,7 +154,7 @@ type CloudSecretRoleStatus struct { // +kubebuilder:object:root=true -// CloudSecretRole is the Schema for the CloudSecretRoles API. +// CloudSecretRole is the Schema for the CloudSecretRoles API. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -98,7 +164,7 @@ type CloudSecretRoleStatus struct { type CloudSecretRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" Spec CloudSecretRoleSpec `json:"spec"` Status CloudSecretRoleStatus `json:"status,omitempty"` } diff --git a/apis/terraform/v1alpha1/zz_generated.deepcopy.go b/apis/terraform/v1alpha1/zz_generated.deepcopy.go index f68c8396..7dbf8efe 100644 --- a/apis/terraform/v1alpha1/zz_generated.deepcopy.go +++ b/apis/terraform/v1alpha1/zz_generated.deepcopy.go 
@@ -41,6 +41,61 @@ func (in *CloudSecretBackend) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CloudSecretBackendInitParameters) DeepCopyInto(out *CloudSecretBackendInitParameters) { + *out = *in + if in.Address != nil { + in, out := &in.Address, &out.Address + *out = new(string) + **out = **in + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.BasePath != nil { + in, out := &in.BasePath, &out.BasePath + *out = new(string) + **out = **in + } + if in.DefaultLeaseTTLSeconds != nil { + in, out := &in.DefaultLeaseTTLSeconds, &out.DefaultLeaseTTLSeconds + *out = new(float64) + **out = **in + } + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.DisableRemount != nil { + in, out := &in.DisableRemount, &out.DisableRemount + *out = new(bool) + **out = **in + } + if in.MaxLeaseTTLSeconds != nil { + in, out := &in.MaxLeaseTTLSeconds, &out.MaxLeaseTTLSeconds + *out = new(float64) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudSecretBackendInitParameters. +func (in *CloudSecretBackendInitParameters) DeepCopy() *CloudSecretBackendInitParameters { + if in == nil { + return nil + } + out := new(CloudSecretBackendInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CloudSecretBackendList) DeepCopyInto(out *CloudSecretBackendList) { *out = *in 
@@ -198,6 +253,7 @@ func (in *CloudSecretBackendSpec) DeepCopyInto(out *CloudSecretBackendSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudSecretBackendSpec. @@ -254,6 +310,36 @@ func (in *CloudSecretCreds) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CloudSecretCredsInitParameters) DeepCopyInto(out *CloudSecretCredsInitParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Role != nil { + in, out := &in.Role, &out.Role + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudSecretCredsInitParameters. +func (in *CloudSecretCredsInitParameters) DeepCopy() *CloudSecretCredsInitParameters { + if in == nil { + return nil + } + out := new(CloudSecretCredsInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CloudSecretCredsList) DeepCopyInto(out *CloudSecretCredsList) { *out = *in @@ -371,6 +457,7 @@ func (in *CloudSecretCredsSpec) DeepCopyInto(out *CloudSecretCredsSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudSecretCredsSpec. 
@@ -427,6 +514,61 @@ func (in *CloudSecretRole) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CloudSecretRoleInitParameters) DeepCopyInto(out *CloudSecretRoleInitParameters) { + *out = *in + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.MaxTTL != nil { + in, out := &in.MaxTTL, &out.MaxTTL + *out = new(float64) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Organization != nil { + in, out := &in.Organization, &out.Organization + *out = new(string) + **out = **in + } + if in.TTL != nil { + in, out := &in.TTL, &out.TTL + *out = new(float64) + **out = **in + } + if in.TeamID != nil { + in, out := &in.TeamID, &out.TeamID + *out = new(string) + **out = **in + } + if in.UserID != nil { + in, out := &in.UserID, &out.UserID + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudSecretRoleInitParameters. +func (in *CloudSecretRoleInitParameters) DeepCopy() *CloudSecretRoleInitParameters { + if in == nil { + return nil + } + out := new(CloudSecretRoleInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CloudSecretRoleList) DeepCopyInto(out *CloudSecretRoleList) { *out = *in 
@@ -579,6 +721,7 @@ func (in *CloudSecretRoleSpec) DeepCopyInto(out *CloudSecretRoleSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudSecretRoleSpec. diff --git a/apis/terraform/v1alpha1/zz_generated.managed.go b/apis/terraform/v1alpha1/zz_generated.managed.go index d8f66ad3..7d8e2ab2 100644 --- a/apis/terraform/v1alpha1/zz_generated.managed.go +++ b/apis/terraform/v1alpha1/zz_generated.managed.go @@ -17,9 +17,9 @@ func (mg *CloudSecretBackend) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this CloudSecretBackend. -func (mg *CloudSecretBackend) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this CloudSecretBackend. +func (mg *CloudSecretBackend) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this CloudSecretBackend. @@ -55,9 +55,9 @@ func (mg *CloudSecretBackend) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this CloudSecretBackend. -func (mg *CloudSecretBackend) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this CloudSecretBackend. +func (mg *CloudSecretBackend) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this CloudSecretBackend. 
@@ -93,9 +93,9 @@ func (mg *CloudSecretCreds) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this CloudSecretCreds. -func (mg *CloudSecretCreds) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this CloudSecretCreds. +func (mg *CloudSecretCreds) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this CloudSecretCreds. @@ -131,9 +131,9 @@ func (mg *CloudSecretCreds) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this CloudSecretCreds. -func (mg *CloudSecretCreds) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this CloudSecretCreds. +func (mg *CloudSecretCreds) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this CloudSecretCreds. @@ -169,9 +169,9 @@ func (mg *CloudSecretRole) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this CloudSecretRole. -func (mg *CloudSecretRole) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this CloudSecretRole. +func (mg *CloudSecretRole) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this CloudSecretRole. @@ -207,9 +207,9 @@ func (mg *CloudSecretRole) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this CloudSecretRole. -func (mg *CloudSecretRole) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this CloudSecretRole. +func (mg *CloudSecretRole) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this CloudSecretRole. 
diff --git a/apis/terraform/v1alpha1/zz_generated_terraformed.go b/apis/terraform/v1alpha1/zz_generated_terraformed.go index 4687ff12..24d6af24 100755 --- a/apis/terraform/v1alpha1/zz_generated_terraformed.go +++ b/apis/terraform/v1alpha1/zz_generated_terraformed.go @@ -69,6 +69,16 @@ func (tr *CloudSecretBackend) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this CloudSecretBackend +func (tr *CloudSecretBackend) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this CloudSecretBackend using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *CloudSecretBackend) LateInitialize(attrs []byte) (bool, error) { @@ -143,6 +153,16 @@ func (tr *CloudSecretCreds) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this CloudSecretCreds +func (tr *CloudSecretCreds) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this CloudSecretCreds using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *CloudSecretCreds) LateInitialize(attrs []byte) (bool, error) { 
@@ -217,6 +237,16 @@ func (tr *CloudSecretRole) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this CloudSecretRole +func (tr *CloudSecretRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this CloudSecretRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *CloudSecretRole) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/token/v1alpha1/zz_authbackendrole_types.go b/apis/token/v1alpha1/zz_authbackendrole_types.go index 0945ab1c..d069ddab 100755 --- a/apis/token/v1alpha1/zz_authbackendrole_types.go +++ b/apis/token/v1alpha1/zz_authbackendrole_types.go 
@@ -13,130 +13,294 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AuthBackendRoleInitParameters struct { + + // List of allowed entity aliases. + // Set of allowed entity aliases for this role. + AllowedEntityAliases []*string `json:"allowedEntityAliases,omitempty" tf:"allowed_entity_aliases,omitempty"` + + // List of allowed policies for given role. + // List of allowed policies for given role. + AllowedPolicies []*string `json:"allowedPolicies,omitempty" tf:"allowed_policies,omitempty"` + + // Set of allowed policies with glob match for given role. + // Set of allowed policies with glob match for given role. + AllowedPoliciesGlob []*string `json:"allowedPoliciesGlob,omitempty" tf:"allowed_policies_glob,omitempty"` + + // List of disallowed policies for given role. + // List of disallowed policies for given role. + DisallowedPolicies []*string `json:"disallowedPolicies,omitempty" tf:"disallowed_policies,omitempty"` + + // Set of disallowed policies with glob match for given role. + // Set of disallowed policies with glob match for given role. + DisallowedPoliciesGlob []*string `json:"disallowedPoliciesGlob,omitempty" tf:"disallowed_policies_glob,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // If true, tokens created against this policy will be orphan tokens. + // If true, tokens created against this policy will be orphan tokens. + Orphan *bool `json:"orphan,omitempty" tf:"orphan,omitempty"` + + // Tokens created against this role will have the given suffix as part of their path in addition to the role name. 
+ // Tokens created against this role will have the given suffix as part of their path in addition to the role name. + PathSuffix *string `json:"pathSuffix,omitempty" tf:"path_suffix,omitempty"` + + // Whether to disable the ability of the token to be renewed past its initial TTL. + // Whether to disable the ability of the token to be renewed past its initial TTL. + Renewable *bool `json:"renewable,omitempty" tf:"renewable,omitempty"` + + // The name of the role. + // Name of the role. + RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"` + + // List of CIDR blocks; if set, specifies blocks of IP + // addresses which can authenticate successfully, and ties the resulting token to these blocks + // as well. + // Specifies the blocks of IP addresses which are allowed to use the generated token + TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + + // If set, will encode an + // explicit max TTL + // onto the token in number of seconds. This is a hard cap even if token_ttl and + // token_max_ttl would otherwise allow a renewal. + // Generated Token's Explicit Maximum TTL in seconds + TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + + // The maximum lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. + // The maximum lifetime of the generated token + TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + + // If set, the default policy will not be set on + // generated tokens; otherwise it will be added to the policies set in token_policies. + // If true, the 'default' policy will not automatically be added to generated tokens + TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + + // The maximum number + // of times a generated token may be used (within its lifetime); 0 means unlimited. 
+ // The maximum number of times a token may be used, a value of zero means unlimited + TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + + // If set, indicates that the + // token generated using this role should never expire. The token should be renewed within the + // duration specified by this value. At each renewal, the token's TTL will be set to the + // value of this field. Specified in seconds. + // Generated Token's Period + TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + + // Generated Token's Policies + TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + + // The incremental lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. + // The initial ttl of the token to generate in seconds + TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + + // The type of token that should be generated. Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. + // The type of token to generate, service or batch + TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` +} + type AuthBackendRoleObservation struct { + // List of allowed entity aliases. // Set of allowed entity aliases for this role. AllowedEntityAliases []*string `json:"allowedEntityAliases,omitempty" tf:"allowed_entity_aliases,omitempty"` + // List of allowed policies for given role. // List of allowed policies for given role. AllowedPolicies []*string `json:"allowedPolicies,omitempty" tf:"allowed_policies,omitempty"` + // Set of allowed policies with glob match for given role. // Set of allowed policies with glob match for given role. 
AllowedPoliciesGlob []*string `json:"allowedPoliciesGlob,omitempty" tf:"allowed_policies_glob,omitempty"` + // List of disallowed policies for given role. // List of disallowed policies for given role. DisallowedPolicies []*string `json:"disallowedPolicies,omitempty" tf:"disallowed_policies,omitempty"` + // Set of disallowed policies with glob match for given role. // Set of disallowed policies with glob match for given role. DisallowedPoliciesGlob []*string `json:"disallowedPoliciesGlob,omitempty" tf:"disallowed_policies_glob,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // If true, tokens created against this policy will be orphan tokens. // If true, tokens created against this policy will be orphan tokens. Orphan *bool `json:"orphan,omitempty" tf:"orphan,omitempty"` + // Tokens created against this role will have the given suffix as part of their path in addition to the role name. // Tokens created against this role will have the given suffix as part of their path in addition to the role name. PathSuffix *string `json:"pathSuffix,omitempty" tf:"path_suffix,omitempty"` + // Whether to disable the ability of the token to be renewed past its initial TTL. // Whether to disable the ability of the token to be renewed past its initial TTL. Renewable *bool `json:"renewable,omitempty" tf:"renewable,omitempty"` + // The name of the role. // Name of the role. RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"` + // List of CIDR blocks; if set, specifies blocks of IP + // addresses which can authenticate successfully, and ties the resulting token to these blocks + // as well. 
// Specifies the blocks of IP addresses which are allowed to use the generated token TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + // If set, will encode an + // explicit max TTL + // onto the token in number of seconds. This is a hard cap even if token_ttl and + // token_max_ttl would otherwise allow a renewal. // Generated Token's Explicit Maximum TTL in seconds TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + // The maximum lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. // The maximum lifetime of the generated token TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + // If set, the default policy will not be set on + // generated tokens; otherwise it will be added to the policies set in token_policies. // If true, the 'default' policy will not automatically be added to generated tokens TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + // The maximum number + // of times a generated token may be used (within its lifetime); 0 means unlimited. // The maximum number of times a token may be used, a value of zero means unlimited TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + // If set, indicates that the + // token generated using this role should never expire. The token should be renewed within the + // duration specified by this value. At each renewal, the token's TTL will be set to the + // value of this field. Specified in seconds. // Generated Token's Period TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` // Generated Token's Policies TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + // The incremental lifetime for generated tokens in number of seconds. 
+ // Its current value will be referenced at renewal time. // The initial ttl of the token to generate in seconds TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + // The type of token that should be generated. Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. // The type of token to generate, service or batch TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` } type AuthBackendRoleParameters struct { + // List of allowed entity aliases. // Set of allowed entity aliases for this role. // +kubebuilder:validation:Optional AllowedEntityAliases []*string `json:"allowedEntityAliases,omitempty" tf:"allowed_entity_aliases,omitempty"` + // List of allowed policies for given role. // List of allowed policies for given role. // +kubebuilder:validation:Optional AllowedPolicies []*string `json:"allowedPolicies,omitempty" tf:"allowed_policies,omitempty"` + // Set of allowed policies with glob match for given role. // Set of allowed policies with glob match for given role. // +kubebuilder:validation:Optional AllowedPoliciesGlob []*string `json:"allowedPoliciesGlob,omitempty" tf:"allowed_policies_glob,omitempty"` + // List of disallowed policies for given role. // List of disallowed policies for given role. // +kubebuilder:validation:Optional DisallowedPolicies []*string `json:"disallowedPolicies,omitempty" tf:"disallowed_policies,omitempty"` + // Set of disallowed policies with glob match for given role. // Set of disallowed policies with glob match for given role. // +kubebuilder:validation:Optional DisallowedPoliciesGlob []*string `json:"disallowedPoliciesGlob,omitempty" tf:"disallowed_policies_glob,omitempty"` + // The namespace to provision the resource in. 
+ // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // If true, tokens created against this policy will be orphan tokens. // If true, tokens created against this policy will be orphan tokens. // +kubebuilder:validation:Optional Orphan *bool `json:"orphan,omitempty" tf:"orphan,omitempty"` + // Tokens created against this role will have the given suffix as part of their path in addition to the role name. // Tokens created against this role will have the given suffix as part of their path in addition to the role name. // +kubebuilder:validation:Optional PathSuffix *string `json:"pathSuffix,omitempty" tf:"path_suffix,omitempty"` + // Whether to disable the ability of the token to be renewed past its initial TTL. // Whether to disable the ability of the token to be renewed past its initial TTL. // +kubebuilder:validation:Optional Renewable *bool `json:"renewable,omitempty" tf:"renewable,omitempty"` + // The name of the role. // Name of the role. // +kubebuilder:validation:Optional RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"` + // List of CIDR blocks; if set, specifies blocks of IP + // addresses which can authenticate successfully, and ties the resulting token to these blocks + // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token // +kubebuilder:validation:Optional TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + // If set, will encode an + // explicit max TTL + // onto the token in number of seconds. This is a hard cap even if token_ttl and + // token_max_ttl would otherwise allow a renewal. 
// Generated Token's Explicit Maximum TTL in seconds // +kubebuilder:validation:Optional TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + // The maximum lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. // The maximum lifetime of the generated token // +kubebuilder:validation:Optional TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + // If set, the default policy will not be set on + // generated tokens; otherwise it will be added to the policies set in token_policies. // If true, the 'default' policy will not automatically be added to generated tokens // +kubebuilder:validation:Optional TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + // The maximum number + // of times a generated token may be used (within its lifetime); 0 means unlimited. // The maximum number of times a token may be used, a value of zero means unlimited // +kubebuilder:validation:Optional TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + // If set, indicates that the + // token generated using this role should never expire. The token should be renewed within the + // duration specified by this value. At each renewal, the token's TTL will be set to the + // value of this field. Specified in seconds. // Generated Token's Period // +kubebuilder:validation:Optional TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` 
@@ -145,10 +309,17 @@ type AuthBackendRoleParameters struct { // +kubebuilder:validation:Optional TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + // The incremental lifetime for generated tokens in number of seconds. + // Its current value will be referenced at renewal time. // The initial ttl of the token to generate in seconds // +kubebuilder:validation:Optional TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + // The type of token that should be generated. Can be service, + // batch, or default to use the mount's tuned default (which unless changed will be + // service tokens). For token store roles, there are two additional possibilities: + // default-service and default-batch which specify the type to return unless the client + // requests a different type at generation time. // The type of token to generate, service or batch // +kubebuilder:validation:Optional TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` 
@@ -158,6 +329,18 @@ type AuthBackendRoleParameters struct { type AuthBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendRoleParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider AuthBackendRoleInitParameters `json:"initProvider,omitempty"` } // AuthBackendRoleStatus defines the observed state of AuthBackendRole. @@ -168,7 +351,7 @@ type AuthBackendRoleStatus struct { // +kubebuilder:object:root=true -// AuthBackendRole is the Schema for the AuthBackendRoles API. +// AuthBackendRole is the Schema for the AuthBackendRoles API. Manages Token auth backend roles in Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -178,7 +361,7 @@ type AuthBackendRoleStatus struct { type AuthBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.roleName)",message="roleName is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.roleName) || has(self.initProvider.roleName)",message="roleName is a required parameter" Spec AuthBackendRoleSpec `json:"spec"` Status AuthBackendRoleStatus `json:"status,omitempty"` } diff --git a/apis/token/v1alpha1/zz_generated.deepcopy.go b/apis/token/v1alpha1/zz_generated.deepcopy.go index 55b2835c..2704388b 100644 --- a/apis/token/v1alpha1/zz_generated.deepcopy.go +++ b/apis/token/v1alpha1/zz_generated.deepcopy.go 
@@ -40,6 +40,158 @@ func (in *AuthBackendRole) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthBackendRoleInitParameters) DeepCopyInto(out *AuthBackendRoleInitParameters) { + *out = *in + if in.AllowedEntityAliases != nil { + in, out := &in.AllowedEntityAliases, &out.AllowedEntityAliases + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.AllowedPolicies != nil { + in, out := &in.AllowedPolicies, &out.AllowedPolicies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.AllowedPoliciesGlob != nil { + in, out := &in.AllowedPoliciesGlob, &out.AllowedPoliciesGlob + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.DisallowedPolicies != nil { + in, out := &in.DisallowedPolicies, &out.DisallowedPolicies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.DisallowedPoliciesGlob != nil { + in, out := &in.DisallowedPoliciesGlob, &out.DisallowedPoliciesGlob + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Orphan != nil { + in, out := &in.Orphan, &out.Orphan + *out = new(bool) + **out = **in + } + if in.PathSuffix != nil { + in, out := &in.PathSuffix, &out.PathSuffix + *out = new(string) + **out = **in + } + if in.Renewable != nil { + in, out := 
&in.Renewable, &out.Renewable + *out = new(bool) + **out = **in + } + if in.RoleName != nil { + in, out := &in.RoleName, &out.RoleName + *out = new(string) + **out = **in + } + if in.TokenBoundCidrs != nil { + in, out := &in.TokenBoundCidrs, &out.TokenBoundCidrs + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenExplicitMaxTTL != nil { + in, out := &in.TokenExplicitMaxTTL, &out.TokenExplicitMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenMaxTTL != nil { + in, out := &in.TokenMaxTTL, &out.TokenMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenNoDefaultPolicy != nil { + in, out := &in.TokenNoDefaultPolicy, &out.TokenNoDefaultPolicy + *out = new(bool) + **out = **in + } + if in.TokenNumUses != nil { + in, out := &in.TokenNumUses, &out.TokenNumUses + *out = new(float64) + **out = **in + } + if in.TokenPeriod != nil { + in, out := &in.TokenPeriod, &out.TokenPeriod + *out = new(float64) + **out = **in + } + if in.TokenPolicies != nil { + in, out := &in.TokenPolicies, &out.TokenPolicies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenTTL != nil { + in, out := &in.TokenTTL, &out.TokenTTL + *out = new(float64) + **out = **in + } + if in.TokenType != nil { + in, out := &in.TokenType, &out.TokenType + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleInitParameters. +func (in *AuthBackendRoleInitParameters) DeepCopy() *AuthBackendRoleInitParameters { + if in == nil { + return nil + } + out := new(AuthBackendRoleInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
func (in *AuthBackendRoleList) DeepCopyInto(out *AuthBackendRoleList) { *out = *in @@ -386,6 +538,7 @@ func (in *AuthBackendRoleSpec) DeepCopyInto(out *AuthBackendRoleSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleSpec. diff --git a/apis/token/v1alpha1/zz_generated.managed.go b/apis/token/v1alpha1/zz_generated.managed.go index b79200d3..836c358b 100644 --- a/apis/token/v1alpha1/zz_generated.managed.go +++ b/apis/token/v1alpha1/zz_generated.managed.go @@ -17,9 +17,9 @@ func (mg *AuthBackendRole) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this AuthBackendRole. -func (mg *AuthBackendRole) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this AuthBackendRole. +func (mg *AuthBackendRole) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this AuthBackendRole. @@ -55,9 +55,9 @@ func (mg *AuthBackendRole) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this AuthBackendRole. -func (mg *AuthBackendRole) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this AuthBackendRole. +func (mg *AuthBackendRole) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this AuthBackendRole. diff --git a/apis/token/v1alpha1/zz_generated_terraformed.go b/apis/token/v1alpha1/zz_generated_terraformed.go index bcb5257e..87c9ba69 100755 --- a/apis/token/v1alpha1/zz_generated_terraformed.go +++ b/apis/token/v1alpha1/zz_generated_terraformed.go 
@@ -69,6 +69,16 @@ func (tr *AuthBackendRole) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this AuthBackendRole +func (tr *AuthBackendRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this AuthBackendRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackendRole) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/transform/v1alpha1/zz_alphabet_types.go b/apis/transform/v1alpha1/zz_alphabet_types.go index 70213fe6..9eb7bad3 100755 --- a/apis/transform/v1alpha1/zz_alphabet_types.go +++ b/apis/transform/v1alpha1/zz_alphabet_types.go 
@@ -13,37 +13,73 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AlphabetInitParameters struct { + + // A string of characters that contains the alphabet set. + // A string of characters that contains the alphabet set. + Alphabet *string `json:"alphabet,omitempty" tf:"alphabet,omitempty"` + + // The name of the alphabet. + // The name of the alphabet. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Path to where the back-end is mounted within Vault. + // The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". + Path *string `json:"path,omitempty" tf:"path,omitempty"` +} + type AlphabetObservation struct { + // A string of characters that contains the alphabet set. // A string of characters that contains the alphabet set. Alphabet *string `json:"alphabet,omitempty" tf:"alphabet,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The name of the alphabet. // The name of the alphabet. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Path to where the back-end is mounted within Vault. // The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". 
Path *string `json:"path,omitempty" tf:"path,omitempty"` } type AlphabetParameters struct { + // A string of characters that contains the alphabet set. // A string of characters that contains the alphabet set. // +kubebuilder:validation:Optional Alphabet *string `json:"alphabet,omitempty" tf:"alphabet,omitempty"` + // The name of the alphabet. // The name of the alphabet. // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Path to where the back-end is mounted within Vault. // The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` 
@@ -53,6 +89,18 @@ type AlphabetParameters struct { type AlphabetSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AlphabetParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider AlphabetInitParameters `json:"initProvider,omitempty"` } // AlphabetStatus defines the observed state of Alphabet. @@ -63,7 +111,7 @@ type AlphabetStatus struct { // +kubebuilder:object:root=true -// Alphabet is the Schema for the Alphabets API. +// Alphabet is the Schema for the Alphabets API. "/transform/alphabet/{name}" // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -73,8 +121,8 @@ type AlphabetStatus struct { type Alphabet struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path)",message="path is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter" Spec AlphabetSpec `json:"spec"` Status AlphabetStatus `json:"status,omitempty"` } diff --git a/apis/transform/v1alpha1/zz_generated.deepcopy.go b/apis/transform/v1alpha1/zz_generated.deepcopy.go index 7fdde48f..3950a775 100644 --- a/apis/transform/v1alpha1/zz_generated.deepcopy.go +++ b/apis/transform/v1alpha1/zz_generated.deepcopy.go 
@@ -40,6 +40,41 @@ func (in *Alphabet) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AlphabetInitParameters) DeepCopyInto(out *AlphabetInitParameters) { + *out = *in + if in.Alphabet != nil { + in, out := &in.Alphabet, &out.Alphabet + *out = new(string) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlphabetInitParameters. +func (in *AlphabetInitParameters) DeepCopy() *AlphabetInitParameters { + if in == nil { + return nil + } + out := new(AlphabetInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AlphabetList) DeepCopyInto(out *AlphabetList) { *out = *in @@ -152,6 +187,7 @@ func (in *AlphabetSpec) DeepCopyInto(out *AlphabetSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlphabetSpec. 
@@ -208,6 +244,47 @@ func (in *Role) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RoleInitParameters) DeepCopyInto(out *RoleInitParameters) { + *out = *in + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = **in + } + if in.Transformations != nil { + in, out := &in.Transformations, &out.Transformations + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleInitParameters. +func (in *RoleInitParameters) DeepCopy() *RoleInitParameters { + if in == nil { + return nil + } + out := new(RoleInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RoleList) DeepCopyInto(out *RoleList) { *out = *in @@ -332,6 +409,7 @@ func (in *RoleSpec) DeepCopyInto(out *RoleSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleSpec. 
@@ -388,6 +466,71 @@ func (in *Template) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TemplateInitParameters) DeepCopyInto(out *TemplateInitParameters) { + *out = *in + if in.Alphabet != nil { + in, out := &in.Alphabet, &out.Alphabet + *out = new(string) + **out = **in + } + if in.DecodeFormats != nil { + in, out := &in.DecodeFormats, &out.DecodeFormats + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.EncodeFormat != nil { + in, out := &in.EncodeFormat, &out.EncodeFormat + *out = new(string) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = **in + } + if in.Pattern != nil { + in, out := &in.Pattern, &out.Pattern + *out = new(string) + **out = **in + } + if in.Type != nil { + in, out := &in.Type, &out.Type + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TemplateInitParameters. +func (in *TemplateInitParameters) DeepCopy() *TemplateInitParameters { + if in == nil { + return nil + } + out := new(TemplateInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TemplateList) DeepCopyInto(out *TemplateList) { *out = *in 
@@ -560,6 +703,7 @@ func (in *TemplateSpec) DeepCopyInto(out *TemplateSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TemplateSpec. 
@@ -616,6 +760,83 @@ func (in *Transformation) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TransformationInitParameters) DeepCopyInto(out *TransformationInitParameters) { + *out = *in + if in.AllowedRoles != nil { + in, out := &in.AllowedRoles, &out.AllowedRoles + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.DeletionAllowed != nil { + in, out := &in.DeletionAllowed, &out.DeletionAllowed + *out = new(bool) + **out = **in + } + if in.MaskingCharacter != nil { + in, out := &in.MaskingCharacter, &out.MaskingCharacter + *out = new(string) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = **in + } + if in.Template != nil { + in, out := &in.Template, &out.Template + *out = new(string) + **out = **in + } + if in.Templates != nil { + in, out := &in.Templates, &out.Templates + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TweakSource != nil { + in, out := &in.TweakSource, &out.TweakSource + *out = new(string) + **out = **in + } + if in.Type != nil { + in, out := &in.Type, &out.Type + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TransformationInitParameters. 
+func (in *TransformationInitParameters) DeepCopy() *TransformationInitParameters { + if in == nil { + return nil + } + out := new(TransformationInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TransformationList) DeepCopyInto(out *TransformationList) { *out = *in @@ -812,6 +1033,7 @@ func (in *TransformationSpec) DeepCopyInto(out *TransformationSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TransformationSpec. diff --git a/apis/transform/v1alpha1/zz_generated.managed.go b/apis/transform/v1alpha1/zz_generated.managed.go index f034021e..fc7369b7 100644 --- a/apis/transform/v1alpha1/zz_generated.managed.go +++ b/apis/transform/v1alpha1/zz_generated.managed.go @@ -17,9 +17,9 @@ func (mg *Alphabet) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this Alphabet. -func (mg *Alphabet) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this Alphabet. +func (mg *Alphabet) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this Alphabet. @@ -55,9 +55,9 @@ func (mg *Alphabet) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this Alphabet. -func (mg *Alphabet) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this Alphabet. +func (mg *Alphabet) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this Alphabet. 
@@ -93,9 +93,9 @@ func (mg *Role) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this Role. -func (mg *Role) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this Role. +func (mg *Role) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this Role. @@ -131,9 +131,9 @@ func (mg *Role) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this Role. -func (mg *Role) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this Role. +func (mg *Role) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this Role. @@ -169,9 +169,9 @@ func (mg *Template) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this Template. -func (mg *Template) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this Template. +func (mg *Template) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this Template. @@ -207,9 +207,9 @@ func (mg *Template) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this Template. -func (mg *Template) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this Template. +func (mg *Template) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this Template. 
@@ -245,9 +245,9 @@ func (mg *Transformation) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this Transformation. -func (mg *Transformation) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this Transformation. +func (mg *Transformation) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this Transformation. @@ -283,9 +283,9 @@ func (mg *Transformation) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this Transformation. -func (mg *Transformation) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this Transformation. +func (mg *Transformation) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this Transformation. diff --git a/apis/transform/v1alpha1/zz_generated_terraformed.go b/apis/transform/v1alpha1/zz_generated_terraformed.go index 489a81f2..f1ca095f 100755 --- a/apis/transform/v1alpha1/zz_generated_terraformed.go +++ b/apis/transform/v1alpha1/zz_generated_terraformed.go @@ -69,6 +69,16 @@ func (tr *Alphabet) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this Alphabet +func (tr *Alphabet) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this Alphabet using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *Alphabet) LateInitialize(attrs []byte) (bool, error) { 
@@ -143,6 +153,16 @@ func (tr *Role) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this Role +func (tr *Role) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this Role using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *Role) LateInitialize(attrs []byte) (bool, error) { @@ -217,6 +237,16 @@ func (tr *Template) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this Template +func (tr *Template) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this Template using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *Template) LateInitialize(attrs []byte) (bool, error) { @@ -291,6 +321,16 @@ func (tr *Transformation) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this Transformation +func (tr *Transformation) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this Transformation using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *Transformation) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/transform/v1alpha1/zz_role_types.go b/apis/transform/v1alpha1/zz_role_types.go index 33354760..3ec2e9f9 100755 
--- a/apis/transform/v1alpha1/zz_role_types.go +++ b/apis/transform/v1alpha1/zz_role_types.go 
@@ -13,36 +13,72 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type RoleInitParameters struct { + + // The name of the role. + // The name of the role. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Path to where the back-end is mounted within Vault. + // The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". + Path *string `json:"path,omitempty" tf:"path,omitempty"` + + // A comma separated string or slice of transformations to use. + // A comma separated string or slice of transformations to use. + Transformations []*string `json:"transformations,omitempty" tf:"transformations,omitempty"` +} + type RoleObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The name of the role. // The name of the role. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Path to where the back-end is mounted within Vault. // The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". Path *string `json:"path,omitempty" tf:"path,omitempty"` + // A comma separated string or slice of transformations to use. // A comma separated string or slice of transformations to use. 
Transformations []*string `json:"transformations,omitempty" tf:"transformations,omitempty"` } type RoleParameters struct { + // The name of the role. // The name of the role. // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Path to where the back-end is mounted within Vault. // The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` + // A comma separated string or slice of transformations to use. // A comma separated string or slice of transformations to use. // +kubebuilder:validation:Optional Transformations []*string `json:"transformations,omitempty" tf:"transformations,omitempty"` 
@@ -52,6 +88,18 @@ type RoleParameters struct { type RoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider RoleParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider RoleInitParameters `json:"initProvider,omitempty"` } // RoleStatus defines the observed state of Role. @@ -62,7 +110,7 @@ type RoleStatus struct { // +kubebuilder:object:root=true -// Role is the Schema for the Roles API. +// Role is the Schema for the Roles API. "/transform/role/{name}" // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -72,8 +120,8 @@ type RoleStatus struct { type Role struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path)",message="path is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter" Spec RoleSpec `json:"spec"` Status RoleStatus `json:"status,omitempty"` } diff --git a/apis/transform/v1alpha1/zz_template_types.go b/apis/transform/v1alpha1/zz_template_types.go index f04f1f78..afcd6b98 100755 --- a/apis/transform/v1alpha1/zz_template_types.go +++ b/apis/transform/v1alpha1/zz_template_types.go 
@@ -13,69 +13,137 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type TemplateInitParameters struct { + + // The alphabet to use for this template. This is only used during FPE transformations. + // The alphabet to use for this template. This is only used during FPE transformations. + Alphabet *string `json:"alphabet,omitempty" tf:"alphabet,omitempty"` + + // - Optional mapping of name to regular expression template, used to customize + // the decoded output. (requires Vault Enterprise 1.9+) + // The map of regular expression templates used to customize decoded outputs. + // Only applicable to FPE transformations. + DecodeFormats map[string]*string `json:"decodeFormats,omitempty" tf:"decode_formats,omitempty"` + + // - The regular expression template used to format encoded values. + // (requires Vault Enterprise 1.9+) + // The regular expression template used for encoding values. + // Only applicable to FPE transformations. + EncodeFormat *string `json:"encodeFormat,omitempty" tf:"encode_format,omitempty"` + + // The name of the template. + // The name of the template. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Path to where the back-end is mounted within Vault. + // The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". + Path *string `json:"path,omitempty" tf:"path,omitempty"` + + // The pattern used for matching. Currently, only regular expression pattern is supported. + // The pattern used for matching. Currently, only regular expression pattern is supported. 
+ Pattern *string `json:"pattern,omitempty" tf:"pattern,omitempty"` + + // The pattern type to use for match detection. Currently, only regex is supported. + // The pattern type to use for match detection. Currently, only regex is supported. + Type *string `json:"type,omitempty" tf:"type,omitempty"` +} + type TemplateObservation struct { + // The alphabet to use for this template. This is only used during FPE transformations. // The alphabet to use for this template. This is only used during FPE transformations. Alphabet *string `json:"alphabet,omitempty" tf:"alphabet,omitempty"` + // - Optional mapping of name to regular expression template, used to customize + // the decoded output. (requires Vault Enterprise 1.9+) // The map of regular expression templates used to customize decoded outputs. // Only applicable to FPE transformations. DecodeFormats map[string]*string `json:"decodeFormats,omitempty" tf:"decode_formats,omitempty"` + // - The regular expression template used to format encoded values. + // (requires Vault Enterprise 1.9+) // The regular expression template used for encoding values. // Only applicable to FPE transformations. EncodeFormat *string `json:"encodeFormat,omitempty" tf:"encode_format,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The name of the template. // The name of the template. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Path to where the back-end is mounted within Vault. // The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". 
Path *string `json:"path,omitempty" tf:"path,omitempty"` + // The pattern used for matching. Currently, only regular expression pattern is supported. // The pattern used for matching. Currently, only regular expression pattern is supported. Pattern *string `json:"pattern,omitempty" tf:"pattern,omitempty"` + // The pattern type to use for match detection. Currently, only regex is supported. // The pattern type to use for match detection. Currently, only regex is supported. Type *string `json:"type,omitempty" tf:"type,omitempty"` } type TemplateParameters struct { + // The alphabet to use for this template. This is only used during FPE transformations. // The alphabet to use for this template. This is only used during FPE transformations. // +kubebuilder:validation:Optional Alphabet *string `json:"alphabet,omitempty" tf:"alphabet,omitempty"` + // - Optional mapping of name to regular expression template, used to customize + // the decoded output. (requires Vault Enterprise 1.9+) // The map of regular expression templates used to customize decoded outputs. // Only applicable to FPE transformations. // +kubebuilder:validation:Optional DecodeFormats map[string]*string `json:"decodeFormats,omitempty" tf:"decode_formats,omitempty"` + // - The regular expression template used to format encoded values. + // (requires Vault Enterprise 1.9+) // The regular expression template used for encoding values. // Only applicable to FPE transformations. // +kubebuilder:validation:Optional EncodeFormat *string `json:"encodeFormat,omitempty" tf:"encode_format,omitempty"` + // The name of the template. // The name of the template. // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. 
(requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Path to where the back-end is mounted within Vault. // The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` + // The pattern used for matching. Currently, only regular expression pattern is supported. // The pattern used for matching. Currently, only regular expression pattern is supported. // +kubebuilder:validation:Optional Pattern *string `json:"pattern,omitempty" tf:"pattern,omitempty"` + // The pattern type to use for match detection. Currently, only regex is supported. // The pattern type to use for match detection. Currently, only regex is supported. // +kubebuilder:validation:Optional Type *string `json:"type,omitempty" tf:"type,omitempty"` @@ -85,6 +153,18 @@ type TemplateParameters struct { type TemplateSpec struct { v1.ResourceSpec `json:",inline"` ForProvider TemplateParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider TemplateInitParameters `json:"initProvider,omitempty"` } // TemplateStatus defines the observed state of Template. 
@@ -95,7 +175,7 @@ type TemplateStatus struct { // +kubebuilder:object:root=true -// Template is the Schema for the Templates API. +// Template is the Schema for the Templates API. "/transform/template/{name}" // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" @@ -105,8 +185,8 @@ type TemplateStatus struct { type Template struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path)",message="path is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter" Spec TemplateSpec `json:"spec"` Status TemplateStatus `json:"status,omitempty"` } diff --git a/apis/transform/v1alpha1/zz_transformation_types.go b/apis/transform/v1alpha1/zz_transformation_types.go index 517893e0..bf591bd6 100755 --- a/apis/transform/v1alpha1/zz_transformation_types.go +++ b/apis/transform/v1alpha1/zz_transformation_types.go 
@@ -13,79 +13,157 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type TransformationInitParameters struct { + + // The set of roles allowed to perform this transformation. + // The set of roles allowed to perform this transformation. + AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + + // If true, this transform can be deleted. + // Otherwise, deletion is blocked while this value remains false. Default: false + // Only supported on vault-1.12+ + // If true, this transform can be deleted. Otherwise deletion is blocked while this value remains false. + DeletionAllowed *bool `json:"deletionAllowed,omitempty" tf:"deletion_allowed,omitempty"` + + // The character used to replace data when in masking mode + // The character used to replace data when in masking mode + MaskingCharacter *string `json:"maskingCharacter,omitempty" tf:"masking_character,omitempty"` + + // The name of the transformation. + // The name of the transformation. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Path to where the back-end is mounted within Vault. + // The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". + Path *string `json:"path,omitempty" tf:"path,omitempty"` + + // The name of the template to use. + // The name of the template to use. + Template *string `json:"template,omitempty" tf:"template,omitempty"` + + // Templates configured for transformation. + // Templates configured for transformation. 
+ Templates []*string `json:"templates,omitempty" tf:"templates,omitempty"` + + // The source of where the tweak value comes from. Only valid when in FPE mode. + // The source of where the tweak value comes from. Only valid when in FPE mode. + TweakSource *string `json:"tweakSource,omitempty" tf:"tweak_source,omitempty"` + + // The type of transformation to perform. + // The type of transformation to perform. + Type *string `json:"type,omitempty" tf:"type,omitempty"` +} + type TransformationObservation struct { + // The set of roles allowed to perform this transformation. // The set of roles allowed to perform this transformation. AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // If true, this transform can be deleted. + // Otherwise, deletion is blocked while this value remains false. Default: false + // Only supported on vault-1.12+ // If true, this transform can be deleted. Otherwise deletion is blocked while this value remains false. DeletionAllowed *bool `json:"deletionAllowed,omitempty" tf:"deletion_allowed,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The character used to replace data when in masking mode // The character used to replace data when in masking mode MaskingCharacter *string `json:"maskingCharacter,omitempty" tf:"masking_character,omitempty"` + // The name of the transformation. // The name of the transformation. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Path to where the back-end is mounted within Vault. // The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". 
Path *string `json:"path,omitempty" tf:"path,omitempty"` + // The name of the template to use. // The name of the template to use. Template *string `json:"template,omitempty" tf:"template,omitempty"` + // Templates configured for transformation. // Templates configured for transformation. Templates []*string `json:"templates,omitempty" tf:"templates,omitempty"` + // The source of where the tweak value comes from. Only valid when in FPE mode. // The source of where the tweak value comes from. Only valid when in FPE mode. TweakSource *string `json:"tweakSource,omitempty" tf:"tweak_source,omitempty"` + // The type of transformation to perform. // The type of transformation to perform. Type *string `json:"type,omitempty" tf:"type,omitempty"` } type TransformationParameters struct { + // The set of roles allowed to perform this transformation. // The set of roles allowed to perform this transformation. // +kubebuilder:validation:Optional AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // If true, this transform can be deleted. + // Otherwise, deletion is blocked while this value remains false. Default: false + // Only supported on vault-1.12+ // If true, this transform can be deleted. Otherwise deletion is blocked while this value remains false. // +kubebuilder:validation:Optional DeletionAllowed *bool `json:"deletionAllowed,omitempty" tf:"deletion_allowed,omitempty"` + // The character used to replace data when in masking mode // The character used to replace data when in masking mode // +kubebuilder:validation:Optional MaskingCharacter *string `json:"maskingCharacter,omitempty" tf:"masking_character,omitempty"` + // The name of the transformation. // The name of the transformation. // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. 
+ // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Path to where the back-end is mounted within Vault. // The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` + // The name of the template to use. // The name of the template to use. // +kubebuilder:validation:Optional Template *string `json:"template,omitempty" tf:"template,omitempty"` + // Templates configured for transformation. // Templates configured for transformation. // +kubebuilder:validation:Optional Templates []*string `json:"templates,omitempty" tf:"templates,omitempty"` + // The source of where the tweak value comes from. Only valid when in FPE mode. // The source of where the tweak value comes from. Only valid when in FPE mode. // +kubebuilder:validation:Optional TweakSource *string `json:"tweakSource,omitempty" tf:"tweak_source,omitempty"` + // The type of transformation to perform. // The type of transformation to perform. // +kubebuilder:validation:Optional Type *string `json:"type,omitempty" tf:"type,omitempty"` 
@@ -95,6 +173,18 @@ type TransformationParameters struct { type TransformationSpec struct { v1.ResourceSpec `json:",inline"` ForProvider TransformationParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider TransformationInitParameters `json:"initProvider,omitempty"` } // TransformationStatus defines the observed state of Transformation. @@ -105,7 +195,7 @@ type TransformationStatus struct { // +kubebuilder:object:root=true -// Transformation is the Schema for the Transformations API. +// Transformation is the Schema for the Transformations API. "/transform/transformation/{name}" // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -115,8 +205,8 @@ type TransformationStatus struct { type Transformation struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path)",message="path is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter" Spec TransformationSpec `json:"spec"` Status TransformationStatus `json:"status,omitempty"` } diff --git a/apis/transit/v1alpha1/zz_generated.deepcopy.go b/apis/transit/v1alpha1/zz_generated.deepcopy.go index 1a8b02f0..1851f266 100644 --- a/apis/transit/v1alpha1/zz_generated.deepcopy.go +++ b/apis/transit/v1alpha1/zz_generated.deepcopy.go 
@@ -40,6 +40,86 @@ func (in *SecretBackendKey) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretBackendKeyInitParameters) DeepCopyInto(out *SecretBackendKeyInitParameters) { + *out = *in + if in.AllowPlaintextBackup != nil { + in, out := &in.AllowPlaintextBackup, &out.AllowPlaintextBackup + *out = new(bool) + **out = **in + } + if in.AutoRotateInterval != nil { + in, out := &in.AutoRotateInterval, &out.AutoRotateInterval + *out = new(float64) + **out = **in + } + if in.AutoRotatePeriod != nil { + in, out := &in.AutoRotatePeriod, &out.AutoRotatePeriod + *out = new(float64) + **out = **in + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(string) + **out = **in + } + if in.ConvergentEncryption != nil { + in, out := &in.ConvergentEncryption, &out.ConvergentEncryption + *out = new(bool) + **out = **in + } + if in.DeletionAllowed != nil { + in, out := &in.DeletionAllowed, &out.DeletionAllowed + *out = new(bool) + **out = **in + } + if in.Derived != nil { + in, out := &in.Derived, &out.Derived + *out = new(bool) + **out = **in + } + if in.Exportable != nil { + in, out := &in.Exportable, &out.Exportable + *out = new(bool) + **out = **in + } + if in.MinDecryptionVersion != nil { + in, out := &in.MinDecryptionVersion, &out.MinDecryptionVersion + *out = new(float64) + **out = **in + } + if in.MinEncryptionVersion != nil { + in, out := &in.MinEncryptionVersion, &out.MinEncryptionVersion + *out = new(float64) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Type != nil { + in, out := &in.Type, &out.Type + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new 
SecretBackendKeyInitParameters. +func (in *SecretBackendKeyInitParameters) DeepCopy() *SecretBackendKeyInitParameters { + if in == nil { + return nil + } + out := new(SecretBackendKeyInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendKeyList) DeepCopyInto(out *SecretBackendKeyList) { *out = *in @@ -293,6 +373,7 @@ func (in *SecretBackendKeySpec) DeepCopyInto(out *SecretBackendKeySpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendKeySpec. diff --git a/apis/transit/v1alpha1/zz_generated.managed.go b/apis/transit/v1alpha1/zz_generated.managed.go index 07eb559e..82c6ccad 100644 --- a/apis/transit/v1alpha1/zz_generated.managed.go +++ b/apis/transit/v1alpha1/zz_generated.managed.go @@ -17,9 +17,9 @@ func (mg *SecretBackendKey) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this SecretBackendKey. -func (mg *SecretBackendKey) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this SecretBackendKey. +func (mg *SecretBackendKey) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this SecretBackendKey. 
@@ -55,9 +55,9 @@ func (mg *SecretBackendKey) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this SecretBackendKey. -func (mg *SecretBackendKey) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this SecretBackendKey. +func (mg *SecretBackendKey) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this SecretBackendKey. diff --git a/apis/transit/v1alpha1/zz_generated_terraformed.go b/apis/transit/v1alpha1/zz_generated_terraformed.go index a849c24c..ee2f060c 100755 --- a/apis/transit/v1alpha1/zz_generated_terraformed.go +++ b/apis/transit/v1alpha1/zz_generated_terraformed.go @@ -69,6 +69,16 @@ func (tr *SecretBackendKey) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this SecretBackendKey +func (tr *SecretBackendKey) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this SecretBackendKey using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackendKey) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/transit/v1alpha1/zz_secretbackendkey_types.go b/apis/transit/v1alpha1/zz_secretbackendkey_types.go index 0370d48c..0bddced2 100755 --- a/apis/transit/v1alpha1/zz_secretbackendkey_types.go +++ b/apis/transit/v1alpha1/zz_secretbackendkey_types.go 
@@ -13,121 +13,221 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type SecretBackendKeyInitParameters struct { + + // Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled. + // If set, enables taking backup of named key in the plaintext format. Once set, this cannot be disabled. + AllowPlaintextBackup *bool `json:"allowPlaintextBackup,omitempty" tf:"allow_plaintext_backup,omitempty"` + + // Replaced by auto_rotate_period. + // Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. + AutoRotateInterval *float64 `json:"autoRotateInterval,omitempty" tf:"auto_rotate_interval,omitempty"` + + // Amount of time the key should live before being automatically rotated. + // A value of 0 disables automatic rotation for the key. + // Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. + AutoRotatePeriod *float64 `json:"autoRotatePeriod,omitempty" tf:"auto_rotate_period,omitempty"` + + // The path the transit secret backend is mounted at, with no leading or trailing /s. + // The Transit secret backend the resource belongs to. + Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + + // Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true. + // Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true. + ConvergentEncryption *bool `json:"convergentEncryption,omitempty" tf:"convergent_encryption,omitempty"` + + // Specifies if the keyring is allowed to be deleted. + // Specifies if the key is allowed to be deleted. + DeletionAllowed *bool `json:"deletionAllowed,omitempty" tf:"deletion_allowed,omitempty"` + + // Specifies if key derivation is to be used. 
If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation. + // Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation. + Derived *bool `json:"derived,omitempty" tf:"derived,omitempty"` + + // Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled. + // Enables keys to be exportable. This allows for all the valid keys in the key ring to be exported. Once set, this cannot be disabled. + Exportable *bool `json:"exportable,omitempty" tf:"exportable,omitempty"` + + // Minimum key version to use for decryption. + // Minimum key version to use for decryption. + MinDecryptionVersion *float64 `json:"minDecryptionVersion,omitempty" tf:"min_decryption_version,omitempty"` + + // Minimum key version to use for encryption + // Minimum key version to use for encryption + MinEncryptionVersion *float64 `json:"minEncryptionVersion,omitempty" tf:"min_encryption_version,omitempty"` + + // The name to identify this key within the backend. Must be unique within the backend. + // Name of the encryption key to create. + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096. + // Specifies the type of key to create. 
The currently-supported types are: aes128-gcm96, aes256-gcm96, chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072, rsa-4096 + Type *string `json:"type,omitempty" tf:"type,omitempty"` +} + type SecretBackendKeyObservation struct { + // Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled. // If set, enables taking backup of named key in the plaintext format. Once set, this cannot be disabled. AllowPlaintextBackup *bool `json:"allowPlaintextBackup,omitempty" tf:"allow_plaintext_backup,omitempty"` + // Replaced by auto_rotate_period. // Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. AutoRotateInterval *float64 `json:"autoRotateInterval,omitempty" tf:"auto_rotate_interval,omitempty"` + // Amount of time the key should live before being automatically rotated. + // A value of 0 disables automatic rotation for the key. // Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. AutoRotatePeriod *float64 `json:"autoRotatePeriod,omitempty" tf:"auto_rotate_period,omitempty"` + // The path the transit secret backend is mounted at, with no leading or trailing /s. // The Transit secret backend the resource belongs to. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true. // Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true. ConvergentEncryption *bool `json:"convergentEncryption,omitempty" tf:"convergent_encryption,omitempty"` + // Specifies if the keyring is allowed to be deleted. // Specifies if the key is allowed to be deleted. 
DeletionAllowed *bool `json:"deletionAllowed,omitempty" tf:"deletion_allowed,omitempty"` + // Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation. // Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation. Derived *bool `json:"derived,omitempty" tf:"derived,omitempty"` + // Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled. // Enables keys to be exportable. This allows for all the valid keys in the key ring to be exported. Once set, this cannot be disabled. Exportable *bool `json:"exportable,omitempty" tf:"exportable,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key. // List of key versions in the keyring. Keys []map[string]*string `json:"keys,omitempty" tf:"keys,omitempty"` + // Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0 // Latest key version in use in the keyring LatestVersion *float64 `json:"latestVersion,omitempty" tf:"latest_version,omitempty"` + // Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change. // Minimum key version available for use. MinAvailableVersion *float64 `json:"minAvailableVersion,omitempty" tf:"min_available_version,omitempty"` + // Minimum key version to use for decryption. // Minimum key version to use for decryption. 
MinDecryptionVersion *float64 `json:"minDecryptionVersion,omitempty" tf:"min_decryption_version,omitempty"` + // Minimum key version to use for encryption // Minimum key version to use for encryption MinEncryptionVersion *float64 `json:"minEncryptionVersion,omitempty" tf:"min_encryption_version,omitempty"` + // The name to identify this key within the backend. Must be unique within the backend. // Name of the encryption key to create. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Whether or not the key supports decryption, based on key type. // Whether or not the key supports decryption, based on key type. SupportsDecryption *bool `json:"supportsDecryption,omitempty" tf:"supports_decryption,omitempty"` + // Whether or not the key supports derivation, based on key type. // Whether or not the key supports derivation, based on key type. SupportsDerivation *bool `json:"supportsDerivation,omitempty" tf:"supports_derivation,omitempty"` + // Whether or not the key supports encryption, based on key type. // Whether or not the key supports encryption, based on key type. SupportsEncryption *bool `json:"supportsEncryption,omitempty" tf:"supports_encryption,omitempty"` + // Whether or not the key supports signing, based on key type. // Whether or not the key supports signing, based on key type. SupportsSigning *bool `json:"supportsSigning,omitempty" tf:"supports_signing,omitempty"` + // Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096. 
// Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96, chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072, rsa-4096 Type *string `json:"type,omitempty" tf:"type,omitempty"` } type SecretBackendKeyParameters struct { + // Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled. // If set, enables taking backup of named key in the plaintext format. Once set, this cannot be disabled. // +kubebuilder:validation:Optional AllowPlaintextBackup *bool `json:"allowPlaintextBackup,omitempty" tf:"allow_plaintext_backup,omitempty"` + // Replaced by auto_rotate_period. // Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. // +kubebuilder:validation:Optional AutoRotateInterval *float64 `json:"autoRotateInterval,omitempty" tf:"auto_rotate_interval,omitempty"` + // Amount of time the key should live before being automatically rotated. + // A value of 0 disables automatic rotation for the key. // Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. // +kubebuilder:validation:Optional AutoRotatePeriod *float64 `json:"autoRotatePeriod,omitempty" tf:"auto_rotate_period,omitempty"` + // The path the transit secret backend is mounted at, with no leading or trailing /s. // The Transit secret backend the resource belongs to. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true. // Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true. 
// +kubebuilder:validation:Optional ConvergentEncryption *bool `json:"convergentEncryption,omitempty" tf:"convergent_encryption,omitempty"` + // Specifies if the keyring is allowed to be deleted. // Specifies if the key is allowed to be deleted. // +kubebuilder:validation:Optional DeletionAllowed *bool `json:"deletionAllowed,omitempty" tf:"deletion_allowed,omitempty"` + // Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation. // Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation. // +kubebuilder:validation:Optional Derived *bool `json:"derived,omitempty" tf:"derived,omitempty"` + // Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled. // Enables keys to be exportable. This allows for all the valid keys in the key ring to be exported. Once set, this cannot be disabled. // +kubebuilder:validation:Optional Exportable *bool `json:"exportable,omitempty" tf:"exportable,omitempty"` + // Minimum key version to use for decryption. // Minimum key version to use for decryption. // +kubebuilder:validation:Optional MinDecryptionVersion *float64 `json:"minDecryptionVersion,omitempty" tf:"min_decryption_version,omitempty"` + // Minimum key version to use for encryption // Minimum key version to use for encryption // +kubebuilder:validation:Optional MinEncryptionVersion *float64 `json:"minEncryptionVersion,omitempty" tf:"min_encryption_version,omitempty"` + // The name to identify this key within the backend. Must be unique within the backend. // Name of the encryption key to create. // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. 
+ // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096. // Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96, chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072, rsa-4096 // +kubebuilder:validation:Optional Type *string `json:"type,omitempty" tf:"type,omitempty"` @@ -137,6 +237,18 @@ type SecretBackendKeyParameters struct { type SecretBackendKeySpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendKeyParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider SecretBackendKeyInitParameters `json:"initProvider,omitempty"` } // SecretBackendKeyStatus defines the observed state of SecretBackendKey. 
@@ -147,7 +259,7 @@ type SecretBackendKeyStatus struct { // +kubebuilder:object:root=true -// SecretBackendKey is the Schema for the SecretBackendKeys API. +// SecretBackendKey is the Schema for the SecretBackendKeys API. Create an Encryption Keyring on a Transit Secret Backend for Vault. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" @@ -157,8 +269,8 @@ type SecretBackendKeyStatus struct { type SecretBackendKey struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" Spec SecretBackendKeySpec `json:"spec"` Status SecretBackendKeyStatus `json:"status,omitempty"` } diff --git a/apis/vault/v1alpha1/zz_audit_types.go b/apis/vault/v1alpha1/zz_audit_types.go index 915b5786..cea0fb30 100755 --- a/apis/vault/v1alpha1/zz_audit_types.go +++ b/apis/vault/v1alpha1/zz_audit_types.go 
@@ -13,51 +13,99 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type AuditInitParameters struct { + + // Human-friendly description of the audit device. + // Human-friendly description of the audit device. + Description *string `json:"description,omitempty" tf:"description,omitempty"` + + // Specifies if the audit device is a local only. Local audit devices are not replicated nor (if a secondary) removed by replication. + // Specifies if the audit device is a local only. Local audit devices are not replicated nor (if a secondary) removed by replication. + Local *bool `json:"local,omitempty" tf:"local,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Configuration options to pass to the audit device itself. + // Configuration options to pass to the audit device itself. + Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` + + // The path to mount the audit device. This defaults to the type. + // Path in which to enable the audit device. + Path *string `json:"path,omitempty" tf:"path,omitempty"` + + // Type of the audit device, such as 'file'. + // Type of the audit device, such as 'file'. + Type *string `json:"type,omitempty" tf:"type,omitempty"` +} + type AuditObservation struct { + // Human-friendly description of the audit device. // Human-friendly description of the audit device. Description *string `json:"description,omitempty" tf:"description,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // Specifies if the audit device is a local only. Local audit devices are not replicated nor (if a secondary) removed by replication. 
// Specifies if the audit device is a local only. Local audit devices are not replicated nor (if a secondary) removed by replication. Local *bool `json:"local,omitempty" tf:"local,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Configuration options to pass to the audit device itself. // Configuration options to pass to the audit device itself. Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` + // The path to mount the audit device. This defaults to the type. // Path in which to enable the audit device. Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Type of the audit device, such as 'file'. // Type of the audit device, such as 'file'. Type *string `json:"type,omitempty" tf:"type,omitempty"` } type AuditParameters struct { + // Human-friendly description of the audit device. // Human-friendly description of the audit device. // +kubebuilder:validation:Optional Description *string `json:"description,omitempty" tf:"description,omitempty"` + // Specifies if the audit device is a local only. Local audit devices are not replicated nor (if a secondary) removed by replication. // Specifies if the audit device is a local only. Local audit devices are not replicated nor (if a secondary) removed by replication. // +kubebuilder:validation:Optional Local *bool `json:"local,omitempty" tf:"local,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. 
(requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Configuration options to pass to the audit device itself. // Configuration options to pass to the audit device itself. // +kubebuilder:validation:Optional Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` + // The path to mount the audit device. This defaults to the type. // Path in which to enable the audit device. // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Type of the audit device, such as 'file'. // Type of the audit device, such as 'file'. // +kubebuilder:validation:Optional Type *string `json:"type,omitempty" tf:"type,omitempty"` @@ -67,6 +115,18 @@ type AuditParameters struct { type AuditSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuditParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider AuditInitParameters `json:"initProvider,omitempty"` } // AuditStatus defines the observed state of Audit. 
@@ -77,7 +137,7 @@ type AuditStatus struct { // +kubebuilder:object:root=true -// Audit is the Schema for the Audits API. +// Audit is the Schema for the Audits API. Writes audit backends for Vault // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" @@ -87,8 +147,8 @@ type AuditStatus struct { type Audit struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.options)",message="options is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)",message="type is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.options) || has(self.initProvider.options)",message="options is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.type) || has(self.initProvider.type)",message="type is a required parameter" Spec AuditSpec `json:"spec"` Status AuditStatus `json:"status,omitempty"` } diff --git a/apis/vault/v1alpha1/zz_generated.deepcopy.go b/apis/vault/v1alpha1/zz_generated.deepcopy.go index 70d88404..7d9c3343 100644 --- a/apis/vault/v1alpha1/zz_generated.deepcopy.go +++ b/apis/vault/v1alpha1/zz_generated.deepcopy.go 
@@ -40,6 +40,61 @@ func (in *Audit) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuditInitParameters) DeepCopyInto(out *AuditInitParameters) { + *out = *in + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.Local != nil { + in, out := &in.Local, &out.Local + *out = new(bool) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Options != nil { + in, out := &in.Options, &out.Options + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = **in + } + if in.Type != nil { + in, out := &in.Type, &out.Type + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuditInitParameters. +func (in *AuditInitParameters) DeepCopy() *AuditInitParameters { + if in == nil { + return nil + } + out := new(AuditInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuditList) DeepCopyInto(out *AuditList) { *out = *in @@ -192,6 +247,7 @@ func (in *AuditSpec) DeepCopyInto(out *AuditSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuditSpec. 
@@ -248,6 +304,114 @@ func (in *Mount) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MountInitParameters) DeepCopyInto(out *MountInitParameters) { + *out = *in + if in.AllowedManagedKeys != nil { + in, out := &in.AllowedManagedKeys, &out.AllowedManagedKeys + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.AuditNonHMACRequestKeys != nil { + in, out := &in.AuditNonHMACRequestKeys, &out.AuditNonHMACRequestKeys + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.AuditNonHMACResponseKeys != nil { + in, out := &in.AuditNonHMACResponseKeys, &out.AuditNonHMACResponseKeys + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.DefaultLeaseTTLSeconds != nil { + in, out := &in.DefaultLeaseTTLSeconds, &out.DefaultLeaseTTLSeconds + *out = new(float64) + **out = **in + } + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.ExternalEntropyAccess != nil { + in, out := &in.ExternalEntropyAccess, &out.ExternalEntropyAccess + *out = new(bool) + **out = **in + } + if in.Local != nil { + in, out := &in.Local, &out.Local + *out = new(bool) + **out = **in + } + if in.MaxLeaseTTLSeconds != nil { + in, out := &in.MaxLeaseTTLSeconds, &out.MaxLeaseTTLSeconds + *out = new(float64) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Options != nil { + in, out := &in.Options, &out.Options + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + 
var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = **in + } + if in.SealWrap != nil { + in, out := &in.SealWrap, &out.SealWrap + *out = new(bool) + **out = **in + } + if in.Type != nil { + in, out := &in.Type, &out.Type + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MountInitParameters. +func (in *MountInitParameters) DeepCopy() *MountInitParameters { + if in == nil { + return nil + } + out := new(MountInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MountList) DeepCopyInto(out *MountList) { *out = *in @@ -511,6 +675,7 @@ func (in *MountSpec) DeepCopyInto(out *MountSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MountSpec. 
@@ -567,6 +732,36 @@ func (in *Namespace) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NamespaceInitParameters) DeepCopyInto(out *NamespaceInitParameters) { + *out = *in + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = **in + } + if in.PathFq != nil { + in, out := &in.PathFq, &out.PathFq + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespaceInitParameters. +func (in *NamespaceInitParameters) DeepCopy() *NamespaceInitParameters { + if in == nil { + return nil + } + out := new(NamespaceInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *NamespaceList) DeepCopyInto(out *NamespaceList) { *out = *in @@ -674,6 +869,7 @@ func (in *NamespaceSpec) DeepCopyInto(out *NamespaceSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespaceSpec. 
@@ -730,6 +926,36 @@ func (in *Policy) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyInitParameters) DeepCopyInto(out *PolicyInitParameters) { + *out = *in + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.Policy != nil { + in, out := &in.Policy, &out.Policy + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyInitParameters. +func (in *PolicyInitParameters) DeepCopy() *PolicyInitParameters { + if in == nil { + return nil + } + out := new(PolicyInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PolicyList) DeepCopyInto(out *PolicyList) { *out = *in @@ -832,6 +1058,7 @@ func (in *PolicySpec) DeepCopyInto(out *PolicySpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicySpec. 
@@ -888,6 +1115,112 @@ func (in *Token) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TokenInitParameters) DeepCopyInto(out *TokenInitParameters) { + *out = *in + if in.DisplayName != nil { + in, out := &in.DisplayName, &out.DisplayName + *out = new(string) + **out = **in + } + if in.ExplicitMaxTTL != nil { + in, out := &in.ExplicitMaxTTL, &out.ExplicitMaxTTL + *out = new(string) + **out = **in + } + if in.Metadata != nil { + in, out := &in.Metadata, &out.Metadata + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } + if in.NoDefaultPolicy != nil { + in, out := &in.NoDefaultPolicy, &out.NoDefaultPolicy + *out = new(bool) + **out = **in + } + if in.NoParent != nil { + in, out := &in.NoParent, &out.NoParent + *out = new(bool) + **out = **in + } + if in.NumUses != nil { + in, out := &in.NumUses, &out.NumUses + *out = new(float64) + **out = **in + } + if in.Period != nil { + in, out := &in.Period, &out.Period + *out = new(string) + **out = **in + } + if in.Policies != nil { + in, out := &in.Policies, &out.Policies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.RenewIncrement != nil { + in, out := &in.RenewIncrement, &out.RenewIncrement + *out = new(float64) + **out = **in + } + if in.RenewMinLease != nil { + in, out := &in.RenewMinLease, &out.RenewMinLease + *out = new(float64) + **out = **in + } + if in.Renewable != nil { + in, out := &in.Renewable, &out.Renewable + *out = new(bool) + **out = **in + } + if in.RoleName != nil { 
+ in, out := &in.RoleName, &out.RoleName + *out = new(string) + **out = **in + } + if in.TTL != nil { + in, out := &in.TTL, &out.TTL + *out = new(string) + **out = **in + } + if in.WrappingTTL != nil { + in, out := &in.WrappingTTL, &out.WrappingTTL + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenInitParameters. +func (in *TokenInitParameters) DeepCopy() *TokenInitParameters { + if in == nil { + return nil + } + out := new(TokenInitParameters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TokenList) DeepCopyInto(out *TokenList) { *out = *in @@ -1152,6 +1485,7 @@ func (in *TokenSpec) DeepCopyInto(out *TokenSpec) { *out = *in in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenSpec. diff --git a/apis/vault/v1alpha1/zz_generated.managed.go b/apis/vault/v1alpha1/zz_generated.managed.go index 8dc7150b..5f156001 100644 --- a/apis/vault/v1alpha1/zz_generated.managed.go +++ b/apis/vault/v1alpha1/zz_generated.managed.go @@ -17,9 +17,9 @@ func (mg *Audit) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this Audit. -func (mg *Audit) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this Audit. +func (mg *Audit) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this Audit. 
@@ -55,9 +55,9 @@ func (mg *Audit) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this Audit. -func (mg *Audit) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this Audit. +func (mg *Audit) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this Audit. @@ -93,9 +93,9 @@ func (mg *Mount) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this Mount. -func (mg *Mount) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this Mount. +func (mg *Mount) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this Mount. @@ -131,9 +131,9 @@ func (mg *Mount) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this Mount. -func (mg *Mount) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this Mount. +func (mg *Mount) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this Mount. @@ -169,9 +169,9 @@ func (mg *Namespace) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this Namespace. -func (mg *Namespace) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this Namespace. +func (mg *Namespace) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this Namespace. 
@@ -207,9 +207,9 @@ func (mg *Namespace) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this Namespace. -func (mg *Namespace) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this Namespace. +func (mg *Namespace) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this Namespace. @@ -245,9 +245,9 @@ func (mg *Policy) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this Policy. -func (mg *Policy) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this Policy. +func (mg *Policy) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this Policy. @@ -283,9 +283,9 @@ func (mg *Policy) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this Policy. -func (mg *Policy) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this Policy. +func (mg *Policy) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this Policy. @@ -321,9 +321,9 @@ func (mg *Token) GetDeletionPolicy() xpv1.DeletionPolicy { return mg.Spec.DeletionPolicy } -// GetManagementPolicy of this Token. -func (mg *Token) GetManagementPolicy() xpv1.ManagementPolicy { - return mg.Spec.ManagementPolicy +// GetManagementPolicies of this Token. +func (mg *Token) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies } // GetProviderConfigReference of this Token. 
@@ -359,9 +359,9 @@ func (mg *Token) SetDeletionPolicy(r xpv1.DeletionPolicy) { mg.Spec.DeletionPolicy = r } -// SetManagementPolicy of this Token. -func (mg *Token) SetManagementPolicy(r xpv1.ManagementPolicy) { - mg.Spec.ManagementPolicy = r +// SetManagementPolicies of this Token. +func (mg *Token) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r } // SetProviderConfigReference of this Token. diff --git a/apis/vault/v1alpha1/zz_generated_terraformed.go b/apis/vault/v1alpha1/zz_generated_terraformed.go index 00a4dcc9..dd502b3d 100755 --- a/apis/vault/v1alpha1/zz_generated_terraformed.go +++ b/apis/vault/v1alpha1/zz_generated_terraformed.go @@ -69,6 +69,16 @@ func (tr *Audit) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this Audit +func (tr *Audit) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this Audit using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *Audit) LateInitialize(attrs []byte) (bool, error) { @@ -143,6 +153,16 @@ func (tr *Mount) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this Mount +func (tr *Mount) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this Mount using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *Mount) LateInitialize(attrs []byte) (bool, error) { 
@@ -217,6 +237,16 @@ func (tr *Namespace) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this Namespace +func (tr *Namespace) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this Namespace using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *Namespace) LateInitialize(attrs []byte) (bool, error) { @@ -291,6 +321,16 @@ func (tr *Policy) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this Policy +func (tr *Policy) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this Policy using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *Policy) LateInitialize(attrs []byte) (bool, error) { @@ -365,6 +405,16 @@ func (tr *Token) SetParameters(params map[string]any) error { return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) } +// GetInitParameters of this Token +func (tr *Token) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + // LateInitialize this Token using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *Token) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/vault/v1alpha1/zz_mount_types.go b/apis/vault/v1alpha1/zz_mount_types.go index db85670b..1b0a5cd7 100755 --- a/apis/vault/v1alpha1/zz_mount_types.go 
+++ b/apis/vault/v1alpha1/zz_mount_types.go 
@@ -13,103 +13,194 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type MountInitParameters struct { + + // Set of managed key registry entry names that the mount in question is allowed to access + // List of managed key registry entry names that the mount in question is allowed to access + AllowedManagedKeys []*string `json:"allowedManagedKeys,omitempty" tf:"allowed_managed_keys,omitempty"` + + // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. + // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. + AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys,omitempty"` + + // Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. + // Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. + AuditNonHMACResponseKeys []*string `json:"auditNonHmacResponseKeys,omitempty" tf:"audit_non_hmac_response_keys,omitempty"` + + // Default lease duration for tokens and secrets in seconds + // Default lease duration for tokens and secrets in seconds + DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + + // Human-friendly description of the mount + // Human-friendly description of the mount + Description *string `json:"description,omitempty" tf:"description,omitempty"` + + // Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source + // Enable the secrets engine to access Vault's external entropy source + ExternalEntropyAccess *bool `json:"externalEntropyAccess,omitempty" tf:"external_entropy_access,omitempty"` + + // Boolean flag that can be explicitly set to true to enforce local mount in HA environment + // Local mount flag that can be explicitly set to true to enforce local mount in HA environment + 
Local *bool `json:"local,omitempty" tf:"local,omitempty"` + + // Maximum possible lease duration for tokens and secrets in seconds + // Maximum possible lease duration for tokens and secrets in seconds + MaxLeaseTTLSeconds *float64 `json:"maxLeaseTtlSeconds,omitempty" tf:"max_lease_ttl_seconds,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Specifies mount type specific options that are passed to the backend + // Specifies mount type specific options that are passed to the backend + Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` + + // Where the secret backend will be mounted + // Where the secret backend will be mounted + Path *string `json:"path,omitempty" tf:"path,omitempty"` + + // Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability + // Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability + SealWrap *bool `json:"sealWrap,omitempty" tf:"seal_wrap,omitempty"` + + // Type of the backend, such as "aws" + // Type of the backend, such as 'aws' + Type *string `json:"type,omitempty" tf:"type,omitempty"` +} + type MountObservation struct { + // The accessor for this mount. 
// Accessor of the mount Accessor *string `json:"accessor,omitempty" tf:"accessor,omitempty"` + // Set of managed key registry entry names that the mount in question is allowed to access // List of managed key registry entry names that the mount in question is allowed to access AllowedManagedKeys []*string `json:"allowedManagedKeys,omitempty" tf:"allowed_managed_keys,omitempty"` + // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys,omitempty"` + // Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. // Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. AuditNonHMACResponseKeys []*string `json:"auditNonHmacResponseKeys,omitempty" tf:"audit_non_hmac_response_keys,omitempty"` + // Default lease duration for tokens and secrets in seconds // Default lease duration for tokens and secrets in seconds DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // Human-friendly description of the mount // Human-friendly description of the mount Description *string `json:"description,omitempty" tf:"description,omitempty"` + // Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source // Enable the secrets engine to access Vault's external entropy source ExternalEntropyAccess *bool `json:"externalEntropyAccess,omitempty" tf:"external_entropy_access,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // Boolean flag that can be explicitly set to true to enforce local mount in HA environment // Local mount flag that can be explicitly set to true to enforce local mount in HA environment Local *bool 
`json:"local,omitempty" tf:"local,omitempty"` + // Maximum possible lease duration for tokens and secrets in seconds // Maximum possible lease duration for tokens and secrets in seconds MaxLeaseTTLSeconds *float64 `json:"maxLeaseTtlSeconds,omitempty" tf:"max_lease_ttl_seconds,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Specifies mount type specific options that are passed to the backend // Specifies mount type specific options that are passed to the backend Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` + // Where the secret backend will be mounted // Where the secret backend will be mounted Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability // Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability SealWrap *bool `json:"sealWrap,omitempty" tf:"seal_wrap,omitempty"` + // Type of the backend, such as "aws" // Type of the backend, such as 'aws' Type *string `json:"type,omitempty" tf:"type,omitempty"` } type MountParameters struct { + // Set of managed key registry entry names that the mount in question is allowed to access // List of managed key registry entry names that the mount in question is allowed to access // +kubebuilder:validation:Optional AllowedManagedKeys []*string `json:"allowedManagedKeys,omitempty" tf:"allowed_managed_keys,omitempty"` + // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. 
// Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. // +kubebuilder:validation:Optional AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys,omitempty"` + // Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. // Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. // +kubebuilder:validation:Optional AuditNonHMACResponseKeys []*string `json:"auditNonHmacResponseKeys,omitempty" tf:"audit_non_hmac_response_keys,omitempty"` + // Default lease duration for tokens and secrets in seconds // Default lease duration for tokens and secrets in seconds // +kubebuilder:validation:Optional DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // Human-friendly description of the mount // Human-friendly description of the mount // +kubebuilder:validation:Optional Description *string `json:"description,omitempty" tf:"description,omitempty"` + // Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source // Enable the secrets engine to access Vault's external entropy source // +kubebuilder:validation:Optional ExternalEntropyAccess *bool `json:"externalEntropyAccess,omitempty" tf:"external_entropy_access,omitempty"` + // Boolean flag that can be explicitly set to true to enforce local mount in HA environment // Local mount flag that can be explicitly set to true to enforce local mount in HA environment // +kubebuilder:validation:Optional Local *bool `json:"local,omitempty" tf:"local,omitempty"` + // Maximum possible lease duration for tokens and secrets in seconds // Maximum possible lease duration for tokens and secrets in seconds // +kubebuilder:validation:Optional MaxLeaseTTLSeconds *float64 `json:"maxLeaseTtlSeconds,omitempty" tf:"max_lease_ttl_seconds,omitempty"` + // 
The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Specifies mount type specific options that are passed to the backend // Specifies mount type specific options that are passed to the backend // +kubebuilder:validation:Optional Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` + // Where the secret backend will be mounted // Where the secret backend will be mounted // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability // Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability // +kubebuilder:validation:Optional SealWrap *bool `json:"sealWrap,omitempty" tf:"seal_wrap,omitempty"` + // Type of the backend, such as "aws" // Type of the backend, such as 'aws' // +kubebuilder:validation:Optional Type *string `json:"type,omitempty" tf:"type,omitempty"` 
@@ -119,6 +210,18 @@ type MountParameters struct { type MountSpec struct { v1.ResourceSpec `json:",inline"` ForProvider MountParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider MountInitParameters `json:"initProvider,omitempty"` } // MountStatus defines the observed state of Mount. @@ -129,7 +232,7 @@ type MountStatus struct { // +kubebuilder:object:root=true -// Mount is the Schema for the Mounts API. +// Mount is the Schema for the Mounts API. Managing the mounting of secret backends in Vault // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -139,8 +242,8 @@ type MountStatus struct { type Mount struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path)",message="path is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)",message="type is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.type) || has(self.initProvider.type)",message="type is a required parameter" Spec MountSpec `json:"spec"` Status MountStatus `json:"status,omitempty"` } diff --git a/apis/vault/v1alpha1/zz_namespace_types.go b/apis/vault/v1alpha1/zz_namespace_types.go index 5d05a07c..be659567 100755 --- a/apis/vault/v1alpha1/zz_namespace_types.go +++ b/apis/vault/v1alpha1/zz_namespace_types.go 
@@ -13,32 +13,65 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type NamespaceInitParameters struct { + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The path of the namespace. Must not have a trailing / + // Namespace path. + Path *string `json:"path,omitempty" tf:"path,omitempty"` + + // The fully qualified path to the namespace. Useful when provisioning resources in a child namespace. + // The fully qualified namespace path. + PathFq *string `json:"pathFq,omitempty" tf:"path_fq,omitempty"` +} + type NamespaceObservation struct { + + // ID of the namespace. ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // ID of the namespace. // Namespace ID. NamespaceID *string `json:"namespaceId,omitempty" tf:"namespace_id,omitempty"` + // The path of the namespace. Must not have a trailing / // Namespace path. Path *string `json:"path,omitempty" tf:"path,omitempty"` + // The fully qualified path to the namespace. Useful when provisioning resources in a child namespace. // The fully qualified namespace path. PathFq *string `json:"pathFq,omitempty" tf:"path_fq,omitempty"` } type NamespaceParameters struct { + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. 
+ // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The path of the namespace. Must not have a trailing / // Namespace path. // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` + // The fully qualified path to the namespace. Useful when provisioning resources in a child namespace. // The fully qualified namespace path. // +kubebuilder:validation:Optional PathFq *string `json:"pathFq,omitempty" tf:"path_fq,omitempty"` @@ -48,6 +81,18 @@ type NamespaceParameters struct { type NamespaceSpec struct { v1.ResourceSpec `json:",inline"` ForProvider NamespaceParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider NamespaceInitParameters `json:"initProvider,omitempty"` } // NamespaceStatus defines the observed state of Namespace. 
@@ -58,7 +103,7 @@ type NamespaceStatus struct { // +kubebuilder:object:root=true -// Namespace is the Schema for the Namespaces API. +// Namespace is the Schema for the Namespaces API. Writes namespaces for Vault // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" @@ -68,7 +113,7 @@ type NamespaceStatus struct { type Namespace struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path)",message="path is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter" Spec NamespaceSpec `json:"spec"` Status NamespaceStatus `json:"status,omitempty"` } diff --git a/apis/vault/v1alpha1/zz_policy_types.go b/apis/vault/v1alpha1/zz_policy_types.go index 37a4ba9b..38679b20 100755 --- a/apis/vault/v1alpha1/zz_policy_types.go +++ b/apis/vault/v1alpha1/zz_policy_types.go 
@@ -13,29 +13,59 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type PolicyInitParameters struct { + + // The name of the policy + // Name of the policy + Name *string `json:"name,omitempty" tf:"name,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // String containing a Vault policy + // The policy document + Policy *string `json:"policy,omitempty" tf:"policy,omitempty"` +} + type PolicyObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The name of the policy // Name of the policy Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // String containing a Vault policy // The policy document Policy *string `json:"policy,omitempty" tf:"policy,omitempty"` } type PolicyParameters struct { + // The name of the policy // Name of the policy // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. 
(requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // String containing a Vault policy // The policy document // +kubebuilder:validation:Optional Policy *string `json:"policy,omitempty" tf:"policy,omitempty"` @@ -45,6 +75,18 @@ type PolicyParameters struct { type PolicySpec struct { v1.ResourceSpec `json:",inline"` ForProvider PolicyParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider PolicyInitParameters `json:"initProvider,omitempty"` } // PolicyStatus defines the observed state of Policy. @@ -55,7 +97,7 @@ type PolicyStatus struct { // +kubebuilder:object:root=true -// Policy is the Schema for the Policys API. +// Policy is the Schema for the Policys API. Writes arbitrary policies for Vault // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" 
@@ -65,8 +107,8 @@ type PolicyStatus struct { type Policy struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter" - // +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)",message="policy is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.policy) || has(self.initProvider.policy)",message="policy is a required parameter" Spec PolicySpec `json:"spec"` Status PolicyStatus `json:"status,omitempty"` } diff --git a/apis/vault/v1alpha1/zz_token_types.go b/apis/vault/v1alpha1/zz_token_types.go index 539e0055..4d01ecdc 100755 --- a/apis/vault/v1alpha1/zz_token_types.go +++ b/apis/vault/v1alpha1/zz_token_types.go 
@@ -13,120 +13,224 @@ import ( v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" ) +type TokenInitParameters struct { + + // String containing the token display name + // The display name of the token. + DisplayName *string `json:"displayName,omitempty" tf:"display_name,omitempty"` + + // The explicit max TTL of this token + // The explicit max TTL of the token. + ExplicitMaxTTL *string `json:"explicitMaxTtl,omitempty" tf:"explicit_max_ttl,omitempty"` + + // Metadata to be set on this token + // Metadata to be associated with the token. + Metadata map[string]*string `json:"metadata,omitempty" tf:"metadata,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // Flag to not attach the default policy to this token + // Flag to disable the default policy. + NoDefaultPolicy *bool `json:"noDefaultPolicy,omitempty" tf:"no_default_policy,omitempty"` + + // Flag to create a token without parent + // Flag to create a token without parent. + NoParent *bool `json:"noParent,omitempty" tf:"no_parent,omitempty"` + + // The number of allowed uses of this token + // The number of allowed uses of the token. + NumUses *float64 `json:"numUses,omitempty" tf:"num_uses,omitempty"` + + // The period of this token + // The period of the token. + Period *string `json:"period,omitempty" tf:"period,omitempty"` + + // List of policies to attach to this token + // List of policies. + Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` + + // The renew increment + // The renew increment. 
+ RenewIncrement *float64 `json:"renewIncrement,omitempty" tf:"renew_increment,omitempty"` + + // The minimal lease to renew this token + // The minimum lease to renew token. + RenewMinLease *float64 `json:"renewMinLease,omitempty" tf:"renew_min_lease,omitempty"` + + // Flag to allow to renew this token + // Flag to allow the token to be renewed + Renewable *bool `json:"renewable,omitempty" tf:"renewable,omitempty"` + + // The token role name + // The token role name. + RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"` + + // The TTL period of this token + // The TTL period of the token. + TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` + + // The TTL period of this token + // The TTL period of the wrapped token. + WrappingTTL *string `json:"wrappingTtl,omitempty" tf:"wrapping_ttl,omitempty"` +} + type TokenObservation struct { + // String containing the token display name // The display name of the token. DisplayName *string `json:"displayName,omitempty" tf:"display_name,omitempty"` + // The explicit max TTL of this token // The explicit max TTL of the token. ExplicitMaxTTL *string `json:"explicitMaxTtl,omitempty" tf:"explicit_max_ttl,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // String containing the token lease duration if present in state file // The token lease duration. LeaseDuration *float64 `json:"leaseDuration,omitempty" tf:"lease_duration,omitempty"` + // String containing the token lease started time if present in state file // The token lease started on. LeaseStarted *string `json:"leaseStarted,omitempty" tf:"lease_started,omitempty"` + // Metadata to be set on this token // Metadata to be associated with the token. Metadata map[string]*string `json:"metadata,omitempty" tf:"metadata,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. 
+ // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Flag to not attach the default policy to this token // Flag to disable the default policy. NoDefaultPolicy *bool `json:"noDefaultPolicy,omitempty" tf:"no_default_policy,omitempty"` + // Flag to create a token without parent // Flag to create a token without parent. NoParent *bool `json:"noParent,omitempty" tf:"no_parent,omitempty"` + // The number of allowed uses of this token // The number of allowed uses of the token. NumUses *float64 `json:"numUses,omitempty" tf:"num_uses,omitempty"` + // The period of this token // The period of the token. Period *string `json:"period,omitempty" tf:"period,omitempty"` + // List of policies to attach to this token // List of policies. Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` + // The renew increment // The renew increment. RenewIncrement *float64 `json:"renewIncrement,omitempty" tf:"renew_increment,omitempty"` + // The minimal lease to renew this token // The minimum lease to renew token. RenewMinLease *float64 `json:"renewMinLease,omitempty" tf:"renew_min_lease,omitempty"` + // Flag to allow to renew this token // Flag to allow the token to be renewed Renewable *bool `json:"renewable,omitempty" tf:"renewable,omitempty"` + // The token role name // The token role name. RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"` + // The TTL period of this token // The TTL period of the token. TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` + // The TTL period of this token // The TTL period of the wrapped token. WrappingTTL *string `json:"wrappingTtl,omitempty" tf:"wrapping_ttl,omitempty"` } type TokenParameters struct { + // String containing the token display name // The display name of the token. 
// +kubebuilder:validation:Optional DisplayName *string `json:"displayName,omitempty" tf:"display_name,omitempty"` + // The explicit max TTL of this token // The explicit max TTL of the token. // +kubebuilder:validation:Optional ExplicitMaxTTL *string `json:"explicitMaxTtl,omitempty" tf:"explicit_max_ttl,omitempty"` + // Metadata to be set on this token // Metadata to be associated with the token. // +kubebuilder:validation:Optional Metadata map[string]*string `json:"metadata,omitempty" tf:"metadata,omitempty"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Flag to not attach the default policy to this token // Flag to disable the default policy. // +kubebuilder:validation:Optional NoDefaultPolicy *bool `json:"noDefaultPolicy,omitempty" tf:"no_default_policy,omitempty"` + // Flag to create a token without parent // Flag to create a token without parent. // +kubebuilder:validation:Optional NoParent *bool `json:"noParent,omitempty" tf:"no_parent,omitempty"` + // The number of allowed uses of this token // The number of allowed uses of the token. // +kubebuilder:validation:Optional NumUses *float64 `json:"numUses,omitempty" tf:"num_uses,omitempty"` + // The period of this token // The period of the token. // +kubebuilder:validation:Optional Period *string `json:"period,omitempty" tf:"period,omitempty"` + // List of policies to attach to this token // List of policies. // +kubebuilder:validation:Optional Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` + // The renew increment // The renew increment. 
// +kubebuilder:validation:Optional RenewIncrement *float64 `json:"renewIncrement,omitempty" tf:"renew_increment,omitempty"` + // The minimal lease to renew this token // The minimum lease to renew token. // +kubebuilder:validation:Optional RenewMinLease *float64 `json:"renewMinLease,omitempty" tf:"renew_min_lease,omitempty"` + // Flag to allow to renew this token // Flag to allow the token to be renewed // +kubebuilder:validation:Optional Renewable *bool `json:"renewable,omitempty" tf:"renewable,omitempty"` + // The token role name // The token role name. // +kubebuilder:validation:Optional RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"` + // The TTL period of this token // The TTL period of the token. // +kubebuilder:validation:Optional TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` + // The TTL period of this token // The TTL period of the wrapped token. // +kubebuilder:validation:Optional WrappingTTL *string `json:"wrappingTtl,omitempty" tf:"wrapping_ttl,omitempty"` 
@@ -136,6 +240,18 @@ type TokenParameters struct { type TokenSpec struct { v1.ResourceSpec `json:",inline"` ForProvider TokenParameters `json:"forProvider"` + // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored + // unless the relevant Crossplane feature flag is enabled, and may be + // changed or removed without notice. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider TokenInitParameters `json:"initProvider,omitempty"` } // TokenStatus defines the observed state of Token. @@ -146,7 +262,7 @@ type TokenStatus struct { // +kubebuilder:object:root=true -// Token is the Schema for the Tokens API. +// Token is the Schema for the Tokens API. Writes token for Vault // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" diff --git a/cmd/provider/main.go b/cmd/provider/main.go index dc100b6b..052c9d37 100644 --- a/cmd/provider/main.go +++ b/cmd/provider/main.go 
@@ -12,10 +12,12 @@ import ( xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1" xpcontroller "github.com/crossplane/crossplane-runtime/pkg/controller" + "github.com/crossplane/crossplane-runtime/pkg/feature" "github.com/crossplane/crossplane-runtime/pkg/logging" "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/resource" tjcontroller "github.com/upbound/upjet/pkg/controller" + "github.com/upbound/upjet/pkg/controller/handler" "github.com/upbound/upjet/pkg/terraform" "gopkg.in/alecthomas/kingpin.v2" kerrors "k8s.io/apimachinery/pkg/api/errors" 
@@ -34,14 +36,15 @@ import ( func main() { var ( - app = kingpin.New(filepath.Base(os.Args[0]), "Terraform based Crossplane provider for Vault").DefaultEnvars() - debug = app.Flag("debug", "Run with debug logging.").Short('d').Bool() - syncPeriod = app.Flag("sync", "Controller manager sync period such as 300ms, 1.5h, or 2h45m").Short('s').Default("1h").Duration() - leaderElection = app.Flag("leader-election", "Use leader election for the controller manager.").Short('l').Default("false").OverrideDefaultFromEnvar("LEADER_ELECTION").Bool() - terraformVersion = app.Flag("terraform-version", "Terraform version.").Required().Envar("TERRAFORM_VERSION").String() - providerSource = app.Flag("terraform-provider-source", "Terraform provider source.").Required().Envar("TERRAFORM_PROVIDER_SOURCE").String() - providerVersion = app.Flag("terraform-provider-version", "Terraform provider version.").Required().Envar("TERRAFORM_PROVIDER_VERSION").String() - maxReconcileRate = app.Flag("max-reconcile-rate", "The global maximum rate per second at which resources may checked for drift from the desired state.").Default("10").Int() + app = kingpin.New(filepath.Base(os.Args[0]), "Terraform based Crossplane provider for Vault").DefaultEnvars() + debug = app.Flag("debug", "Run with debug logging.").Short('d').Bool() + syncPeriod = app.Flag("sync", "Controller manager sync period such as 300ms, 1.5h, or 2h45m").Short('s').Default("1h").Duration() + pollInterval = app.Flag("poll", "Poll interval controls how often an individual resource should be checked for drift.").Default("10m").Duration() + leaderElection = app.Flag("leader-election", "Use leader election for the controller manager.").Short('l').Default("false").OverrideDefaultFromEnvar("LEADER_ELECTION").Bool() + maxReconcileRate = app.Flag("max-reconcile-rate", "The global maximum rate per second at which resources may checked for drift from the desired state.").Default("10").Int() + nativeProviderSource = 
app.Flag("terraform-provider-source", "Terraform provider source.").Required().Envar("TERRAFORM_PROVIDER_SOURCE").String() + terraformVersion = app.Flag("terraform-version", "Terraform version.").Required().Envar("TERRAFORM_VERSION").String() + providerVersion = app.Flag("terraform-provider-version", "Terraform provider version.").Required().Envar("TERRAFORM_PROVIDER_VERSION").String() namespace = app.Flag("namespace", "Namespace used to set as default scope in default secret store config.").Default("upbound-system").Envar("POD_NAMESPACE").String() enableExternalSecretStores = app.Flag("enable-external-secret-stores", "Enable support for ExternalSecretStores.").Default("false").Envar("ENABLE_EXTERNAL_SECRET_STORES").Bool() @@ -59,7 +62,7 @@ func main() { ctrl.SetLogger(zl) } - log.Debug("Starting", "sync-period", syncPeriod.String()) + log.Debug("Starting", "sync-period", syncPeriod.String(), "poll-interval", pollInterval.String(), "max-reconcile-rate", *maxReconcileRate) cfg, err := ctrl.GetConfig() kingpin.FatalIfError(err, "Cannot get API server rest config") 
@@ -74,18 +77,20 @@ func main() {
 	})
 	kingpin.FatalIfError(err, "Cannot create controller manager")
 	kingpin.FatalIfError(apis.AddToScheme(mgr.GetScheme()), "Cannot add Vault APIs to scheme")
+
+	featureFlags := &feature.Flags{}
 	o := tjcontroller.Options{
 		Options: xpcontroller.Options{
 			Logger: log,
 			GlobalRateLimiter: ratelimiter.NewGlobal(*maxReconcileRate),
-			PollInterval: 1 * time.Minute,
-			MaxConcurrentReconciles: 1,
+			PollInterval: *pollInterval,
+			MaxConcurrentReconciles: *maxReconcileRate,
+			Features: featureFlags,
 		},
-		Provider: config.GetProvider(),
-		// use the following WorkspaceStoreOption to enable the shared gRPC mode
-		// terraform.WithProviderRunner(terraform.NewSharedProvider(log, os.Getenv("TERRAFORM_NATIVE_PROVIDER_PATH"), terraform.WithNativeProviderArgs("-debuggable")))
-		WorkspaceStore: terraform.NewWorkspaceStore(log),
-		SetupFn: clients.TerraformSetupBuilder(*terraformVersion, *providerSource, *providerVersion),
+		Provider: config.GetProvider(),
+		SetupFn: clients.TerraformSetupBuilder(*terraformVersion, *nativeProviderSource, *providerVersion),
+		WorkspaceStore: terraform.NewWorkspaceStore(log, terraform.WithFeatures(featureFlags)),
+		EventHandler: handler.NewEventHandler(),
 	}
 
 	if *enableExternalSecretStores {
diff --git a/config/provider-metadata.yaml b/config/provider-metadata.yaml
index f5ee08b6..7c77a246 100644
--- a/config/provider-metadata.yaml
+++ b/config/provider-metadata.yaml
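Review bot: `featureFlags := &feature.Flags{}` is handed to both `Options.Features` and `terraform.WithFeatures`, but nothing in this hunk ever enables a feature, so every flag-gated behaviour (including the alpha `initProvider` handling that the same change documents as "not honored unless the relevant Crossplane feature flag is enabled") stays silently off. Off-by-default is the right security posture for alpha code paths, but as written it reads like unfinished wiring; either add the CLI switch that turns the intended feature on (crossplane-runtime's `feature.Flags` exposes an `Enable` method for this, as far as I recall) or make the intent explicit with `featureFlags := &feature.Flags{} // no alpha features enabled; initProvider and other gated behaviour stay off`. Separately, `MaxConcurrentReconciles: *maxReconcileRate` reuses a flag whose help text describes a per-second drift-check rate as the reconcile worker count; `--poll` got its own flag and description, so the concurrency setting deserves either its own flag or a comment stating the two are deliberately tied. main continues outside the hunk.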
@@ -41,11 +41,22 @@ resources: uri_sans: '- (Optional) List of alternative URIs' use_csr_values: '- (Optional) Preserve CSR values' importStatements: [] - vault_ad_secret_backend resource: + vault_ad_secret_backend: subCategory: "" description: Creates an Active Directory secret backend for Vault. - name: vault_ad_secret_backend resource + name: vault_ad_secret_backend title: vault_ad_secret_backend resource + examples: + - name: config + manifest: |- + { + "backend": "ad", + "binddn": "CN=Administrator,CN=Users,DC=corp,DC=example,DC=net", + "bindpass": "SuperSecretPassw0rd", + "insecure_tls": "true", + "url": "ldaps://ad", + "userdn": "CN=Users,DC=corp,DC=example,DC=net" + } argumentDocs: anonymous_group_search: |- - (Optional) Use anonymous binds when performing LDAP group searches @@ -153,11 +164,32 @@ resources: - (Optional) The password time-to-live in seconds. Defaults to the configuration ttl if not provided. importStatements: [] - vault_ad_secret_role resource: + vault_ad_secret_role: subCategory: "" description: Creates a role on the Active Directory Secret Backend for Vault. - name: vault_ad_secret_role resource + name: vault_ad_secret_role title: vault_ad_secret_role resource + examples: + - name: role + manifest: |- + { + "backend": "${vault_ad_secret_backend.config.backend}", + "role": "bob", + "service_account_name": "Bob", + "ttl": 60 + } + references: + backend: vault_ad_secret_backend.config.backend + dependencies: + vault_ad_secret_backend.config: |- + { + "backend": "ad", + "binddn": "CN=Administrator,CN=Users,DC=corp,DC=example,DC=net", + "bindpass": "SuperSecretPassw0rd", + "insecure_tls": "true", + "url": "ldaps://ad", + "userdn": "CN=Users,DC=corp,DC=example,DC=net" + } argumentDocs: backend: |- - (Required) The path the AD secret backend is mounted at, 
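Review bot: The new `config` example for `vault_ad_secret_backend` ships `"insecure_tls": "true"` next to `"url": "ldaps://ad"` and a literal `"bindpass": "SuperSecretPassw0rd"`, i.e. an LDAPS bind that skips server certificate verification, and the identical manifest is repeated verbatim as the dependency of the `vault_ad_secret_role` example in the second hunk. Whatever is rendered from these examples is what users copy, so the shipped default hands the AD bind credential to anyone who can sit on the path to the domain controller. If this file is scraped from upstream registry docs, the fix belongs wherever the generator accepts example overrides; otherwise drop `insecure_tls` (or set it to `"false"`) and reference the AD CA via `certificate` instead, and replace the literal password with an obvious placeholder so it cannot be mistaken for a working value.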
@@ -179,11 +211,27 @@ resources: - (Optional) The password time-to-live in seconds. Defaults to the configuration ttl if not provided. importStatements: [] - vault_alicloud_auth_backend_role resource: + vault_alicloud_auth_backend_role: subCategory: "" description: Managing roles in an AliCloud auth backend in Vault - name: vault_alicloud_auth_backend_role resource + name: vault_alicloud_auth_backend_role title: vault_alicloud_auth_backend_role resource + examples: + - name: alicloud + manifest: |- + { + "arn": "acs:ram:123456:tf:role/foobar", + "backend": "${vault_auth_backend.alicloud.path}", + "role": "example" + } + references: + backend: vault_auth_backend.alicloud.path + dependencies: + vault_auth_backend.alicloud: |- + { + "path": "alicloud", + "type": "alicloud" + } argumentDocs: arn: '- (Required) The role''s arn.' backend: |- 
@@ -233,11 +281,43 @@ resources: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. importStatements: [] - vault_approle_auth_backend_login resource: + vault_approle_auth_backend_login: subCategory: "" description: Log into Vault using the AppRole auth backend. - name: vault_approle_auth_backend_login resource + name: vault_approle_auth_backend_login title: vault_approle_auth_backend_login resource + examples: + - name: login + manifest: |- + { + "backend": "${vault_auth_backend.approle.path}", + "role_id": "${vault_approle_auth_backend_role.example.role_id}", + "secret_id": "${vault_approle_auth_backend_role_secret_id.id.secret_id}" + } + references: + backend: vault_auth_backend.approle.path + role_id: vault_approle_auth_backend_role.example.role_id + secret_id: vault_approle_auth_backend_role_secret_id.id.secret_id + dependencies: + vault_approle_auth_backend_role.example: |- + { + "backend": "${vault_auth_backend.approle.path}", + "role_name": "test-role", + "token_policies": [ + "default", + "dev", + "prod" + ] + } + vault_approle_auth_backend_role_secret_id.id: |- + { + "backend": "${vault_auth_backend.approle.path}", + "role_name": "${vault_approle_auth_backend_role.example.role_name}" + } + vault_auth_backend.approle: |- + { + "type": "approle" + } argumentDocs: accessor: '- The accessor for the token.' backend: '- The unique path of the Vault backend to log in with.' 
@@ -257,11 +337,30 @@ resources: - (Optional) The secret ID of the role to log in with. Required unless bind_secret_id is set to false on the role. importStatements: [] - vault_approle_auth_backend_role resource: + vault_approle_auth_backend_role: subCategory: "" description: Manages AppRole auth backend roles in Vault. - name: vault_approle_auth_backend_role resource + name: vault_approle_auth_backend_role title: vault_approle_auth_backend_role resource + examples: + - name: example + manifest: |- + { + "backend": "${vault_auth_backend.approle.path}", + "role_name": "test-role", + "token_policies": [ + "default", + "dev", + "prod" + ] + } + references: + backend: vault_auth_backend.approle.path + dependencies: + vault_auth_backend.approle: |- + { + "type": "approle" + } argumentDocs: backend: |- - (Optional) The unique name of the auth backend to configure. 
@@ -324,11 +423,37 @@ resources: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. importStatements: [] - vault_approle_auth_backend_role_secret_id resource: + vault_approle_auth_backend_role_secret_id: subCategory: "" description: Manages AppRole auth backend role SecretIDs in Vault. - name: vault_approle_auth_backend_role_secret_id resource + name: vault_approle_auth_backend_role_secret_id title: vault_approle_auth_backend_role_secret_id resource + examples: + - name: id + manifest: |- + { + "backend": "${vault_auth_backend.approle.path}", + "metadata": "${jsonencode(\n {\n \"hello\" = \"world\"\n }\n )}", + "role_name": "${vault_approle_auth_backend_role.example.role_name}" + } + references: + backend: vault_auth_backend.approle.path + role_name: vault_approle_auth_backend_role.example.role_name + dependencies: + vault_approle_auth_backend_role.example: |- + { + "backend": "${vault_auth_backend.approle.path}", + "role_name": "test-role", + "token_policies": [ + "default", + "dev", + "prod" + ] + } + vault_auth_backend.approle: |- + { + "type": "approle" + } argumentDocs: accessor: '- The unique ID for this SecretID that can be safely logged.' cidr_list: |- 
@@ -360,11 +485,32 @@ resources: and available for the duration specified. Only a single unwrapping of the token is allowed. importStatements: [] - vault_audit resource: + vault_audit: subCategory: "" description: Writes audit backends for Vault - name: vault_audit resource + name: vault_audit title: vault_audit resource + examples: + - name: test + manifest: |- + { + "options": { + "file_path": "C:/temp/audit.txt" + }, + "type": "file" + } + - name: test + manifest: |- + { + "local": false, + "options": { + "address": "127.0.0.1:8000", + "description": "application x socket", + "socket_type": "tcp" + }, + "path": "app_socket", + "type": "socket" + } argumentDocs: description: '- (Optional) Human-friendly description of the audit device.' local: '- (Optional) Specifies if the audit device is a local only. Local audit devices are not replicated nor (if a secondary) removed by replication.' 
@@ -377,15 +523,106 @@ resources: path: '- (optional) The path to mount the audit device. This defaults to the type.' type: '- (Required) Type of the audit device, such as ''file''.' importStatements: [] - vault_audit_request_header resource: + vault_audit_request_header: subCategory: "" description: Manages audited request headers in Vault - name: vault_audit_request_header resource + name: vault_audit_request_header title: vault_audit_request_header resource + examples: + - name: x_forwarded_for + manifest: |- + { + "hmac": false, + "name": "X-Forwarded-For" + } argumentDocs: hmac: '- (Optional) Whether this header''s value should be HMAC''d in the audit logs.' name: '- (Required) The name of the request header to audit.' importStatements: [] + vault_auth_backend: + subCategory: "" + description: Managing roles in an Cert auth backend in Vault + name: vault_auth_backend + title: vault_auth_backend resource + examples: + - name: cert + manifest: |- + { + "path": "cert", + "type": "cert" + } + dependencies: + vault_cert_auth_backend_role.cert: |- + { + "allowed_names": [ + "foo.example.org", + "baz.example.org" + ], + "backend": "${vault_auth_backend.cert.path}", + "certificate": "${file(\"/path/to/certs/ca-cert.pem\")}", + "name": "foo", + "token_max_ttl": 600, + "token_policies": [ + "foo" + ], + "token_ttl": 300 + } + argumentDocs: + allowed_common_names: '- (Optional) Allowed the common names for authenticated client certificates' + allowed_dns_sans: '- (Optional) Allowed alternative dns names for authenticated client certificates' + allowed_email_sans: '- (Optional) Allowed emails for authenticated client certificates' + allowed_names: '- (Optional) Allowed subject names for authenticated client certificates' + allowed_organization_units: ', please update accordingly' + allowed_organizational_units: |- + - (Optional) Allowed organization units for authenticated client certificates. 
+ In previous provider releases this field was incorrectly named + allowed_uri_sans: '- (Optional) Allowed URIs for authenticated client certificates' + backend: '- (Optional) Path to the mounted Cert auth backend' + certificate: '- (Required) CA certificate used to validate client certificates' + display_name: '- (Optional) The name to display on tokens issued under this role.' + name: '- (Required) Name of the role' + namespace: |- + - (Optional) The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + required_extensions: '- (Optional) TLS extensions required on client certificates' + token_bound_cidrs: |- + - (Optional) List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + token_explicit_max_ttl: |- + - (Optional) If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + token_max_ttl: |- + - (Optional) The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + token_no_default_policy: |- + - (Optional) If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + token_num_uses: |- + - (Optional) The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + token_period: |- + - (Optional) If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. 
+ token_policies: |- + - (Optional) List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + token_ttl: |- + - (Optional) The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + token_type: |- + - (Optional) The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + importStatements: [] vault_auth_backend resource: subCategory: "" description: Managing Okta auth backends in Vault @@ -457,11 +694,24 @@ resources: policies: '- (Optional) List of Vault policies to associate with this user' username: '- (Required Optional) Name of the user within Okta' importStatements: [] - vault_aws_auth_backend_cert resource: + vault_aws_auth_backend_cert: subCategory: "" description: Manages a certificate for an AWS Auth Backend in Vault. - name: vault_aws_auth_backend_cert resource + name: vault_aws_auth_backend_cert title: vault_aws_auth_backend_cert resource + examples: + - name: cert + manifest: |- + { + "backend": "${vault_auth_backend.aws.path}" + } + references: + backend: vault_auth_backend.aws.path + dependencies: + vault_auth_backend.aws: |- + { + "type": "aws" + } argumentDocs: aws_public_cert: |- - (Required) The Base64 encoded AWS Public key required to 
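Review bot: The new `vault_auth_backend:` entry in the `@@ -377,15 +523,106 @@` hunk appears mis-keyed: its description (`Managing roles in an Cert auth backend in Vault`), its dependency (`vault_cert_auth_backend_role.cert`) and its argumentDocs (`certificate`, `allowed_names`, `required_extensions`, the `token_*` role settings) describe the cert auth role resource rather than the `vault_auth_backend` mount, while the pre-existing `vault_auth_backend resource:` block (Okta) that follows is left as a second, differently keyed entry for the same resource name. Anything that consumes this metadata for docs or example generation will attach cert-role arguments, including the CA-validation and CIDR-binding settings, to the wrong resource. `allowed_organization_units: ', please update accordingly'` is also a truncated sentence, seemingly the tail of the `allowed_organizational_units` deprecation note split on the field name. If this file is regenerated, fix the heading the scraper keys on; otherwise key this block as the cert role resource and reconcile the two `vault_auth_backend` entries.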
@@ -482,11 +732,26 @@ resources: document which can be verified using the given certificate. Defaults to "pkcs7". importStatements: [] - vault_aws_auth_backend_client resource: + vault_aws_auth_backend_client: subCategory: "" description: Configures the client used by an AWS Auth Backend in Vault. - name: vault_aws_auth_backend_client resource + name: vault_aws_auth_backend_client title: vault_aws_auth_backend_client resource + examples: + - name: example + manifest: |- + { + "access_key": "INSERT_AWS_ACCESS_KEY", + "backend": "${vault_auth_backend.example.path}", + "secret_key": "INSERT_AWS_SECRET_KEY" + } + references: + backend: vault_auth_backend.example.path + dependencies: + vault_auth_backend.example: |- + { + "type": "aws" + } argumentDocs: access_key: |- - (Optional) The AWS access key that Vault should use for the @@ -519,11 +784,29 @@ resources: - (Optional) Override the default region when making STS API calls. The sts_endpoint argument must be set when using sts_region. importStatements: [] - vault_aws_auth_backend_config_identity resource: + vault_aws_auth_backend_config_identity: subCategory: "" description: Manages AWS auth backend identity configuration in Vault. - name: vault_aws_auth_backend_config_identity resource + name: vault_aws_auth_backend_config_identity title: vault_aws_auth_backend_config_identity resource + examples: + - name: example + manifest: |- + { + "backend": "${vault_auth_backend.aws.path}", + "iam_alias": "full_arn", + "iam_metadata": [ + "canonical_arn", + "account_id" + ] + } + references: + backend: vault_auth_backend.aws.path + dependencies: + vault_auth_backend.aws: |- + { + "type": "aws" + } argumentDocs: ec2_alias: |- - (Optional) How to generate the identity alias when using the ec2 auth method. Valid choices are 
@@ -543,11 +826,25 @@ resources: The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. importStatements: [] - vault_aws_auth_backend_identity_whitelist resource: + vault_aws_auth_backend_identity_whitelist: subCategory: "" description: Configures the periodic tidying operation of the whitelisted identity entries. - name: vault_aws_auth_backend_identity_whitelist resource + name: vault_aws_auth_backend_identity_whitelist title: vault_aws_auth_backend_identity_whitelist resource + examples: + - name: example + manifest: |- + { + "backend": "${vault_auth_backend.example.path}", + "safety_buffer": 3600 + } + references: + backend: vault_auth_backend.example.path + dependencies: + vault_auth_backend.example: |- + { + "type": "aws" + } argumentDocs: backend: '- (Optional) The path of the AWS backend being configured.' disable_periodic_tidy: |- 
@@ -563,11 +860,58 @@ resources: have passed beyond the roletag expiration, before it is removed from the backend storage. importStatements: [] - vault_aws_auth_backend_login resource: + vault_aws_auth_backend_login: subCategory: "" description: Manages Vault tokens acquired using the AWS auth backend. - name: vault_aws_auth_backend_login resource + name: vault_aws_auth_backend_login title: vault_aws_auth_backend_login resource + examples: + - name: example + manifest: |- + { + "backend": "${vault_auth_backend.example.path}", + "identity": "BASE64ENCODEDIDENTITYDOCUMENT", + "role": "${vault_aws_auth_backend_role.example.role}", + "signature": "BASE64ENCODEDSHA256IDENTITYDOCUMENTSIGNATURE" + } + references: + backend: vault_auth_backend.example.path + role: vault_aws_auth_backend_role.example.role + dependencies: + vault_auth_backend.aws: |- + { + "path": "aws", + "type": "aws" + } + vault_aws_auth_backend_client.example: |- + { + "access_key": "123456789012", + "backend": "${vault_auth_backend.aws.path}", + "secret_key": "AWSSECRETKEYGOESHERE" + } + vault_aws_auth_backend_role.example: |- + { + "auth_type": "ec2", + "backend": "${vault_auth_backend.aws.path}", + "bound_account_id": "123456789012", + "bound_ami_id": "ami-8c1be5f6", + "bound_iam_instance_profile_arns": [ + "arn:aws:iam::123456789012:instance-profile/MyProfile" + ], + "bound_subnet_id": "vpc-133128f1", + "bound_vpc_id": "vpc-b61106d4", + "depends_on": [ + "vault_aws_auth_backend_client.example" + ], + "max_ttl": 120, + "role": "test-role", + "token_policies": [ + "default", + "dev", + "prod" + ], + "ttl": 60 + } argumentDocs: accessor: '- The token''s accessor.' auth_type: '- The authentication type used to generate this token.' 
@@ -623,11 +967,53 @@ resources: instance identity document to authenticate with, with all newline characters removed. Can be retrieved from the EC2 metadata server. importStatements: [] - vault_aws_auth_backend_role resource: + vault_aws_auth_backend_role: subCategory: "" description: Manages AWS auth backend roles in Vault. - name: vault_aws_auth_backend_role resource + name: vault_aws_auth_backend_role title: vault_aws_auth_backend_role resource + examples: + - name: example + manifest: |- + { + "auth_type": "iam", + "backend": "${vault_auth_backend.aws.path}", + "bound_account_ids": [ + "123456789012" + ], + "bound_ami_ids": [ + "ami-8c1be5f6" + ], + "bound_iam_instance_profile_arns": [ + "arn:aws:iam::123456789012:instance-profile/MyProfile" + ], + "bound_iam_role_arns": [ + "arn:aws:iam::123456789012:role/MyRole" + ], + "bound_subnet_ids": [ + "vpc-133128f1" + ], + "bound_vpc_ids": [ + "vpc-b61106d4" + ], + "inferred_aws_region": "us-east-1", + "inferred_entity_type": "ec2_instance", + "role": "test-role", + "token_max_ttl": 120, + "token_policies": [ + "default", + "dev", + "prod" + ], + "token_ttl": 60 + } + references: + backend: vault_auth_backend.aws.path + dependencies: + vault_auth_backend.aws: |- + { + "type": "aws" + } argumentDocs: allow_instance_migration: |- - (Optional) If set to true, allows migration of 
@@ -753,11 +1139,48 @@ resources: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. importStatements: [] - vault_aws_auth_backend_role_tag resource: + vault_aws_auth_backend_role_tag: subCategory: "" description: Reads role tags from a Vault AWS auth backend. - name: vault_aws_auth_backend_role_tag resource + name: vault_aws_auth_backend_role_tag title: vault_aws_auth_backend_role_tag resource + examples: + - name: test + manifest: |- + { + "backend": "${vault_auth_backend.aws.path}", + "instance_id": "i-1234567", + "max_ttl": "1h", + "policies": [ + "prod", + "dev", + "test" + ], + "role": "${vault_aws_auth_backend_role.role.role}" + } + references: + backend: vault_auth_backend.aws.path + role: vault_aws_auth_backend_role.role.role + dependencies: + vault_auth_backend.aws: |- + { + "path": "%s", + "type": "aws" + } + vault_aws_auth_backend_role.role: |- + { + "auth_type": "ec2", + "backend": "${vault_auth_backend.aws.path}", + "bound_account_id": "123456789012", + "policies": [ + "dev", + "prod", + "qa", + "test" + ], + "role": "%s", + "role_tag": "VaultRoleTag" + } argumentDocs: allow_instance_migration: '- (Optional) If set, allows migration of the underlying instances where the client resides. Use with caution.' backend: |- 
@@ -778,11 +1201,25 @@ resources: tag_key: '- The key of the role tag.' tag_value: '- The value to set the role key.' importStatements: [] - vault_aws_auth_backend_roletag_blacklist resource: + vault_aws_auth_backend_roletag_blacklist: subCategory: "" description: Configures the periodic tidying operation of the blacklisted role tag entries. - name: vault_aws_auth_backend_roletag_blacklist resource + name: vault_aws_auth_backend_roletag_blacklist title: vault_aws_auth_backend_roletag_blacklist resource + examples: + - name: example + manifest: |- + { + "backend": "${vault_auth_backend.example.path}", + "safety_buffer": 360 + } + references: + backend: vault_auth_backend.example.path + dependencies: + vault_auth_backend.example: |- + { + "type": "aws" + } argumentDocs: backend: |- - (Required) The path the AWS auth backend being configured was @@ -800,11 +1237,26 @@ resources: beyond the roletag expiration, before it is removed from the backend storage. Defaults to 259,200 seconds, or 72 hours. importStatements: [] - vault_aws_auth_backend_sts_role resource: + vault_aws_auth_backend_sts_role: subCategory: "" description: Configures an STS role in the Vault AWS Auth backend. - name: vault_aws_auth_backend_sts_role resource + name: vault_aws_auth_backend_sts_role title: vault_aws_auth_backend_sts_role resource + examples: + - name: role + manifest: |- + { + "account_id": "1234567890", + "backend": "${vault_auth_backend.aws.path}", + "sts_role": "arn:aws:iam::1234567890:role/my-role" + } + references: + backend: vault_auth_backend.aws.path + dependencies: + vault_auth_backend.aws: |- + { + "type": "aws" + } argumentDocs: account_id: '- (Optional) The AWS account ID to configure the STS role for.' backend: |- 
@@ -819,11 +1271,18 @@ resources: - (Optional) The STS role to assume when verifying requests made by EC2 instances in the account specified by account_id. importStatements: [] - vault_aws_secret_backend resource: + vault_aws_secret_backend: subCategory: "" description: Creates an AWS secret backend for Vault. - name: vault_aws_secret_backend resource + name: vault_aws_secret_backend title: vault_aws_secret_backend resource + examples: + - name: aws + manifest: |- + { + "access_key": "AKIA.....", + "secret_key": "AWS secret key" + } argumentDocs: access_key: |- - (Optional) The AWS Access Key ID this backend should use to @@ -854,11 +1313,28 @@ resources: sts_endpoint: '- (Optional) Specifies a custom HTTP STS endpoint to use.' username_template: '- (Optional) Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:' importStatements: [] - vault_aws_secret_backend_role resource: + vault_aws_secret_backend_role: subCategory: "" description: Creates a role on an AWS Secret Backend for Vault. - name: vault_aws_secret_backend_role resource + name: vault_aws_secret_backend_role title: vault_aws_secret_backend_role resource + examples: + - name: role + manifest: |- + { + "backend": "${vault_aws_secret_backend.aws.path}", + "credential_type": "iam_user", + "name": "deploy", + "policy_document": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": \"iam:*\",\n \"Resource\": \"*\"\n }\n ]\n}\n" + } + references: + backend: vault_aws_secret_backend.aws.path + dependencies: + vault_aws_secret_backend.aws: |- + { + "access_key": "AKIA.....", + "secret_key": "AWS secret key" + } argumentDocs: backend: |- - (Required) The path the AWS secret backend is mounted at, 
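Review bot: The `role` example for `vault_aws_secret_backend_role` in the second hunk carries a `policy_document` granting `"Action": "iam:*"` on `"Resource": "*"`, so every credential Vault mints from that role is a full IAM administrator. Shipped examples get copied as-is into real manifests; this one should be scoped to a least-privilege statement for the `deploy` use case it names, or the manifest should carry a visible note that the policy is a placeholder to be replaced. If the examples are scraped from upstream docs, the override belongs in the generator's example fix-up step rather than in this file.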
@@ -919,11 +1395,28 @@ resources: - (Optional) The path for the user name. Valid only when credential_type is iam_user. Default is /. importStatements: [] - vault_azure_auth_backend_config resource: + vault_azure_auth_backend_config: subCategory: "" description: Configures the Azure Auth Backend in Vault. - name: vault_azure_auth_backend_config resource + name: vault_azure_auth_backend_config title: vault_azure_auth_backend_config resource + examples: + - name: example + manifest: |- + { + "backend": "${vault_auth_backend.example.path}", + "client_id": "11111111-2222-3333-4444-555555555555", + "client_secret": "01234567890123456789", + "resource": "https://vault.hashicorp.com", + "tenant_id": "11111111-2222-3333-4444-555555555555" + } + references: + backend: vault_auth_backend.example.path + dependencies: + vault_auth_backend.example: |- + { + "type": "azure" + } argumentDocs: backend: |- - (Optional) The path the Azure auth backend being configured was @@ -950,11 +1443,38 @@ resources: - (Required) The tenant id for the Azure Active Directory organization. importStatements: [] - vault_azure_auth_backend_role resource: + vault_azure_auth_backend_role: subCategory: "" description: Manages Azure auth backend roles in Vault. - name: vault_azure_auth_backend_role resource + name: vault_azure_auth_backend_role title: vault_azure_auth_backend_role resource + examples: + - name: example + manifest: |- + { + "backend": "${vault_auth_backend.azure.path}", + "bound_resource_groups": [ + "123456789012" + ], + "bound_subscription_ids": [ + "11111111-2222-3333-4444-555555555555" + ], + "role": "test-role", + "token_max_ttl": 120, + "token_policies": [ + "default", + "dev", + "prod" + ], + "token_ttl": 60 + } + references: + backend: vault_auth_backend.azure.path + dependencies: + vault_auth_backend.azure: |- + { + "type": "azure" + } argumentDocs: bound_group_ids: |- - (Optional) If set, defines a constraint on the groups 
@@ -1022,11 +1542,32 @@ resources: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. importStatements: [] - vault_azure_secret_backend resource: + vault_azure_secret_backend: subCategory: "" description: Creates an azure secret backend for Vault. - name: vault_azure_secret_backend resource + name: vault_azure_secret_backend title: vault_azure_secret_backend resource + examples: + - name: azure + manifest: |- + { + "client_id": "11111111-2222-3333-4444-333333333333", + "client_secret": "12345678901234567890", + "environment": "AzurePublicCloud", + "subscription_id": "11111111-2222-3333-4444-111111111111", + "tenant_id": "11111111-2222-3333-4444-222222222222", + "use_microsoft_graph_api": true + } + - name: azure + manifest: |- + { + "client_id": "11111111-2222-3333-4444-333333333333", + "client_secret": "12345678901234567890", + "environment": "AzurePublicCloud", + "subscription_id": "11111111-2222-3333-4444-111111111111", + "tenant_id": "11111111-2222-3333-4444-222222222222", + "use_microsoft_graph_api": false + } argumentDocs: client_id: (string:"") - The OAuth2 client id to connect to Azure. client_secret: (string:"") - The OAuth2 client secret to connect to Azure. 
@@ -1047,11 +1588,55 @@ resources: the Microsoft Graph API. This parameter has been deprecated and will be ignored in vault-1.12+. For more information, please refer to the Vault docs importStatements: [] - vault_azure_secret_backend_role resource: + vault_azure_secret_backend_role: subCategory: "" description: Creates an azure secret backend role for Vault. - name: vault_azure_secret_backend_role resource + name: vault_azure_secret_backend_role title: vault_azure_secret_backend_role resource + examples: + - name: generated_role + manifest: |- + { + "azure_roles": [ + { + "role_name": "Reader", + "scope": "/subscriptions/${var.subscription_id}/resourceGroups/azure-vault-group" + } + ], + "backend": "${vault_azure_secret_backend.azure.path}", + "max_ttl": 600, + "role": "generated_role", + "ttl": 300 + } + references: + backend: vault_azure_secret_backend.azure.path + dependencies: + vault_azure_secret_backend.azure: |- + { + "client_id": "${var.client_id}", + "client_secret": "${var.client_secret}", + "subscription_id": "${var.subscription_id}", + "tenant_id": "${var.tenant_id}" + } + - name: existing_object_id + manifest: |- + { + "application_object_id": "11111111-2222-3333-4444-44444444444", + "backend": "${vault_azure_secret_backend.azure.path}", + "max_ttl": 600, + "role": "existing_object_id", + "ttl": 300 + } + references: + backend: vault_azure_secret_backend.azure.path + dependencies: + vault_azure_secret_backend.azure: |- + { + "client_id": "${var.client_id}", + "client_secret": "${var.client_secret}", + "subscription_id": "${var.subscription_id}", + "tenant_id": "${var.tenant_id}" + } argumentDocs: application_object_id: |- - Application Object ID for an existing service principal that will 
@@ -1072,11 +1657,28 @@ resources: – (Optional) Specifies the default TTL for service principals generated using this role. Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. importStatements: [] - vault_consul_secret_backend resource: + vault_consul_secret_backend: subCategory: "" description: Creates a Consul secret backend for Vault. - name: vault_consul_secret_backend resource + name: vault_consul_secret_backend title: vault_consul_secret_backend resource + examples: + - name: test + manifest: |- + { + "address": "127.0.0.1:8500", + "description": "Manages the Consul backend", + "path": "consul", + "token": "4240861b-ce3d-8530-115a-521ff070dd29" + } + - name: test + manifest: |- + { + "address": "127.0.0.1:8500", + "bootstrap": true, + "description": "Bootstrap the Consul backend", + "path": "consul" + } argumentDocs: address: '- (Required) Specifies the address of the Consul instance, provided as "host:port" like "127.0.0.1:8500".' bootstrap: '- (Optional) Denotes that the resource is used to bootstrap the Consul ACL system.' 
@@ -1109,11 +1711,31 @@ resources: - (Optional) The Consul management token this backend should use to issue new tokens. This field is required when bootstrap is false. importStatements: [] - vault_consul_secret_backend_role resource: + vault_consul_secret_backend_role: subCategory: "" description: Manages a Consul secrets role for a Consul secrets engine in Vault. - name: vault_consul_secret_backend_role resource + name: vault_consul_secret_backend_role title: vault_consul_secret_backend_role resource + examples: + - name: example + manifest: |- + { + "backend": "${vault_consul_secret_backend.test.path}", + "consul_policies": [ + "example-policy" + ], + "name": "test-role" + } + references: + backend: vault_consul_secret_backend.test.path + dependencies: + vault_consul_secret_backend.test: |- + { + "address": "127.0.0.1:8500", + "description": "Manages the Consul backend", + "path": "consul", + "token": "4240861b-ce3d-8530-115a-521ff070dd29" + } argumentDocs: backend: '- (Optional) The unique name of an existing Consul secrets backend mount. Must not begin or end with a /. One of path or backend is required.' consul_namespace: |- 
@@ -1149,11 +1771,35 @@ resources: Deprecated: Consul 1.11 and later removed the legacy ACL system which supported this field. ttl: '- (Optional) Specifies the TTL for this role.' importStatements: [] - vault_database_secret_backend_connection resource: + vault_database_secret_backend_connection: subCategory: "" description: Configures a database secret backend connection for Vault. - name: vault_database_secret_backend_connection resource + name: vault_database_secret_backend_connection title: vault_database_secret_backend_connection resource + examples: + - name: postgres + manifest: |- + { + "allowed_roles": [ + "dev", + "prod" + ], + "backend": "${vault_mount.db.path}", + "name": "postgres", + "postgresql": [ + { + "connection_url": "postgres://username:password@host:port/database" + } + ] + } + references: + backend: vault_mount.db.path + dependencies: + vault_mount.db: |- + { + "path": "postgres", + "type": "database" + } argumentDocs: allowed_roles: |- - (Optional) A list of roles that are allowed to use this 
@@ -1244,11 +1890,45 @@ resources: - (Optional) Whether the connection should be verified on initial configuration or not. importStatements: [] - vault_database_secret_backend_role resource: + vault_database_secret_backend_role: subCategory: "" description: Configures a database secret backend role for Vault. - name: vault_database_secret_backend_role resource + name: vault_database_secret_backend_role title: vault_database_secret_backend_role resource + examples: + - name: role + manifest: |- + { + "backend": "${vault_mount.db.path}", + "creation_statements": [ + "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';" + ], + "db_name": "${vault_database_secret_backend_connection.postgres.name}", + "name": "dev" + } + references: + backend: vault_mount.db.path + db_name: vault_database_secret_backend_connection.postgres.name + dependencies: + vault_database_secret_backend_connection.postgres: |- + { + "allowed_roles": [ + "dev", + "prod" + ], + "backend": "${vault_mount.db.path}", + "name": "postgres", + "postgresql": [ + { + "connection_url": "postgres://username:password@host:port/database" + } + ] + } + vault_mount.db: |- + { + "path": "postgres", + "type": "database" + } argumentDocs: backend: '- (Required) The unique name of the Vault mount to configure.' creation_statements: |- 
@@ -1279,11 +1959,46 @@ resources: - (Optional) The database statements to execute when rolling back creation due to an error. importStatements: [] - vault_database_secret_backend_static_role resource: + vault_database_secret_backend_static_role: subCategory: "" description: Configures a database secret backend static role for Vault. - name: vault_database_secret_backend_static_role resource + name: vault_database_secret_backend_static_role title: vault_database_secret_backend_static_role resource + examples: + - name: static_role + manifest: |- + { + "backend": "${vault_mount.db.path}", + "db_name": "${vault_database_secret_backend_connection.postgres.name}", + "name": "my-static-role", + "rotation_period": "3600", + "rotation_statements": [ + "ALTER USER \"{{name}}\" WITH PASSWORD '{{password}}';" + ], + "username": "example" + } + references: + backend: vault_mount.db.path + db_name: vault_database_secret_backend_connection.postgres.name + dependencies: + vault_database_secret_backend_connection.postgres: |- + { + "allowed_roles": [ + "*" + ], + "backend": "${vault_mount.db.path}", + "name": "postgres", + "postgresql": [ + { + "connection_url": "postgres://username:password@host:port/database" + } + ] + } + vault_mount.db: |- + { + "path": "postgres", + "type": "database" + } argumentDocs: backend: '- (Required) The unique name of the Vault mount to configure.' db_name: '- (Required) The unique name of the database connection to use for the static role.' 
@@ -1297,11 +2012,62 @@ resources: rotation_statements: '- (Optional) Database statements to execute to rotate the password for the configured database user.' username: '- (Required) The database username that this static role corresponds to.' importStatements: [] - vault_database_secrets_mount resource: + vault_database_secrets_mount: subCategory: "" description: Configures any number of database secrets engines under a single mount resource - name: vault_database_secrets_mount resource + name: vault_database_secrets_mount title: vault_database_secrets_mount resource + examples: + - name: db + manifest: |- + { + "mssql": [ + { + "allowed_roles": [ + "dev1" + ], + "connection_url": "sqlserver://{{username}}:{{password}}@127.0.0.1:1433", + "name": "db1", + "password": "super_secret_1", + "username": "sa" + } + ], + "path": "db", + "postgresql": [ + { + "allowed_roles": [ + "dev2" + ], + "connection_url": "postgresql://{{username}}:{{password}}@127.0.0.1:5432/postgres", + "name": "db2", + "password": "super_secret_2", + "username": "postgres", + "verify_connection": true + } + ] + } + dependencies: + vault_database_secret_backend_role.dev1: |- + { + "backend": "${vault_database_secrets_mount.db.path}", + "creation_statements": [ + "CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';", + "CREATE USER [{{name}}] FOR LOGIN [{{name}}];", + "GRANT SELECT ON SCHEMA::dbo TO [{{name}}];" + ], + "db_name": "${vault_database_secrets_mount.db.mssql[0].name}", + "name": "dev1" + } + vault_database_secret_backend_role.dev2: |- + { + "backend": "${vault_database_secrets_mount.db.path}", + "creation_statements": [ + "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';", + "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" + ], + "db_name": "${vault_database_secrets_mount.db.postgresql[0].name}", + "name": "dev2" + } argumentDocs: allowed_managed_keys: '- (Optional) Set of managed key registry entry names that the mount in 
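Review bot: The `db` example stores `password` values and credential-bearing `connection_url` strings inline in the manifest. If this metadata feeds example generation, those fields should be rendered through the provider's sensitive-field handling (a secret reference) rather than as literals, otherwise the generated examples show database credentials in plaintext spec. The same concern applies to `token` in the Consul examples, `client_secret` in the Azure example, `password` in the `vault_generic_endpoint` examples and `api_token`/`integration_key`/`secret_key` in the MFA examples further down.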
question is allowed to access' allowed_roles: |- @@ -1436,11 +2202,22 @@ resources: - (Optional) Whether the connection should be verified on initial configuration or not. importStatements: [] - vault_egp_policy resource: + vault_egp_policy: subCategory: "" description: Writes Sentinel endpoint governing policies for Vault - name: vault_egp_policy resource + name: vault_egp_policy title: vault_egp_policy resource + examples: + - name: allow-all + manifest: |- + { + "enforcement_level": "soft-mandatory", + "name": "allow-all", + "paths": [ + "*" + ], + "policy": "main = rule {\n true\n}\n" + } argumentDocs: enforcement_level: '- (Required) Enforcement level of Sentinel policy. Can be either advisory or soft-mandatory or hard-mandatory' name: '- (Required) The name of the policy' @@ -1452,11 +2229,32 @@ resources: paths: '- (Required) List of paths to which the policy will be applied to' policy: '- (Required) String containing a Sentinel policy' importStatements: [] - vault_gcp_auth_backend_role resource: + vault_gcp_auth_backend_role: subCategory: "" description: Managing roles in an GCP auth backend in Vault - name: vault_gcp_auth_backend_role resource + name: vault_gcp_auth_backend_role title: vault_gcp_auth_backend_role resource + examples: + - name: gcp + manifest: |- + { + "backend": "${vault_auth_backend.gcp.path}", + "bound_service_accounts": [ + "database-server@foo-bar-baz.iam.gserviceaccount.com" + ], + "project_id": "foo-bar-baz", + "token_policies": [ + "database-server" + ] + } + references: + backend: vault_auth_backend.gcp.path + dependencies: + vault_auth_backend.gcp: |- + { + "path": "gcp", + "type": "gcp" + } argumentDocs: allow_gce_inference: '- (Optional) A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.' backend: '- (Optional) Path to the mounted GCP auth backend' 
@@ -1510,11 +2308,17 @@ resources: requests a different type at generation time. type: '- (Required) Type of GCP authentication role (either gce or iam)' importStatements: [] - vault_gcp_secret_backend resource: + vault_gcp_secret_backend: subCategory: "" description: Creates an GCP secret backend for Vault. - name: vault_gcp_secret_backend resource + name: vault_gcp_secret_backend title: vault_gcp_secret_backend resource + examples: + - name: gcp + manifest: |- + { + "credentials": "${file(\"credentials.json\")}" + } argumentDocs: credentials: '- (Optional) The GCP service account credentials in JSON format.' default_lease_ttl_seconds: |- @@ -1537,11 +2341,35 @@ resources: - (Optional) The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to gcp. importStatements: [] - vault_gcp_secret_impersonated_account resource: + vault_gcp_secret_impersonated_account: subCategory: "" description: Creates a Impersonated Account for the GCP Secret Backend for Vault. - name: vault_gcp_secret_impersonated_account resource + name: vault_gcp_secret_impersonated_account title: vault_gcp_secret_impersonated_account resource + examples: + - name: impersonated_account + manifest: |- + { + "backend": "${vault_gcp_secret_backend.gcp.path}", + "impersonated_account": "this", + "service_account_email": "${google_service_account.this.email}", + "token_scopes": [ + "https://www.googleapis.com/auth/cloud-platform" + ] + } + references: + backend: vault_gcp_secret_backend.gcp.path + service_account_email: google_service_account.this.email + dependencies: + google_service_account.this: |- + { + "account_id": "my-awesome-account" + } + vault_gcp_secret_backend.gcp: |- + { + "credentials": "${file(\"credentials.json\")}", + "path": "gcp" + } argumentDocs: backend: '- (Required, Forces new resource) Path where the GCP Secrets Engine is mounted' impersonated_account: '- (Required, Forces new resource) Name of the Impersonated Account to create' 
@@ -1549,11 +2377,40 @@ resources: service_account_project: '- Project the service account belongs to.' token_scopes: '- (Required) List of OAuth scopes to assign to access tokens generated under this impersonated account.' importStatements: [] - vault_gcp_secret_roleset resource: + vault_gcp_secret_roleset: subCategory: "" description: Creates a Roleset for the GCP Secret Backend for Vault. - name: vault_gcp_secret_roleset resource + name: vault_gcp_secret_roleset title: vault_gcp_secret_roleset resource + examples: + - name: roleset + manifest: |- + { + "backend": "${vault_gcp_secret_backend.gcp.path}", + "binding": [ + { + "resource": "//cloudresourcemanager.googleapis.com/projects/${local.project}", + "roles": [ + "roles/viewer" + ] + } + ], + "project": "${local.project}", + "roleset": "project_viewer", + "secret_type": "access_token", + "token_scopes": [ + "https://www.googleapis.com/auth/cloud-platform" + ] + } + references: + backend: vault_gcp_secret_backend.gcp.path + project: local.project + dependencies: + vault_gcp_secret_backend.gcp: |- + { + "credentials": "${file(\"credentials.json\")}", + "path": "gcp" + } argumentDocs: backend: '- (Required, Forces new resource) Path where the GCP Secrets Engine is mounted' binding: '- (Required) Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.' 
@@ -1570,11 +2427,44 @@ resources: service_account_email: Email of the service account created by Vault for this Roleset. token_scopes: '- (Optional, Required for secret_type = "access_token") List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).' importStatements: [] - vault_gcp_secret_static_account resource: + vault_gcp_secret_static_account: subCategory: "" description: Creates a Static Account for the GCP Secret Backend for Vault. - name: vault_gcp_secret_static_account resource + name: vault_gcp_secret_static_account title: vault_gcp_secret_static_account resource + examples: + - name: static_account + manifest: |- + { + "backend": "${vault_gcp_secret_backend.gcp.path}", + "binding": [ + { + "resource": "//cloudresourcemanager.googleapis.com/projects/${google_service_account.this.project}", + "roles": [ + "roles/viewer" + ] + } + ], + "secret_type": "access_token", + "service_account_email": "${google_service_account.this.email}", + "static_account": "project_viewer", + "token_scopes": [ + "https://www.googleapis.com/auth/cloud-platform" + ] + } + references: + backend: vault_gcp_secret_backend.gcp.path + service_account_email: google_service_account.this.email + dependencies: + google_service_account.this: |- + { + "account_id": "my-awesome-account" + } + vault_gcp_secret_backend.gcp: |- + { + "credentials": "${file(\"credentials.json\")}", + "path": "gcp" + } argumentDocs: backend: '- (Required, Forces new resource) Path where the GCP Secrets Engine is mounted' binding: '- (Optional) Bindings to create for this static account. This can be specified multiple times for multiple bindings. Structure is documented below.' 
@@ -1591,11 +2481,63 @@ resources: static_account: '- (Required, Forces new resource) Name of the Static Account to create' token_scopes: '- (Optional, Required for secret_type = "access_token") List of OAuth scopes to assign to access_token secrets generated under this static account (access_token static accounts only).' importStatements: [] - vault_generic_endpoint resource: + vault_generic_endpoint: subCategory: "" description: Writes arbitrary data to a given path in Vault - name: vault_generic_endpoint resource + name: vault_generic_endpoint title: vault_generic_endpoint resource + examples: + - name: u1 + manifest: |- + { + "data_json": "{\n \"policies\": [\"p1\"],\n \"password\": \"changeme\"\n}\n", + "depends_on": [ + "${vault_auth_backend.userpass}" + ], + "ignore_absent_fields": true, + "path": "auth/userpass/users/u1" + } + dependencies: + vault_auth_backend.userpass: |- + { + "type": "userpass" + } + - name: u1_token + manifest: |- + { + "data_json": "{\n \"password\": \"changeme\"\n}\n", + "depends_on": [ + "${vault_generic_endpoint.u1}" + ], + "disable_delete": true, + "disable_read": true, + "path": "auth/userpass/login/u1" + } + dependencies: + vault_auth_backend.userpass: |- + { + "type": "userpass" + } + - name: u1_entity + manifest: |- + { + "data_json": "{\n \"alias_name\": \"u1\",\n \"alias_mount_accessor\": vault_auth_backend.userpass.accessor\n}\n", + "depends_on": [ + "${vault_generic_endpoint.u1_token}" + ], + "disable_delete": true, + "disable_read": true, + "ignore_absent_fields": true, + "path": "identity/lookup/entity", + "write_fields": [ + "id" + ] + } + dependencies: + vault_auth_backend.userpass: |- + { + "type": "userpass" + } argumentDocs: data_json: |- - (Required) String containing a JSON-encoded object that will be 
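Review bot: In the `u1_entity` example the `data_json` string contains `\"alias_mount_accessor\": vault_auth_backend.userpass.accessor`, a bare unquoted reference inside what is otherwise a JSON document, so the stored value is not valid JSON and will not interpolate unless written as `\"${vault_auth_backend.userpass.accessor}\"`. This appears to be carried over from the upstream provider docs rather than introduced here, but since the example is kept verbatim it is worth correcting at this point. The `u1_token` and `u1_entity` entries also list only `vault_auth_backend.userpass` under `dependencies`, while their `depends_on` points at `vault_generic_endpoint.u1` and `vault_generic_endpoint.u1_token`, which are not recorded.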
@@ -1646,11 +2588,18 @@ resources: data from writing to an endpoint rather than reading it. You should use write_fields if you need information returned in this way. importStatements: [] - vault_generic_secret resource: + vault_generic_secret: subCategory: "" description: Writes arbitrary data to a given path in Vault - name: vault_generic_secret resource + name: vault_generic_secret title: vault_generic_secret resource + examples: + - name: example + manifest: |- + { + "data_json": "{\n \"foo\": \"bar\",\n \"pizza\": \"cheese\"\n}\n", + "path": "secret/foo" + } argumentDocs: data: |- - A mapping whose keys are the top-level data keys returned from @@ -1681,11 +2630,17 @@ resources: resource is possible; consult each backend's documentation to see which endpoints support the PUT and DELETE methods. importStatements: [] - vault_github_auth_backend resource: + vault_github_auth_backend: subCategory: "" description: Manages GitHub Auth mounts in Vault. - name: vault_github_auth_backend resource + name: vault_github_auth_backend title: vault_github_auth_backend resource + examples: + - name: example + manifest: |- + { + "organization": "myorg" + } argumentDocs: accessor: '- The mount accessor related to the auth mount. It is useful for integration with Identity Secrets Engine.' base_url: |- 
@@ -1772,11 +2727,29 @@ resources: - (Optional) Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch". importStatements: [] - vault_github_team resource: + vault_github_team: subCategory: "" description: Manages Team mappings for Github Auth backend mounts in Vault. - name: vault_github_team resource + name: vault_github_team title: vault_github_team resource + examples: + - name: tf_devs + manifest: |- + { + "backend": "${vault_github_auth_backend.example.id}", + "policies": [ + "developer", + "read-only" + ], + "team": "terraform-developers" + } + references: + backend: vault_github_auth_backend.example.id + dependencies: + vault_github_auth_backend.example: |- + { + "organization": "myorg" + } argumentDocs: backend: |- - (Required) Path where the github auth backend is mounted. Defaults to github @@ -1793,11 +2766,29 @@ resources: - (Required) GitHub team name in "slugified" format, for example: Terraform Developers -> terraform-developers. importStatements: [] - vault_github_user resource: + vault_github_user: subCategory: "" description: Manages User mappings for Github Auth backend mounts in Vault. - name: vault_github_user resource + name: vault_github_user title: vault_github_user resource + examples: + - name: tf_user + manifest: |- + { + "backend": "${vault_github_auth_backend.example.id}", + "policies": [ + "developer", + "read-only" + ], + "user": "john.doe" + } + references: + backend: vault_github_auth_backend.example.id + dependencies: + vault_github_auth_backend.example: |- + { + "organization": "myorg" + } argumentDocs: backend: |- - (Required) Path where the github auth backend is mounted. Defaults to github 
@@ -1812,11 +2803,23 @@ resources: using this role. user: '- (Required) GitHub user name.' importStatements: [] - vault_identity_entity resource: + vault_identity_entity: subCategory: "" description: Creates an Identity Entity for Vault. - name: vault_identity_entity resource + name: vault_identity_entity title: vault_identity_entity resource + examples: + - name: test + manifest: |- + { + "metadata": { + "foo": "bar" + }, + "name": "tester1", + "policies": [ + "test" + ] + } argumentDocs: disabled: '- (Optional) True/false Is this entity currently disabled. Defaults to false' external_policies: '- (Optional) false by default. If set to true, this resource will ignore any policies return from Vault or specified in the resource. You can use vault_identity_entity_policies to manage policies for this entity in a decoupled manner.' @@ -1830,11 +2833,19 @@ resources: Available only for Vault Enterprise. policies: '- (Optional) A list of policies to apply to the entity.' importStatements: [] - vault_identity_entity_alias resource: + vault_identity_entity_alias: subCategory: "" description: Creates an Identity Entity Alias for Vault. - name: vault_identity_entity_alias resource + name: vault_identity_entity_alias title: vault_identity_entity_alias resource + examples: + - name: test + manifest: |- + { + "canonical_id": "49877D63-07AD-4B85-BDA8-B61626C477E8", + "mount_accessor": "token_1f2bd5", + "name": "user_1" + } argumentDocs: canonical_id: '- (Required) Entity ID to which this alias belongs to.' id: '- ID of the entity alias.' 
@@ -1846,11 +2857,65 @@ resources: The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. importStatements: [] - vault_identity_entity_policies resource: + vault_identity_entity_policies: subCategory: "" description: Manages policies for an Identity Entity for Vault. - name: vault_identity_entity_policies resource + name: vault_identity_entity_policies title: vault_identity_entity_policies resource + examples: + - name: policies + manifest: |- + { + "entity_id": "${vault_identity_entity.entity.id}", + "exclusive": true, + "policies": [ + "default", + "test" + ] + } + references: + entity_id: vault_identity_entity.entity.id + dependencies: + vault_identity_entity.entity: |- + { + "external_policies": true, + "name": "entity" + } + - name: default + manifest: |- + { + "entity_id": "${vault_identity_entity.entity.id}", + "exclusive": false, + "policies": [ + "default", + "test" + ] + } + references: + entity_id: vault_identity_entity.entity.id + dependencies: + vault_identity_entity.entity: |- + { + "external_policies": true, + "name": "entity" + } + - name: others + manifest: |- + { + "entity_id": "${vault_identity_entity.entity.id}", + "exclusive": false, + "policies": [ + "others" + ] + } + references: + entity_id: vault_identity_entity.entity.id + dependencies: + vault_identity_entity.entity: |- + { + "external_policies": true, + "name": "entity" + } argumentDocs: entity_id: '- (Required) Entity ID to assign policies to.' entity_name: '- The name of the entity that are assigned the policies.' 
@@ -1864,11 +2929,63 @@ resources: policies: '- (Required) List of policies to assign to the entity' "true": ', this resource will take exclusive control of the policies assigned to the entity and will set it equal to what is specified in the resource.' importStatements: [] - vault_identity_group resource: + vault_identity_group: subCategory: "" description: Creates an Identity Group for Vault. - name: vault_identity_group resource + name: vault_identity_group title: vault_identity_group resource + examples: + - name: internal + manifest: |- + { + "metadata": { + "version": "2" + }, + "name": "internal", + "policies": [ + "dev", + "test" + ], + "type": "internal" + } + - name: group + manifest: |- + { + "metadata": { + "version": "1" + }, + "name": "external", + "policies": [ + "test" + ], + "type": "external" + } + - name: internal + manifest: |- + { + "metadata": { + "version": "2" + }, + "name": "internal", + "policies": [ + "dev", + "test" + ], + "type": "internal" + } + - name: Internal + manifest: |- + { + "metadata": { + "version": "2" + }, + "name": "Internal", + "policies": [ + "dev", + "test" + ], + "type": "internal" + } argumentDocs: external_member_entity_ids: |- - (Optional) false by default. If set to true, this resource will ignore any Entity IDs 
@@ -1897,11 +3014,36 @@ resources: policies: '- (Optional) A list of policies to apply to the group.' type: '- (Optional, Forces new resource) Type of the group, internal or external. Defaults to internal.' importStatements: [] - vault_identity_group_alias resource: + vault_identity_group_alias: subCategory: "" description: Creates an Identity Group Alias for Vault. - name: vault_identity_group_alias resource + name: vault_identity_group_alias title: vault_identity_group_alias resource + examples: + - name: group-alias + manifest: |- + { + "canonical_id": "${vault_identity_group.group.id}", + "mount_accessor": "${vault_auth_backend.github.accessor}", + "name": "Github_Team_Slug" + } + references: + canonical_id: vault_identity_group.group.id + mount_accessor: vault_auth_backend.github.accessor + dependencies: + vault_auth_backend.github: |- + { + "path": "github", + "type": "github" + } + vault_identity_group.group: |- + { + "name": "test", + "policies": [ + "test" + ], + "type": "external" + } argumentDocs: canonical_id: '- (Required) ID of the group to which this is an alias.' id: '- The id of the created group alias.' 
@@ -1915,11 +3057,104 @@ resources: importStatements: - $ terraform import vault_identity_group_alias.group-alias id - terraform import vault_identity_group_alias.alias_name 63104e20-88e4-11eb-8d04-cf7ac9d60157 - vault_identity_group_member_entity_ids resource: + vault_identity_group_member_entity_ids: subCategory: "" description: Manages member entities for an Identity Group for Vault. - name: vault_identity_group_member_entity_ids resource + name: vault_identity_group_member_entity_ids title: vault_identity_group_member_entity_ids resource + examples: + - name: members + manifest: |- + { + "exclusive": true, + "group_id": "${vault_identity_group.internal.id}", + "member_entity_ids": [ + "${vault_identity_entity.user.id}" + ] + } + references: + group_id: vault_identity_group.internal.id + dependencies: + vault_identity_entity.user: |- + { + "name": "user" + } + vault_identity_group.internal: |- + { + "external_member_entity_ids": true, + "metadata": { + "version": "2" + }, + "name": "internal", + "type": "internal" + } + - name: test + manifest: |- + { + "exclusive": false, + "group_id": "${vault_identity_group.internal.id}", + "member_entity_ids": [ + "${vault_identity_entity.test_user.id}", + "${vault_identity_entity.second_test_user.id}" + ] + } + references: + group_id: vault_identity_group.internal.id + dependencies: + vault_identity_entity.dev_user: |- + { + "name": "dev" + } + vault_identity_entity.second_test_user: |- + { + "name": "second_test" + } + vault_identity_entity.test_user: |- + { + "name": "test" + } + vault_identity_group.internal: |- + { + "external_member_entity_ids": true, + "metadata": { + "version": "2" + }, + "name": "internal", + "type": "internal" + } + - name: others + manifest: |- + { + "exclusive": false, + "group_id": "${vault_identity_group.internal.id}", + "member_entity_ids": [ + "${vault_identity_entity.dev_user.id}" + ] + } + references: + group_id: vault_identity_group.internal.id + dependencies: + 
vault_identity_entity.dev_user: |- + { + "name": "dev" + } + vault_identity_entity.second_test_user: |- + { + "name": "second_test" + } + vault_identity_entity.test_user: |- + { + "name": "test" + } + vault_identity_group.internal: |- + { + "external_member_entity_ids": true, + "metadata": { + "version": "2" + }, + "name": "internal", + "type": "internal" + } argumentDocs: exclusive: '- (Optional) Defaults to true.' "false": ', this resource will simply ensure that the member entities specified in the resource are present in the group. When destroying the resource, the resource will ensure that the member entities specified in the resource are removed.' 
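Review bot: The `references` block of each `vault_identity_group_member_entity_ids` example lists only `group_id`, while `member_entity_ids` is populated entirely from `${vault_identity_entity.*.id}` interpolations that are not recorded; if `references` is what drives cross-resource resolution downstream, those entity IDs will remain unresolved interpolation strings. In the `test` example the `dependencies` map also carries `vault_identity_entity.dev_user`, which that manifest never uses, and the `others` example lists `test_user` and `second_test_user` it does not use. The same gap (list-valued references omitted) shows up in the `vault_identity_oidc_assignment` hunk for `entity_ids` and `group_ids`.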
@@ -1936,11 +3171,68 @@ resources: Available only for Vault Enterprise. "true": ', this resource will take exclusive control of the member entities that belong to the group and will set it equal to what is specified in the resource.' importStatements: [] - vault_identity_group_member_group_ids resource: + vault_identity_group_member_group_ids: subCategory: "" description: Manages member groups for an Identity Group for Vault. - name: vault_identity_group_member_group_ids resource + name: vault_identity_group_member_group_ids title: vault_identity_group_member_group_ids resource + examples: + - name: members + manifest: |- + { + "exclusive": true, + "group_id": "${vault_identity_group.internal.id}", + "member_group_ids": [ + "${vault_identity_group.users.id}" + ] + } + references: + group_id: vault_identity_group.internal.id + dependencies: + vault_identity_group.internal: |- + { + "external_member_group_ids": true, + "metadata": { + "version": "2" + }, + "name": "internal", + "type": "internal" + } + vault_identity_group.users: |- + { + "metadata": { + "version": "2" + }, + "name": "users" + } + - name: members + manifest: |- + { + "exclusive": false, + "group_id": "${vault_identity_group.internal.id}", + "member_group_ids": [ + "${vault_identity_group.users.id}" + ] + } + references: + group_id: vault_identity_group.internal.id + dependencies: + vault_identity_group.internal: |- + { + "external_member_group_ids": true, + "metadata": { + "version": "2" + }, + "name": "internal", + "type": "internal" + } + vault_identity_group.users: |- + { + "metadata": { + "version": "2" + }, + "name": "users" + } argumentDocs: exclusive: '- (Optional) Defaults to true.' "false": |- 
@@ -1958,11 +3250,77 @@ resources: , this resource will take exclusive control of the member groups that belong to the group and will set it equal to what is specified in the resource. importStatements: [] - vault_identity_group_policies resource: + vault_identity_group_policies: subCategory: "" description: Manages policies for an Identity Group for Vault. - name: vault_identity_group_policies resource + name: vault_identity_group_policies title: vault_identity_group_policies resource + examples: + - name: policies + manifest: |- + { + "exclusive": true, + "group_id": "${vault_identity_group.internal.id}", + "policies": [ + "default", + "test" + ] + } + references: + group_id: vault_identity_group.internal.id + dependencies: + vault_identity_group.internal: |- + { + "external_policies": true, + "metadata": { + "version": "2" + }, + "name": "internal", + "type": "internal" + } + - name: default + manifest: |- + { + "exclusive": false, + "group_id": "${vault_identity_group.internal.id}", + "policies": [ + "default", + "test" + ] + } + references: + group_id: vault_identity_group.internal.id + dependencies: + vault_identity_group.internal: |- + { + "external_policies": true, + "metadata": { + "version": "2" + }, + "name": "internal", + "type": "internal" + } + - name: others + manifest: |- + { + "exclusive": false, + "group_id": "${vault_identity_group.internal.id}", + "policies": [ + "others" + ] + } + references: + group_id: vault_identity_group.internal.id + dependencies: + vault_identity_group.internal: |- + { + "external_policies": true, + "metadata": { + "version": "2" + }, + "name": "internal", + "type": "internal" + } argumentDocs: exclusive: '- (Optional) Defaults to true.' "false": ', this resource will simply ensure that the policies specified in the resource are present in the group. When destroying the resource, the resource will ensure that the policies specified in the resource are removed.' 
@@ -1976,11 +3334,19 @@ resources: policies: '- (Required) List of policies to assign to the group' "true": ', this resource will take exclusive control of the policies assigned to the group and will set it equal to what is specified in the resource.' importStatements: [] - vault_identity_mfa_duo resource: + vault_identity_mfa_duo: subCategory: "" description: Resource for configuring the duo MFA method. - name: vault_identity_mfa_duo resource + name: vault_identity_mfa_duo title: vault_identity_mfa_duo resource + examples: + - name: example + manifest: |- + { + "api_hostname": "api-xxxxxxxx.duosecurity.com", + "integration_key": "secret-int-key", + "secret_key": "secret-key" + } argumentDocs: api_hostname: '- (Required) API hostname for Duo' integration_key: '- (Required) Integration key for Duo' @@ -1996,11 +3362,28 @@ resources: username_format: '- (Optional) A template string for mapping Identity names to MFA methods.' uuid: '- (Optional) Resource UUID.' importStatements: [] - vault_identity_mfa_login_enforcement resource: + vault_identity_mfa_login_enforcement: subCategory: "" description: Resource for configuring MFA login-enforcement - name: vault_identity_mfa_login_enforcement resource + name: vault_identity_mfa_login_enforcement title: vault_identity_mfa_login_enforcement resource + examples: + - name: example + manifest: |- + { + "mfa_method_ids": [ + "${vault_identity_mfa_duo.example.method_id}" + ], + "name": "default" + } + dependencies: + vault_identity_mfa_duo.example: |- + { + "api_hostname": "foo.baz", + "integration_key": "int-key", + "push_info": "push-info", + "secret_key": "secret-key" + } argumentDocs: auth_method_accessors: '- (Optional) Set of auth method accessor IDs.' auth_method_types: '- (Optional) Set of auth method types.' 
@@ -2013,11 +3396,19 @@ resources: namespace_path: '- Method''s namespace path.' uuid: '- (Optional) Resource UUID.' importStatements: [] - vault_identity_mfa_okta resource: + vault_identity_mfa_okta: subCategory: "" description: Resource for configuring the okta MFA method. - name: vault_identity_mfa_okta resource + name: vault_identity_mfa_okta title: vault_identity_mfa_okta resource + examples: + - name: example + manifest: |- + { + "api_token": "token1", + "base_url": "qux.baz.com", + "org_name": "org1" + } argumentDocs: api_token: '- (Required) Okta API token.' base_url: '- (Optional) The base domain to use for API requests.' @@ -2053,11 +3444,17 @@ resources: username_format: '- (Optional) A template string for mapping Identity names to MFA methods.' uuid: '- (Optional) Resource UUID.' importStatements: [] - vault_identity_mfa_totp resource: + vault_identity_mfa_totp: subCategory: "" description: Resource for configuring the totp MFA method. - name: vault_identity_mfa_totp resource + name: vault_identity_mfa_totp title: vault_identity_mfa_totp resource + examples: + - name: example + manifest: |- + { + "issuer": "issuer1" + } argumentDocs: algorithm: '- (Optional) Specifies the hashing algorithm used to generate the TOTP code. Options include SHA1, SHA256, SHA512.' digits: '- (Optional) The number of digits in the generated TOTP token. This value can either be 6 or 8' @@ -2075,11 +3472,17 @@ resources: type: '- MFA type.' uuid: '- (Optional) Resource UUID.' importStatements: [] - vault_identity_oidc resource: + vault_identity_oidc: subCategory: "" description: Configure the Identity Tokens Backend for Vault - name: vault_identity_oidc resource + name: vault_identity_oidc title: vault_identity_oidc resource + examples: + - name: server + manifest: |- + { + "issuer": "https://www.acme.com" + } argumentDocs: issuer: |- - (Optional) Issuer URL to be used in the iss claim of the token. If not set, Vault's 
@@ -2092,11 +3495,40 @@ resources: The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. importStatements: [] - vault_identity_oidc_assignment resource: + vault_identity_oidc_assignment: subCategory: "" description: Provision OIDC Assignments in Vault. - name: vault_identity_oidc_assignment resource + name: vault_identity_oidc_assignment title: vault_identity_oidc_assignment resource + examples: + - name: default + manifest: |- + { + "entity_ids": [ + "${vault_identity_entity.test.id}" + ], + "group_ids": [ + "${vault_identity_group.internal.id}" + ], + "name": "assignment" + } + dependencies: + vault_identity_entity.test: |- + { + "name": "test", + "policies": [ + "test" + ] + } + vault_identity_group.internal: |- + { + "name": "internal", + "policies": [ + "dev", + "test" + ], + "type": "internal" + } argumentDocs: entity_ids: '- (Optional) A set of Vault entity IDs.' group_ids: '- (Optional) A set of Vault group IDs.' 
@@ -2107,11 +3539,38 @@ resources: The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. importStatements: [] - vault_identity_oidc_client resource: + vault_identity_oidc_client: subCategory: "" description: Provision OIDC Clients in Vault. - name: vault_identity_oidc_client resource + name: vault_identity_oidc_client title: vault_identity_oidc_client resource + examples: + - name: test + manifest: |- + { + "access_token_ttl": 7200, + "assignments": [ + "${vault_identity_oidc_assignment.test.name}" + ], + "id_token_ttl": 2400, + "name": "my-app", + "redirect_uris": [ + "http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback", + "http://127.0.0.1:8251/callback", + "http://127.0.0.1:8080/callback" + ] + } + dependencies: + vault_identity_oidc_assignment.test: |- + { + "entity_ids": [ + "ascbascas-2231a-sdfaa" + ], + "group_ids": [ + "sajkdsad-32414-sfsada" + ], + "name": "my-assignment" + } argumentDocs: access_token_ttl: '- (Optional) The time-to-live for access tokens obtained by the client.' assignments: '- (Optional) A list of assignment resources associated with the client.' 
@@ -2136,11 +3595,29 @@ resources: One of these values must exactly match the redirect_uri parameter value used in each authentication request. importStatements: [] - vault_identity_oidc_key resource: + vault_identity_oidc_key: subCategory: "" description: Creates an Identity OIDC Named Key for Vault - name: vault_identity_oidc_key resource + name: vault_identity_oidc_key title: vault_identity_oidc_key resource + examples: + - name: key + manifest: |- + { + "algorithm": "RS256", + "name": "key" + } + dependencies: + vault_identity_oidc_key_allowed_client_id.role: |- + { + "allowed_client_id": "${vault_identity_oidc_role.role.client_id}", + "key_name": "${vault_identity_oidc_key.key.name}" + } + vault_identity_oidc_role.role: |- + { + "key": "${vault_identity_oidc_key.key.name}", + "name": "role" + } argumentDocs: algorithm: |- - (Optional) Signing algorithm to use. Signing algorithm to use. 
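Review bot: The `dependencies` listed for the `key` example are resources that reference `${vault_identity_oidc_key.key.name}`, i.e. they depend on this example rather than the other way round, so the example has no real prerequisite and presumably these two entries should be dropped (they are already the main examples of `vault_identity_oidc_key_allowed_client_id` at L1509 and `vault_identity_oidc_role` at L1511). If the generator orders manifests by `dependencies`, this inverted edge could make it try to create the role before the key it refers to. The resource's `argumentDocs` continue past the end of the hunk.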
@@ -2160,11 +3637,32 @@ resources: - (Optional) "Controls how long the public portion of a signing key will be available for verification after being rotated in seconds. importStatements: [] - vault_identity_oidc_key_allowed_client_id resource: + vault_identity_oidc_key_allowed_client_id: subCategory: "" description: Allows an Identity OIDC Role to use an OIDC Named key. - name: vault_identity_oidc_key_allowed_client_id resource + name: vault_identity_oidc_key_allowed_client_id title: vault_identity_oidc_key_allowed_client_id resource + examples: + - name: role + manifest: |- + { + "allowed_client_id": "${vault_identity_oidc_role.role.client_id}", + "key_name": "${vault_identity_oidc_key.key.name}" + } + references: + allowed_client_id: vault_identity_oidc_role.role.client_id + key_name: vault_identity_oidc_key.key.name + dependencies: + vault_identity_oidc_key.key: |- + { + "algorithm": "RS256", + "name": "key" + } + vault_identity_oidc_role.role: |- + { + "key": "${vault_identity_oidc_key.key.name}", + "name": "role" + } argumentDocs: allowed_client_id: '- (Required; Forces new resource) Client ID to allow usage with the OIDC named key' key_name: '- (Required; Forces new resource) Name of the OIDC Key allow the Client ID.' 
@@ -2174,11 +3672,66 @@ resources: The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. importStatements: [] - vault_identity_oidc_provider resource: + vault_identity_oidc_provider: subCategory: "" description: Provision OIDC Providers in Vault. - name: vault_identity_oidc_provider resource + name: vault_identity_oidc_provider title: vault_identity_oidc_provider resource + examples: + - name: test + manifest: |- + { + "allowed_client_ids": [ + "${vault_identity_oidc_client.test.client_id}" + ], + "https_enabled": false, + "issuer_host": "127.0.0.1:8200", + "name": "my-provider", + "scopes_supported": [ + "${vault_identity_oidc_scope.test.name}" + ] + } + dependencies: + vault_identity_oidc_assignment.test: |- + { + "entity_ids": [ + "fake-ascbascas-2231a-sdfaa" + ], + "group_ids": [ + "fake-sajkdsad-32414-sfsada" + ], + "name": "my-assignment" + } + vault_identity_oidc_client.test: |- + { + "access_token_ttl": 7200, + "assignments": [ + "${vault_identity_oidc_assignment.test.name}" + ], + "id_token_ttl": 2400, + "key": "${vault_identity_oidc_key.test.name}", + "name": "application", + "redirect_uris": [ + "http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback", + "http://127.0.0.1:8251/callback", + "http://127.0.0.1:8080/callback" + ] + } + vault_identity_oidc_key.test: |- + { + "allowed_client_ids": [ + "*" + ], + "name": "my-key", + "rotation_period": 3600, + "verification_ttl": 3600 + } + vault_identity_oidc_scope.test: |- + { + "description": "Groups scope.", + "name": "groups", + "template": "${jsonencode(\n {\n groups = \"{{identity.entity.groups.names}}\",\n }\n )}" + } argumentDocs: allowed_client_ids: |- - (Optional) The client IDs that are permitted to use the provider. 
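Review bot: The `template` value of the `vault_identity_oidc_scope.test` dependency is `${jsonencode(...)}`, a Terraform function call rather than a `resource.name.attribute` reference, and nothing in this file resolves function calls, so the generated example will presumably carry the literal `${jsonencode(` text; use the pre-rendered JSON string the `vault_identity_oidc_scope` example at L1512 already uses, `"template": "{\"groups\":{{identity.entity.groups.names}}}"`. The same function-call interpolation appears in `kubernetes_ca_cert`/`service_account_jwt` (`${file(...)}`) at L1520, L1521-L1522 and in `data_json` (`${jsonencode(...)}`) at L1523 and L1524. Separately, the `vault_identity_oidc_key.test` dependency sets `"allowed_client_ids": ["*"]`; since users copy examples verbatim, restricting it to `"${vault_identity_oidc_client.test.client_id}"` would show the least-privilege form.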
@@ -2197,11 +3750,48 @@ resources: Available only for Vault Enterprise. scopes_supported: '- (Optional) The scopes available for requesting on the provider.' importStatements: [] - vault_identity_oidc_role resource: + vault_identity_oidc_role: subCategory: "" description: Creates an Identity OIDC Role for Vault - name: vault_identity_oidc_role resource + name: vault_identity_oidc_role title: vault_identity_oidc_role resource + examples: + - name: role + manifest: |- + { + "key": "${var.key}", + "name": "role" + } + references: + key: var.key + dependencies: + vault_identity_oidc_key.key: |- + { + "algorithm": "RS256", + "allowed_client_ids": [ + "${vault_identity_oidc_role.role.client_id}" + ], + "name": "${var.key}" + } + - name: role + manifest: |- + { + "key": "${vault_identity_oidc_key.key.name}", + "name": "role" + } + references: + key: vault_identity_oidc_key.key.name + dependencies: + vault_identity_oidc_key.key: |- + { + "algorithm": "RS256", + "name": "key" + } + vault_identity_oidc_key_allowed_client_id.role: |- + { + "allowed_client_id": "${vault_identity_oidc_role.role.client_id}", + "key_name": "${vault_identity_oidc_key.key.name}" + } argumentDocs: client_id: |- - (Optional) The value that will be included in the aud field of all the OIDC identity 
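Review bot: Both examples under `vault_identity_oidc_role` are named `role`, so anything keyed by example name (presumably the generated example manifests) will collide or silently keep only one; rename the second, e.g. `- name: role-allowed-client-id`. The same duplicate naming appears under `vault_jwt_auth_backend` (L1513, two `example`) and `vault_jwt_auth_backend_role` (L1514, two `example`). The first example also uses `"key": "${var.key}"` with `references: key: var.key`, which points at a Terraform variable, not a resource in `dependencies`, so the reference cannot be resolved to a managed resource; the second example's `"${vault_identity_oidc_key.key.name}"` form is the one to keep. `var.` references recur at L1525 (`aws.access_key`, `aws.secret_key`) and L1528 (`settings_file_base64`).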
@@ -2223,11 +3813,19 @@ resources: for the template format. ttl: '- (Optional) TTL of the tokens generated against the role in number of seconds.' importStatements: [] - vault_identity_oidc_scope resource: + vault_identity_oidc_scope: subCategory: "" description: Provision OIDC Scopes in Vault. - name: vault_identity_oidc_scope resource + name: vault_identity_oidc_scope title: vault_identity_oidc_scope resource + examples: + - name: groups + manifest: |- + { + "description": "Vault OIDC Groups Scope", + "name": "groups", + "template": "{\"groups\":{{identity.entity.groups.names}}}" + } argumentDocs: description: '- (Optional) A description of the scope.' name: '- (Required) The name of the scope. The openid scope name is reserved.' 
@@ -2238,11 +3836,50 @@ resources: Available only for Vault Enterprise. template: '- (Optional) The template string for the scope. This may be provided as escaped JSON or base64 encoded JSON.' importStatements: [] - vault_jwt_auth_backend resource: + vault_jwt_auth_backend: subCategory: "" description: Managing JWT/OIDC auth backends in Vault - name: vault_jwt_auth_backend resource + name: vault_jwt_auth_backend title: vault_jwt_auth_backend resource + examples: + - name: example + manifest: |- + { + "bound_issuer": "https://myco.auth0.com/", + "description": "Demonstration of the Terraform JWT auth backend", + "oidc_discovery_url": "https://myco.auth0.com/", + "path": "jwt" + } + - name: example + manifest: |- + { + "bound_issuer": "https://myco.auth0.com/", + "description": "Demonstration of the Terraform JWT auth backend", + "oidc_client_id": "1234567890", + "oidc_client_secret": "secret123456", + "oidc_discovery_url": "https://myco.auth0.com/", + "path": "oidc", + "tune": [ + { + "listing_visibility": "unauth" + } + ], + "type": "oidc" + } + - name: gsuite + manifest: |- + { + "description": "OIDC backend", + "oidc_discovery_url": "https://accounts.google.com", + "path": "oidc", + "provider_config": { + "fetch_groups": true, + "fetch_user_info": true, + "groups_recurse_max_depth": 1, + "provider": "gsuite" + }, + "type": "oidc" + } argumentDocs: accessor: '- The accessor for this auth method' bound_issuer: '- (Optional) The value against which to match the iss claim in a JWT' 
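Review bot: The second `example` manifest inlines `"oidc_client_secret": "secret123456"` as a plain field value, so the generated example shows a credential in the spec rather than a secret reference; if the generator turns sensitive fields into secret references this literal cannot be rendered as-is, and if it does not, the example teaches plaintext secrets in manifests. An obviously-placeholder value such as `"oidc_client_secret": "<client-secret>"` would at least avoid the second problem; the field's argument doc is past the end of this hunk. The same applies to `token_reviewer_jwt` at L1518, `integration_key`/`secret_key` at L1526, `api_token` at L1527 and `private_key` at L1529-L1530. The Duo values at L1526 are formatted like real Duo credentials and will trip secret scanners on the generated examples even if they are upstream documentation samples.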
@@ -2298,11 +3935,62 @@ resources: the mount. Valid values are "default-service", "default-batch", "service", "batch". type: '- (Optional) Type of auth backend. Should be one of jwt or oidc. Default - jwt' importStatements: [] - vault_jwt_auth_backend_role resource: + vault_jwt_auth_backend_role: subCategory: "" description: Manages JWT/OIDC auth backend roles in Vault. - name: vault_jwt_auth_backend_role resource + name: vault_jwt_auth_backend_role title: vault_jwt_auth_backend_role resource + examples: + - name: example + manifest: |- + { + "backend": "${vault_jwt_auth_backend.jwt.path}", + "bound_audiences": [ + "https://myco.test" + ], + "bound_claims": { + "color": "red,green,blue" + }, + "role_name": "test-role", + "role_type": "jwt", + "token_policies": [ + "default", + "dev", + "prod" + ], + "user_claim": "https://vault/user" + } + references: + backend: vault_jwt_auth_backend.jwt.path + dependencies: + vault_jwt_auth_backend.jwt: |- + { + "path": "jwt" + } + - name: example + manifest: |- + { + "allowed_redirect_uris": [ + "http://localhost:8200/ui/vault/auth/oidc/oidc/callback" + ], + "backend": "${vault_jwt_auth_backend.oidc.path}", + "role_name": "test-role", + "role_type": "oidc", + "token_policies": [ + "default", + "dev", + "prod" + ], + "user_claim": "https://vault/user" + } + references: + backend: vault_jwt_auth_backend.oidc.path + dependencies: + vault_jwt_auth_backend.oidc: |- + { + "default_role": "test-role", + "path": "oidc" + } argumentDocs: allowed_redirect_uris: |- - (Optional) The list of allowed values for redirect_uri during OIDC logins. 
@@ -2407,11 +4095,27 @@ resources: logging is active. Not recommended in production since sensitive information may be present in OIDC responses. importStatements: [] - vault_kmip_secret_backend resource: + vault_kmip_secret_backend: subCategory: "" description: Provision KMIP Secret backends in Vault. - name: vault_kmip_secret_backend resource + name: vault_kmip_secret_backend title: vault_kmip_secret_backend resource + examples: + - name: default + manifest: |- + { + "default_tls_client_key_bits": 4096, + "default_tls_client_key_type": "rsa", + "default_tls_client_ttl": 86400, + "description": "Vault KMIP backend", + "listen_addrs": [ + "127.0.0.1:5696", + "127.0.0.1:8080" + ], + "path": "kmip", + "tls_ca_key_bits": 4096, + "tls_ca_key_type": "rsa" + } argumentDocs: default_tls_client_key_bits: '- (Optional) Client certificate key bits, valid values depend on key type.' default_tls_client_key_type: '- (Optional) Client certificate key type, rsa or ec.' 
@@ -2434,11 +4138,41 @@ resources: tls_ca_key_type: '- (Optional) CA key type, rsa or ec.' tls_min_version: '- (Optional) Minimum TLS version to accept.' importStatements: [] - vault_kmip_secret_role resource: + vault_kmip_secret_role: subCategory: "" description: Provision KMIP Secret roles in Vault. - name: vault_kmip_secret_role resource + name: vault_kmip_secret_role title: vault_kmip_secret_role resource + examples: + - name: admin + manifest: |- + { + "operation_activate": true, + "operation_create": true, + "operation_destroy": true, + "operation_get": true, + "operation_get_attributes": true, + "path": "${vault_kmip_secret_scope.dev.path}", + "role": "admin", + "scope": "${vault_kmip_secret_scope.dev.scope}", + "tls_client_key_bits": 256, + "tls_client_key_type": "ec" + } + references: + path: vault_kmip_secret_scope.dev.path + scope: vault_kmip_secret_scope.dev.scope + dependencies: + vault_kmip_secret_backend.default: |- + { + "description": "Vault KMIP backend", + "path": "kmip" + } + vault_kmip_secret_scope.dev: |- + { + "force": true, + "path": "${vault_kmip_secret_backend.default.path}", + "scope": "dev" + } argumentDocs: namespace: |- - (Optional) The namespace to provision the resource in. 
@@ -2468,11 +4202,27 @@ resources: tls_client_key_type: '- (Optional) Client certificate key type, rsa or ec.' tls_client_ttl: '- (Optional) Client certificate TTL in seconds.' importStatements: [] - vault_kmip_secret_scope resource: + vault_kmip_secret_scope: subCategory: "" description: Provision KMIP Secret scopes in Vault. - name: vault_kmip_secret_scope resource + name: vault_kmip_secret_scope title: vault_kmip_secret_scope resource + examples: + - name: dev + manifest: |- + { + "force": true, + "path": "${vault_kmip_secret_backend.default.path}", + "scope": "dev" + } + references: + path: vault_kmip_secret_backend.default.path + dependencies: + vault_kmip_secret_backend.default: |- + { + "description": "Vault KMIP backend", + "path": "kmip" + } argumentDocs: force: '- (Optional) Boolean field to force deletion even if there are managed objects in the scope.' namespace: |- 
@@ -2485,11 +4235,29 @@ resources: not begin or end with a /. Defaults to kmip. scope: '- (Required) Name of the scope.' importStatements: [] - vault_kubernetes_auth_backend_config resource: + vault_kubernetes_auth_backend_config: subCategory: "" description: Manages Kubernetes auth backend configs in Vault. - name: vault_kubernetes_auth_backend_config resource + name: vault_kubernetes_auth_backend_config title: vault_kubernetes_auth_backend_config resource + examples: + - name: example + manifest: |- + { + "backend": "${vault_auth_backend.kubernetes.path}", + "disable_iss_validation": "true", + "issuer": "api", + "kubernetes_ca_cert": "-----BEGIN CERTIFICATE-----\nexample\n-----END CERTIFICATE-----", + "kubernetes_host": "http://example.com:443", + "token_reviewer_jwt": "ZXhhbXBsZQo=" + } + references: + backend: vault_auth_backend.kubernetes.path + dependencies: + vault_auth_backend.kubernetes: |- + { + "type": "kubernetes" + } argumentDocs: disable_iss_validation: '- (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+' disable_local_ca_jwt: '- (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+' 
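Review bot: `"disable_iss_validation": "true"` is a quoted string; if the generated field is a boolean (the argument doc reads as a switch) this literal will be rejected by schema validation, so it should be `"disable_iss_validation": true`. The example also demonstrates turning issuer validation off, which is the less safe setting and is what users will copy; omitting the line so the default is shown would be preferable. `"kubernetes_host": "http://example.com:443"` pairs a plaintext scheme with the TLS port and would be clearer as `https://example.com:443`.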
@@ -2504,11 +4272,38 @@ resources: pem_keys: '- (Optional) List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.' token_reviewer_jwt: '- (Optional) A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.' importStatements: [] - vault_kubernetes_auth_backend_role resource: + vault_kubernetes_auth_backend_role: subCategory: "" description: Manages Kubernetes auth backend roles in Vault. - name: vault_kubernetes_auth_backend_role resource + name: vault_kubernetes_auth_backend_role title: vault_kubernetes_auth_backend_role resource + examples: + - name: example + manifest: |- + { + "audience": "vault", + "backend": "${vault_auth_backend.kubernetes.path}", + "bound_service_account_names": [ + "example" + ], + "bound_service_account_namespaces": [ + "example" + ], + "role_name": "example-role", + "token_policies": [ + "default", + "dev", + "prod" + ], + "token_ttl": 3600 + } + references: + backend: vault_auth_backend.kubernetes.path + dependencies: + vault_auth_backend.kubernetes: |- + { + "type": "kubernetes" + } argumentDocs: alias_name_source: |- - (Optional, default: serviceaccount_uid) Configures how identity aliases are generated. 
@@ -2556,11 +4351,24 @@ resources: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. importStatements: [] - vault_kubernetes_secret_backend resource: + vault_kubernetes_secret_backend: subCategory: "" description: Creates a Kubernetes Secrets Engine in Vault. - name: vault_kubernetes_secret_backend resource + name: vault_kubernetes_secret_backend title: vault_kubernetes_secret_backend resource + examples: + - name: config + manifest: |- + { + "default_lease_ttl_seconds": 43200, + "description": "kubernetes secrets engine description", + "disable_local_ca_jwt": false, + "kubernetes_ca_cert": "${file(\"/path/to/cert\")}", + "kubernetes_host": "https://127.0.0.1:61233", + "max_lease_ttl_seconds": 86400, + "path": "kubernetes", + "service_account_jwt": "${file(\"/path/to/token\")}" + } argumentDocs: disable_local_ca_jwt: |- - (Optional) Disable defaulting to the local CA certificate and 
@@ -2584,11 +4392,109 @@ resources: secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault is running in Kubernetes. importStatements: [] - vault_kubernetes_secret_backend_role resource: + vault_kubernetes_secret_backend_role: subCategory: "" description: Creates a role for the Kubernetes Secrets Engine in Vault. - name: vault_kubernetes_secret_backend_role resource + name: vault_kubernetes_secret_backend_role title: vault_kubernetes_secret_backend_role resource + examples: + - name: sa-example + manifest: |- + { + "allowed_kubernetes_namespaces": [ + "*" + ], + "backend": "${vault_kubernetes_secret_backend.config.path}", + "extra_annotations": { + "env": "development", + "location": "earth" + }, + "extra_labels": { + "id": "abc123", + "name": "some_name" + }, + "name": "service-account-name-role", + "service_account_name": "test-service-account-with-generated-token", + "token_default_ttl": 21600, + "token_max_ttl": 43200 + } + references: + backend: vault_kubernetes_secret_backend.config.path + dependencies: + vault_kubernetes_secret_backend.config: |- + { + "description": "kubernetes secrets engine description", + "disable_local_ca_jwt": false, + "kubernetes_ca_cert": "${file(\"/path/to/cert\")}", + "kubernetes_host": "https://127.0.0.1:61233", + "path": "kubernetes", + "service_account_jwt": "${file(\"/path/to/token\")}" + } + - name: name-example + manifest: |- + { + "allowed_kubernetes_namespaces": [ + "*" + ], + "backend": "${vault_kubernetes_secret_backend.config.path}", + "extra_annotations": { + "env": "development", + "location": "earth" + }, + "extra_labels": { + "id": "abc123", + "name": "some_name" + }, + "kubernetes_role_name": "vault-k8s-secrets-role", + "name": "service-account-name-role", + "token_default_ttl": 21600, + "token_max_ttl": 43200 + } + references: + backend: vault_kubernetes_secret_backend.config.path + dependencies: + vault_kubernetes_secret_backend.config: |- + { + "description": "kubernetes secrets 
engine description", + "disable_local_ca_jwt": false, + "kubernetes_ca_cert": "${file(\"/path/to/cert\")}", + "kubernetes_host": "https://127.0.0.1:61233", + "path": "kubernetes", + "service_account_jwt": "${file(\"/path/to/token\")}" + } + - name: rules-example + manifest: |- + { + "allowed_kubernetes_namespaces": [ + "*" + ], + "backend": "${vault_kubernetes_secret_backend.config.path}", + "extra_annotations": { + "env": "development", + "location": "earth" + }, + "extra_labels": { + "id": "abc123", + "name": "some_name" + }, + "generated_role_rules": "rules:\n- apiGroups: [\"\"]\n resources: [\"pods\"]\n verbs: [\"list\"]\n", + "kubernetes_role_type": "Role", + "name": "service-account-name-role", + "token_default_ttl": 21600, + "token_max_ttl": 43200 + } + references: + backend: vault_kubernetes_secret_backend.config.path + dependencies: + vault_kubernetes_secret_backend.config: |- + { + "description": "kubernetes secrets engine description", + "disable_local_ca_jwt": false, + "kubernetes_ca_cert": "${file(\"/path/to/cert\")}", + "kubernetes_host": "https://127.0.0.1:61233", + "path": "kubernetes", + "service_account_jwt": "${file(\"/path/to/token\")}" + } argumentDocs: allowed_kubernetes_namespaces: |- - (Required) The list of Kubernetes namespaces this role 
@@ -2631,11 +4537,28 @@ resources: token_default_ttl: '- (Optional) The default TTL for generated Kubernetes tokens in seconds.' token_max_ttl: '- (Optional) The maximum TTL for generated Kubernetes tokens in seconds.' importStatements: [] - vault_kv_secret resource: + vault_kv_secret: subCategory: "" description: Writes a KV-V1 secret to a given path in Vault - name: vault_kv_secret resource + name: vault_kv_secret title: vault_kv_secret resource + examples: + - name: secret + manifest: |- + { + "data_json": "${jsonencode(\n {\n zip = \"zap\",\n foo = \"bar\"\n }\n )}", + "path": "${vault_mount.kvv1.path}/secret" + } + dependencies: + vault_mount.kvv1: |- + { + "description": "KV Version 1 secret engine mount", + "options": { + "version": "1" + }, + "path": "kvv1", + "type": "kv" + } argumentDocs: data: |- - A mapping whose keys are the top-level data keys returned from @@ -2652,11 +4575,32 @@ resources: Available only for Vault Enterprise. path: '- (Required) Full path of the KV-V1 secret.' importStatements: [] - vault_kv_secret_backend_v2 resource: + vault_kv_secret_backend_v2: subCategory: "" description: Configures KV-V2 backend level settings that are applied to every key in the key-value store. - name: vault_kv_secret_backend_v2 resource + name: vault_kv_secret_backend_v2 title: vault_kv_secret_backend_v2 resource + examples: + - name: example + manifest: |- + { + "cas_required": true, + "delete_version_after": 12600, + "max_versions": 5, + "mount": "${vault_mount.kvv2.path}" + } + references: + mount: vault_mount.kvv2.path + dependencies: + vault_mount.kvv2: |- + { + "description": "KV Version 2 secret engine mount", + "options": { + "version": "2" + }, + "path": "kvv2", + "type": "kv" + } argumentDocs: cas_required: |- - (Optional) If true, all keys will require the cas 
@@ -2672,11 +4616,42 @@ resources: The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. importStatements: [] - vault_kv_secret_v2 resource: + vault_kv_secret_v2: subCategory: "" description: Writes a KV-V2 secret to a given path in Vault - name: vault_kv_secret_v2 resource + name: vault_kv_secret_v2 title: vault_kv_secret_v2 resource + examples: + - name: example + manifest: |- + { + "cas": 1, + "custom_metadata": [ + { + "data": { + "bar": "12345", + "foo": "vault@example.com" + }, + "max_versions": 5 + } + ], + "data_json": "${jsonencode(\n {\n zip = \"zap\",\n foo = \"bar\"\n }\n )}", + "delete_all_versions": true, + "mount": "${vault_mount.kvv2.path}", + "name": "secret" + } + references: + mount: vault_mount.kvv2.path + dependencies: + vault_mount.kvv2: |- + { + "description": "KV Version 2 secret engine mount", + "options": { + "version": "2" + }, + "path": "kvv2", + "type": "kv" + } argumentDocs: cas: |- - (Optional) This flag is required if cas_required is set to true 
@@ -2719,11 +4694,50 @@ resources: options: '- (Optional) An object that holds option settings.' path: '- Full path where the KV-V2 secret will be written.' importStatements: [] - vault_managed_keys resource: + vault_managed_keys: subCategory: "" description: Configures Managed Keys in Vault - name: vault_managed_keys resource + name: vault_managed_keys title: vault_managed_keys resource + examples: + - name: keys + manifest: |- + { + "aws": [ + { + "access_key": "${var.aws_access_key}", + "key_bits": "2048", + "key_type": "RSA", + "kms_key": "alias/vault_aws_key_1", + "name": "aws-key-1", + "secret_key": "${var.aws_secret_key}" + }, + { + "access_key": "${var.aws_access_key}", + "key_bits": "4096", + "key_type": "RSA", + "kms_key": "alias/vault_aws_key_2", + "name": "aws-key-2", + "secret_key": "${var.aws_secret_key}" + } + ] + } + references: + aws.access_key: var.aws_access_key + aws.secret_key: var.aws_secret_key + dependencies: + vault_mount.pki: |- + { + "allowed_managed_keys": [ + "${tolist(vault_managed_keys.keys.aws)[0].name}", + "${tolist(vault_managed_keys.keys.aws)[1].name}" + ], + "default_lease_ttl_seconds": 3600, + "description": "Example mount for managed keys", + "max_lease_ttl_seconds": 36000, + "path": "pki", + "type": "pki" + } argumentDocs: access_key: '- (Required) The AWS access key to use.' allow_generate_key: |- 
@@ -2779,11 +4793,29 @@ resources: token_label: '- (Optional) The slot token label to use.' vault_name: '- (Required) The Key Vault vault to use for encryption and decryption.' importStatements: [] - vault_mfa_duo resource: + vault_mfa_duo: subCategory: "" description: Managing the MFA Duo method configuration - name: vault_mfa_duo resource + name: vault_mfa_duo title: vault_mfa_duo resource + examples: + - name: my_duo + manifest: |- + { + "api_hostname": "api-2b5c39f5.duosecurity.com", + "integration_key": "BIACEUEAXI20BNWTEYXT", + "mount_accessor": "${vault_auth_backend.userpass.accessor}", + "name": "my_duo", + "secret_key": "8C7THtrIigh2rPZQMbguugt8IUftWhMRCOBzbuyz" + } + references: + mount_accessor: vault_auth_backend.userpass.accessor + dependencies: + vault_auth_backend.userpass: |- + { + "path": "userpass", + "type": "userpass" + } argumentDocs: : ': The value of the Alias''s metadata parameter' api_hostname: '(string: ) - API hostname for Duo.' 
@@ -2799,11 +4831,29 @@ resources: secret_key: '(string: ) - Secret key for Duo.' username_format: '(string) - A format string for mapping Identity names to MFA method names. Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". If blank, the Alias''s Name field will be used as-is. Currently-supported mappings:' importStatements: [] - vault_mfa_okta resource: + vault_mfa_okta: subCategory: "" description: Managing the MFA Okta method configuration - name: vault_mfa_okta resource + name: vault_mfa_okta title: vault_mfa_okta resource + examples: + - name: my_okta + manifest: |- + { + "api_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9", + "mount_accessor": "${vault_auth_backend.userpass.accessor}", + "name": "my_okta", + "org_name": "hashicorp", + "username_format": "user@example.com" + } + references: + mount_accessor: vault_auth_backend.userpass.accessor + dependencies: + vault_auth_backend.userpass: |- + { + "path": "userpass", + "type": "userpass" + } argumentDocs: : ': The value of the Alias''s metadata parameter' api_token: '(string: ) - Okta API key.' 
@@ -2828,11 +4878,29 @@ resources: Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". If blank, the Alias's Name field will be used as-is. Currently-supported mappings: importStatements: [] - vault_mfa_pingid resource: + vault_mfa_pingid: subCategory: "" description: Managing the MFA PingID method configuration - name: vault_mfa_pingid resource + name: vault_mfa_pingid title: vault_mfa_pingid resource + examples: + - name: my_pingid + manifest: |- + { + "mount_accessor": "${vault_auth_backend.userpass.accessor}", + "name": "my_pingid", + "settings_file_base64": "${var.settings_file}", + "username_format": "user@example.com" + } + references: + mount_accessor: vault_auth_backend.userpass.accessor + settings_file_base64: var.settings_file + dependencies: + vault_auth_backend.userpass: |- + { + "path": "userpass", + "type": "userpass" + } argumentDocs: : ': The value of the Alias''s metadata parameter' admin_url: (string) – Admin URL computed by Vault @@ -2860,11 +4928,22 @@ resources: Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". If blank, the Alias's Name field will be used as-is. Currently-supported mappings: importStatements: [] - vault_mfa_totp resource: + vault_mfa_totp: subCategory: "" description: Managing the MFA TOTP method configuration - name: vault_mfa_totp resource + name: vault_mfa_totp title: vault_mfa_totp resource + examples: + - name: my_totp + manifest: |- + { + "algorithm": "SHA256", + "digits": 8, + "issuer": "hashicorp", + "key_size": 20, + "name": "my_totp", + "period": 60 + } argumentDocs: algorithm: |- (string) - Specifies the hashing algorithm used to generate the TOTP code. 
@@ -2886,11 +4965,26 @@ resources: (int) - The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. importStatements: [] - vault_mongodbatlas_secret_backend resource: + vault_mongodbatlas_secret_backend: subCategory: "" description: Creates a MongoDB Atlas secret backend for Vault. - name: vault_mongodbatlas_secret_backend resource + name: vault_mongodbatlas_secret_backend title: vault_mongodbatlas_secret_backend resource + examples: + - name: config + manifest: |- + { + "mount": "vault_mount.mongo.path", + "private_key": "privateKey", + "public_key": "publicKey" + } + dependencies: + vault_mount.mongo: |- + { + "description": "MongoDB Atlas secret engine mount", + "path": "mongodbatlas", + "type": "mongodbatlas" + } argumentDocs: mount: '- (Required) Path where the MongoDB Atlas Secrets Engine is mounted.' namespace: |- 
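Review bot: `"mount": "vault_mount.mongo.path"` in the `config` example is a bare string, not a `${vault_mount.mongo.path}` interpolation, and the example has no `references:` entry, so the generated backend would be configured with a literal mount path named `vault_mount.mongo.path` instead of the `vault_mount.mongo` dependency declared right below it. Change it to `"mount": "${vault_mount.mongo.path}"` and add `references: mount: vault_mount.mongo.path`, as the other examples in this file do. The dependency block at L1530 repeats the same literal.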
@@ -2901,11 +4995,41 @@ resources: private_key: '- (Required) Specifies the Private API Key used to authenticate with the MongoDB Atlas API.' public_key: '- (Required) Specifies the Public API Key used to authenticate with the MongoDB Atlas API.' importStatements: [] - vault_mongodbatlas_secret_role resource: + vault_mongodbatlas_secret_role: subCategory: "" description: Creates a role for the MongoDB Atlas Secret Engine in Vault. - name: vault_mongodbatlas_secret_role resource + name: vault_mongodbatlas_secret_role title: vault_mongodbatlas_secret_role resource + examples: + - name: role + manifest: |- + { + "cidr_blocks": "192.168.1.3/35", + "ip_addresses": "192.168.1.5, 192.168.1.6", + "max_ttl": "120", + "mount": "${vault_mount.mongo.path}", + "name": "tf-test-role", + "organization_id": "7cf5a45a9ccf6400e60981b7", + "project_id": "5cf5a45a9ccf6400e60981b6", + "project_roles": "GROUP_READ_ONLY", + "roles": "ORG_READ_ONLY", + "ttl": "60" + } + references: + mount: vault_mount.mongo.path + dependencies: + vault_mongodbatlas_secret_backend.config: |- + { + "mount": "vault_mount.mongo.path", + "private_key": "privateKey", + "public_key": "publicKey" + } + vault_mount.mongo: |- + { + "description": "MongoDB Atlas secret engine mount", + "path": "%s", + "type": "mongodbatlas" + } argumentDocs: cidr_blocks: '- (Optional) Whitelist entry in CIDR notation to be added for the API key.' ip_addresses: '- (Optional) IP address to be added to the whitelist for the API key.' 
@@ -2927,11 +5051,45 @@ resources: roles: '- (Required) List of roles that the API Key needs to have.' ttl: '- (Optional) Duration in seconds after which the issued credential should expire.' importStatements: [] - vault_mount resource: + vault_mount: subCategory: "" description: Managing the mounting of secret backends in Vault - name: vault_mount resource + name: vault_mount title: vault_mount resource + examples: + - name: example + manifest: |- + { + "description": "This is an example mount", + "path": "dummy", + "type": "generic" + } + - name: kvv2-example + manifest: |- + { + "description": "This is an example KV Version 2 secret engine mount", + "path": "version2-example", + "type": "kv-v2" + } + - name: transit-example + manifest: |- + { + "description": "This is an example transit secret engine mount", + "options": { + "convergent_encryption": false + }, + "path": "transit-example", + "type": "transit" + } + - name: pki-example + manifest: |- + { + "default_lease_ttl_seconds": 3600, + "description": "This is an example PKI mount", + "max_lease_ttl_seconds": 86400, + "path": "pki-example", + "type": "pki" + } argumentDocs: accessor: '- The accessor for this mount.' allowed_managed_keys: '- (Optional) Set of managed key registry entry names that the mount in question is allowed to access' 
@@ -2952,11 +5110,69 @@ resources: seal_wrap: '- (Optional) Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal''s encryption capability' type: '- (Required) Type of the backend, such as "aws"' importStatements: [] - vault_namespace resource: + vault_namespace: subCategory: "" description: Writes namespaces for Vault - name: vault_namespace resource + name: vault_namespace title: vault_namespace resource + examples: + - name: ns1 + manifest: |- + { + "path": "ns1" + } + - name: parent + manifest: |- + { + "path": "parent" + } + dependencies: + vault_generic_secret.children: |- + { + "data_json": "${jsonencode(\n {\n \"ns\" = each.key\n }\n )}", + "for_each": "${local.child_namespaces}", + "namespace": "${vault_mount.children[each.key].namespace}", + "path": "${vault_mount.children[each.key].path}/secret" + } + vault_mount.children: |- + { + "for_each": "${local.child_namespaces}", + "namespace": "${vault_namespace.children[each.key].path_fq}", + "options": { + "version": "1" + }, + "path": "secrets", + "type": "kv" + } + - name: children + manifest: |- + { + "for_each": "${local.child_namespaces}", + "namespace": "${vault_namespace.parent.path}", + "path": "${each.key}" + } + references: + for_each: local.child_namespaces + namespace: vault_namespace.parent.path + path: each.key + dependencies: + vault_generic_secret.children: |- + { + "data_json": "${jsonencode(\n {\n \"ns\" = each.key\n }\n )}", + "for_each": "${local.child_namespaces}", + "namespace": "${vault_mount.children[each.key].namespace}", + "path": "${vault_mount.children[each.key].path}/secret" + } + vault_mount.children: |- + { + "for_each": "${local.child_namespaces}", + "namespace": "${vault_namespace.children[each.key].path_fq}", + "options": { + "version": "1" + }, + "path": "secrets", + "type": "kv" + } argumentDocs: id: '- ID of the namespace.' namespace: |- 
@@ -2967,11 +5183,24 @@ resources: path: '- (Required) The path of the namespace. Must not have a trailing /' path_fq: '- The fully qualified path to the namespace. Useful when provisioning resources in a child namespace.' importStatements: [] - vault_nomad_secret_backend resource: + vault_nomad_secret_backend: subCategory: "" description: Creates a Nomad secret backend for Vault. - name: vault_nomad_secret_backend resource + name: vault_nomad_secret_backend title: vault_nomad_secret_backend resource + examples: + - name: config + manifest: |- + { + "address": "https://127.0.0.1:4646", + "backend": "nomad", + "default_lease_ttl_seconds": "3600", + "description": "test description", + "max_lease_ttl_seconds": "7200", + "max_ttl": "240", + "token": "ae20ceaa-...", + "ttl": "120" + } argumentDocs: address: |- - (Optional) Specifies the address of the Nomad instance, provided @@ -3005,11 +5234,34 @@ resources: token: '- (Optional) Specifies the Nomad Management token to use.' ttl: '- (Optional) Specifies the ttl of the lease for the generated token.' importStatements: [] - vault_nomad_secret_role resource: + vault_nomad_secret_role: subCategory: "" description: Creates a Nomad role. - name: vault_nomad_secret_role resource + name: vault_nomad_secret_role title: vault_nomad_secret_role resource + examples: + - name: test + manifest: |- + { + "backend": "${vault_nomad_secret_backend.config.backend}", + "policies": [ + "readonly" + ], + "role": "test", + "type": "client" + } + references: + backend: vault_nomad_secret_backend.config.backend + dependencies: + vault_nomad_secret_backend.config: |- + { + "address": "https://127.0.0.1:4646", + "backend": "nomad", + "default_lease_ttl_seconds": "3600", + "description": "test description", + "max_lease_ttl_seconds": "7200", + "token": "ae20ceaa-..." + } argumentDocs: backend: |- - (Optional) The unique path this backend should be mounted at. Must 
@@ -3032,11 +5284,18 @@ resources: - (Optional) Specifies the type of token to create when using this role. Valid settings are 'client' and 'management'. Defaults to 'client'. importStatements: [] - vault_password_policy resource: + vault_password_policy: subCategory: "" description: Writes Password policies for Vault - name: vault_password_policy resource + name: vault_password_policy title: vault_password_policy resource + examples: + - name: alphanumeric + manifest: |- + { + "name": "alphanumeric", + "policy": " length = 20\n rule \"charset\" {\n charset = \"abcdefghijklmnopqrstuvwxyz0123456789\"\n }\n" + } argumentDocs: name: '- (Required) The name of the password policy.' namespace: |- @@ -3046,11 +5305,25 @@ resources: Available only for Vault Enterprise. policy: '- (Required) String containing a password policy.' importStatements: [] - vault_pki_secret_backend_cert resource: + vault_pki_secret_backend_cert: subCategory: "" description: Generate an PKI certificate. - name: vault_pki_secret_backend_cert resource + name: vault_pki_secret_backend_cert title: vault_pki_secret_backend_cert resource + examples: + - name: app + manifest: |- + { + "backend": "${vault_mount.intermediate.path}", + "common_name": "app.my.domain", + "depends_on": [ + "${vault_pki_secret_backend_role.admin}" + ], + "name": "${vault_pki_secret_backend_role.test.name}" + } + references: + backend: vault_mount.intermediate.path + name: vault_pki_secret_backend_role.test.name argumentDocs: alt_names: '- (Optional) List of alternative names' auto_renew: '- (Optional) If set to true, certs will be renewed if the expiration is within min_seconds_remaining. Default false' 
@@ -3080,11 +5353,23 @@ resources: ttl: '- (Optional) Time to live' uri_sans: '- (Optional) List of alternative URIs' importStatements: [] - vault_pki_secret_backend_config_ca resource: + vault_pki_secret_backend_config_ca: subCategory: "" description: Submit the CA information to PKI. - name: vault_pki_secret_backend_config_ca resource + name: vault_pki_secret_backend_config_ca title: vault_pki_secret_backend_config_ca resource + examples: + - name: intermediate + manifest: |- + { + "backend": "${vault_mount.intermediate.path}", + "depends_on": [ + "${vault_mount.intermediate}" + ], + "pem_bundle": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAwvEHeJCXnFgi88rE1dTX6FHdBPK0wSjedh0ywVnCZxLWbBv/\n5PytjTcCPdrfW7g2sfbPwOge/WF3X2KeYSP8SxZA0czmz6QDspeG921JkZWtyp5o\n++N0leLTIUAhq339p3O1onAOUO1k4sHfmCwfrDpTn2hcx4URa5Pzzb1fHigusjIH\n1mcGdncaA6Z2CzO1w4E8kPOUukIDrcZT4faOZrWUIQZKQw2JzTyKJ+ZMDCZq2TFz\nWwpL3eG48wB7J7mibFQ/9nFvxpIflBjDAZ8QiqkwYr5N0DNsTxcfTCSeubfJDCUf\nIWwFZhLitzwOxazazUQKXX/SPMQ1l/L9o3nnHwIDAQABAoIBAAQidJQcDPsl62fc\nTxxx7TpiMhvewfKu2TkMGX18V+EzxxR364+BxHSQTB3fvIkHeTGBGJrw0WdyX8PI\nJa/NwZYeHLXWcLbKtcFd8WDiEoNh91Oq1HMzOc/MBcpYv94RSAX7MEkHs2YIAvHE\nRufFV86hVhC1d/JLYjkz5CHi+Fd9XTYjBK78tHhJd4IJPu5LYvwlmzC1zeS7s1Tg\nQW1FQuVDV8tWa4PMTrQHwfaGqn95AKc+tbg+ubpCiWl5bBNI3Ghuh4sAC9dMdAkd\nw27i29O9/Y3XJSSGUZlZqDBP4YU388RgHpzLDUxgRcaQt9vdeEz6frULPW67e9D2\nmPPDzjECgYEA4aPOwvnSwGoOKsS6vANGy4Ajsq09PR+1ltMJUR5kDlXGuZWI72eX\n3/GAnovDuCp0tbYt0r7Fmkfel0Ore7SYM18TH5QGpPddcZLvKUf7AchCIOYY0Te3\npS9+7S1lEGrLXyuox4N26Ov6wHVrmZTcQoZsDWbjYxNNsNACsiQNjGMCgYEA3SvQ\nJets9e9SgNVvao2TijX+/vcNKRfcWB71T9Xc4BuSNEu5+ZLtptlwaSnVCVu1Xilk\nsWDh+3EhByl4EteENPvE/7A2s1sfcDOprvg0r52aBZKeTp0AukrT8+Ad4hap7g1x\n2Lz11MFDkhRqt2KqQaIL+5Mq5WfptbBJ0YI7ARUCgYAD6iSfK1hlsDFYupsGwgPL\nagi0g97pHZC38idaOe3AdeqBs79xb9mpr/XsSj52Bn6J3IRFALxK5e5Nr4XdGo/9\nbCvXw2iuGgCMBOGTVMVdDY1gJr3Ne2r7Oay5Dq2PMFsg5pACDhzVA6sRBbh9LKD5\non1jaiKNyHrzk1hIoOl/QwKBgA+Ov2uLbfS2yvTpDpdOMiyss603r6NOXF+Ofe8J\nuinBhr1K/mAB59muveuH18Z6vv1KqByaFgtb39j
jH+Eja9dWRns95/sh08pOuAbo\nyrv3uBfgQmaBQMXZ8aLcBv4aXgWyyGlYkWpP1fL2oLMZq6RGQ9WEeqX8c0ImjmrA\nYGopAoGBAJZPFlZi2Rfq4MfFZp/X1/zM09hphZwkxkSI+RnsjDUjTgB8CuQul5ep\nKWE98yLw4C25Cqw5fKKQ2addizLnZCAIfJKVNRjYLWlWyGQydDEUzqwXlSLS9LVX\nLxLkWDajIyjeFn21Ttb42L9pBo3TAQIxUenom/lP2SQTvCKBiPai\n-----END RSA PRIVATE KEY-----\n-----BEGIN CERTIFICATE-----\nMIIDazCCAlOgAwIBAgIUahce2sCO7Bom/Rznd5HsNAlr1NgwDQYJKoZIhvcNAQEL\nBQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM\nGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xODEyMDIwMTAxNDRaFw00NjEy\nMTUwMTAxNDRaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw\nHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB\nAQUAA4IBDwAwggEKAoIBAQDC8Qd4kJecWCLzysTV1NfoUd0E8rTBKN52HTLBWcJn\nEtZsG//k/K2NNwI92t9buDax9s/A6B79YXdfYp5hI/xLFkDRzObPpAOyl4b3bUmR\nla3Knmj743SV4tMhQCGrff2nc7WicA5Q7WTiwd+YLB+sOlOfaFzHhRFrk/PNvV8e\nKC6yMgfWZwZ2dxoDpnYLM7XDgTyQ85S6QgOtxlPh9o5mtZQhBkpDDYnNPIon5kwM\nJmrZMXNbCkvd4bjzAHsnuaJsVD/2cW/Gkh+UGMMBnxCKqTBivk3QM2xPFx9MJJ65\nt8kMJR8hbAVmEuK3PA7FrNrNRApdf9I8xDWX8v2jeecfAgMBAAGjUzBRMB0GA1Ud\nDgQWBBQXGfrns8OqxTGKsXG5pDZS/WyyYDAfBgNVHSMEGDAWgBQXGfrns8OqxTGK\nsXG5pDZS/WyyYDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCt\n8aUX26cl2PgdIEByZSHAX5G+2b0IEtTclPkl4uDyyKRY4dVq6gK3ueVSU5eUmBip\nJbV5aRetovGOcV//8vbxkZm/ntQ8Oo+2sfGR5lIzd0UdlOr5pkD6g3bFy/zJ+4DR\nDAe8fklUacfz6CFmD+H8GyHm+fKmF+mjr4oOGQW6OegRDJHuiipUk2lJyuXdlPSa\nFpNRO2sGbjn000ANinFgnFiVzGDnx0/G1Kii/6GWrI6rrdVmXioQzF+8AloWckeB\n+hbmbwkwQa/JrLb5SWcBDOXSgtn1Li3XF5AQQBBjA3pOlyBXqnI94Irw89Lv9uPT\nMUR4qFxeUOW/GJGccMUd\n-----END CERTIFICATE-----\n" + } + references: + backend: vault_mount.intermediate.path argumentDocs: backend: '- (Required) The PKI secret backend the resource belongs to.' namespace: |- 
@@ -3094,11 +5379,31 @@ resources: Available only for Vault Enterprise. pem_bundle: '- (Required) The key and certificate PEM bundle' importStatements: [] - vault_pki_secret_backend_config_urls resource: + vault_pki_secret_backend_config_urls: subCategory: "" description: Sets the config URL's on an PKI Secret Backend for Vault. - name: vault_pki_secret_backend_config_urls resource + name: vault_pki_secret_backend_config_urls title: vault_pki_secret_backend_config_urls resource + examples: + - name: example + manifest: |- + { + "backend": "${vault_mount.root.path}", + "issuing_certificates": [ + "http://127.0.0.1:8200/v1/pki/ca" + ] + } + references: + backend: vault_mount.root.path + dependencies: + vault_mount.root: |- + { + "default_lease_ttl_seconds": 8640000, + "description": "root PKI", + "max_lease_ttl_seconds": 8640000, + "path": "pki-root", + "type": "pki" + } argumentDocs: backend: '- (Required) The path the PKI secret backend is mounted at, with no leading or trailing /s.' crl_distribution_points: '- (Optional) Specifies the URL values for the CRL Distribution Points field.' 
@@ -3110,11 +5415,29 @@ resources: Available only for Vault Enterprise. ocsp_servers: '- (Optional) Specifies the URL values for the OCSP Servers field.' importStatements: [] - vault_pki_secret_backend_crl_config resource: + vault_pki_secret_backend_crl_config: subCategory: "" description: Sets the CRL config on an PKI Secret Backend for Vault. - name: vault_pki_secret_backend_crl_config resource + name: vault_pki_secret_backend_crl_config title: vault_pki_secret_backend_crl_config resource + examples: + - name: crl_config + manifest: |- + { + "backend": "${vault_mount.pki.path}", + "disable": false, + "expiry": "72h" + } + references: + backend: vault_mount.pki.path + dependencies: + vault_mount.pki: |- + { + "default_lease_ttl_seconds": 3600, + "max_lease_ttl_seconds": 86400, + "path": "%s", + "type": "pki" + } argumentDocs: auto_rebuild: '- (Optional) Enables periodic rebuilding of the CRL upon expiry. Vault 1.12+' auto_rebuild_grace_period: '- (Optional) Grace period before CRL expiry to attempt rebuild of CRL. Vault 1.12+' @@ -3140,11 +5463,24 @@ resources: - (Optional) Enables serving the unified CRL and OCSP on the existing, previously cluster-local paths. Vault 1.13+ importStatements: [] - vault_pki_secret_backend_intermediate_cert_request resource: + vault_pki_secret_backend_intermediate_cert_request: subCategory: "" description: Generate a new private key and a CSR for signing the PKI. - name: vault_pki_secret_backend_intermediate_cert_request resource + name: vault_pki_secret_backend_intermediate_cert_request title: vault_pki_secret_backend_intermediate_cert_request resource + examples: + - name: test + manifest: |- + { + "backend": "${vault_mount.pki.path}", + "common_name": "app.my.domain", + "depends_on": [ + "${vault_mount.pki}" + ], + "type": "internal" + } + references: + backend: vault_mount.pki.path argumentDocs: add_basic_constraints: |- - (Optional) Adds a Basic Constraints extension with 'CA: true'. 
@@ -3187,11 +5523,74 @@ resources: or "kms" uri_sans: '- (Optional) List of alternative URIs' importStatements: [] - vault_pki_secret_backend_intermediate_set_signed resource: + vault_pki_secret_backend_intermediate_set_signed: subCategory: "" description: Submit the PKI CA certificate. - name: vault_pki_secret_backend_intermediate_set_signed resource + name: vault_pki_secret_backend_intermediate_set_signed title: vault_pki_secret_backend_intermediate_set_signed resource + examples: + - name: example + manifest: |- + { + "backend": "${vault_mount.intermediate.path}", + "certificate": "${vault_pki_secret_backend_root_sign_intermediate.example.certificate}" + } + references: + backend: vault_mount.intermediate.path + certificate: vault_pki_secret_backend_root_sign_intermediate.example.certificate + dependencies: + vault_mount.intermediate: |- + { + "default_lease_ttl_seconds": 86400, + "description": "intermediate", + "max_lease_ttl_seconds": 86400, + "path": "pki-int", + "type": "${vault_mount.root.type}" + } + vault_mount.root: |- + { + "default_lease_ttl_seconds": 8640000, + "description": "root", + "max_lease_ttl_seconds": 8640000, + "path": "pki-root", + "type": "pki" + } + vault_pki_secret_backend_intermediate_cert_request.example: |- + { + "backend": "${vault_mount.intermediate.path}", + "common_name": "SubOrg Intermediate CA", + "type": "${vault_pki_secret_backend_root_cert.example.type}" + } + vault_pki_secret_backend_root_cert.example: |- + { + "backend": "${vault_mount.root.path}", + "common_name": "RootOrg Root CA", + "country": "US", + "exclude_cn_from_sans": true, + "format": "pem", + "key_bits": 4096, + "key_type": "rsa", + "locality": "San Francisco", + "organization": "RootOrg", + "ou": "Organizational Unit", + "private_key_format": "der", + "province": "CA", + "ttl": 86400, + "type": "internal" + } + vault_pki_secret_backend_root_sign_intermediate.example: |- + { + "backend": "${vault_mount.root.path}", + "common_name": "SubOrg Intermediate CA", + 
"country": "US", + "csr": "${vault_pki_secret_backend_intermediate_cert_request.example.csr}", + "exclude_cn_from_sans": true, + "locality": "San Francisco", + "organization": "SubOrg", + "ou": "SubUnit", + "province": "CA", + "revoke": true + } argumentDocs: backend: '- (Required) The PKI secret backend the resource belongs to.' certificate: |- 
@@ -3204,11 +5603,72 @@ resources: The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. importStatements: [] - vault_pki_secret_backend_role resource: + vault_pki_secret_backend_role: subCategory: "" description: Create a role on an PKI Secret Backend for Vault. - name: vault_pki_secret_backend_role resource + name: vault_pki_secret_backend_role title: vault_pki_secret_backend_role resource + examples: + - name: role + manifest: |- + { + "allow_ip_sans": true, + "allow_subdomains": true, + "allowed_domains": [ + "example.com", + "my.domain" + ], + "backend": "${vault_mount.pki.path}", + "key_bits": 4096, + "key_type": "rsa", + "name": "my_role", + "ttl": 3600 + } + references: + backend: vault_mount.pki.path + dependencies: + vault_mount.pki: |- + { + "default_lease_ttl_seconds": 3600, + "max_lease_ttl_seconds": 86400, + "path": "pki", + "type": "pki" + } + - name: role + manifest: |- + { + "allow_ip_sans": true, + "allow_subdomains": true, + "allowed_domains": [ + "example.com", + "my.domain" + ], + "backend": "${vault_mount.pki.path}", + "key_bits": 4096, + "key_type": "rsa", + "name": "my_role", + "policy_identifier": [ + { + "notice": "I am a user Notice", + "oid": "1.3.6.1.4.1.7.8" + }, + { + "cps": "https://example.com", + "oid": "1.3.6.1.4.1.44947.1.2.4" + } + ], + "ttl": 3600 + } + references: + backend: vault_mount.pki.path + dependencies: + vault_mount.pki: |- + { + "default_lease_ttl_seconds": 3600, + "max_lease_ttl_seconds": 86400, + "path": "pki", + "type": "pki" + } argumentDocs: allow_any_name: '- (Optional) Flag to allow any name' allow_bare_domains: '- (Optional) Flag to allow certificates matching the actual domain' 
@@ -3261,11 +5721,32 @@ resources: use_csr_common_name: '- (Optional) Flag to use the CN in the CSR' use_csr_sans: '- (Optional) Flag to use the SANs in the CSR' importStatements: [] - vault_pki_secret_backend_root_cert resource: + vault_pki_secret_backend_root_cert: subCategory: "" description: Generate root. - name: vault_pki_secret_backend_root_cert resource + name: vault_pki_secret_backend_root_cert title: vault_pki_secret_backend_root_cert resource + examples: + - name: test + manifest: |- + { + "backend": "${vault_mount.pki.path}", + "common_name": "Root CA", + "depends_on": [ + "${vault_mount.pki}" + ], + "exclude_cn_from_sans": true, + "format": "pem", + "key_bits": 4096, + "key_type": "rsa", + "organization": "My organization", + "ou": "My OU", + "private_key_format": "der", + "ttl": "315360000", + "type": "internal" + } + references: + backend: vault_mount.pki.path argumentDocs: alt_names: '- (Optional) List of alternative names' backend: '- (Required) The PKI secret backend the resource belongs to.' 
@@ -3307,11 +5788,26 @@ resources: or "kms" uri_sans: '- (Optional) List of alternative URIs' importStatements: [] - vault_pki_secret_backend_sign resource: + vault_pki_secret_backend_sign: subCategory: "" description: Sign a new certificate based on the CSR by the PKI. - name: vault_pki_secret_backend_sign resource + name: vault_pki_secret_backend_sign title: vault_pki_secret_backend_sign resource + examples: + - name: test + manifest: |- + { + "backend": "${vault_mount.pki.path}", + "common_name": "test.my.domain", + "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIIEqDCCApACAQAwYzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx\nITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEcMBoGA1UEAwwTY2Vy\ndC50ZXN0Lm15LmRvbWFpbjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB\nAJupYCQ8UVCWII1Zof1c6YcSSaM9hEaDU78cfKP5RoSeH10BvrWRfT+mzCONVpNP\nCW9Iabtvk6hm0ot6ilnndEyVJbc0g7hdDLBX5BM25D+DGZGJRKUz1V+uBrWmXtIt\nVonj7JTDTe7ViH0GDsB7CvqXFGXO2a2cDYBchLkL6vQiFPshxvUsLtwxuy/qdYgy\nX6ya+AUoZcoQGy1XxNjfH6cPtWSWQGEp1oPR6vL9hU3laTZb3C+VV4jZem+he8/0\nV+qV6fLG92WTXm2hmf8nrtUqqJ+C7mW/RJod+TviviBadIX0OHXW7k5HVsZood01\nte8vMRUNJNiZfa9EMIK5oncbQn0LcM3Wo9VrjpL7jREb/4HCS2gswYGv7hzk9cCS\nkVY4rDucchKbApuI3kfzmO7GFOF5eiSkYZpY/czNn7VVM3WCu6dpOX4+3rhgrZQw\nkY14L930DaLVRUgve/zKVP2D2GHdEOs+MbV7s96UgigT9pXly/yHPj+1sSYqmnaD\n5b7jSeJusmzO/nrwXVGLsnezR87VzHl9Ux9g5s6zh+R+PrZuVxYsLvoUpaasH47O\ngIcBzSb/6pSGZKAUizmYsHsR1k88dAvsQ+FsUDaNokdi9VndEB4QPmiFmjyLV+0I\n1TFoXop4sW11NPz1YCq+IxnYrEaIN3PyhY0GvBJDFY1/AgMBAAGgADANBgkqhkiG\n9w0BAQsFAAOCAgEActuqnqS8Y9UF7e08w7tR3FPzGecWreuvxILrlFEZJxiLPFqL\nIt7uJvtypCVQvz6UQzKdBYO7tMpRaWViB8DrWzXNZjLMrg+QHcpveg8C0Ett4scG\nfnvLk6fTDFYrnGvwHTqiHos5i0y3bFLyS1BGwSpdLAykGtvC+VM8mRyw/Y7CPcKN\n77kebY/9xduW1g2uxWLr0x90RuQDv9psPojT+59tRLGSp5Kt0IeD3QtnAZEFE4aN\nvt+Pd69eg3BgZ8ZeDgoqAw3yppvOkpAFiE5pw2qPZaM4SRphl4d2Lek2zNIMyZqv\ndo5zh356HOgXtDaSg0POnRGrN/Ua+LMCRTg6GEPUnx9uQb/zt8Zu0hIexDGyykp1\nOGqtWlv/Nc8UYuS38v0BeB6bMPeoqQUjkqs8nHlAEFn0KlgYdtDC+7SdQx6wS4te\ndBKRNDfC4lS3jYJgs55jHqonZgkpSi3bamlxpfpW0ukG
Bcmq91wRe4bOw/4uD/vf\nUwqMWOdCYcU3mdYNjTWy22ORW3SGFQxMBwpUEURCSoeqWr6aJeQ7KAYkx1PrB5T8\nOTEc13lWf+B0PU9UJuGTsmpIuImPDVd0EVDayr3mT5dDbqTVDbe8ppf2IswABmf0\no3DybUeUmknYjl109rdSf+76nuREICHatxXgN3xCMFuBaN4WLO+ksd6Y1Ys=\n-----END CERTIFICATE REQUEST-----\n", + "depends_on": [ + "${vault_pki_secret_backend_role.admin}" + ], + "name": "${vault_pki_secret_backend_role.admin.name}" + } + references: + backend: vault_mount.pki.path + name: vault_pki_secret_backend_role.admin.name argumentDocs: alt_names: '- (Optional) List of alternative names' auto_renew: '- (Optional) If set to true, certs will be renewed if the expiration is within min_seconds_remaining. Default false' @@ -3339,11 +5835,18 @@ resources: ttl: '- (Optional) Time to live' uri_sans: '- (Optional) List of alternative URIs' importStatements: [] - vault_policy resource: + vault_policy: subCategory: "" description: Writes arbitrary policies for Vault - name: vault_policy resource + name: vault_policy title: vault_policy resource + examples: + - name: example + manifest: |- + { + "name": "dev-team", + "policy": "path \"secret/my_app\" {\n capabilities = [\"update\"]\n}\n" + } argumentDocs: name: '- (Required) The name of the policy' namespace: |- @@ -3353,11 +5856,19 @@ resources: Available only for Vault Enterprise. policy: '- (Required) String containing a Vault policy' importStatements: [] - vault_quota_lease_count resource: + vault_quota_lease_count: subCategory: "" description: Manage Lease Count Quota - name: vault_quota_lease_count resource + name: vault_quota_lease_count title: vault_quota_lease_count resource + examples: + - name: global + manifest: |- + { + "max_leases": 100, + "name": "global", + "path": "" + } argumentDocs: max_leases: |- - (Required) The maximum number of leases to be allowed by the quota 
@@ -3376,11 +5887,19 @@ resources: auth/userpass to namespace1/auth/userpass moves this quota from being a global mount quota to a namespace specific mount quota. Note, namespaces are supported in Enterprise only. importStatements: [] - vault_quota_rate_limit resource: + vault_quota_rate_limit: subCategory: "" description: Manage Rate Limit Quota - name: vault_quota_rate_limit resource + name: vault_quota_rate_limit title: vault_quota_rate_limit resource + examples: + - name: global + manifest: |- + { + "name": "global", + "path": "", + "rate": 100 + } argumentDocs: block_interval: |- - (Optional) If set, when a client reaches a rate limit threshold, the client will @@ -3403,11 +5922,19 @@ resources: - (Required) The maximum number of requests at any given second to be allowed by the quota rule. The rate must be positive. importStatements: [] - vault_rabbitmq_secret_backend resource: + vault_rabbitmq_secret_backend: subCategory: "" description: Creates an RabbitMQ secret backend for Vault. - name: vault_rabbitmq_secret_backend resource + name: vault_rabbitmq_secret_backend title: vault_rabbitmq_secret_backend resource + examples: + - name: rabbitmq + manifest: |- + { + "connection_uri": "https://.....", + "password": "password", + "username": "user" + } argumentDocs: connection_uri: '- (Required) Specifies the RabbitMQ connection URI.' default_lease_ttl_seconds: |- 
@@ -3436,11 +5963,48 @@ resources: - (Optional) Specifies whether to verify connection URI, username, and password. Defaults to true. importStatements: [] - vault_rabbitmq_secret_backend_role resource: + vault_rabbitmq_secret_backend_role: subCategory: "" description: Creates a role on an RabbitMQ Secret Backend for Vault. - name: vault_rabbitmq_secret_backend_role resource + name: vault_rabbitmq_secret_backend_role title: vault_rabbitmq_secret_backend_role resource + examples: + - name: role + manifest: |- + { + "backend": "${vault_rabbitmq_secret_backend.rabbitmq.path}", + "name": "deploy", + "tags": "tag1,tag2", + "vhost": [ + { + "configure": "", + "host": "/", + "read": ".*", + "write": "" + } + ], + "vhost_topic": [ + { + "host": "/", + "vhost": [ + { + "read": ".*", + "topic": "amq.topic", + "write": "" + } + ] + } + ] + } + references: + backend: vault_rabbitmq_secret_backend.rabbitmq.path + dependencies: + vault_rabbitmq_secret_backend.rabbitmq: |- + { + "connection_uri": "https://.....", + "password": "password", + "username": "user" + } argumentDocs: backend: |- - (Required) The path the RabbitMQ secret backend is mounted at, 
@@ -3457,11 +6021,22 @@ resources: vhost: '- (Optional) Specifies a map of virtual hosts to permissions.' vhost_topic: '- (Optional) Specifies a map of virtual hosts and exchanges to topic permissions. This option requires RabbitMQ 3.7.0 or later.' importStatements: [] - vault_raft_autopilot resource: + vault_raft_autopilot: subCategory: "" description: Configures Raft's Autopilot capabilities. - name: vault_raft_autopilot resource + name: vault_raft_autopilot title: vault_raft_autopilot resource + examples: + - name: autopilot + manifest: |- + { + "cleanup_dead_servers": true, + "dead_server_last_contact_threshold": "24h0m0s", + "last_contact_threshold": "10s", + "max_trailing_logs": 1000, + "min_quorum": 3, + "server_stabilization_time": "10s" + } argumentDocs: cleanup_dead_servers: |- – (Optional) Specifies whether to remove dead server nodes 
@@ -3490,11 +6065,55 @@ resources: - (Optional) Minimum amount of time a server must be stable in the 'healthy' state before being added to the cluster. importStatements: [] - vault_raft_snapshot_agent_config resource: + vault_raft_snapshot_agent_config: subCategory: "" description: Creates a Raft Snapshot Agent Configuration for Vault. - name: vault_raft_snapshot_agent_config resource + name: vault_raft_snapshot_agent_config title: vault_raft_snapshot_agent_config resource + examples: + - name: local_backups + manifest: |- + { + "interval_seconds": 86400, + "local_max_space": 10000000, + "name": "local", + "path_prefix": "/opt/vault/snapshots/", + "retain": 7, + "storage_type": "local" + } + - name: s3_backups + manifest: |- + { + "aws_access_key_id": "${var.aws_access_key_id}", + "aws_s3_bucket": "my-bucket", + "aws_s3_enable_kms": true, + "aws_s3_region": "${data.aws_region.current.name}", + "aws_secret_access_key": "${var.aws_secret_access_key}", + "interval_seconds": 86400, + "name": "s3", + "path_prefix": "/path/in/bucket", + "retain": 7, + "storage_type": "aws-s3" + } + references: + aws_access_key_id: var.aws_access_key_id + aws_s3_region: data.aws_region.current.name + aws_secret_access_key: var.aws_secret_access_key + - name: azure_backups + manifest: |- + { + "azure_account_key": "${var.azure_account_key}", + "azure_account_name": "${var.azure_account_name}", + "azure_container_name": "vault-blob", + "interval_seconds": 86400, + "name": "azure_backup", + "path_prefix": "/", + "retain": 7, + "storage_type": "azure-blob" + } + references: + azure_account_key: var.azure_account_key + azure_account_name: var.azure_account_name argumentDocs: aws_access_key_id: '- AWS access key ID.' aws_s3_bucket: - S3 bucket to write snapshots to. 
@@ -3563,11 +6182,19 @@ resources: or "google-gcs". The remaining parameters described below are all specific to the selected storage_type and prefixed accordingly. importStatements: [] - vault_rgp_policy resource: + vault_rgp_policy: subCategory: "" description: Writes Sentinel role governing policies for Vault - name: vault_rgp_policy resource + name: vault_rgp_policy title: vault_rgp_policy resource + examples: + - name: allow-all + manifest: |- + { + "enforcement_level": "soft-mandatory", + "name": "allow-all", + "policy": "main = rule {\n true\n}\n" + } argumentDocs: enforcement_level: '- (Required) Enforcement level of Sentinel policy. Can be either advisory or soft-mandatory or hard-mandatory' name: '- (Required) The name of the policy' @@ -3578,11 +6205,24 @@ resources: Available only for Vault Enterprise. policy: '- (Required) String containing a Sentinel policy' importStatements: [] - vault_ssh_secret_backend_ca resource: + vault_ssh_secret_backend_ca: subCategory: "" description: Managing CA information in an SSH secret backend in Vault - name: vault_ssh_secret_backend_ca resource + name: vault_ssh_secret_backend_ca title: vault_ssh_secret_backend_ca resource + examples: + - name: foo + manifest: |- + { + "backend": "${vault_mount.example.path}" + } + references: + backend: vault_mount.example.path + dependencies: + vault_mount.example: |- + { + "type": "ssh" + } argumentDocs: backend: '- (Optional) The path where the SSH secret backend is mounted. Defaults to ''ssh''' generate_signing_key: '- (Optional) Whether Vault should generate the signing key pair internally. Defaults to true' 
@@ -3594,11 +6234,44 @@ resources: private_key: '- (Optional) The private key part the SSH CA key pair; required if generate_signing_key is false.' public_key: '- (Optional) The public key part the SSH CA key pair; required if generate_signing_key is false.' importStatements: [] - vault_ssh_secret_backend_role resource: + vault_ssh_secret_backend_role: subCategory: "" description: Managing roles in an SSH secret backend in Vault - name: vault_ssh_secret_backend_role resource + name: vault_ssh_secret_backend_role title: vault_ssh_secret_backend_role resource + examples: + - name: foo + manifest: |- + { + "allow_user_certificates": true, + "backend": "${vault_mount.example.path}", + "key_type": "ca", + "name": "my-role" + } + references: + backend: vault_mount.example.path + dependencies: + vault_mount.example: |- + { + "type": "ssh" + } + - name: bar + manifest: |- + { + "allowed_users": "default,baz", + "backend": "${vault_mount.example.path}", + "cidr_list": "0.0.0.0/0", + "default_user": "default", + "key_type": "otp", + "name": "otp-role" + } + references: + backend: vault_mount.example.path + dependencies: + vault_mount.example: |- + { + "type": "ssh" + } argumentDocs: algorithm_signer: '- (Optional) When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512.' allow_bare_domains: '- (Optional) Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains.' 
@@ -3646,11 +6319,19 @@ resources:
 rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521
 importStatements: []
- vault_terraform_cloud_secret_backend resource:
+ vault_terraform_cloud_secret_backend:
 subCategory: ""
 description: Creates a Terraform Cloud secret backend for Vault.
- name: vault_terraform_cloud_secret_backend resource
+ name: vault_terraform_cloud_secret_backend
 title: vault_terraform_cloud_secret_backend resource
+ examples:
+ - name: test
+ manifest: |-
+ {
+ "backend": "terraform",
+ "description": "Manages the Terraform Cloud backend",
+ "token": "V0idfhi2iksSDU234ucdbi2nidsi..."
+ }
 argumentDocs:
 backend: '- (Optional) The unique location this backend should be mounted at. Must not begin or end with a /. Defaults to terraform.'
 default_lease_ttl_seconds: '- (Optional) The default TTL for credentials issued by this backend.'
@@ -3670,11 +6351,35 @@ resources:
 - (Required) The Terraform Cloud management token this backend should use to issue new tokens.
 importStatements: []
- vault_terraform_cloud_secret_creds resource:
+ vault_terraform_cloud_secret_creds:
 subCategory: ""
 description: Generates tokens for Terraform Cloud.
- name: vault_terraform_cloud_secret_creds resource
+ name: vault_terraform_cloud_secret_creds
 title: vault_terraform_cloud_secret_creds resource
+ examples:
+ - name: token
+ manifest: |-
+ {
+ "backend": "${vault_terraform_cloud_secret_backend.test.backend}",
+ "role": "${vault_terraform_cloud_secret_role.example.name}"
+ }
+ references:
+ backend: vault_terraform_cloud_secret_backend.test.backend
+ role: vault_terraform_cloud_secret_role.example.name
+ dependencies:
+ vault_terraform_cloud_secret_backend.test: |-
+ {
+ "backend": "terraform",
+ "description": "Manages the Terraform Cloud backend",
+ "token": "V0idfhi2iksSDU234ucdbi2nidsi..."
+ }
+ vault_terraform_cloud_secret_role.example: |-
+ {
+ "backend": "${vault_terraform_cloud_secret_backend.test.backend}",
+ "name": "test-role",
+ "organization": "example-organization-name",
+ "team_id": "team-ieF4isC..."
+ }
 argumentDocs:
 backend: |-
 - (Required) The path to the Terraform Cloud secret backend to
@@ -3699,11 +6404,29 @@ resources:
 - The public identifier for a specific token. It can be used to look up information about a token or to revoke a token.
 importStatements: []
- vault_terraform_cloud_secret_role resource:
+ vault_terraform_cloud_secret_role:
 subCategory: ""
 description: Manages a Terraform Cloud secrets role for a Terraform Cloud secrets engine in Vault.
- name: vault_terraform_cloud_secret_role resource
+ name: vault_terraform_cloud_secret_role
 title: vault_terraform_cloud_secret_role resource
+ examples:
+ - name: example
+ manifest: |-
+ {
+ "backend": "${vault_terraform_cloud_secret_backend.test.backend}",
+ "name": "test-role",
+ "organization": "example-organization-name",
+ "team_id": "team-ieF4isC..."
+ }
+ references:
+ backend: vault_terraform_cloud_secret_backend.test.backend
+ dependencies:
+ vault_terraform_cloud_secret_backend.test: |-
+ {
+ "backend": "terraform",
+ "description": "Manages the Terraform Cloud backend",
+ "token": "V0idfhi2iksSDU234ucdbi2nidsi..."
+ }
 argumentDocs:
 backend: '- (Optional) The unique name of an existing Terraform Cloud secrets backend mount. Must not begin or end with a /.'
 max_ttl: '- (Optional) Maximum TTL for leases associated with this role, in seconds.'
@@ -3718,11 +6441,28 @@ resources:
 ttl: '- (Optional) Specifies the TTL for this role.'
 user_id: '- (Optional) The user id you wish to create a token for in your Terraform Cloud instance. (Note: this value can not be provided in conjunction with team_id and/or organization)'
 importStatements: []
- vault_token resource:
+ vault_token:
 subCategory: ""
 description: Writes token for Vault
- name: vault_token resource
+ name: vault_token
 title: vault_token resource
+ examples:
+ - name: example
+ manifest: |-
+ {
+ "metadata": {
+ "purpose": "service-account"
+ },
+ "policies": [
+ "policy1",
+ "policy2"
+ ],
+ "renew_increment": 86400,
+ "renew_min_lease": 43200,
+ "renewable": true,
+ "role_name": "app",
+ "ttl": "24h"
+ }
 argumentDocs:
 client_token: '- String containing the client token if stored in present file'
 display_name: '- (Optional) String containing the token display name'
@@ -3746,11 +6486,32 @@ resources:
 role_name: '- (Optional) The token role name'
 ttl: '- (Optional) The TTL period of this token'
 importStatements: []
- vault_token_auth_backend_role resource:
+ vault_token_auth_backend_role:
 subCategory: ""
 description: Manages Token auth backend roles in Vault.
- name: vault_token_auth_backend_role resource
+ name: vault_token_auth_backend_role
 title: vault_token_auth_backend_role resource
+ examples:
+ - name: example
+ manifest: |-
+ {
+ "allowed_entity_aliases": [
+ "test_entity"
+ ],
+ "allowed_policies": [
+ "dev",
+ "test"
+ ],
+ "disallowed_policies": [
+ "default"
+ ],
+ "orphan": true,
+ "path_suffix": "path-suffix",
+ "renewable": true,
+ "role_name": "my-role",
+ "token_explicit_max_ttl": "115200",
+ "token_period": "86400"
+ }
 argumentDocs:
 allowed_entity_aliases: (Optional) List of allowed entity aliases.
 allowed_policies: (Optional) List of allowed policies for given role.
@@ -3799,11 +6560,27 @@ resources:
 default-service and default-batch which specify the type to return unless the client requests a different type at generation time.
 importStatements: []
- vault_transform_alphabet resource:
+ vault_transform_alphabet:
 subCategory: ""
 description: '"/transform/alphabet/{name}"'
- name: vault_transform_alphabet resource
+ name: vault_transform_alphabet
 title: vault_transform_alphabet resource
+ examples:
+ - name: test
+ manifest: |-
+ {
+ "alphabet": "0123456789",
+ "name": "numerics",
+ "path": "${vault_mount.mount_transform.path}"
+ }
+ references:
+ path: vault_mount.mount_transform.path
+ dependencies:
+ vault_mount.mount_transform: |-
+ {
+ "path": "transform",
+ "type": "transform"
+ }
 argumentDocs:
 alphabet: '- (Optional) A string of characters that contains the alphabet set.'
 name: '- (Required) The name of the alphabet.'
@@ -3814,11 +6591,29 @@ resources:
 Available only for Vault Enterprise.
 path: '- (Required) Path to where the back-end is mounted within Vault.'
 importStatements: []
- vault_transform_role resource:
+ vault_transform_role:
 subCategory: ""
 description: '"/transform/role/{name}"'
- name: vault_transform_role resource
+ name: vault_transform_role
 title: vault_transform_role resource
+ examples:
+ - name: test
+ manifest: |-
+ {
+ "name": "payments",
+ "path": "${vault_mount.mount_transform.path}",
+ "transformations": [
+ "ccn-fpe"
+ ]
+ }
+ references:
+ path: vault_mount.mount_transform.path
+ dependencies:
+ vault_mount.mount_transform: |-
+ {
+ "path": "transform",
+ "type": "transform"
+ }
 argumentDocs:
 name: '- (Required) The name of the role.'
 namespace: |-
@@ -3829,11 +6624,39 @@ resources:
 path: '- (Required) Path to where the back-end is mounted within Vault.'
 transformations: '- (Optional) A comma separated string or slice of transformations to use.'
 importStatements: []
- vault_transform_template resource:
+ vault_transform_template:
 subCategory: ""
 description: '"/transform/template/{name}"'
- name: vault_transform_template resource
+ name: vault_transform_template
 title: vault_transform_template resource
+ examples:
+ - name: test
+ manifest: |-
+ {
+ "alphabet": "numerics",
+ "decode_formats": {
+ "last-four-digits": "$4"
+ },
+ "encode_format": "$1-$2-$3-$4",
+ "name": "ccn",
+ "path": "${vault_transform_alphabet.numerics.path}",
+ "pattern": "(\\d{4})[- ](\\d{4})[- ](\\d{4})[- ](\\d{4})",
+ "type": "regex"
+ }
+ references:
+ path: vault_transform_alphabet.numerics.path
+ dependencies:
+ vault_mount.transform: |-
+ {
+ "path": "transform",
+ "type": "transform"
+ }
+ vault_transform_alphabet.numerics: |-
+ {
+ "alphabet": "0123456789",
+ "name": "numerics",
+ "path": "${vault_mount.transform.path}"
+ }
 argumentDocs:
 alphabet: '- (Optional) The alphabet to use for this template. This is only used during FPE transformations.'
 decode_formats: |-
@@ -3852,11 +6675,32 @@ resources:
 pattern: '- (Optional) The pattern used for matching. Currently, only regular expression pattern is supported.'
 type: '- (Optional) The pattern type to use for match detection. Currently, only regex is supported.'
 importStatements: []
- vault_transform_transformation resource:
+ vault_transform_transformation:
 subCategory: ""
 description: '"/transform/transformation/{name}"'
- name: vault_transform_transformation resource
+ name: vault_transform_transformation
 title: vault_transform_transformation resource
+ examples:
+ - name: example
+ manifest: |-
+ {
+ "allowed_roles": [
+ "payments"
+ ],
+ "name": "ccn-fpe",
+ "path": "${vault_mount.example.path}",
+ "template": "ccn",
+ "tweak_source": "internal",
+ "type": "fpe"
+ }
+ references:
+ path: vault_mount.example.path
+ dependencies:
+ vault_mount.example: |-
+ {
+ "path": "transform",
+ "type": "transform"
+ }
 argumentDocs:
 allowed_roles: '- (Optional) The set of roles allowed to perform this transformation.'
 deletion_allowed: |-
@@ -3876,11 +6720,29 @@ resources:
 tweak_source: '- (Optional) The source of where the tweak value comes from. Only valid when in FPE mode.'
 type: '- (Optional) The type of transformation to perform.'
 importStatements: []
- vault_transit_secret_backend_key resource:
+ vault_transit_secret_backend_key:
 subCategory: ""
 description: Create an Encryption Keyring on a Transit Secret Backend for Vault.
- name: vault_transit_secret_backend_key resource
+ name: vault_transit_secret_backend_key
 title: vault_transit_secret_backend_key resource
+ examples:
+ - name: key
+ manifest: |-
+ {
+ "backend": "${vault_mount.transit.path}",
+ "name": "my_key"
+ }
+ references:
+ backend: vault_mount.transit.path
+ dependencies:
+ vault_mount.transit: |-
+ {
+ "default_lease_ttl_seconds": 3600,
+ "description": "Example description",
+ "max_lease_ttl_seconds": 86400,
+ "path": "transit",
+ "type": "transit"
+ }
 argumentDocs:
 aes128-gcm96: ', aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key''s metadata.'
 allow_plaintext_backup: '- (Optional) Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.'
@@ -3913,11 +6775,29 @@ resources:
 supports_signing: '- Whether or not the key supports signing, based on key type.'
 type: '- (Optional) Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096.'
 importStatements: []
- vault_transit_secret_cache_config resource:
+ vault_transit_secret_cache_config:
 subCategory: ""
 description: Configure the cache for the Transit Secret Backend in Vault.
- name: vault_transit_secret_cache_config resource
+ name: vault_transit_secret_cache_config
 title: vault_transit_secret_cache_config resource
+ examples:
+ - name: cfg
+ manifest: |-
+ {
+ "backend": "${vault_mount.transit.path}",
+ "size": 500
+ }
+ references:
+ backend: vault_mount.transit.path
+ dependencies:
+ vault_mount.transit: |-
+ {
+ "default_lease_ttl_seconds": 3600,
+ "description": "Example description",
+ "max_lease_ttl_seconds": 86400,
+ "path": "transit",
+ "type": "transit"
+ }
 argumentDocs:
 backend: '- (Required) The path the transit secret backend is mounted at, with no leading or trailing /s.'
 namespace: |-
diff --git a/examples-generated/ad/secretbackend.yaml b/examples-generated/ad/secretbackend.yaml
new file mode 100644
index 00000000..6cc59924
--- /dev/null
+++ b/examples-generated/ad/secretbackend.yaml
@@ -0,0 +1,19 @@
+apiVersion: ad.vault.upbound.io/v1alpha1
+kind: SecretBackend
+metadata:
+ annotations:
+ meta.upbound.io/example-id: ad/v1alpha1/secretbackend
+ labels:
+ testing.upbound.io/example-name: config
+ name: config
+spec:
+ forProvider:
+ backend: ad
+ binddn: CN=Administrator,CN=Users,DC=corp,DC=example,DC=net
+ bindpassSecretRef:
+ key: example-key
+ name: example-secret
+ namespace: upbound-system
+ insecureTls: "true"
+ url: ldaps://ad
+ userdn: CN=Users,DC=corp,DC=example,DC=net
diff --git a/examples-generated/ad/secretrole.yaml b/examples-generated/ad/secretrole.yaml
new file mode 100644
index 00000000..428846fb
--- /dev/null
+++ b/examples-generated/ad/secretrole.yaml
@@ -0,0 +1,36 @@
+apiVersion: ad.vault.upbound.io/v1alpha1
+kind: SecretRole
+metadata:
+ annotations:
+ meta.upbound.io/example-id: ad/v1alpha1/secretrole
+ labels:
+ testing.upbound.io/example-name: role
+ name: role
+spec:
+ forProvider:
+ backend: ad
+ role: bob
+ serviceAccountName: Bob
+ ttl: 60
+
+---
+
+apiVersion: ad.vault.upbound.io/v1alpha1
+kind: SecretBackend
+metadata:
+ annotations:
+ meta.upbound.io/example-id: ad/v1alpha1/secretrole
+ labels:
+ testing.upbound.io/example-name: config
+ name: config
+spec:
+ forProvider:
+ backend: ad
+ binddn: CN=Administrator,CN=Users,DC=corp,DC=example,DC=net
+ bindpassSecretRef:
+ key: example-key
+ name: example-secret
+ namespace: upbound-system
+ insecureTls: "true"
+ url: ldaps://ad
+ userdn: CN=Users,DC=corp,DC=example,DC=net
diff --git a/examples-generated/alicloud/authbackendrole.yaml b/examples-generated/alicloud/authbackendrole.yaml
new file mode 100644
index 00000000..6da7f16a
--- /dev/null
+++ b/examples-generated/alicloud/authbackendrole.yaml
@@ -0,0 +1,28 @@
+apiVersion: alicloud.vault.upbound.io/v1alpha1
+kind: AuthBackendRole
+metadata:
+ annotations:
+ meta.upbound.io/example-id: alicloud/v1alpha1/authbackendrole
+ labels:
+ testing.upbound.io/example-name: alicloud
+ name: alicloud
+spec:
+ forProvider:
+ arn: acs:ram:123456:tf:role/foobar
+ backend: cert
+ role: example
+
+---
+
+apiVersion: auth.vault.upbound.io/v1alpha1
+kind: Backend
+metadata:
+ annotations:
+ meta.upbound.io/example-id: alicloud/v1alpha1/authbackendrole
+ labels:
+ testing.upbound.io/example-name: alicloud
+ name: alicloud
+spec:
+ forProvider:
+ path: alicloud
+ type: alicloud
diff --git a/examples-generated/approle/authbackendlogin.yaml b/examples-generated/approle/authbackendlogin.yaml
new file mode 100644
index 00000000..b499ae6b
--- /dev/null
+++ b/examples-generated/approle/authbackendlogin.yaml
@@ -0,0 +1,61 @@
+apiVersion: approle.vault.upbound.io/v1alpha1
+kind: AuthBackendLogin
+metadata:
+ annotations:
+ meta.upbound.io/example-id: approle/v1alpha1/authbackendlogin
+ labels:
+ testing.upbound.io/example-name: login
+ name: login
+spec:
+ forProvider:
+ backend: cert
+ roleId: ${vault_approle_auth_backend_role.example.role_id}
+ secretId: ${vault_approle_auth_backend_role_secret_id.id.secret_id}
+
+---
+
+apiVersion: approle.vault.upbound.io/v1alpha1
+kind: AuthBackendRole
+metadata:
+ annotations:
+ meta.upbound.io/example-id: approle/v1alpha1/authbackendlogin
+ labels:
+ testing.upbound.io/example-name: example
+ name: example
+spec:
+ forProvider:
+ backend: ${vault_auth_backend.approle.path}
+ roleName: test-role
+ tokenPolicies:
+ - default
+ - dev
+ - prod
+
+---
+
+apiVersion: approle.vault.upbound.io/v1alpha1
+kind: AuthBackendRoleSecretID
+metadata:
+ annotations:
+ meta.upbound.io/example-id: approle/v1alpha1/authbackendlogin
+ labels:
+ testing.upbound.io/example-name: id
+ name: id
+spec:
+ forProvider:
+ backend: ${vault_auth_backend.approle.path}
+ roleName: test-role
+
+---
+
+apiVersion: auth.vault.upbound.io/v1alpha1
+kind: Backend
+metadata:
+ annotations:
+ meta.upbound.io/example-id: approle/v1alpha1/authbackendlogin
+ labels:
+ testing.upbound.io/example-name: approle
+ name: approle
+spec:
+ forProvider:
+ type: approle
diff --git a/examples-generated/approle/authbackendrole.yaml b/examples-generated/approle/authbackendrole.yaml
new file mode 100644
index 00000000..cc2b958f
--- /dev/null
+++ b/examples-generated/approle/authbackendrole.yaml
@@ -0,0 +1,30 @@
+apiVersion: approle.vault.upbound.io/v1alpha1
+kind: AuthBackendRole
+metadata:
+ annotations:
+ meta.upbound.io/example-id: approle/v1alpha1/authbackendrole
+ labels:
+ testing.upbound.io/example-name: example
+ name: example
+spec:
+ forProvider:
+ backend: cert
+ roleName: test-role
+ tokenPolicies:
+ - default
+ - dev
+ - prod
+
+---
+
+apiVersion: auth.vault.upbound.io/v1alpha1
+kind: Backend
+metadata:
+ annotations:
+ meta.upbound.io/example-id: approle/v1alpha1/authbackendrole
+ labels:
+ testing.upbound.io/example-name: approle
+ name: approle
+spec:
+ forProvider:
+ type: approle
diff --git a/examples-generated/approle/authbackendrolesecretid.yaml b/examples-generated/approle/authbackendrolesecretid.yaml
new file mode 100644
index 00000000..88a082a8
--- /dev/null
+++ b/examples-generated/approle/authbackendrolesecretid.yaml
@@ -0,0 +1,51 @@
+apiVersion: approle.vault.upbound.io/v1alpha1
+kind: AuthBackendRoleSecretID
+metadata:
+ annotations:
+ meta.upbound.io/example-id: approle/v1alpha1/authbackendrolesecretid
+ labels:
+ testing.upbound.io/example-name: id
+ name: id
+spec:
+ forProvider:
+ backend: cert
+ metadata: |-
+ ${jsonencode(
+ {
+ "hello" = "world"
+ }
+ )}
+ roleName: ${vault_approle_auth_backend_role.example.role_name}
+
+---
+
+apiVersion: approle.vault.upbound.io/v1alpha1
+kind: AuthBackendRole
+metadata:
+ annotations:
+ meta.upbound.io/example-id: approle/v1alpha1/authbackendrolesecretid
+ labels:
+ testing.upbound.io/example-name: example
+ name: example
+spec:
+ forProvider:
+ backend: ${vault_auth_backend.approle.path}
+ roleName: test-role
+ tokenPolicies:
+ - default
+ - dev
+ - prod
+
+---
+
+apiVersion: auth.vault.upbound.io/v1alpha1
+kind: Backend
+metadata:
+ annotations:
+ meta.upbound.io/example-id: approle/v1alpha1/authbackendrolesecretid
+ labels:
+ testing.upbound.io/example-name: approle
+ name: approle
+spec:
+ forProvider:
+ type: approle
diff --git a/examples-generated/audit/requestheader.yaml b/examples-generated/audit/requestheader.yaml
new file mode 100644
index 00000000..000aa60c
--- /dev/null
+++ b/examples-generated/audit/requestheader.yaml
@@ -0,0 +1,12 @@
+apiVersion: audit.vault.upbound.io/v1alpha1
+kind: RequestHeader
+metadata:
+ annotations:
+ meta.upbound.io/example-id: audit/v1alpha1/requestheader
+ labels:
+ testing.upbound.io/example-name: x_forwarded_for
+ name: x-forwarded-for
+spec:
+ forProvider:
+ hmac: false
+ name: X-Forwarded-For
diff --git a/examples-generated/auth/backend.yaml b/examples-generated/auth/backend.yaml
new file mode 100644
index 00000000..bef813e1
--- /dev/null
+++ b/examples-generated/auth/backend.yaml
@@ -0,0 +1,12 @@
+apiVersion: auth.vault.upbound.io/v1alpha1
+kind: Backend
+metadata:
+ annotations:
+ meta.upbound.io/example-id: auth/v1alpha1/backend
+ labels:
+ testing.upbound.io/example-name: cert
+ name: cert
+spec:
+ forProvider:
+ path: cert
+ type: cert
diff --git a/examples-generated/aws/authbackendcert.yaml b/examples-generated/aws/authbackendcert.yaml
new file mode 100644
index 00000000..632e393e
--- /dev/null
+++ b/examples-generated/aws/authbackendcert.yaml
@@ -0,0 +1,25 @@
+apiVersion: aws.vault.upbound.io/v1alpha1
+kind: AuthBackendCert
+metadata:
+ annotations:
+ meta.upbound.io/example-id: aws/v1alpha1/authbackendcert
+ labels:
+ testing.upbound.io/example-name: cert
+ name: cert
+spec:
+ forProvider:
+ backend: cert
+
+---
+
+apiVersion: auth.vault.upbound.io/v1alpha1
+kind: Backend
+metadata:
+ annotations:
+ meta.upbound.io/example-id: aws/v1alpha1/authbackendcert
+ labels:
+ testing.upbound.io/example-name: aws
+ name: aws
+spec:
+ forProvider:
+ type: aws
diff --git a/examples-generated/aws/authbackendclient.yaml b/examples-generated/aws/authbackendclient.yaml
new file mode 100644
index 00000000..530e18e4
--- /dev/null
+++ b/examples-generated/aws/authbackendclient.yaml
@@ -0,0 +1,33 @@
+apiVersion: aws.vault.upbound.io/v1alpha1
+kind: AuthBackendClient
+metadata:
+ annotations:
+ meta.upbound.io/example-id: aws/v1alpha1/authbackendclient
+ labels:
+ testing.upbound.io/example-name: example
+ name: example
+spec:
+ forProvider:
+ accessKeySecretRef:
+ key: example-key
+ name: example-secret
+ namespace: upbound-system
+ backend: cert
+ secretKeySecretRef:
+ key: example-key
+ name: example-secret
+ namespace: upbound-system
+
+---
+
+apiVersion: auth.vault.upbound.io/v1alpha1
+kind: Backend
+metadata:
+ annotations:
+ meta.upbound.io/example-id: aws/v1alpha1/authbackendclient
+ labels:
+ testing.upbound.io/example-name: example
+ name: example
+spec:
+ forProvider:
+ type: aws
diff --git a/examples-generated/aws/authbackendconfigidentity.yaml b/examples-generated/aws/authbackendconfigidentity.yaml
new file mode 100644
index 00000000..dd1a113e
--- /dev/null
+++ b/examples-generated/aws/authbackendconfigidentity.yaml
@@ -0,0 +1,29 @@
+apiVersion: aws.vault.upbound.io/v1alpha1
+kind: AuthBackendConfigIdentity
+metadata:
+ annotations:
+ meta.upbound.io/example-id: aws/v1alpha1/authbackendconfigidentity
+ labels:
+ testing.upbound.io/example-name: example
+ name: example
+spec:
+ forProvider:
+ backend: cert
+ iamAlias: full_arn
+ iamMetadata:
+ - canonical_arn
+ - account_id
+
+---
+
+apiVersion: auth.vault.upbound.io/v1alpha1
+kind: Backend
+metadata:
+ annotations:
+ meta.upbound.io/example-id: aws/v1alpha1/authbackendconfigidentity
+ labels:
+ testing.upbound.io/example-name: aws
+ name: aws
+spec:
+ forProvider:
+ type: aws
diff --git a/examples-generated/aws/authbackendidentitywhitelist.yaml b/examples-generated/aws/authbackendidentitywhitelist.yaml
new file mode 100644
index 00000000..9e1af943
--- /dev/null
+++ b/examples-generated/aws/authbackendidentitywhitelist.yaml
@@ -0,0 +1,26 @@
+apiVersion: aws.vault.upbound.io/v1alpha1
+kind: AuthBackendIdentityWhitelist
+metadata:
+ annotations:
+ meta.upbound.io/example-id: aws/v1alpha1/authbackendidentitywhitelist
+ labels:
+ testing.upbound.io/example-name: example
+ name: example
+spec:
+ forProvider:
+ backend: cert
+ safetyBuffer: 3600
+
+---
+
+apiVersion: auth.vault.upbound.io/v1alpha1
+kind: Backend
+metadata:
+ annotations:
+ meta.upbound.io/example-id: aws/v1alpha1/authbackendidentitywhitelist
+ labels:
+ testing.upbound.io/example-name: example
+ name: example
+spec:
+ forProvider:
+ type: aws
diff --git a/examples-generated/aws/authbackendlogin.yaml b/examples-generated/aws/authbackendlogin.yaml
new file mode 100644
index 00000000..926ee2ee
--- /dev/null
+++ b/examples-generated/aws/authbackendlogin.yaml
@@ -0,0 +1,79 @@
+apiVersion: aws.vault.upbound.io/v1alpha1
+kind: AuthBackendLogin
+metadata:
+ annotations:
+ meta.upbound.io/example-id: aws/v1alpha1/authbackendlogin
+ labels:
+ testing.upbound.io/example-name: example
+ name: example
+spec:
+ forProvider:
+ backend: cert
+ identity: BASE64ENCODEDIDENTITYDOCUMENT
+ role: test-role
+ signature: BASE64ENCODEDSHA256IDENTITYDOCUMENTSIGNATURE
+
+---
+
+apiVersion: auth.vault.upbound.io/v1alpha1
+kind: Backend
+metadata:
+ annotations:
+ meta.upbound.io/example-id: aws/v1alpha1/authbackendlogin
+ labels:
+ testing.upbound.io/example-name: aws
+ name: aws
+spec:
+ forProvider:
+ path: aws
+ type: aws
+
+---
+
+apiVersion: aws.vault.upbound.io/v1alpha1
+kind: AuthBackendClient
+metadata:
+ annotations:
+ meta.upbound.io/example-id: aws/v1alpha1/authbackendlogin
+ labels:
+ testing.upbound.io/example-name: example
+ name: example
+spec:
+ forProvider:
+ accessKeySecretRef:
+ key: example-key
+ name: example-secret
+ namespace: upbound-system
+ backend: aws
+ secretKeySecretRef:
+ key: example-key
+ name: example-secret
+ namespace: upbound-system
+
+---
+
+apiVersion: aws.vault.upbound.io/v1alpha1
+kind: AuthBackendRole
+metadata:
+ annotations:
+ meta.upbound.io/example-id: aws/v1alpha1/authbackendlogin
+ labels:
+ testing.upbound.io/example-name: example
+ name: example
+spec:
+ forProvider:
+ authType: ec2
+ backend: aws
+ bound_account_id: "123456789012"
+ bound_ami_id: ami-8c1be5f6
+ bound_subnet_id: vpc-133128f1
+ bound_vpc_id: vpc-b61106d4
+ boundIamInstanceProfileArns:
+ - arn:aws:iam::123456789012:instance-profile/MyProfile
+ max_ttl: 120
+ role: test-role
+ tokenPolicies:
+ - default
+ - dev
+ - prod
+ ttl: 60
diff --git a/examples-generated/aws/authbackendrole.yaml b/examples-generated/aws/authbackendrole.yaml
new file mode 100644
index 00000000..383c8cf0
--- /dev/null
+++ b/examples-generated/aws/authbackendrole.yaml
@@ -0,0 +1,47 @@
+apiVersion: aws.vault.upbound.io/v1alpha1
+kind: AuthBackendRole
+metadata:
+ annotations:
+ meta.upbound.io/example-id: aws/v1alpha1/authbackendrole
+ labels:
+ testing.upbound.io/example-name: example
+ name: example
+spec:
+ forProvider:
+ authType: iam
+ backend: cert
+ boundAccountIds:
+ - "123456789012"
+ boundAmiIds:
+ - ami-8c1be5f6
+ boundIamInstanceProfileArns:
+ - arn:aws:iam::123456789012:instance-profile/MyProfile
+ boundIamRoleArns:
+ - arn:aws:iam::123456789012:role/MyRole
+ boundSubnetIds:
+ - vpc-133128f1
+ boundVpcIds:
+ - vpc-b61106d4
+ inferredAwsRegion: us-east-1
+ inferredEntityType: ec2_instance
+ role: test-role
+ tokenMaxTtl: 120
+ tokenPolicies:
+ - default
+ - dev
+ - prod
+ tokenTtl: 60
+
+---
+
+apiVersion: auth.vault.upbound.io/v1alpha1
+kind: Backend
+metadata:
+ annotations:
+ meta.upbound.io/example-id: aws/v1alpha1/authbackendrole
+ labels:
+ testing.upbound.io/example-name: aws
+ name: aws
+spec:
+ forProvider:
+ type: aws
diff --git a/examples-generated/aws/authbackendroletag.yaml b/examples-generated/aws/authbackendroletag.yaml
new file mode 100644
index 00000000..2ba314b5
--- /dev/null
+++ b/examples-generated/aws/authbackendroletag.yaml
@@ -0,0 +1,56 @@
+apiVersion: aws.vault.upbound.io/v1alpha1
+kind: AuthBackendRoleTag
+metadata:
+ annotations:
+ meta.upbound.io/example-id: aws/v1alpha1/authbackendroletag
+ labels:
+ testing.upbound.io/example-name: test
+ name: test
+spec:
+ forProvider:
+ backend: cert
+ instanceId: i-1234567
+ maxTtl: 1h
+ policies:
+ - prod
+ - dev
+ - test
+ role: test-role
+
+---
+
+apiVersion: auth.vault.upbound.io/v1alpha1
+kind: Backend
+metadata:
+ annotations:
+ meta.upbound.io/example-id: aws/v1alpha1/authbackendroletag
+ labels:
+ testing.upbound.io/example-name: aws
+ name: aws
+spec:
+ forProvider:
+ path: '%s'
+ type: aws
+
+---
+
+apiVersion: aws.vault.upbound.io/v1alpha1
+kind: AuthBackendRole
+metadata:
+ annotations:
+ meta.upbound.io/example-id: aws/v1alpha1/authbackendroletag
+ labels:
+ testing.upbound.io/example-name: role
+ name: role
+spec:
+ forProvider:
+ authType: ec2
+ backend: '%s'
+ bound_account_id: "123456789012"
+ policies:
+ - dev
+ - prod
+ - qa
+ - test
+ role: '%s'
+ roleTag: VaultRoleTag
diff --git a/examples-generated/aws/authbackendroletagblacklist.yaml b/examples-generated/aws/authbackendroletagblacklist.yaml
new file mode 100644
index 00000000..1e7f9467
--- /dev/null
+++ b/examples-generated/aws/authbackendroletagblacklist.yaml
@@ -0,0 +1,26 @@
+apiVersion: aws.vault.upbound.io/v1alpha1
+kind: AuthBackendRoletagBlacklist
+metadata:
+ annotations:
+ meta.upbound.io/example-id: aws/v1alpha1/authbackendroletagblacklist
+ labels:
+ testing.upbound.io/example-name: example
+ name: example
+spec:
+ forProvider:
+ backend: cert
+ safetyBuffer: 360
+
+---
+
+apiVersion: auth.vault.upbound.io/v1alpha1
+kind: Backend
+metadata:
+ annotations:
+ meta.upbound.io/example-id: aws/v1alpha1/authbackendroletagblacklist
+ labels:
+ testing.upbound.io/example-name: example
+ name: example
+spec:
+ forProvider:
+ type: aws
diff --git a/examples-generated/aws/authbackendstsrole.yaml b/examples-generated/aws/authbackendstsrole.yaml
new file mode 100644
index 00000000..b028a0e9
--- /dev/null
+++ b/examples-generated/aws/authbackendstsrole.yaml
@@ -0,0 +1,27 @@
+apiVersion: aws.vault.upbound.io/v1alpha1
+kind: AuthBackendStsRole
+metadata:
+ annotations:
+ meta.upbound.io/example-id: aws/v1alpha1/authbackendstsrole
+ labels:
+ testing.upbound.io/example-name: role
+ name: role
+spec:
+ forProvider:
+ accountId: "1234567890"
+ backend: cert
+ stsRole: arn:aws:iam::1234567890:role/my-role
+
+---
+
+apiVersion: auth.vault.upbound.io/v1alpha1
+kind: Backend
+metadata:
+ annotations:
+ meta.upbound.io/example-id: aws/v1alpha1/authbackendstsrole
+ labels:
+ testing.upbound.io/example-name: aws
+ name: aws
+spec:
+ forProvider:
+ type: aws
diff --git a/examples-generated/aws/secretbackend.yaml b/examples-generated/aws/secretbackend.yaml
new file mode 100644
index 00000000..e5bb1493
--- /dev/null
+++ b/examples-generated/aws/secretbackend.yaml
@@ -0,0 +1,18 @@
+apiVersion: aws.vault.upbound.io/v1alpha1
+kind: SecretBackend
+metadata:
+ annotations:
+ meta.upbound.io/example-id: aws/v1alpha1/secretbackend
+ labels:
+ testing.upbound.io/example-name: aws
+ name: aws
+spec:
+ forProvider:
+ accessKeySecretRef:
+ key: example-key
+ name: example-secret
+ namespace: upbound-system
+ secretKeySecretRef:
+ key: example-key
+ name: example-secret
+ namespace: upbound-system
diff --git a/examples-generated/aws/secretbackendrole.yaml b/examples-generated/aws/secretbackendrole.yaml
new file mode 100644
index 00000000..b498ffb1
--- /dev/null
+++ b/examples-generated/aws/secretbackendrole.yaml
@@ -0,0 +1,45 @@
+apiVersion: aws.vault.upbound.io/v1alpha1
+kind: SecretBackendRole
+metadata:
+ annotations:
+ meta.upbound.io/example-id: aws/v1alpha1/secretbackendrole
+ labels:
+ testing.upbound.io/example-name: role
+ name: role
+spec:
+ forProvider:
+ backend: ${vault_aws_secret_backend.aws.path}
+ credentialType: iam_user
+ name: deploy
+ policyDocument: |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "iam:*",
+ "Resource": "*"
+ }
+ ]
+ }
+
+---
+
+apiVersion: aws.vault.upbound.io/v1alpha1
+kind: SecretBackend
+metadata:
+ annotations:
+ meta.upbound.io/example-id: aws/v1alpha1/secretbackendrole
+ labels:
+ testing.upbound.io/example-name: aws
+ name: aws
+spec:
+ forProvider:
+ accessKeySecretRef:
+ key: example-key
+ name: example-secret
+ namespace: upbound-system
+ secretKeySecretRef:
+ key: example-key
+ name: example-secret
+ namespace: upbound-system
diff --git a/examples-generated/azure/authbackendconfig.yaml b/examples-generated/azure/authbackendconfig.yaml
new file mode 100644
index 00000000..084ddbc3
--- /dev/null
+++ b/examples-generated/azure/authbackendconfig.yaml
@@ -0,0 +1,38 @@ +apiVersion: azure.vault.upbound.io/v1alpha1 +kind: AuthBackendConfig +metadata: + annotations: + meta.upbound.io/example-id: azure/v1alpha1/authbackendconfig + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + backend: cert + clientIdSecretRef: + key: example-key + name: example-secret + namespace: upbound-system + clientSecretSecretRef: + key: example-key + name: example-secret + namespace: upbound-system + resource: https://vault.hashicorp.com + tenantIdSecretRef: + key: example-key + name: example-secret + namespace: upbound-system + +--- + +apiVersion: auth.vault.upbound.io/v1alpha1 +kind: Backend +metadata: + annotations: + meta.upbound.io/example-id: azure/v1alpha1/authbackendconfig + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + type: azure diff --git a/examples-generated/azure/authbackendrole.yaml b/examples-generated/azure/authbackendrole.yaml new file mode 100644 index 00000000..6e65afb5 --- /dev/null +++ b/examples-generated/azure/authbackendrole.yaml @@ -0,0 +1,36 @@ +apiVersion: azure.vault.upbound.io/v1alpha1 +kind: AuthBackendRole +metadata: + annotations: + meta.upbound.io/example-id: azure/v1alpha1/authbackendrole + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + backend: cert + boundResourceGroups: + - "123456789012" + boundSubscriptionIds: + - 11111111-2222-3333-4444-555555555555 + role: test-role + tokenMaxTtl: 120 + tokenPolicies: + - default + - dev + - prod + tokenTtl: 60 + +--- + +apiVersion: auth.vault.upbound.io/v1alpha1 +kind: Backend +metadata: + annotations: + meta.upbound.io/example-id: azure/v1alpha1/authbackendrole + labels: + testing.upbound.io/example-name: azure + name: azure +spec: + forProvider: + type: azure diff --git a/examples-generated/azure/secretbackend.yaml b/examples-generated/azure/secretbackend.yaml new file mode 100644 index 00000000..235437c3 --- /dev/null 
+++ b/examples-generated/azure/secretbackend.yaml @@ -0,0 +1,28 @@ +apiVersion: azure.vault.upbound.io/v1alpha1 +kind: SecretBackend +metadata: + annotations: + meta.upbound.io/example-id: azure/v1alpha1/secretbackend + labels: + testing.upbound.io/example-name: azure + name: azure +spec: + forProvider: + clientIdSecretRef: + key: example-key + name: example-secret + namespace: upbound-system + clientSecretSecretRef: + key: example-key + name: example-secret + namespace: upbound-system + environment: AzurePublicCloud + subscriptionIdSecretRef: + key: example-key + name: example-secret + namespace: upbound-system + tenantIdSecretRef: + key: example-key + name: example-secret + namespace: upbound-system + useMicrosoftGraphApi: true diff --git a/examples-generated/azure/secretbackendrole.yaml b/examples-generated/azure/secretbackendrole.yaml new file mode 100644 index 00000000..a2890637 --- /dev/null +++ b/examples-generated/azure/secretbackendrole.yaml 
@@ -0,0 +1,46 @@ +apiVersion: azure.vault.upbound.io/v1alpha1 +kind: SecretBackendRole +metadata: + annotations: + meta.upbound.io/example-id: azure/v1alpha1/secretbackendrole + labels: + testing.upbound.io/example-name: generated_role + name: generated-role +spec: + forProvider: + azureRoles: + - roleName: Reader + scope: /subscriptions/${var.subscription_id}/resourceGroups/azure-vault-group + backend: ${vault_azure_secret_backend.azure.path} + maxTtl: 600 + role: generated_role + ttl: 300 + +--- + +apiVersion: azure.vault.upbound.io/v1alpha1 +kind: SecretBackend +metadata: + annotations: + meta.upbound.io/example-id: azure/v1alpha1/secretbackendrole + labels: + testing.upbound.io/example-name: azure + name: azure +spec: + forProvider: + clientIdSecretRef: + key: example-key + name: example-secret + namespace: upbound-system + clientSecretSecretRef: + key: example-key + name: example-secret + namespace: upbound-system + subscriptionIdSecretRef: + key: example-key + name: example-secret + namespace: upbound-system + tenantIdSecretRef: + key: example-key + name: example-secret + namespace: upbound-system diff --git a/examples-generated/consul/secretbackend.yaml b/examples-generated/consul/secretbackend.yaml new file mode 100644 index 00000000..468509a2 --- /dev/null +++ b/examples-generated/consul/secretbackend.yaml @@ -0,0 +1,17 @@ +apiVersion: consul.vault.upbound.io/v1alpha1 +kind: SecretBackend +metadata: + annotations: + meta.upbound.io/example-id: consul/v1alpha1/secretbackend + labels: + testing.upbound.io/example-name: test + name: test +spec: + forProvider: + address: 127.0.0.1:8500 + description: Manages the Consul backend + path: consul + tokenSecretRef: + key: example-key + name: example-secret + namespace: upbound-system diff --git a/examples-generated/consul/secretbackendrole.yaml b/examples-generated/consul/secretbackendrole.yaml new file mode 100644 index 00000000..8833de27 --- /dev/null +++ b/examples-generated/consul/secretbackendrole.yaml 
@@ -0,0 +1,34 @@ +apiVersion: consul.vault.upbound.io/v1alpha1 +kind: SecretBackendRole +metadata: + annotations: + meta.upbound.io/example-id: consul/v1alpha1/secretbackendrole + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + backend: consul + consulPolicies: + - example-policy + name: test-role + +--- + +apiVersion: consul.vault.upbound.io/v1alpha1 +kind: SecretBackend +metadata: + annotations: + meta.upbound.io/example-id: consul/v1alpha1/secretbackendrole + labels: + testing.upbound.io/example-name: test + name: test +spec: + forProvider: + address: 127.0.0.1:8500 + description: Manages the Consul backend + path: consul + tokenSecretRef: + key: example-key + name: example-secret + namespace: upbound-system diff --git a/examples-generated/database/secretbackendconnection.yaml b/examples-generated/database/secretbackendconnection.yaml new file mode 100644 index 00000000..87327e76 --- /dev/null +++ b/examples-generated/database/secretbackendconnection.yaml @@ -0,0 +1,32 @@ +apiVersion: database.vault.upbound.io/v1alpha1 +kind: SecretBackendConnection +metadata: + annotations: + meta.upbound.io/example-id: database/v1alpha1/secretbackendconnection + labels: + testing.upbound.io/example-name: postgres + name: postgres +spec: + forProvider: + allowedRoles: + - dev + - prod + backend: dummy + name: postgres + postgresql: + - connectionUrl: postgres://username:password@host:port/database + +--- + +apiVersion: vault.vault.upbound.io/v1alpha1 +kind: Mount +metadata: + annotations: + meta.upbound.io/example-id: database/v1alpha1/secretbackendconnection + labels: + testing.upbound.io/example-name: db + name: db +spec: + forProvider: + path: postgres + type: database diff --git a/examples-generated/database/secretbackendrole.yaml b/examples-generated/database/secretbackendrole.yaml new file mode 100644 index 00000000..64f6354d --- /dev/null +++ b/examples-generated/database/secretbackendrole.yaml 
@@ -0,0 +1,50 @@ +apiVersion: database.vault.upbound.io/v1alpha1 +kind: SecretBackendRole +metadata: + annotations: + meta.upbound.io/example-id: database/v1alpha1/secretbackendrole + labels: + testing.upbound.io/example-name: role + name: role +spec: + forProvider: + backend: dummy + creationStatements: + - CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; + dbName: postgres + name: dev + +--- + +apiVersion: database.vault.upbound.io/v1alpha1 +kind: SecretBackendConnection +metadata: + annotations: + meta.upbound.io/example-id: database/v1alpha1/secretbackendrole + labels: + testing.upbound.io/example-name: postgres + name: postgres +spec: + forProvider: + allowedRoles: + - dev + - prod + backend: postgres + name: postgres + postgresql: + - connectionUrl: postgres://username:password@host:port/database + +--- + +apiVersion: vault.vault.upbound.io/v1alpha1 +kind: Mount +metadata: + annotations: + meta.upbound.io/example-id: database/v1alpha1/secretbackendrole + labels: + testing.upbound.io/example-name: db + name: db +spec: + forProvider: + path: postgres + type: database diff --git a/examples-generated/database/secretbackendstaticrole.yaml b/examples-generated/database/secretbackendstaticrole.yaml new file mode 100644 index 00000000..7adcafcc --- /dev/null +++ b/examples-generated/database/secretbackendstaticrole.yaml 
@@ -0,0 +1,51 @@ +apiVersion: database.vault.upbound.io/v1alpha1 +kind: SecretBackendStaticRole +metadata: + annotations: + meta.upbound.io/example-id: database/v1alpha1/secretbackendstaticrole + labels: + testing.upbound.io/example-name: static_role + name: static-role +spec: + forProvider: + backend: dummy + dbName: postgres + name: my-static-role + rotationPeriod: "3600" + rotationStatements: + - ALTER USER "{{name}}" WITH PASSWORD '{{password}}'; + username: example + +--- + +apiVersion: database.vault.upbound.io/v1alpha1 +kind: SecretBackendConnection +metadata: + annotations: + meta.upbound.io/example-id: database/v1alpha1/secretbackendstaticrole + labels: + testing.upbound.io/example-name: postgres + name: postgres +spec: + forProvider: + allowedRoles: + - '*' + backend: postgres + name: postgres + postgresql: + - connectionUrl: postgres://username:password@host:port/database + +--- + +apiVersion: vault.vault.upbound.io/v1alpha1 +kind: Mount +metadata: + annotations: + meta.upbound.io/example-id: database/v1alpha1/secretbackendstaticrole + labels: + testing.upbound.io/example-name: db + name: db +spec: + forProvider: + path: postgres + type: database diff --git a/examples-generated/database/secretsmount.yaml b/examples-generated/database/secretsmount.yaml new file mode 100644 index 00000000..bd6e580e --- /dev/null +++ b/examples-generated/database/secretsmount.yaml 
@@ -0,0 +1,71 @@ +apiVersion: database.vault.upbound.io/v1alpha1 +kind: SecretsMount +metadata: + annotations: + meta.upbound.io/example-id: database/v1alpha1/secretsmount + labels: + testing.upbound.io/example-name: db + name: db +spec: + forProvider: + mssql: + - allowedRoles: + - dev1 + connectionUrl: sqlserver://{{username}}:{{password}}@127.0.0.1:1433 + name: db1 + passwordSecretRef: + key: example-key + name: example-secret + namespace: upbound-system + username: sa + path: db + postgresql: + - allowedRoles: + - dev2 + connectionUrl: postgresql://{{username}}:{{password}}@127.0.0.1:5432/postgres + name: db2 + passwordSecretRef: + key: example-key + name: example-secret + namespace: upbound-system + username: postgres + verifyConnection: true + +--- + +apiVersion: database.vault.upbound.io/v1alpha1 +kind: SecretBackendRole +metadata: + annotations: + meta.upbound.io/example-id: database/v1alpha1/secretsmount + labels: + testing.upbound.io/example-name: dev1 + name: dev1 +spec: + forProvider: + backend: db + creationStatements: + - CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}'; + - CREATE USER [{{name}}] FOR LOGIN [{{name}}]; + - GRANT SELECT ON SCHEMA::dbo TO [{{name}}]; + dbName: db1 + name: dev1 + +--- + +apiVersion: database.vault.upbound.io/v1alpha1 +kind: SecretBackendRole +metadata: + annotations: + meta.upbound.io/example-id: database/v1alpha1/secretsmount + labels: + testing.upbound.io/example-name: dev2 + name: dev2 +spec: + forProvider: + backend: db + creationStatements: + - CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; + - GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}"; + dbName: db2 + name: dev2 diff --git a/examples-generated/egp/policy.yaml b/examples-generated/egp/policy.yaml new file mode 100644 index 00000000..5047e070 --- /dev/null +++ b/examples-generated/egp/policy.yaml 
@@ -0,0 +1,18 @@ +apiVersion: egp.vault.upbound.io/v1alpha1 +kind: Policy +metadata: + annotations: + meta.upbound.io/example-id: egp/v1alpha1/policy + labels: + testing.upbound.io/example-name: allow-all + name: allow-all +spec: + forProvider: + enforcementLevel: soft-mandatory + name: allow-all + paths: + - '*' + policy: | + main = rule { + true + } diff --git a/examples-generated/gcp/authbackendrole.yaml b/examples-generated/gcp/authbackendrole.yaml new file mode 100644 index 00000000..9924d3f7 --- /dev/null +++ b/examples-generated/gcp/authbackendrole.yaml @@ -0,0 +1,31 @@ +apiVersion: gcp.vault.upbound.io/v1alpha1 +kind: AuthBackendRole +metadata: + annotations: + meta.upbound.io/example-id: gcp/v1alpha1/authbackendrole + labels: + testing.upbound.io/example-name: gcp + name: gcp +spec: + forProvider: + backend: cert + boundServiceAccounts: + - database-server@foo-bar-baz.iam.gserviceaccount.com + project_id: foo-bar-baz + tokenPolicies: + - database-server + +--- + +apiVersion: auth.vault.upbound.io/v1alpha1 +kind: Backend +metadata: + annotations: + meta.upbound.io/example-id: gcp/v1alpha1/authbackendrole + labels: + testing.upbound.io/example-name: gcp + name: gcp +spec: + forProvider: + path: gcp + type: gcp diff --git a/examples-generated/gcp/secretbackend.yaml b/examples-generated/gcp/secretbackend.yaml new file mode 100644 index 00000000..d5265886 --- /dev/null +++ b/examples-generated/gcp/secretbackend.yaml @@ -0,0 +1,14 @@ +apiVersion: gcp.vault.upbound.io/v1alpha1 +kind: SecretBackend +metadata: + annotations: + meta.upbound.io/example-id: gcp/v1alpha1/secretbackend + labels: + testing.upbound.io/example-name: gcp + name: gcp +spec: + forProvider: + credentialsSecretRef: + key: attribute.credentials.json + name: example-secret + namespace: upbound-system diff --git a/examples-generated/gcp/secretimpersonatedaccount.yaml b/examples-generated/gcp/secretimpersonatedaccount.yaml new file mode 100644 index 00000000..e9c5ef8b --- /dev/null 
+++ b/examples-generated/gcp/secretimpersonatedaccount.yaml @@ -0,0 +1,33 @@ +apiVersion: gcp.vault.upbound.io/v1alpha1 +kind: SecretImpersonatedAccount +metadata: + annotations: + meta.upbound.io/example-id: gcp/v1alpha1/secretimpersonatedaccount + labels: + testing.upbound.io/example-name: impersonated_account + name: impersonated-account +spec: + forProvider: + backend: ${vault_gcp_secret_backend.gcp.path} + impersonatedAccount: this + serviceAccountEmail: ${google_service_account.this.email} + tokenScopes: + - https://www.googleapis.com/auth/cloud-platform + +--- + +apiVersion: gcp.vault.upbound.io/v1alpha1 +kind: SecretBackend +metadata: + annotations: + meta.upbound.io/example-id: gcp/v1alpha1/secretimpersonatedaccount + labels: + testing.upbound.io/example-name: gcp + name: gcp +spec: + forProvider: + credentialsSecretRef: + key: attribute.credentials.json + name: example-secret + namespace: upbound-system + path: gcp diff --git a/examples-generated/gcp/secretroleset.yaml b/examples-generated/gcp/secretroleset.yaml new file mode 100644 index 00000000..8d3918ce --- /dev/null +++ b/examples-generated/gcp/secretroleset.yaml 
@@ -0,0 +1,38 @@ +apiVersion: gcp.vault.upbound.io/v1alpha1 +kind: SecretRoleset +metadata: + annotations: + meta.upbound.io/example-id: gcp/v1alpha1/secretroleset + labels: + testing.upbound.io/example-name: roleset + name: roleset +spec: + forProvider: + backend: ${vault_gcp_secret_backend.gcp.path} + binding: + - resource: //cloudresourcemanager.googleapis.com/projects/${local.project} + roles: + - roles/viewer + project: ${local.project} + roleset: project_viewer + secretType: access_token + tokenScopes: + - https://www.googleapis.com/auth/cloud-platform + +--- + +apiVersion: gcp.vault.upbound.io/v1alpha1 +kind: SecretBackend +metadata: + annotations: + meta.upbound.io/example-id: gcp/v1alpha1/secretroleset + labels: + testing.upbound.io/example-name: gcp + name: gcp +spec: + forProvider: + credentialsSecretRef: + key: attribute.credentials.json + name: example-secret + namespace: upbound-system + path: gcp diff --git a/examples-generated/gcp/secretstaticaccount.yaml b/examples-generated/gcp/secretstaticaccount.yaml new file mode 100644 index 00000000..1d27f0f9 --- /dev/null +++ b/examples-generated/gcp/secretstaticaccount.yaml 
@@ -0,0 +1,38 @@ +apiVersion: gcp.vault.upbound.io/v1alpha1 +kind: SecretStaticAccount +metadata: + annotations: + meta.upbound.io/example-id: gcp/v1alpha1/secretstaticaccount + labels: + testing.upbound.io/example-name: static_account + name: static-account +spec: + forProvider: + backend: ${vault_gcp_secret_backend.gcp.path} + binding: + - resource: //cloudresourcemanager.googleapis.com/projects/${google_service_account.this.project} + roles: + - roles/viewer + secretType: access_token + serviceAccountEmail: ${google_service_account.this.email} + staticAccount: project_viewer + tokenScopes: + - https://www.googleapis.com/auth/cloud-platform + +--- + +apiVersion: gcp.vault.upbound.io/v1alpha1 +kind: SecretBackend +metadata: + annotations: + meta.upbound.io/example-id: gcp/v1alpha1/secretstaticaccount + labels: + testing.upbound.io/example-name: gcp + name: gcp +spec: + forProvider: + credentialsSecretRef: + key: attribute.credentials.json + name: example-secret + namespace: upbound-system + path: gcp diff --git a/examples-generated/generic/endpoint.yaml b/examples-generated/generic/endpoint.yaml new file mode 100644 index 00000000..9511ec4d --- /dev/null +++ b/examples-generated/generic/endpoint.yaml @@ -0,0 +1,30 @@ +apiVersion: generic.vault.upbound.io/v1alpha1 +kind: Endpoint +metadata: + annotations: + meta.upbound.io/example-id: generic/v1alpha1/endpoint + labels: + testing.upbound.io/example-name: u1 + name: u1 +spec: + forProvider: + dataJsonSecretRef: + key: example-key + name: example-secret + namespace: upbound-system + ignoreAbsentFields: true + path: auth/userpass/users/u1 + +--- + +apiVersion: auth.vault.upbound.io/v1alpha1 +kind: Backend +metadata: + annotations: + meta.upbound.io/example-id: generic/v1alpha1/endpoint + labels: + testing.upbound.io/example-name: userpass + name: userpass +spec: + forProvider: + type: userpass 
diff --git a/examples-generated/generic/secret.yaml b/examples-generated/generic/secret.yaml new file mode 100644 index 00000000..22f9bf9e --- /dev/null +++ b/examples-generated/generic/secret.yaml @@ -0,0 +1,15 @@ +apiVersion: generic.vault.upbound.io/v1alpha1 +kind: Secret +metadata: + annotations: + meta.upbound.io/example-id: generic/v1alpha1/secret + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + dataJsonSecretRef: + key: example-key + name: example-secret + namespace: upbound-system + path: secret/foo diff --git a/examples-generated/github/authbackend.yaml b/examples-generated/github/authbackend.yaml new file mode 100644 index 00000000..ce55fd14 --- /dev/null +++ b/examples-generated/github/authbackend.yaml @@ -0,0 +1,11 @@ +apiVersion: github.vault.upbound.io/v1alpha1 +kind: AuthBackend +metadata: + annotations: + meta.upbound.io/example-id: github/v1alpha1/authbackend + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + organization: myorg diff --git a/examples-generated/github/team.yaml b/examples-generated/github/team.yaml new file mode 100644 index 00000000..5cac6116 --- /dev/null +++ b/examples-generated/github/team.yaml @@ -0,0 +1,29 @@ +apiVersion: github.vault.upbound.io/v1alpha1 +kind: Team +metadata: + annotations: + meta.upbound.io/example-id: github/v1alpha1/team + labels: + testing.upbound.io/example-name: tf_devs + name: tf-devs +spec: + forProvider: + backend: ${vault_github_auth_backend.example.id} + policies: + - developer + - read-only + team: terraform-developers + +--- + +apiVersion: github.vault.upbound.io/v1alpha1 +kind: AuthBackend +metadata: + annotations: + meta.upbound.io/example-id: github/v1alpha1/team + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + organization: myorg diff --git a/examples-generated/github/user.yaml b/examples-generated/github/user.yaml new file mode 100644 index 00000000..99adbab4 
--- /dev/null +++ b/examples-generated/github/user.yaml @@ -0,0 +1,29 @@ +apiVersion: github.vault.upbound.io/v1alpha1 +kind: User +metadata: + annotations: + meta.upbound.io/example-id: github/v1alpha1/user + labels: + testing.upbound.io/example-name: tf_user + name: tf-user +spec: + forProvider: + backend: ${vault_github_auth_backend.example.id} + policies: + - developer + - read-only + user: john.doe + +--- + +apiVersion: github.vault.upbound.io/v1alpha1 +kind: AuthBackend +metadata: + annotations: + meta.upbound.io/example-id: github/v1alpha1/user + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + organization: myorg diff --git a/examples-generated/identity/entity.yaml b/examples-generated/identity/entity.yaml new file mode 100644 index 00000000..f577d77d --- /dev/null +++ b/examples-generated/identity/entity.yaml @@ -0,0 +1,15 @@ +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: Entity +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/entity + labels: + testing.upbound.io/example-name: test + name: test +spec: + forProvider: + metadata: + foo: bar + name: tester1 + policies: + - test diff --git a/examples-generated/identity/entityalias.yaml b/examples-generated/identity/entityalias.yaml new file mode 100644 index 00000000..98a96e8c --- /dev/null +++ b/examples-generated/identity/entityalias.yaml @@ -0,0 +1,13 @@ +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: EntityAlias +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/entityalias + labels: + testing.upbound.io/example-name: test + name: test +spec: + forProvider: + canonicalId: 49877D63-07AD-4B85-BDA8-B61626C477E8 + mountAccessor: token_1f2bd5 + name: user_1 diff --git a/examples-generated/identity/entitypolicies.yaml b/examples-generated/identity/entitypolicies.yaml new file mode 100644 index 00000000..29ad6093 --- /dev/null +++ b/examples-generated/identity/entitypolicies.yaml 
@@ -0,0 +1,30 @@ +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: EntityPolicies +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/entitypolicies + labels: + testing.upbound.io/example-name: policies + name: policies +spec: + forProvider: + entityId: ${vault_identity_entity.entity.id} + exclusive: true + policies: + - default + - test + +--- + +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: Entity +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/entitypolicies + labels: + testing.upbound.io/example-name: entity + name: entity +spec: + forProvider: + externalPolicies: true + name: entity diff --git a/examples-generated/identity/group.yaml b/examples-generated/identity/group.yaml new file mode 100644 index 00000000..52a9eae3 --- /dev/null +++ b/examples-generated/identity/group.yaml @@ -0,0 +1,17 @@ +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: Group +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/group + labels: + testing.upbound.io/example-name: internal + name: internal +spec: + forProvider: + metadata: + version: "2" + name: internal + policies: + - dev + - test + type: internal diff --git a/examples-generated/identity/groupalias.yaml b/examples-generated/identity/groupalias.yaml new file mode 100644 index 00000000..84d0819f --- /dev/null +++ b/examples-generated/identity/groupalias.yaml 
@@ -0,0 +1,45 @@ +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: GroupAlias +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/groupalias + labels: + testing.upbound.io/example-name: group-alias + name: group-alias +spec: + forProvider: + canonicalId: ${vault_identity_group.group.id} + mountAccessor: ${vault_auth_backend.github.accessor} + name: Github_Team_Slug + +--- + +apiVersion: auth.vault.upbound.io/v1alpha1 +kind: Backend +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/groupalias + labels: + testing.upbound.io/example-name: github + name: github +spec: + forProvider: + path: github + type: github + +--- + +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: Group +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/groupalias + labels: + testing.upbound.io/example-name: group + name: group +spec: + forProvider: + name: test + policies: + - test + type: external diff --git a/examples-generated/identity/groupmemberentityids.yaml b/examples-generated/identity/groupmemberentityids.yaml new file mode 100644 index 00000000..05112e11 --- /dev/null +++ b/examples-generated/identity/groupmemberentityids.yaml 
@@ -0,0 +1,46 @@ +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: GroupMemberEntityIds +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/groupmemberentityids + labels: + testing.upbound.io/example-name: members + name: members +spec: + forProvider: + exclusive: true + groupId: ${vault_identity_group.internal.id} + memberEntityIds: + - ${vault_identity_entity.user.id} + +--- + +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: Entity +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/groupmemberentityids + labels: + testing.upbound.io/example-name: user + name: user +spec: + forProvider: + name: user + +--- + +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: Group +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/groupmemberentityids + labels: + testing.upbound.io/example-name: internal + name: internal +spec: + forProvider: + externalMemberEntityIds: true + metadata: + version: "2" + name: internal + type: internal diff --git a/examples-generated/identity/groupmembergroupids.yaml b/examples-generated/identity/groupmembergroupids.yaml new file mode 100644 index 00000000..eb1ec279 --- /dev/null +++ b/examples-generated/identity/groupmembergroupids.yaml 
@@ -0,0 +1,48 @@ +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: GroupMemberGroupIds +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/groupmembergroupids + labels: + testing.upbound.io/example-name: members + name: members +spec: + forProvider: + exclusive: true + groupId: ${vault_identity_group.internal.id} + memberGroupIds: + - ${vault_identity_group.users.id} + +--- + +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: Group +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/groupmembergroupids + labels: + testing.upbound.io/example-name: internal + name: internal +spec: + forProvider: + externalMemberGroupIds: true + metadata: + version: "2" + name: internal + type: internal + +--- + +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: Group +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/groupmembergroupids + labels: + testing.upbound.io/example-name: users + name: users +spec: + forProvider: + metadata: + version: "2" + name: users diff --git a/examples-generated/identity/grouppolicies.yaml b/examples-generated/identity/grouppolicies.yaml new file mode 100644 index 00000000..0c080067 --- /dev/null +++ b/examples-generated/identity/grouppolicies.yaml @@ -0,0 +1,33 @@ +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: GroupPolicies +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/grouppolicies + labels: + testing.upbound.io/example-name: policies + name: policies +spec: + forProvider: + exclusive: true + groupId: ${vault_identity_group.internal.id} + policies: + - default + - test + +--- + +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: Group +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/grouppolicies + labels: + testing.upbound.io/example-name: internal + name: internal +spec: + forProvider: + externalPolicies: true + metadata: + version: "2" + name: internal + type: internal 
diff --git a/examples-generated/identity/mfaduo.yaml b/examples-generated/identity/mfaduo.yaml new file mode 100644 index 00000000..ece452a3 --- /dev/null +++ b/examples-generated/identity/mfaduo.yaml @@ -0,0 +1,19 @@ +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: MfaDuo +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/mfaduo + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + apiHostname: api-xxxxxxxx.duosecurity.com + integrationKeySecretRef: + key: example-key + name: example-secret + namespace: upbound-system + secretKeySecretRef: + key: example-key + name: example-secret + namespace: upbound-system diff --git a/examples-generated/identity/mfaloginenforcement.yaml b/examples-generated/identity/mfaloginenforcement.yaml new file mode 100644 index 00000000..3a287c00 --- /dev/null +++ b/examples-generated/identity/mfaloginenforcement.yaml @@ -0,0 +1,36 @@ +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: MfaLoginEnforcement +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/mfaloginenforcement + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + mfaMethodIds: + - ${vault_identity_mfa_duo.example.method_id} + name: default + +--- + +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: MfaDuo +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/mfaloginenforcement + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + apiHostname: foo.baz + integrationKeySecretRef: + key: example-key + name: example-secret + namespace: upbound-system + pushInfo: push-info + secretKeySecretRef: + key: example-key + name: example-secret + namespace: upbound-system diff --git a/examples-generated/identity/mfaokta.yaml b/examples-generated/identity/mfaokta.yaml new file mode 100644 index 00000000..d8ff9c01 --- /dev/null +++ b/examples-generated/identity/mfaokta.yaml 
@@ -0,0 +1,16 @@ +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: MfaOkta +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/mfaokta + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + apiTokenSecretRef: + key: example-key + name: example-secret + namespace: upbound-system + baseUrl: qux.baz.com + orgName: org1 diff --git a/examples-generated/identity/mfatotp.yaml b/examples-generated/identity/mfatotp.yaml new file mode 100644 index 00000000..2621ac23 --- /dev/null +++ b/examples-generated/identity/mfatotp.yaml @@ -0,0 +1,11 @@ +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: MfaTotp +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/mfatotp + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + issuer: issuer1 diff --git a/examples-generated/identity/oidc.yaml b/examples-generated/identity/oidc.yaml new file mode 100644 index 00000000..180320b1 --- /dev/null +++ b/examples-generated/identity/oidc.yaml @@ -0,0 +1,11 @@ +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: Oidc +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/oidc + labels: + testing.upbound.io/example-name: server + name: server +spec: + forProvider: + issuer: https://www.acme.com diff --git a/examples-generated/identity/oidcassignment.yaml b/examples-generated/identity/oidcassignment.yaml new file mode 100644 index 00000000..ad0de0a8 --- /dev/null +++ b/examples-generated/identity/oidcassignment.yaml 
@@ -0,0 +1,49 @@ +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: OidcAssignment +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/oidcassignment + labels: + testing.upbound.io/example-name: default + name: default +spec: + forProvider: + entityIds: + - ${vault_identity_entity.test.id} + groupIds: + - ${vault_identity_group.internal.id} + name: assignment + +--- + +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: Entity +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/oidcassignment + labels: + testing.upbound.io/example-name: test + name: test +spec: + forProvider: + name: test + policies: + - test + +--- + +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: Group +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/oidcassignment + labels: + testing.upbound.io/example-name: internal + name: internal +spec: + forProvider: + name: internal + policies: + - dev + - test + type: internal diff --git a/examples-generated/identity/oidcclient.yaml b/examples-generated/identity/oidcclient.yaml new file mode 100644 index 00000000..8649c2a8 --- /dev/null +++ b/examples-generated/identity/oidcclient.yaml 
@@ -0,0 +1,37 @@ +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: OidcClient +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/oidcclient + labels: + testing.upbound.io/example-name: test + name: test +spec: + forProvider: + accessTokenTtl: 7200 + assignments: + - ${vault_identity_oidc_assignment.test.name} + idTokenTtl: 2400 + name: my-app + redirectUris: + - http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback + - http://127.0.0.1:8251/callback + - http://127.0.0.1:8080/callback + +--- + +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: OidcAssignment +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/oidcclient + labels: + testing.upbound.io/example-name: test + name: test +spec: + forProvider: + entityIds: + - ascbascas-2231a-sdfaa + groupIds: + - sajkdsad-32414-sfsada + name: my-assignment diff --git a/examples-generated/identity/oidckey.yaml b/examples-generated/identity/oidckey.yaml new file mode 100644 index 00000000..5666a436 --- /dev/null +++ b/examples-generated/identity/oidckey.yaml @@ -0,0 +1,42 @@ +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: OidcKey +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/oidckey + labels: + testing.upbound.io/example-name: key + name: key +spec: + forProvider: + algorithm: RS256 + name: key + +--- + +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: OidcKeyAllowedClientID +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/oidckey + labels: + testing.upbound.io/example-name: role + name: role +spec: + forProvider: + allowedClientId: ${vault_identity_oidc_role.role.client_id} + keyName: key + +--- + +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: OidcRole +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/oidckey + labels: + testing.upbound.io/example-name: role + name: role +spec: + forProvider: + key: key + name: role 
diff --git a/examples-generated/identity/oidckeyallowedclientid.yaml b/examples-generated/identity/oidckeyallowedclientid.yaml new file mode 100644 index 00000000..d0055caf --- /dev/null +++ b/examples-generated/identity/oidckeyallowedclientid.yaml @@ -0,0 +1,42 @@ +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: OidcKeyAllowedClientID +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/oidckeyallowedclientid + labels: + testing.upbound.io/example-name: role + name: role +spec: + forProvider: + allowedClientId: ${vault_identity_oidc_role.role.client_id} + keyName: key + +--- + +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: OidcKey +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/oidckeyallowedclientid + labels: + testing.upbound.io/example-name: key + name: key +spec: + forProvider: + algorithm: RS256 + name: key + +--- + +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: OidcRole +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/oidckeyallowedclientid + labels: + testing.upbound.io/example-name: role + name: role +spec: + forProvider: + key: key + name: role diff --git a/examples-generated/identity/oidcprovider.yaml b/examples-generated/identity/oidcprovider.yaml new file mode 100644 index 00000000..42bd7614 --- /dev/null +++ b/examples-generated/identity/oidcprovider.yaml 
@@ -0,0 +1,97 @@ +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: OidcProvider +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/oidcprovider + labels: + testing.upbound.io/example-name: test + name: test +spec: + forProvider: + allowedClientIds: + - ${vault_identity_oidc_client.test.client_id} + httpsEnabled: false + issuerHost: 127.0.0.1:8200 + name: my-provider + scopesSupported: + - ${vault_identity_oidc_scope.test.name} + +--- + +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: OidcAssignment +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/oidcprovider + labels: + testing.upbound.io/example-name: test + name: test +spec: + forProvider: + entityIds: + - fake-ascbascas-2231a-sdfaa + groupIds: + - fake-sajkdsad-32414-sfsada + name: my-assignment + +--- + +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: OidcClient +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/oidcprovider + labels: + testing.upbound.io/example-name: test + name: test +spec: + forProvider: + accessTokenTtl: 7200 + assignments: + - ${vault_identity_oidc_assignment.test.name} + idTokenTtl: 2400 + key: my-key + name: application + redirectUris: + - http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback + - http://127.0.0.1:8251/callback + - http://127.0.0.1:8080/callback + +--- + +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: OidcKey +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/oidcprovider + labels: + testing.upbound.io/example-name: test + name: test +spec: + forProvider: + allowedClientIds: + - '*' + name: my-key + rotationPeriod: 3600 + verificationTtl: 3600 + +--- + +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: OidcScope +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/oidcprovider + labels: + testing.upbound.io/example-name: test + name: test +spec: + forProvider: + description: Groups scope. 
+ name: groups + template: |- + ${jsonencode( + { + groups = "{{identity.entity.groups.names}}", + } + )} diff --git a/examples-generated/identity/oidcrole.yaml b/examples-generated/identity/oidcrole.yaml new file mode 100644 index 00000000..62e66b24 --- /dev/null +++ b/examples-generated/identity/oidcrole.yaml @@ -0,0 +1,29 @@ +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: OidcRole +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/oidcrole + labels: + testing.upbound.io/example-name: role + name: role +spec: + forProvider: + key: ${var.key} + name: role + +--- + +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: OidcKey +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/oidcrole + labels: + testing.upbound.io/example-name: key + name: key +spec: + forProvider: + algorithm: RS256 + allowedClientIds: + - ${vault_identity_oidc_role.role.client_id} + name: ${var.key} diff --git a/examples-generated/identity/oidcscope.yaml b/examples-generated/identity/oidcscope.yaml new file mode 100644 index 00000000..bfe8d7bc --- /dev/null +++ b/examples-generated/identity/oidcscope.yaml @@ -0,0 +1,13 @@ +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: OidcScope +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/oidcscope + labels: + testing.upbound.io/example-name: groups + name: groups +spec: + forProvider: + description: Vault OIDC Groups Scope + name: groups + template: '{"groups":{{identity.entity.groups.names}}}' diff --git a/examples-generated/jwt/authbackend.yaml b/examples-generated/jwt/authbackend.yaml new file mode 100644 index 00000000..6b45ed39 --- /dev/null +++ b/examples-generated/jwt/authbackend.yaml 
@@ -0,0 +1,14 @@ +apiVersion: jwt.vault.upbound.io/v1alpha1 +kind: AuthBackend +metadata: + annotations: + meta.upbound.io/example-id: jwt/v1alpha1/authbackend + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + boundIssuer: https://myco.auth0.com/ + description: Demonstration of the Terraform JWT auth backend + oidcDiscoveryUrl: https://myco.auth0.com/ + path: jwt diff --git a/examples-generated/jwt/authbackendrole.yaml b/examples-generated/jwt/authbackendrole.yaml new file mode 100644 index 00000000..314e6cc3 --- /dev/null +++ b/examples-generated/jwt/authbackendrole.yaml @@ -0,0 +1,36 @@ +apiVersion: jwt.vault.upbound.io/v1alpha1 +kind: AuthBackendRole +metadata: + annotations: + meta.upbound.io/example-id: jwt/v1alpha1/authbackendrole + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + backend: jwt + boundAudiences: + - https://myco.test + boundClaims: + color: red,green,blue + roleName: test-role + roleType: jwt + tokenPolicies: + - default + - dev + - prod + userClaim: https://vault/user + +--- + +apiVersion: jwt.vault.upbound.io/v1alpha1 +kind: AuthBackend +metadata: + annotations: + meta.upbound.io/example-id: jwt/v1alpha1/authbackendrole + labels: + testing.upbound.io/example-name: jwt + name: jwt +spec: + forProvider: + path: jwt diff --git a/examples-generated/kmip/secretbackend.yaml b/examples-generated/kmip/secretbackend.yaml new file mode 100644 index 00000000..e6ff3867 --- /dev/null +++ b/examples-generated/kmip/secretbackend.yaml 
@@ -0,0 +1,20 @@ +apiVersion: kmip.vault.upbound.io/v1alpha1 +kind: SecretBackend +metadata: + annotations: + meta.upbound.io/example-id: kmip/v1alpha1/secretbackend + labels: + testing.upbound.io/example-name: default + name: default +spec: + forProvider: + defaultTlsClientKeyBits: 4096 + defaultTlsClientKeyType: rsa + defaultTlsClientTtl: 86400 + description: Vault KMIP backend + listenAddrs: + - 127.0.0.1:5696 + - 127.0.0.1:8080 + path: kmip + tlsCaKeyBits: 4096 + tlsCaKeyType: rsa diff --git a/examples-generated/kmip/secretrole.yaml b/examples-generated/kmip/secretrole.yaml new file mode 100644 index 00000000..24623559 --- /dev/null +++ b/examples-generated/kmip/secretrole.yaml @@ -0,0 +1,51 @@ +apiVersion: kmip.vault.upbound.io/v1alpha1 +kind: SecretRole +metadata: + annotations: + meta.upbound.io/example-id: kmip/v1alpha1/secretrole + labels: + testing.upbound.io/example-name: admin + name: admin +spec: + forProvider: + operationActivate: true + operationCreate: true + operationDestroy: true + operationGet: true + operationGetAttributes: true + path: kmip + role: admin + scope: dev + tlsClientKeyBits: 256 + tlsClientKeyType: ec + +--- + +apiVersion: kmip.vault.upbound.io/v1alpha1 +kind: SecretBackend +metadata: + annotations: + meta.upbound.io/example-id: kmip/v1alpha1/secretrole + labels: + testing.upbound.io/example-name: default + name: default +spec: + forProvider: + description: Vault KMIP backend + path: kmip + +--- + +apiVersion: kmip.vault.upbound.io/v1alpha1 +kind: SecretScope +metadata: + annotations: + meta.upbound.io/example-id: kmip/v1alpha1/secretrole + labels: + testing.upbound.io/example-name: dev + name: dev +spec: + forProvider: + force: true + path: kmip + scope: dev diff --git a/examples-generated/kmip/secretscope.yaml b/examples-generated/kmip/secretscope.yaml new file mode 100644 index 00000000..1ed88f1e --- /dev/null +++ b/examples-generated/kmip/secretscope.yaml 
@@ -0,0 +1,28 @@ +apiVersion: kmip.vault.upbound.io/v1alpha1 +kind: SecretScope +metadata: + annotations: + meta.upbound.io/example-id: kmip/v1alpha1/secretscope + labels: + testing.upbound.io/example-name: dev + name: dev +spec: + forProvider: + force: true + path: kmip + scope: dev + +--- + +apiVersion: kmip.vault.upbound.io/v1alpha1 +kind: SecretBackend +metadata: + annotations: + meta.upbound.io/example-id: kmip/v1alpha1/secretscope + labels: + testing.upbound.io/example-name: default + name: default +spec: + forProvider: + description: Vault KMIP backend + path: kmip diff --git a/examples-generated/kubernetes/authbackendconfig.yaml b/examples-generated/kubernetes/authbackendconfig.yaml new file mode 100644 index 00000000..6800139c --- /dev/null +++ b/examples-generated/kubernetes/authbackendconfig.yaml @@ -0,0 +1,36 @@ +apiVersion: kubernetes.vault.upbound.io/v1alpha1 +kind: AuthBackendConfig +metadata: + annotations: + meta.upbound.io/example-id: kubernetes/v1alpha1/authbackendconfig + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + backend: cert + disableIssValidation: "true" + issuer: api + kubernetesCaCert: |- + -----BEGIN CERTIFICATE----- + example + -----END CERTIFICATE----- + kubernetesHost: http://example.com:443 + tokenReviewerJwtSecretRef: + key: example-key + name: example-secret + namespace: upbound-system + +--- + +apiVersion: auth.vault.upbound.io/v1alpha1 +kind: Backend +metadata: + annotations: + meta.upbound.io/example-id: kubernetes/v1alpha1/authbackendconfig + labels: + testing.upbound.io/example-name: kubernetes + name: kubernetes +spec: + forProvider: + type: kubernetes diff --git a/examples-generated/kubernetes/authbackendrole.yaml b/examples-generated/kubernetes/authbackendrole.yaml new file mode 100644 index 00000000..1ba11a57 --- /dev/null +++ b/examples-generated/kubernetes/authbackendrole.yaml 
@@ -0,0 +1,36 @@ +apiVersion: kubernetes.vault.upbound.io/v1alpha1 +kind: AuthBackendRole +metadata: + annotations: + meta.upbound.io/example-id: kubernetes/v1alpha1/authbackendrole + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + audience: vault + backend: cert + boundServiceAccountNames: + - example + boundServiceAccountNamespaces: + - example + roleName: example-role + tokenPolicies: + - default + - dev + - prod + tokenTtl: 3600 + +--- + +apiVersion: auth.vault.upbound.io/v1alpha1 +kind: Backend +metadata: + annotations: + meta.upbound.io/example-id: kubernetes/v1alpha1/authbackendrole + labels: + testing.upbound.io/example-name: kubernetes + name: kubernetes +spec: + forProvider: + type: kubernetes diff --git a/examples-generated/kubernetes/secretbackend.yaml b/examples-generated/kubernetes/secretbackend.yaml new file mode 100644 index 00000000..dce11b05 --- /dev/null +++ b/examples-generated/kubernetes/secretbackend.yaml @@ -0,0 +1,21 @@ +apiVersion: kubernetes.vault.upbound.io/v1alpha1 +kind: SecretBackend +metadata: + annotations: + meta.upbound.io/example-id: kubernetes/v1alpha1/secretbackend + labels: + testing.upbound.io/example-name: config + name: config +spec: + forProvider: + defaultLeaseTtlSeconds: 43200 + description: kubernetes secrets engine description + disableLocalCaJwt: false + kubernetesCaCert: ${file("/path/to/cert")} + kubernetesHost: https://127.0.0.1:61233 + maxLeaseTtlSeconds: 86400 + path: kubernetes + serviceAccountJwtSecretRef: + key: attribute.token + name: example-secret + namespace: upbound-system diff --git a/examples-generated/kubernetes/secretbackendrole.yaml b/examples-generated/kubernetes/secretbackendrole.yaml new file mode 100644 index 00000000..95161338 --- /dev/null +++ b/examples-generated/kubernetes/secretbackendrole.yaml 
@@ -0,0 +1,45 @@ +apiVersion: kubernetes.vault.upbound.io/v1alpha1 +kind: SecretBackendRole +metadata: + annotations: + meta.upbound.io/example-id: kubernetes/v1alpha1/secretbackendrole + labels: + testing.upbound.io/example-name: sa-example + name: sa-example +spec: + forProvider: + allowedKubernetesNamespaces: + - '*' + backend: kubernetes + extraAnnotations: + env: development + location: earth + extraLabels: + id: abc123 + name: some_name + name: service-account-name-role + serviceAccountName: test-service-account-with-generated-token + tokenDefaultTtl: 21600 + tokenMaxTtl: 43200 + +--- + +apiVersion: kubernetes.vault.upbound.io/v1alpha1 +kind: SecretBackend +metadata: + annotations: + meta.upbound.io/example-id: kubernetes/v1alpha1/secretbackendrole + labels: + testing.upbound.io/example-name: config + name: config +spec: + forProvider: + description: kubernetes secrets engine description + disableLocalCaJwt: false + kubernetesCaCert: ${file("/path/to/cert")} + kubernetesHost: https://127.0.0.1:61233 + path: kubernetes + serviceAccountJwtSecretRef: + key: attribute.token + name: example-secret + namespace: upbound-system diff --git a/examples-generated/kv/secret.yaml b/examples-generated/kv/secret.yaml new file mode 100644 index 00000000..49dcbcba --- /dev/null +++ b/examples-generated/kv/secret.yaml @@ -0,0 +1,33 @@ +apiVersion: kv.vault.upbound.io/v1alpha1 +kind: Secret +metadata: + annotations: + meta.upbound.io/example-id: kv/v1alpha1/secret + labels: + testing.upbound.io/example-name: secret + name: secret +spec: + forProvider: + dataJsonSecretRef: + key: example-key + name: example-secret + namespace: upbound-system + path: dummy + +--- + +apiVersion: vault.vault.upbound.io/v1alpha1 +kind: Mount +metadata: + annotations: + meta.upbound.io/example-id: kv/v1alpha1/secret + labels: + testing.upbound.io/example-name: kvv1 + name: kvv1 +spec: + forProvider: + description: KV Version 1 secret engine mount + options: + version: "1" + path: kvv1 + type: kv 
diff --git a/examples-generated/kv/secretbackendv2.yaml b/examples-generated/kv/secretbackendv2.yaml new file mode 100644 index 00000000..d8f8e410 --- /dev/null +++ b/examples-generated/kv/secretbackendv2.yaml @@ -0,0 +1,32 @@ +apiVersion: kv.vault.upbound.io/v1alpha1 +kind: SecretBackendV2 +metadata: + annotations: + meta.upbound.io/example-id: kv/v1alpha1/secretbackendv2 + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + casRequired: true + deleteVersionAfter: 12600 + maxVersions: 5 + mount: dummy + +--- + +apiVersion: vault.vault.upbound.io/v1alpha1 +kind: Mount +metadata: + annotations: + meta.upbound.io/example-id: kv/v1alpha1/secretbackendv2 + labels: + testing.upbound.io/example-name: kvv2 + name: kvv2 +spec: + forProvider: + description: KV Version 2 secret engine mount + options: + version: "2" + path: kvv2 + type: kv diff --git a/examples-generated/kv/secretv2.yaml b/examples-generated/kv/secretv2.yaml new file mode 100644 index 00000000..5118be5e --- /dev/null +++ b/examples-generated/kv/secretv2.yaml @@ -0,0 +1,41 @@ +apiVersion: kv.vault.upbound.io/v1alpha1 +kind: SecretV2 +metadata: + annotations: + meta.upbound.io/example-id: kv/v1alpha1/secretv2 + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + cas: 1 + customMetadata: + - data: + bar: "12345" + foo: vault@example.com + maxVersions: 5 + dataJsonSecretRef: + key: example-key + name: example-secret + namespace: upbound-system + deleteAllVersions: true + mount: dummy + name: secret + +--- + +apiVersion: vault.vault.upbound.io/v1alpha1 +kind: Mount +metadata: + annotations: + meta.upbound.io/example-id: kv/v1alpha1/secretv2 + labels: + testing.upbound.io/example-name: kvv2 + name: kvv2 +spec: + forProvider: + description: KV Version 2 secret engine mount + options: + version: "2" + path: kvv2 + type: kv 
diff --git a/examples-generated/managed/keys.yaml b/examples-generated/managed/keys.yaml new file mode 100644 index 00000000..11d27a4e --- /dev/null +++ b/examples-generated/managed/keys.yaml @@ -0,0 +1,44 @@ +apiVersion: managed.vault.upbound.io/v1alpha1 +kind: Keys +metadata: + annotations: + meta.upbound.io/example-id: managed/v1alpha1/keys + labels: + testing.upbound.io/example-name: keys + name: keys +spec: + forProvider: + aws: + - accessKey: ${var.aws_access_key} + keyBits: "2048" + keyType: RSA + kmsKey: alias/vault_aws_key_1 + name: aws-key-1 + secretKey: ${var.aws_secret_key} + - accessKey: ${var.aws_access_key} + keyBits: "4096" + keyType: RSA + kmsKey: alias/vault_aws_key_2 + name: aws-key-2 + secretKey: ${var.aws_secret_key} + +--- + +apiVersion: vault.vault.upbound.io/v1alpha1 +kind: Mount +metadata: + annotations: + meta.upbound.io/example-id: managed/v1alpha1/keys + labels: + testing.upbound.io/example-name: pki + name: pki +spec: + forProvider: + allowedManagedKeys: + - ${tolist(vault_managed_keys.keys.aws)[0].name} + - ${tolist(vault_managed_keys.keys.aws)[1].name} + defaultLeaseTtlSeconds: 3600 + description: Example mount for managed keys + maxLeaseTtlSeconds: 36000 + path: pki + type: pki diff --git a/examples-generated/mfa/duo.yaml b/examples-generated/mfa/duo.yaml new file mode 100644 index 00000000..c641194d --- /dev/null +++ b/examples-generated/mfa/duo.yaml 
@@ -0,0 +1,36 @@ +apiVersion: mfa.vault.upbound.io/v1alpha1 +kind: Duo +metadata: + annotations: + meta.upbound.io/example-id: mfa/v1alpha1/duo + labels: + testing.upbound.io/example-name: my_duo + name: my-duo +spec: + forProvider: + apiHostname: api-2b5c39f5.duosecurity.com + integrationKeySecretRef: + key: example-key + name: example-secret + namespace: upbound-system + mountAccessor: ${vault_auth_backend.userpass.accessor} + name: my_duo + secretKeySecretRef: + key: example-key + name: example-secret + namespace: upbound-system + +--- + +apiVersion: auth.vault.upbound.io/v1alpha1 +kind: Backend +metadata: + annotations: + meta.upbound.io/example-id: mfa/v1alpha1/duo + labels: + testing.upbound.io/example-name: userpass + name: userpass +spec: + forProvider: + path: userpass + type: userpass diff --git a/examples-generated/mfa/okta.yaml b/examples-generated/mfa/okta.yaml new file mode 100644 index 00000000..1d19d911 --- /dev/null +++ b/examples-generated/mfa/okta.yaml @@ -0,0 +1,33 @@ +apiVersion: mfa.vault.upbound.io/v1alpha1 +kind: Okta +metadata: + annotations: + meta.upbound.io/example-id: mfa/v1alpha1/okta + labels: + testing.upbound.io/example-name: my_okta + name: my-okta +spec: + forProvider: + apiTokenSecretRef: + key: example-key + name: example-secret + namespace: upbound-system + mountAccessor: ${vault_auth_backend.userpass.accessor} + name: my_okta + orgName: hashicorp + usernameFormat: user@example.com + +--- + +apiVersion: auth.vault.upbound.io/v1alpha1 +kind: Backend +metadata: + annotations: + meta.upbound.io/example-id: mfa/v1alpha1/okta + labels: + testing.upbound.io/example-name: userpass + name: userpass +spec: + forProvider: + path: userpass + type: userpass diff --git a/examples-generated/mfa/pingid.yaml b/examples-generated/mfa/pingid.yaml new file mode 100644 index 00000000..246fbdd9 --- /dev/null +++ b/examples-generated/mfa/pingid.yaml 
@@ -0,0 +1,29 @@ +apiVersion: mfa.vault.upbound.io/v1alpha1 +kind: Pingid +metadata: + annotations: + meta.upbound.io/example-id: mfa/v1alpha1/pingid + labels: + testing.upbound.io/example-name: my_pingid + name: my-pingid +spec: + forProvider: + mountAccessor: ${vault_auth_backend.userpass.accessor} + name: my_pingid + settingsFileBase64: ${var.settings_file} + usernameFormat: user@example.com + +--- + +apiVersion: auth.vault.upbound.io/v1alpha1 +kind: Backend +metadata: + annotations: + meta.upbound.io/example-id: mfa/v1alpha1/pingid + labels: + testing.upbound.io/example-name: userpass + name: userpass +spec: + forProvider: + path: userpass + type: userpass diff --git a/examples-generated/mfa/totp.yaml b/examples-generated/mfa/totp.yaml new file mode 100644 index 00000000..4035fba4 --- /dev/null +++ b/examples-generated/mfa/totp.yaml @@ -0,0 +1,16 @@ +apiVersion: mfa.vault.upbound.io/v1alpha1 +kind: Totp +metadata: + annotations: + meta.upbound.io/example-id: mfa/v1alpha1/totp + labels: + testing.upbound.io/example-name: my_totp + name: my-totp +spec: + forProvider: + algorithm: SHA256 + digits: 8 + issuer: hashicorp + keySize: 20 + name: my_totp + period: 60 diff --git a/examples-generated/mongodbatlas/secretbackend.yaml b/examples-generated/mongodbatlas/secretbackend.yaml new file mode 100644 index 00000000..41e0b4cc --- /dev/null +++ b/examples-generated/mongodbatlas/secretbackend.yaml 
@@ -0,0 +1,29 @@ +apiVersion: mongodbatlas.vault.upbound.io/v1alpha1 +kind: SecretBackend +metadata: + annotations: + meta.upbound.io/example-id: mongodbatlas/v1alpha1/secretbackend + labels: + testing.upbound.io/example-name: config + name: config +spec: + forProvider: + mount: vault_mount.mongo.path + privateKey: privateKey + publicKey: publicKey + +--- + +apiVersion: vault.vault.upbound.io/v1alpha1 +kind: Mount +metadata: + annotations: + meta.upbound.io/example-id: mongodbatlas/v1alpha1/secretbackend + labels: + testing.upbound.io/example-name: mongo + name: mongo +spec: + forProvider: + description: MongoDB Atlas secret engine mount + path: mongodbatlas + type: mongodbatlas diff --git a/examples-generated/mongodbatlas/secretrole.yaml b/examples-generated/mongodbatlas/secretrole.yaml new file mode 100644 index 00000000..e9cf0b86 --- /dev/null +++ b/examples-generated/mongodbatlas/secretrole.yaml 
@@ -0,0 +1,52 @@ +apiVersion: mongodbatlas.vault.upbound.io/v1alpha1 +kind: SecretRole +metadata: + annotations: + meta.upbound.io/example-id: mongodbatlas/v1alpha1/secretrole + labels: + testing.upbound.io/example-name: role + name: role +spec: + forProvider: + cidrBlocks: 192.168.1.3/35 + ipAddresses: 192.168.1.5, 192.168.1.6 + maxTtl: "120" + mount: dummy + name: tf-test-role + organizationId: 7cf5a45a9ccf6400e60981b7 + projectId: 5cf5a45a9ccf6400e60981b6 + projectRoles: GROUP_READ_ONLY + roles: ORG_READ_ONLY + ttl: "60" + +--- + +apiVersion: mongodbatlas.vault.upbound.io/v1alpha1 +kind: SecretBackend +metadata: + annotations: + meta.upbound.io/example-id: mongodbatlas/v1alpha1/secretrole + labels: + testing.upbound.io/example-name: config + name: config +spec: + forProvider: + mount: vault_mount.mongo.path + privateKey: privateKey + publicKey: publicKey + +--- + +apiVersion: vault.vault.upbound.io/v1alpha1 +kind: Mount +metadata: + annotations: + meta.upbound.io/example-id: mongodbatlas/v1alpha1/secretrole + labels: + testing.upbound.io/example-name: mongo + name: mongo +spec: + forProvider: + description: MongoDB Atlas secret engine mount + path: '%s' + type: mongodbatlas diff --git a/examples-generated/nomad/secretbackend.yaml b/examples-generated/nomad/secretbackend.yaml new file mode 100644 index 00000000..6f84fd79 --- /dev/null +++ b/examples-generated/nomad/secretbackend.yaml @@ -0,0 +1,21 @@ +apiVersion: nomad.vault.upbound.io/v1alpha1 +kind: SecretBackend +metadata: + annotations: + meta.upbound.io/example-id: nomad/v1alpha1/secretbackend + labels: + testing.upbound.io/example-name: config + name: config +spec: + forProvider: + address: https://127.0.0.1:4646 + backend: nomad + defaultLeaseTtlSeconds: "3600" + description: test description + maxLeaseTtlSeconds: "7200" + maxTtl: "240" + tokenSecretRef: + key: example-key + name: example-secret + namespace: upbound-system + ttl: "120" 
diff --git a/examples-generated/nomad/secretrole.yaml b/examples-generated/nomad/secretrole.yaml new file mode 100644 index 00000000..5b50eed9 --- /dev/null +++ b/examples-generated/nomad/secretrole.yaml @@ -0,0 +1,37 @@ +apiVersion: nomad.vault.upbound.io/v1alpha1 +kind: SecretRole +metadata: + annotations: + meta.upbound.io/example-id: nomad/v1alpha1/secretrole + labels: + testing.upbound.io/example-name: test + name: test +spec: + forProvider: + backend: nomad + policies: + - readonly + role: test + type: client + +--- + +apiVersion: nomad.vault.upbound.io/v1alpha1 +kind: SecretBackend +metadata: + annotations: + meta.upbound.io/example-id: nomad/v1alpha1/secretrole + labels: + testing.upbound.io/example-name: config + name: config +spec: + forProvider: + address: https://127.0.0.1:4646 + backend: nomad + defaultLeaseTtlSeconds: "3600" + description: test description + maxLeaseTtlSeconds: "7200" + tokenSecretRef: + key: example-key + name: example-secret + namespace: upbound-system diff --git a/examples-generated/password/policy.yaml b/examples-generated/password/policy.yaml new file mode 100644 index 00000000..fd57ff91 --- /dev/null +++ b/examples-generated/password/policy.yaml @@ -0,0 +1,16 @@ +apiVersion: password.vault.upbound.io/v1alpha1 +kind: Policy +metadata: + annotations: + meta.upbound.io/example-id: password/v1alpha1/policy + labels: + testing.upbound.io/example-name: alphanumeric + name: alphanumeric +spec: + forProvider: + name: alphanumeric + policy: |2 + length = 20 + rule "charset" { + charset = "abcdefghijklmnopqrstuvwxyz0123456789" + } diff --git a/examples-generated/pki/secretbackendcert.yaml b/examples-generated/pki/secretbackendcert.yaml new file mode 100644 index 00000000..4916753e --- /dev/null +++ b/examples-generated/pki/secretbackendcert.yaml 
@@ -0,0 +1,13 @@ +apiVersion: pki.vault.upbound.io/v1alpha1 +kind: SecretBackendCert +metadata: + annotations: + meta.upbound.io/example-id: pki/v1alpha1/secretbackendcert + labels: + testing.upbound.io/example-name: app + name: app +spec: + forProvider: + backend: dummy + commonName: app.my.domain + name: my_role diff --git a/examples-generated/pki/secretbackendconfigca.yaml b/examples-generated/pki/secretbackendconfigca.yaml new file mode 100644 index 00000000..cb0c77ef --- /dev/null +++ b/examples-generated/pki/secretbackendconfigca.yaml @@ -0,0 +1,15 @@ +apiVersion: pki.vault.upbound.io/v1alpha1 +kind: SecretBackendConfigCA +metadata: + annotations: + meta.upbound.io/example-id: pki/v1alpha1/secretbackendconfigca + labels: + testing.upbound.io/example-name: intermediate + name: intermediate +spec: + forProvider: + backend: dummy + pemBundleSecretRef: + key: example-key + name: example-secret + namespace: upbound-system diff --git a/examples-generated/pki/secretbackendconfigurls.yaml b/examples-generated/pki/secretbackendconfigurls.yaml new file mode 100644 index 00000000..3212f167 --- /dev/null +++ b/examples-generated/pki/secretbackendconfigurls.yaml @@ -0,0 +1,31 @@ +apiVersion: pki.vault.upbound.io/v1alpha1 +kind: SecretBackendConfigUrls +metadata: + annotations: + meta.upbound.io/example-id: pki/v1alpha1/secretbackendconfigurls + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + backend: dummy + issuingCertificates: + - http://127.0.0.1:8200/v1/pki/ca + +--- + +apiVersion: vault.vault.upbound.io/v1alpha1 +kind: Mount +metadata: + annotations: + meta.upbound.io/example-id: pki/v1alpha1/secretbackendconfigurls + labels: + testing.upbound.io/example-name: root + name: root +spec: + forProvider: + defaultLeaseTtlSeconds: 8640000 + description: root PKI + maxLeaseTtlSeconds: 8640000 + path: pki-root + type: pki 
diff --git a/examples-generated/pki/secretbackendcrlconfig.yaml b/examples-generated/pki/secretbackendcrlconfig.yaml new file mode 100644 index 00000000..d5ec7c4e --- /dev/null +++ b/examples-generated/pki/secretbackendcrlconfig.yaml @@ -0,0 +1,30 @@ +apiVersion: pki.vault.upbound.io/v1alpha1 +kind: SecretBackendCrlConfig +metadata: + annotations: + meta.upbound.io/example-id: pki/v1alpha1/secretbackendcrlconfig + labels: + testing.upbound.io/example-name: crl_config + name: crl-config +spec: + forProvider: + backend: dummy + disable: false + expiry: 72h + +--- + +apiVersion: vault.vault.upbound.io/v1alpha1 +kind: Mount +metadata: + annotations: + meta.upbound.io/example-id: pki/v1alpha1/secretbackendcrlconfig + labels: + testing.upbound.io/example-name: pki + name: pki +spec: + forProvider: + defaultLeaseTtlSeconds: 3600 + maxLeaseTtlSeconds: 86400 + path: '%s' + type: pki diff --git a/examples-generated/pki/secretbackendintermediatecertrequest.yaml b/examples-generated/pki/secretbackendintermediatecertrequest.yaml new file mode 100644 index 00000000..d8bf858c --- /dev/null +++ b/examples-generated/pki/secretbackendintermediatecertrequest.yaml @@ -0,0 +1,13 @@ +apiVersion: pki.vault.upbound.io/v1alpha1 +kind: SecretBackendIntermediateCertRequest +metadata: + annotations: + meta.upbound.io/example-id: pki/v1alpha1/secretbackendintermediatecertrequest + labels: + testing.upbound.io/example-name: test + name: test +spec: + forProvider: + backend: dummy + commonName: app.my.domain + type: internal diff --git a/examples-generated/pki/secretbackendintermediatesetsigned.yaml b/examples-generated/pki/secretbackendintermediatesetsigned.yaml new file mode 100644 index 00000000..05d0ff0b --- /dev/null +++ b/examples-generated/pki/secretbackendintermediatesetsigned.yaml 
@@ -0,0 +1,91 @@ +apiVersion: pki.vault.upbound.io/v1alpha1 +kind: SecretBackendIntermediateSetSigned +metadata: + annotations: + meta.upbound.io/example-id: pki/v1alpha1/secretbackendintermediatesetsigned + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + backend: dummy + certificate: ${vault_pki_secret_backend_root_sign_intermediate.example.certificate} + +--- + +apiVersion: vault.vault.upbound.io/v1alpha1 +kind: Mount +metadata: + annotations: + meta.upbound.io/example-id: pki/v1alpha1/secretbackendintermediatesetsigned + labels: + testing.upbound.io/example-name: intermediate + name: intermediate +spec: + forProvider: + defaultLeaseTtlSeconds: 86400 + description: intermediate + maxLeaseTtlSeconds: 86400 + path: pki-int + type: pki + +--- + +apiVersion: vault.vault.upbound.io/v1alpha1 +kind: Mount +metadata: + annotations: + meta.upbound.io/example-id: pki/v1alpha1/secretbackendintermediatesetsigned + labels: + testing.upbound.io/example-name: root + name: root +spec: + forProvider: + defaultLeaseTtlSeconds: 8640000 + description: root + maxLeaseTtlSeconds: 8640000 + path: pki-root + type: pki + +--- + +apiVersion: pki.vault.upbound.io/v1alpha1 +kind: SecretBackendIntermediateCertRequest +metadata: + annotations: + meta.upbound.io/example-id: pki/v1alpha1/secretbackendintermediatesetsigned + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + backend: pki-int + commonName: SubOrg Intermediate CA + type: internal + +--- + +apiVersion: pki.vault.upbound.io/v1alpha1 +kind: SecretBackendRootCert +metadata: + annotations: + meta.upbound.io/example-id: pki/v1alpha1/secretbackendintermediatesetsigned + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + backend: pki-root + commonName: RootOrg Root CA + country: US + excludeCnFromSans: true + format: pem + keyBits: 4096 + keyType: rsa + locality: San Francisco + organization: RootOrg + ou: 
Organizational Unit + privateKeyFormat: der + province: CA + ttl: 86400 + type: internal diff --git a/examples-generated/pki/secretbackendrole.yaml b/examples-generated/pki/secretbackendrole.yaml new file mode 100644 index 00000000..114e9e6c --- /dev/null +++ b/examples-generated/pki/secretbackendrole.yaml @@ -0,0 +1,37 @@ +apiVersion: pki.vault.upbound.io/v1alpha1 +kind: SecretBackendRole +metadata: + annotations: + meta.upbound.io/example-id: pki/v1alpha1/secretbackendrole + labels: + testing.upbound.io/example-name: role + name: role +spec: + forProvider: + allowIpSans: true + allowSubdomains: true + allowedDomains: + - example.com + - my.domain + backend: dummy + keyBits: 4096 + keyType: rsa + name: my_role + ttl: 3600 + +--- + +apiVersion: vault.vault.upbound.io/v1alpha1 +kind: Mount +metadata: + annotations: + meta.upbound.io/example-id: pki/v1alpha1/secretbackendrole + labels: + testing.upbound.io/example-name: pki + name: pki +spec: + forProvider: + defaultLeaseTtlSeconds: 3600 + maxLeaseTtlSeconds: 86400 + path: pki + type: pki diff --git a/examples-generated/pki/secretbackendrootcert.yaml b/examples-generated/pki/secretbackendrootcert.yaml new file mode 100644 index 00000000..d872b883 --- /dev/null +++ b/examples-generated/pki/secretbackendrootcert.yaml @@ -0,0 +1,21 @@ +apiVersion: pki.vault.upbound.io/v1alpha1 +kind: SecretBackendRootCert +metadata: + annotations: + meta.upbound.io/example-id: pki/v1alpha1/secretbackendrootcert + labels: + testing.upbound.io/example-name: test + name: test +spec: + forProvider: + backend: dummy + commonName: Root CA + excludeCnFromSans: true + format: pem + keyBits: 4096 + keyType: rsa + organization: My organization + ou: My OU + privateKeyFormat: der + ttl: "315360000" + type: internal diff --git a/examples-generated/pki/secretbackendsign.yaml b/examples-generated/pki/secretbackendsign.yaml new file mode 100644 index 00000000..6816b10c --- /dev/null +++ b/examples-generated/pki/secretbackendsign.yaml 
@@ -0,0 +1,41 @@ +apiVersion: pki.vault.upbound.io/v1alpha1 +kind: SecretBackendSign +metadata: + annotations: + meta.upbound.io/example-id: pki/v1alpha1/secretbackendsign + labels: + testing.upbound.io/example-name: test + name: test +spec: + forProvider: + backend: dummy + commonName: test.my.domain + csr: | + -----BEGIN CERTIFICATE REQUEST----- + MIIEqDCCApACAQAwYzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx + ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEcMBoGA1UEAwwTY2Vy + dC50ZXN0Lm15LmRvbWFpbjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB + AJupYCQ8UVCWII1Zof1c6YcSSaM9hEaDU78cfKP5RoSeH10BvrWRfT+mzCONVpNP + CW9Iabtvk6hm0ot6ilnndEyVJbc0g7hdDLBX5BM25D+DGZGJRKUz1V+uBrWmXtIt + Vonj7JTDTe7ViH0GDsB7CvqXFGXO2a2cDYBchLkL6vQiFPshxvUsLtwxuy/qdYgy + X6ya+AUoZcoQGy1XxNjfH6cPtWSWQGEp1oPR6vL9hU3laTZb3C+VV4jZem+he8/0 + V+qV6fLG92WTXm2hmf8nrtUqqJ+C7mW/RJod+TviviBadIX0OHXW7k5HVsZood01 + te8vMRUNJNiZfa9EMIK5oncbQn0LcM3Wo9VrjpL7jREb/4HCS2gswYGv7hzk9cCS + kVY4rDucchKbApuI3kfzmO7GFOF5eiSkYZpY/czNn7VVM3WCu6dpOX4+3rhgrZQw + kY14L930DaLVRUgve/zKVP2D2GHdEOs+MbV7s96UgigT9pXly/yHPj+1sSYqmnaD + 5b7jSeJusmzO/nrwXVGLsnezR87VzHl9Ux9g5s6zh+R+PrZuVxYsLvoUpaasH47O + gIcBzSb/6pSGZKAUizmYsHsR1k88dAvsQ+FsUDaNokdi9VndEB4QPmiFmjyLV+0I + 1TFoXop4sW11NPz1YCq+IxnYrEaIN3PyhY0GvBJDFY1/AgMBAAGgADANBgkqhkiG + 9w0BAQsFAAOCAgEActuqnqS8Y9UF7e08w7tR3FPzGecWreuvxILrlFEZJxiLPFqL + It7uJvtypCVQvz6UQzKdBYO7tMpRaWViB8DrWzXNZjLMrg+QHcpveg8C0Ett4scG + fnvLk6fTDFYrnGvwHTqiHos5i0y3bFLyS1BGwSpdLAykGtvC+VM8mRyw/Y7CPcKN + 77kebY/9xduW1g2uxWLr0x90RuQDv9psPojT+59tRLGSp5Kt0IeD3QtnAZEFE4aN + vt+Pd69eg3BgZ8ZeDgoqAw3yppvOkpAFiE5pw2qPZaM4SRphl4d2Lek2zNIMyZqv + do5zh356HOgXtDaSg0POnRGrN/Ua+LMCRTg6GEPUnx9uQb/zt8Zu0hIexDGyykp1 + OGqtWlv/Nc8UYuS38v0BeB6bMPeoqQUjkqs8nHlAEFn0KlgYdtDC+7SdQx6wS4te + dBKRNDfC4lS3jYJgs55jHqonZgkpSi3bamlxpfpW0ukGBcmq91wRe4bOw/4uD/vf + UwqMWOdCYcU3mdYNjTWy22ORW3SGFQxMBwpUEURCSoeqWr6aJeQ7KAYkx1PrB5T8 + OTEc13lWf+B0PU9UJuGTsmpIuImPDVd0EVDayr3mT5dDbqTVDbe8ppf2IswABmf0 + 
o3DybUeUmknYjl109rdSf+76nuREICHatxXgN3xCMFuBaN4WLO+ksd6Y1Ys= + -----END CERTIFICATE REQUEST----- + name: my_role diff --git a/examples-generated/quota/leasecount.yaml b/examples-generated/quota/leasecount.yaml new file mode 100644 index 00000000..11e6a883 --- /dev/null +++ b/examples-generated/quota/leasecount.yaml @@ -0,0 +1,13 @@ +apiVersion: quota.vault.upbound.io/v1alpha1 +kind: LeaseCount +metadata: + annotations: + meta.upbound.io/example-id: quota/v1alpha1/leasecount + labels: + testing.upbound.io/example-name: global + name: global +spec: + forProvider: + maxLeases: 100 + name: global + path: "" diff --git a/examples-generated/quota/ratelimit.yaml b/examples-generated/quota/ratelimit.yaml new file mode 100644 index 00000000..867d50f5 --- /dev/null +++ b/examples-generated/quota/ratelimit.yaml @@ -0,0 +1,13 @@ +apiVersion: quota.vault.upbound.io/v1alpha1 +kind: RateLimit +metadata: + annotations: + meta.upbound.io/example-id: quota/v1alpha1/ratelimit + labels: + testing.upbound.io/example-name: global + name: global +spec: + forProvider: + name: global + path: "" + rate: 100 diff --git a/examples-generated/rabbitmq/secretbackend.yaml b/examples-generated/rabbitmq/secretbackend.yaml new file mode 100644 index 00000000..3ba0ea54 --- /dev/null +++ b/examples-generated/rabbitmq/secretbackend.yaml @@ -0,0 +1,19 @@ +apiVersion: rabbitmq.vault.upbound.io/v1alpha1 +kind: SecretBackend +metadata: + annotations: + meta.upbound.io/example-id: rabbitmq/v1alpha1/secretbackend + labels: + testing.upbound.io/example-name: rabbitmq + name: rabbitmq +spec: + forProvider: + connectionUri: https://..... + passwordSecretRef: + key: example-key + name: example-secret + namespace: upbound-system + usernameSecretRef: + key: example-key + name: example-secret + namespace: upbound-system diff --git a/examples-generated/rabbitmq/secretbackendrole.yaml b/examples-generated/rabbitmq/secretbackendrole.yaml new file mode 100644 index 00000000..bea9f9c0 --- /dev/null 
+++ b/examples-generated/rabbitmq/secretbackendrole.yaml @@ -0,0 +1,46 @@ +apiVersion: rabbitmq.vault.upbound.io/v1alpha1 +kind: SecretBackendRole +metadata: + annotations: + meta.upbound.io/example-id: rabbitmq/v1alpha1/secretbackendrole + labels: + testing.upbound.io/example-name: role + name: role +spec: + forProvider: + backend: ${vault_rabbitmq_secret_backend.rabbitmq.path} + name: deploy + tags: tag1,tag2 + vhost: + - configure: "" + host: / + read: .* + write: "" + vhostTopic: + - host: / + vhost: + - read: .* + topic: amq.topic + write: "" + +--- + +apiVersion: rabbitmq.vault.upbound.io/v1alpha1 +kind: SecretBackend +metadata: + annotations: + meta.upbound.io/example-id: rabbitmq/v1alpha1/secretbackendrole + labels: + testing.upbound.io/example-name: rabbitmq + name: rabbitmq +spec: + forProvider: + connectionUri: https://..... + passwordSecretRef: + key: example-key + name: example-secret + namespace: upbound-system + usernameSecretRef: + key: example-key + name: example-secret + namespace: upbound-system diff --git a/examples-generated/raft/autopilot.yaml b/examples-generated/raft/autopilot.yaml new file mode 100644 index 00000000..08fc52b4 --- /dev/null +++ b/examples-generated/raft/autopilot.yaml @@ -0,0 +1,16 @@ +apiVersion: raft.vault.upbound.io/v1alpha1 +kind: Autopilot +metadata: + annotations: + meta.upbound.io/example-id: raft/v1alpha1/autopilot + labels: + testing.upbound.io/example-name: autopilot + name: autopilot +spec: + forProvider: + cleanupDeadServers: true + deadServerLastContactThreshold: 24h0m0s + lastContactThreshold: 10s + maxTrailingLogs: 1000 + minQuorum: 3 + serverStabilizationTime: 10s diff --git a/examples-generated/raft/snapshotagentconfig.yaml b/examples-generated/raft/snapshotagentconfig.yaml new file mode 100644 index 00000000..48685571 --- /dev/null +++ b/examples-generated/raft/snapshotagentconfig.yaml 
@@ -0,0 +1,16 @@ +apiVersion: raft.vault.upbound.io/v1alpha1 +kind: SnapshotAgentConfig +metadata: + annotations: + meta.upbound.io/example-id: raft/v1alpha1/snapshotagentconfig + labels: + testing.upbound.io/example-name: local_backups + name: local-backups +spec: + forProvider: + intervalSeconds: 86400 + localMaxSpace: 10000000 + name: local + pathPrefix: /opt/vault/snapshots/ + retain: 7 + storageType: local diff --git a/examples-generated/rgp/policy.yaml b/examples-generated/rgp/policy.yaml new file mode 100644 index 00000000..5b08bba1 --- /dev/null +++ b/examples-generated/rgp/policy.yaml @@ -0,0 +1,16 @@ +apiVersion: rgp.vault.upbound.io/v1alpha1 +kind: Policy +metadata: + annotations: + meta.upbound.io/example-id: rgp/v1alpha1/policy + labels: + testing.upbound.io/example-name: allow-all + name: allow-all +spec: + forProvider: + enforcementLevel: soft-mandatory + name: allow-all + policy: | + main = rule { + true + } diff --git a/examples-generated/ssh/secretbackendca.yaml b/examples-generated/ssh/secretbackendca.yaml new file mode 100644 index 00000000..73484e56 --- /dev/null +++ b/examples-generated/ssh/secretbackendca.yaml @@ -0,0 +1,25 @@ +apiVersion: ssh.vault.upbound.io/v1alpha1 +kind: SecretBackendCA +metadata: + annotations: + meta.upbound.io/example-id: ssh/v1alpha1/secretbackendca + labels: + testing.upbound.io/example-name: foo + name: foo +spec: + forProvider: + backend: dummy + +--- + +apiVersion: vault.vault.upbound.io/v1alpha1 +kind: Mount +metadata: + annotations: + meta.upbound.io/example-id: ssh/v1alpha1/secretbackendca + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + type: ssh diff --git a/examples-generated/ssh/secretbackendrole.yaml b/examples-generated/ssh/secretbackendrole.yaml new file mode 100644 index 00000000..a5c0f1a0 --- /dev/null +++ b/examples-generated/ssh/secretbackendrole.yaml 
@@ -0,0 +1,28 @@ +apiVersion: ssh.vault.upbound.io/v1alpha1 +kind: SecretBackendRole +metadata: + annotations: + meta.upbound.io/example-id: ssh/v1alpha1/secretbackendrole + labels: + testing.upbound.io/example-name: foo + name: foo +spec: + forProvider: + allowUserCertificates: true + backend: dummy + keyType: ca + name: my-role + +--- + +apiVersion: vault.vault.upbound.io/v1alpha1 +kind: Mount +metadata: + annotations: + meta.upbound.io/example-id: ssh/v1alpha1/secretbackendrole + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + type: ssh diff --git a/examples-generated/terraform/cloudsecretbackend.yaml b/examples-generated/terraform/cloudsecretbackend.yaml new file mode 100644 index 00000000..a9916c1a --- /dev/null +++ b/examples-generated/terraform/cloudsecretbackend.yaml @@ -0,0 +1,16 @@ +apiVersion: terraform.vault.upbound.io/v1alpha1 +kind: CloudSecretBackend +metadata: + annotations: + meta.upbound.io/example-id: terraform/v1alpha1/cloudsecretbackend + labels: + testing.upbound.io/example-name: test + name: test +spec: + forProvider: + backend: terraform + description: Manages the Terraform Cloud backend + tokenSecretRef: + key: example-key + name: example-secret + namespace: upbound-system diff --git a/examples-generated/terraform/cloudsecretcreds.yaml b/examples-generated/terraform/cloudsecretcreds.yaml new file mode 100644 index 00000000..37463d33 --- /dev/null +++ b/examples-generated/terraform/cloudsecretcreds.yaml 
@@ -0,0 +1,48 @@ +apiVersion: terraform.vault.upbound.io/v1alpha1 +kind: CloudSecretCreds +metadata: + annotations: + meta.upbound.io/example-id: terraform/v1alpha1/cloudsecretcreds + labels: + testing.upbound.io/example-name: token + name: token +spec: + forProvider: + backend: terraform + role: test-role + +--- + +apiVersion: terraform.vault.upbound.io/v1alpha1 +kind: CloudSecretBackend +metadata: + annotations: + meta.upbound.io/example-id: terraform/v1alpha1/cloudsecretcreds + labels: + testing.upbound.io/example-name: test + name: test +spec: + forProvider: + backend: terraform + description: Manages the Terraform Cloud backend + tokenSecretRef: + key: example-key + name: example-secret + namespace: upbound-system + +--- + +apiVersion: terraform.vault.upbound.io/v1alpha1 +kind: CloudSecretRole +metadata: + annotations: + meta.upbound.io/example-id: terraform/v1alpha1/cloudsecretcreds + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + backend: terraform + name: test-role + organization: example-organization-name + teamId: team-ieF4isC... diff --git a/examples-generated/terraform/cloudsecretrole.yaml b/examples-generated/terraform/cloudsecretrole.yaml new file mode 100644 index 00000000..bd480320 --- /dev/null +++ b/examples-generated/terraform/cloudsecretrole.yaml 
@@ -0,0 +1,33 @@ +apiVersion: terraform.vault.upbound.io/v1alpha1 +kind: CloudSecretRole +metadata: + annotations: + meta.upbound.io/example-id: terraform/v1alpha1/cloudsecretrole + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + backend: terraform + name: test-role + organization: example-organization-name + teamId: team-ieF4isC... + +--- + +apiVersion: terraform.vault.upbound.io/v1alpha1 +kind: CloudSecretBackend +metadata: + annotations: + meta.upbound.io/example-id: terraform/v1alpha1/cloudsecretrole + labels: + testing.upbound.io/example-name: test + name: test +spec: + forProvider: + backend: terraform + description: Manages the Terraform Cloud backend + tokenSecretRef: + key: example-key + name: example-secret + namespace: upbound-system diff --git a/examples-generated/token/authbackendrole.yaml b/examples-generated/token/authbackendrole.yaml new file mode 100644 index 00000000..d4bc5e94 --- /dev/null +++ b/examples-generated/token/authbackendrole.yaml @@ -0,0 +1,23 @@ +apiVersion: token.vault.upbound.io/v1alpha1 +kind: AuthBackendRole +metadata: + annotations: + meta.upbound.io/example-id: token/v1alpha1/authbackendrole + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + allowedEntityAliases: + - test_entity + allowedPolicies: + - dev + - test + disallowedPolicies: + - default + orphan: true + pathSuffix: path-suffix + renewable: true + roleName: my-role + tokenExplicitMaxTtl: "115200" + tokenPeriod: "86400" diff --git a/examples-generated/transform/alphabet.yaml b/examples-generated/transform/alphabet.yaml new file mode 100644 index 00000000..1c20a644 --- /dev/null +++ b/examples-generated/transform/alphabet.yaml 
@@ -0,0 +1,28 @@ +apiVersion: transform.vault.upbound.io/v1alpha1 +kind: Alphabet +metadata: + annotations: + meta.upbound.io/example-id: transform/v1alpha1/alphabet + labels: + testing.upbound.io/example-name: test + name: test +spec: + forProvider: + alphabet: "0123456789" + name: numerics + path: dummy + +--- + +apiVersion: vault.vault.upbound.io/v1alpha1 +kind: Mount +metadata: + annotations: + meta.upbound.io/example-id: transform/v1alpha1/alphabet + labels: + testing.upbound.io/example-name: mount_transform + name: mount-transform +spec: + forProvider: + path: transform + type: transform diff --git a/examples-generated/transform/role.yaml b/examples-generated/transform/role.yaml new file mode 100644 index 00000000..d259f2b6 --- /dev/null +++ b/examples-generated/transform/role.yaml @@ -0,0 +1,29 @@ +apiVersion: transform.vault.upbound.io/v1alpha1 +kind: Role +metadata: + annotations: + meta.upbound.io/example-id: transform/v1alpha1/role + labels: + testing.upbound.io/example-name: test + name: test +spec: + forProvider: + name: payments + path: dummy + transformations: + - ccn-fpe + +--- + +apiVersion: vault.vault.upbound.io/v1alpha1 +kind: Mount +metadata: + annotations: + meta.upbound.io/example-id: transform/v1alpha1/role + labels: + testing.upbound.io/example-name: mount_transform + name: mount-transform +spec: + forProvider: + path: transform + type: transform diff --git a/examples-generated/transform/template.yaml b/examples-generated/transform/template.yaml new file mode 100644 index 00000000..743fe9f1 --- /dev/null +++ b/examples-generated/transform/template.yaml 
@@ -0,0 +1,49 @@ +apiVersion: transform.vault.upbound.io/v1alpha1 +kind: Template +metadata: + annotations: + meta.upbound.io/example-id: transform/v1alpha1/template + labels: + testing.upbound.io/example-name: test + name: test +spec: + forProvider: + alphabet: numerics + decodeFormats: + last-four-digits: $4 + encodeFormat: $1-$2-$3-$4 + name: ccn + path: dummy + pattern: (\d{4})[- ](\d{4})[- ](\d{4})[- ](\d{4}) + type: regex + +--- + +apiVersion: vault.vault.upbound.io/v1alpha1 +kind: Mount +metadata: + annotations: + meta.upbound.io/example-id: transform/v1alpha1/template + labels: + testing.upbound.io/example-name: transform + name: transform +spec: + forProvider: + path: transform + type: transform + +--- + +apiVersion: transform.vault.upbound.io/v1alpha1 +kind: Alphabet +metadata: + annotations: + meta.upbound.io/example-id: transform/v1alpha1/template + labels: + testing.upbound.io/example-name: numerics + name: numerics +spec: + forProvider: + alphabet: "0123456789" + name: numerics + path: transform diff --git a/examples-generated/transform/transformation.yaml b/examples-generated/transform/transformation.yaml new file mode 100644 index 00000000..20265863 --- /dev/null +++ b/examples-generated/transform/transformation.yaml @@ -0,0 +1,32 @@ +apiVersion: transform.vault.upbound.io/v1alpha1 +kind: Transformation +metadata: + annotations: + meta.upbound.io/example-id: transform/v1alpha1/transformation + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + allowedRoles: + - payments + name: ccn-fpe + path: dummy + template: ccn + tweakSource: internal + type: fpe + +--- + +apiVersion: vault.vault.upbound.io/v1alpha1 +kind: Mount +metadata: + annotations: + meta.upbound.io/example-id: transform/v1alpha1/transformation + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + path: transform + type: transform 
diff --git a/examples-generated/transit/secretbackendkey.yaml b/examples-generated/transit/secretbackendkey.yaml new file mode 100644 index 00000000..d48af0f2 --- /dev/null +++ b/examples-generated/transit/secretbackendkey.yaml @@ -0,0 +1,30 @@ +apiVersion: transit.vault.upbound.io/v1alpha1 +kind: SecretBackendKey +metadata: + annotations: + meta.upbound.io/example-id: transit/v1alpha1/secretbackendkey + labels: + testing.upbound.io/example-name: key + name: key +spec: + forProvider: + backend: dummy + name: my_key + +--- + +apiVersion: vault.vault.upbound.io/v1alpha1 +kind: Mount +metadata: + annotations: + meta.upbound.io/example-id: transit/v1alpha1/secretbackendkey + labels: + testing.upbound.io/example-name: transit + name: transit +spec: + forProvider: + defaultLeaseTtlSeconds: 3600 + description: Example description + maxLeaseTtlSeconds: 86400 + path: transit + type: transit diff --git a/examples-generated/vault/audit.yaml b/examples-generated/vault/audit.yaml new file mode 100644 index 00000000..d699f8a4 --- /dev/null +++ b/examples-generated/vault/audit.yaml @@ -0,0 +1,13 @@ +apiVersion: vault.vault.upbound.io/v1alpha1 +kind: Audit +metadata: + annotations: + meta.upbound.io/example-id: vault/v1alpha1/audit + labels: + testing.upbound.io/example-name: test + name: test +spec: + forProvider: + options: + file_path: C:/temp/audit.txt + type: file diff --git a/examples-generated/vault/mount.yaml b/examples-generated/vault/mount.yaml new file mode 100644 index 00000000..1ef3f2a7 --- /dev/null +++ b/examples-generated/vault/mount.yaml @@ -0,0 +1,13 @@ +apiVersion: vault.vault.upbound.io/v1alpha1 +kind: Mount +metadata: + annotations: + meta.upbound.io/example-id: vault/v1alpha1/mount + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + description: This is an example mount + path: dummy + type: generic 
diff --git a/examples-generated/vault/namespace.yaml b/examples-generated/vault/namespace.yaml new file mode 100644 index 00000000..6b10e98f --- /dev/null +++ b/examples-generated/vault/namespace.yaml @@ -0,0 +1,11 @@ +apiVersion: vault.vault.upbound.io/v1alpha1 +kind: Namespace +metadata: + annotations: + meta.upbound.io/example-id: vault/v1alpha1/namespace + labels: + testing.upbound.io/example-name: ns1 + name: ns1 +spec: + forProvider: + path: ns1 diff --git a/examples-generated/vault/policy.yaml b/examples-generated/vault/policy.yaml new file mode 100644 index 00000000..efd37d44 --- /dev/null +++ b/examples-generated/vault/policy.yaml @@ -0,0 +1,15 @@ +apiVersion: vault.vault.upbound.io/v1alpha1 +kind: Policy +metadata: + annotations: + meta.upbound.io/example-id: vault/v1alpha1/policy + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + name: dev-team + policy: | + path "secret/my_app" { + capabilities = ["update"] + } diff --git a/examples-generated/vault/token.yaml b/examples-generated/vault/token.yaml new file mode 100644 index 00000000..663dd4f6 --- /dev/null +++ b/examples-generated/vault/token.yaml @@ -0,0 +1,20 @@ +apiVersion: vault.vault.upbound.io/v1alpha1 +kind: Token +metadata: + annotations: + meta.upbound.io/example-id: vault/v1alpha1/token + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + metadata: + purpose: service-account + policies: + - policy1 + - policy2 + renewIncrement: 86400 + renewMinLease: 43200 + renewable: true + roleName: app + ttl: 24h diff --git a/go.mod b/go.mod index 02c99b18..5efdf78c 100644 --- a/go.mod +++ b/go.mod 
@@ -3,47 +3,46 @@ module github.com/upbound/provider-vault
 go 1.20
 
 require (
- github.com/crossplane/crossplane-runtime v0.20.0-rc.0.0.20230406155702-4e1673b7141f
- github.com/crossplane/crossplane-tools v0.0.0-20230327091744-4236bf732aa5
+ github.com/crossplane/crossplane-runtime v0.20.0
+ github.com/crossplane/crossplane-tools v0.0.0-20230714144037-2684f4bc7638
 github.com/pkg/errors v0.9.1
- github.com/upbound/upjet v0.9.0-rc.0.0.20230413124512-01e5c1fafb42
+ github.com/upbound/upjet v0.9.0-rc.0.0.20230801094152-39dcb37efd81
 gopkg.in/alecthomas/kingpin.v2 v2.2.6
- k8s.io/apimachinery v0.26.3
- k8s.io/client-go v0.26.3
- sigs.k8s.io/controller-runtime v0.14.6
- sigs.k8s.io/controller-tools v0.11.3
+ k8s.io/apimachinery v0.27.3
+ k8s.io/client-go v0.27.3
+ sigs.k8s.io/controller-runtime v0.15.0
+ sigs.k8s.io/controller-tools v0.12.1
 )
 
 require (
+ dario.cat/mergo v1.0.0 // indirect
 github.com/agext/levenshtein v1.2.3 // indirect
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 // indirect
 github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137 // indirect
 github.com/antchfx/htmlquery v1.2.4 // indirect
 github.com/antchfx/xpath v1.2.0 // indirect
 github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
- github.com/armon/go-metrics v0.3.9 // indirect
- github.com/armon/go-radix v1.0.0 // indirect
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/cenkalti/backoff/v3 v3.0.0 // indirect
- github.com/cespare/xxhash/v2 v2.1.2 // indirect
+ github.com/cespare/xxhash/v2 v2.2.0 // indirect
 github.com/dave/jennifer v1.4.1 // indirect
 github.com/davecgh/go-spew v1.1.1 // indirect
- github.com/emicklei/go-restful/v3 v3.9.0 // indirect
+ github.com/emicklei/go-restful/v3 v3.10.2 // indirect
 github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 github.com/fatih/camelcase v1.0.0 // indirect
- github.com/fatih/color v1.13.0 // indirect
+ github.com/fatih/color v1.15.0 // indirect
 github.com/fsnotify/fsnotify v1.6.0 // indirect
- github.com/go-logr/logr v1.2.3 // indirect
- github.com/go-logr/zapr v1.2.3 // indirect
- github.com/go-openapi/jsonpointer v0.19.5 // indirect
- github.com/go-openapi/jsonreference v0.20.0 // indirect
- github.com/go-openapi/swag v0.21.1 // indirect
- github.com/gobuffalo/flect v0.3.0 // indirect
+ github.com/go-jose/go-jose/v3 v3.0.0 // indirect
+ github.com/go-logr/logr v1.2.4 // indirect
+ github.com/go-logr/zapr v1.2.4 // indirect
+ github.com/go-openapi/jsonpointer v0.19.6 // indirect
+ github.com/go-openapi/jsonreference v0.20.2 // indirect
+ github.com/go-openapi/swag v0.22.3 // indirect
+ github.com/gobuffalo/flect v1.0.2 // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 github.com/golang/mock v1.6.0 // indirect
- github.com/golang/protobuf v1.5.2 // indirect
- github.com/golang/snappy v0.0.4 // indirect
+ github.com/golang/protobuf v1.5.3 // indirect
 github.com/google/gnostic v0.6.9 // indirect
 github.com/google/go-cmp v0.5.9 // indirect
 github.com/google/gofuzz v1.2.0 // indirect
@@ -52,18 +51,14 @@ require (
 github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320 // indirect
 github.com/hashicorp/go-hclog v1.2.1 // indirect
- github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
 github.com/hashicorp/go-multierror v1.1.1 // indirect
- github.com/hashicorp/go-plugin v1.4.4 // indirect
 github.com/hashicorp/go-retryablehttp v0.7.1 // indirect
 github.com/hashicorp/go-rootcerts v1.0.2 // indirect
- github.com/hashicorp/go-secure-stdlib/mlock v0.1.1 // indirect
- github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1 // indirect
- github.com/hashicorp/go-secure-stdlib/strutil v0.1.1 // indirect
+ github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 // indirect
+ github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
 github.com/hashicorp/go-sockaddr v1.0.2 // indirect
 github.com/hashicorp/go-uuid v1.0.3 // indirect
 github.com/hashicorp/go-version v1.6.0 // indirect
- github.com/hashicorp/golang-lru v0.5.4 // indirect
 github.com/hashicorp/hcl v1.0.0 // indirect
 github.com/hashicorp/hcl/v2 v2.14.1 // indirect
 github.com/hashicorp/logutils v1.0.0 // indirect
@@ -71,17 +66,15 @@ require (
 github.com/hashicorp/terraform-plugin-go v0.14.0 // indirect
 github.com/hashicorp/terraform-plugin-log v0.7.0 // indirect
 github.com/hashicorp/terraform-plugin-sdk/v2 v2.24.0 // indirect
- github.com/hashicorp/vault/api v1.5.0 // indirect
- github.com/hashicorp/vault/sdk v0.4.1 // indirect
- github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d // indirect
+ github.com/hashicorp/vault/api v1.9.2 // indirect
 github.com/iancoleman/strcase v0.2.0 // indirect
- github.com/imdario/mergo v0.3.12 // indirect
- github.com/inconshreveable/mousetrap v1.0.1 // indirect
+ github.com/imdario/mergo v0.3.16 // indirect
+ github.com/inconshreveable/mousetrap v1.1.0 // indirect
 github.com/josharian/intern v1.0.0 // indirect
 github.com/json-iterator/go v1.1.12 // indirect
 github.com/mailru/easyjson v0.7.7 // indirect
- github.com/mattn/go-colorable v0.1.12 // indirect
- github.com/mattn/go-isatty v0.0.16 // indirect
+ github.com/mattn/go-colorable v0.1.13 // indirect
+ github.com/mattn/go-isatty v0.0.17 // indirect
 github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 github.com/mitchellh/copystructure v1.2.0 // indirect
 github.com/mitchellh/go-homedir v1.1.0 // indirect
@@ -94,15 +87,13 @@ require (
 github.com/modern-go/reflect2 v1.0.2 // indirect
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 github.com/muvaf/typewriter v0.0.0-20220131201631-921e94e8e8d7 // indirect
- github.com/oklog/run v1.0.0 // indirect
- github.com/pierrec/lz4 v2.5.2+incompatible // indirect
- github.com/prometheus/client_golang v1.14.0 // indirect
- github.com/prometheus/client_model v0.3.0 // indirect
- github.com/prometheus/common v0.37.0 // indirect
- github.com/prometheus/procfs v0.8.0 // indirect
+ github.com/prometheus/client_golang v1.15.1 // indirect
+ github.com/prometheus/client_model v0.4.0 // indirect
+ github.com/prometheus/common v0.44.0 // indirect
+ github.com/prometheus/procfs v0.10.0 // indirect
 github.com/ryanuber/go-glob v1.0.0 // indirect
- github.com/spf13/afero v1.9.2 // indirect
- github.com/spf13/cobra v1.6.1 // indirect
+ github.com/spf13/afero v1.9.5 // indirect
+ github.com/spf13/cobra v1.7.0 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
 github.com/tmccombs/hcl2json v0.3.3 // indirect
 github.com/vmihailenco/msgpack v4.0.4+incompatible // indirect
@@ -110,34 +101,35 @@ require (
 github.com/vmihailenco/tagparser v0.1.1 // indirect
 github.com/yuin/goldmark v1.4.13 // indirect
 github.com/zclconf/go-cty v1.11.0 // indirect
- go.uber.org/atomic v1.10.0 // indirect
- go.uber.org/multierr v1.8.0 // indirect
+ go.uber.org/atomic v1.11.0 // indirect
+ go.uber.org/multierr v1.11.0 // indirect
 go.uber.org/zap v1.24.0 // indirect
- golang.org/x/crypto v0.2.0 // indirect
- golang.org/x/mod v0.7.0 // indirect
- golang.org/x/net v0.7.0 // indirect
- golang.org/x/oauth2 v0.1.0 // indirect
- golang.org/x/sys v0.5.0 // indirect
- golang.org/x/term v0.5.0 // indirect
- golang.org/x/text v0.7.0 // indirect
+ golang.org/x/crypto v0.11.0 // indirect
+ golang.org/x/mod v0.12.0 // indirect
+ golang.org/x/net v0.12.0 // indirect
+ golang.org/x/oauth2 v0.8.0 // indirect
+ golang.org/x/sys v0.10.0 // indirect
+ golang.org/x/term v0.10.0 // indirect
+ golang.org/x/text v0.11.0 // indirect
 golang.org/x/time v0.3.0 // indirect
- golang.org/x/tools v0.4.0 // indirect
- gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
+ golang.org/x/tools v0.11.0 // indirect
+ gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect
 google.golang.org/appengine v1.6.7 // indirect
- google.golang.org/genproto v0.0.0-20221202195650-67e5cbc046fd // indirect
- google.golang.org/grpc v1.50.1 // indirect
- google.golang.org/protobuf v1.28.2-0.20220831092852-f930b1dc76e8 // indirect
+ google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
+ google.golang.org/grpc v1.56.2 // indirect
+ google.golang.org/protobuf v1.31.0 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
- gopkg.in/square/go-jose.v2 v2.5.1 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
- k8s.io/api v0.26.3 // indirect
- k8s.io/apiextensions-apiserver v0.26.3 // indirect
- k8s.io/component-base v0.26.3 // indirect
- k8s.io/klog/v2 v2.80.1 // indirect
- k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect
- k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 // indirect
- sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
+ k8s.io/api v0.27.3 // indirect
+ k8s.io/apiextensions-apiserver v0.27.3 // indirect
+ k8s.io/component-base v0.27.3 // indirect
+ k8s.io/klog/v2 v2.100.1 // indirect
+ k8s.io/kube-openapi v0.0.0-20230525220651-2546d827e515 // indirect
+ k8s.io/utils v0.0.0-20230505201702-9f6742963106 // indirect
+ sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 sigs.k8s.io/yaml v1.3.0 // indirect
 )
+
+replace github.com/upbound/upjet => github.com/haarchri/upjet v0.9.0-rc.0.0.20230801-af46bef5eab5fc8482e02f29e56f5373d02cb4c7
diff --git a/go.sum b/go.sum
index 82ba2388..7af8765f 100644
--- a/go.sum
+++ b/go.sum
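Review bot: The `replace` directive added at the end of this hunk redirects `github.com/upbound/upjet` to a personal fork (`github.com/haarchri/upjet`), so every build of the provider now compiles code that lives outside the upstream project's review and release process, and the sums recorded in go.sum attest to that fork's commit rather than to an upjet release. If this is a stopgap for an unmerged upstream change, record that in the file so it is not forgotten, e.g. `// TODO(<owner>): temporary until <upstream upjet PR> is merged and released; remove this replace.` on the line above the directive, and tie its removal to that PR. The pinned version `v0.9.0-rc.0.0.20230801-af46bef5eab5fc8482e02f29e56f5373d02cb4c7` does not look like a canonical Go pseudo-version (those carry a 14-digit timestamp and a 12-character commit prefix), so it is worth confirming that `go mod tidy` accepts it unchanged and that go.sum carries matching entries for it. Reviewers should also compare the fork commit against the upstream PR it mirrors before merging.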
@@ -35,21 +35,18 @@ cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohl cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3fOKtUw0Xmo= +dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk= +dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo= github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= github.com/alecthomas/kong v0.2.16/go.mod h1:kQOmtJgV+Lb4aj+I2LEn40cbtawdWJ9Y8QLq+lElKxE= -github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 h1:JYp7IbQjafoB+tBA3gMyHYHrpOtNuDiK/uB5uXxq5wM= github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= -github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= -github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= 
-github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho= github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137 h1:s6gZFSlWYmbqAuRjVTiNNhvNRfY2Wxp9nhfyel4rklc= github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137/go.mod h1:OMCwj8VM1Kc9e19TLln2VL61YJF0x1XFtfdL4JdbSyE= github.com/antchfx/htmlquery v1.2.4 h1:qLteofCMe/KGovBI6SQgmou2QNyedFUW+pE+BpeZ494= @@ -63,15 +60,9 @@ github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/ github.com/apparentlymart/go-textseg/v12 v12.0.0/go.mod h1:S/4uRK2UtaQttw1GenVJEynmyUenKwP++x/+DdGV/Ec= github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw= github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo= -github.com/armon/go-metrics v0.3.9 h1:O2sNqxBdvq8Eq5xmzljcYzAORli6RWCvEym4cJf9m18= -github.com/armon/go-metrics v0.3.9/go.mod h1:4O98XIr/9W0sxpJ8UaYkvjk10Iff7SnFrb4QAOwNTFc= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= -github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI= -github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= -github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= -github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= 
@@ -80,96 +71,72 @@ github.com/cenkalti/backoff/v3 v3.0.0 h1:ske+9nBpD9qZsTBoF41nW5L+AIuFBKMeze18XQ3 github.com/cenkalti/backoff/v3 v3.0.0/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= -github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE= -github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= +github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= -github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag= -github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod 
h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= -github.com/crossplane/crossplane-runtime v0.20.0-rc.0.0.20230406155702-4e1673b7141f h1:wDRr6gaoiQstEdddrn0B5SSSgzdXreOQAbdmRH+9JeI= -github.com/crossplane/crossplane-runtime v0.20.0-rc.0.0.20230406155702-4e1673b7141f/go.mod h1:ebtUpmconMy8RKUEhrCXTUFSOpfGQqbKM2E+rjCCYJo= -github.com/crossplane/crossplane-tools v0.0.0-20230327091744-4236bf732aa5 h1:K9H55wcwfXcGroZApIgPmIGRGuZLszsLDCYB12p2yMo= -github.com/crossplane/crossplane-tools v0.0.0-20230327091744-4236bf732aa5/go.mod h1:+e4OaFlOcmr0JvINHl/yvEYBrZawzTgj6pQumOH1SS0= +github.com/crossplane/crossplane-runtime v0.20.0 h1:MlPNrK6ELKLQdeHaIdKxQpZW2LSivSYXxHKVfU32auU= +github.com/crossplane/crossplane-runtime v0.20.0/go.mod h1:FuKIC8Mg8hE2gIAMyf2wCPkxkFPz+VnMQiYWBq1/p5A= +github.com/crossplane/crossplane-tools v0.0.0-20230714144037-2684f4bc7638 h1:NPbGG7jLyM+LbSMFQXilM70EOxbxk4z2CFvdSRtxc1s= +github.com/crossplane/crossplane-tools v0.0.0-20230714144037-2684f4bc7638/go.mod h1:+e4OaFlOcmr0JvINHl/yvEYBrZawzTgj6pQumOH1SS0= github.com/dave/jennifer v1.4.1 h1:XyqG6cn5RQsTj3qlWQTKlRGAyrTcsk1kUmWdZBzRjDw= github.com/dave/jennifer v1.4.1/go.mod h1:7jEdnm+qBcxl8PC0zyp7vxcpSRnzXSt9r39tpTVGlwA= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= -github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE= -github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.10.2 
h1:hIovbnmBTLjHXkqEBUz3HGpXZdM7ZrE9fJIZIqlJLqE= +github.com/emicklei/go-restful/v3 v3.10.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= -github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ= github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84= -github.com/evanphx/json-patch/v5 v5.5.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww= github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= github.com/fatih/camelcase v1.0.0 h1:hxNvNX/xYBp0ovncs8WyWZrOrpBNub/JfaMvbURyft8= github.com/fatih/camelcase v1.0.0/go.mod h1:yN2Sb0lFhZJUdVvtELVWefmrXpuZESvPmqwoZc+/fpc= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= -github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w= github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= -github.com/fatih/structs 
v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo= -github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M= +github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs= +github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw= github.com/flowstack/go-jsonschema v0.1.1/go.mod h1:yL7fNggx1o8rm9RlgXv7hTBWxdBM0rVwpMwimd3F3N0= -github.com/frankban/quicktest v1.10.0/go.mod h1:ui7WezCLWMWxVWr1GETZY3smRy0G4KWq9vcPtJmFl7Y= -github.com/frankban/quicktest v1.13.0 h1:yNZif1OkDfNoDfb9zZa9aXIpejNR4F23Wely0c+Qdqk= -github.com/frankban/quicktest v1.13.0/go.mod h1:qLE0fzW0VuyUAJgPU19zByoIr0HtCHN/r/VLSOOIySU= github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/go-asn1-ber/asn1-ber v1.3.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= -github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= -github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= -github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY= -github.com/go-kit/log v0.2.0/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0= -github.com/go-ldap/ldap/v3 v3.1.10/go.mod h1:5Zun81jBTabRaI8lzN7E1JjyEl1g6zI6u9pd8luAK4Q= -github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= -github.com/go-logfmt/logfmt v0.4.0/go.mod 
h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= -github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= -github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs= +github.com/go-jose/go-jose/v3 v3.0.0 h1:s6rrhirfEP/CGIoc6p+PZAeogN2SxKav6Wp7+dyMWVo= +github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8= github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0= -github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/zapr v1.2.3 h1:a9vnzlIBPQBBkeaR9IuMUfmVOrQlkoC4YfPoFkX3T7A= -github.com/go-logr/zapr v1.2.3/go.mod h1:eIauM6P8qSvTw5o2ez6UEAfGjQKrxQTl5EoK+Qa2oG4= -github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY= -github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonreference v0.20.0 h1:MYlu0sBgChmCfJxxUKZ8g1cPWFOB37YSZqewK7OKeyA= -github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXymS4zJbYVCZmcgkasdo= -github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= -github.com/go-openapi/swag v0.21.1 h1:wm0rhTb5z7qpJRHBdPOMuY4QjVUMbF6/kwoYeRAOrKU= -github.com/go-openapi/swag v0.21.1/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= -github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= -github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= +github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= +github.com/go-logr/logr v1.2.4/go.mod 
h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo= +github.com/go-logr/zapr v1.2.4/go.mod h1:FyHWQIzQORZ0QVE1BtVHv3cKtNLuXsbNLtpuhNapBOA= +github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= +github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= +github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= +github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= +github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= +github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= github.com/go-test/deep v1.0.7 h1:/VSMRlnY/JSyqxQUzQLKVMAskpY/NZKFA5j2P+0pP2M= github.com/go-test/deep v1.0.7/go.mod h1:QV8Hv/iy04NyLBxAdO9njL0iVPN1S4d/A3NVv1V36o8= -github.com/gobuffalo/flect v0.3.0 h1:erfPWM+K1rFNIQeRPdeEXxo8yFr/PO17lhRnS8FUrtk= -github.com/gobuffalo/flect v0.3.0/go.mod h1:5pf3aGnsvqvCj50AVni7mJJF8ICxGZ8HomberC3pXLE= -github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gobuffalo/flect v1.0.2 h1:eqjPGSo2WmjgY2XlpGwo2NXgL3RucAKo4k4qQMNA5sA= +github.com/gobuffalo/flect v1.0.2/go.mod h1:A5msMlrHtLqh9umBSnvabjsMrCcCpAyzglnDvkbYKHs= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= 
@@ -203,10 +170,9 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= -github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= -github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= +github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/google/addlicense v0.0.0-20210428195630-6d92264d7170/go.mod h1:EMjYTRimagHs1FwlIqKyX3wAM0u3rA+McvlIIWmSamA= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= 
@@ -241,6 +207,7 @@ github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hf github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20230705174524-200ffdc848b8 h1:n6vlPhxsA+BW/XsS5+uqi7GyzaLa5MH7qlSLBZtRdiA= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= 
@@ -249,59 +216,40 @@ github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+ github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= +github.com/haarchri/upjet v0.9.0-rc.0.0.20230801-af46bef5eab5fc8482e02f29e56f5373d02cb4c7 h1:ea6dDCwkpE0eUKdpAhcK8as1pMXJFGsCOcK5E8rb1BQ= +github.com/haarchri/upjet v0.9.0-rc.0.0.20230801-af46bef5eab5fc8482e02f29e56f5373d02cb4c7/go.mod h1:2RXHgpIugCL/S/Use1QJAeVaev901RBeUByQh5gUtGk= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= -github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320 h1:1/D3zfFHttUKaCaGKZ/dR2roBXv0vKbSCnssIldfQdI= github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320/go.mod h1:EiZBMaudVLy8fmjf9Npq1dq9RalhveqZG5w/yz3mHWs= github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= -github.com/hashicorp/go-hclog v0.14.1/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= -github.com/hashicorp/go-hclog v0.16.2/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-hclog v1.2.1 h1:YQsLlGDJgwhXFpucSPyVbCBviQtjlHv3jLTlp8YmtEw= github.com/hashicorp/go-hclog 
v1.2.1/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= -github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= -github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc= -github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= -github.com/hashicorp/go-kms-wrapping/entropy v0.1.0/go.mod h1:d1g9WGtAunDNpek8jUIEJnBlbgKS1N2Q61QkHiZyR1g= github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= -github.com/hashicorp/go-plugin v1.4.3/go.mod h1:5fGEH17QVwTTcR0zV7yhDPLLmFX9YSZ38b18Udy6vYQ= -github.com/hashicorp/go-plugin v1.4.4 h1:NVdrSdFRt3SkZtNckJ6tog7gbpRrcbOjQi/rgF7JYWQ= -github.com/hashicorp/go-plugin v1.4.4/go.mod h1:viDMjcLJuDui6pXb8U4HVfb8AamCWhHGUjr2IrTF67s= -github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= -github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= github.com/hashicorp/go-retryablehttp v0.7.1 h1:sUiuQAnLlbvmExtFQs72iFW/HXeUn8Z1aJLQ4LJJbTQ= github.com/hashicorp/go-retryablehttp v0.7.1/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc= github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= -github.com/hashicorp/go-secure-stdlib/base62 v0.1.1/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw= -github.com/hashicorp/go-secure-stdlib/mlock v0.1.1 h1:cCRo8gK7oq6A2L6LICkUZ+/a5rLiRXFMf1Qd4xSwxTc= -github.com/hashicorp/go-secure-stdlib/mlock v0.1.1/go.mod h1:zq93CJChV6L9QTfGKtfBxKqD7BqqXx5O04A/ns2p5+I= -github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1 
h1:78ki3QBevHwYrVxnyVeaEz+7WtifHhauYF23es/0KlI= -github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= -github.com/hashicorp/go-secure-stdlib/password v0.1.1/go.mod h1:9hH302QllNwu1o2TGYtSk8I8kTAN0ca1EHpwhm5Mmzo= -github.com/hashicorp/go-secure-stdlib/strutil v0.1.1 h1:nd0HIW15E6FG1MsnArYaHfuw9C2zgzM8LxkG5Ty/788= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 h1:om4Al8Oy7kCm/B86rLCLah4Dt5Aa0Fr5rYBG60OzwHQ= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U= -github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.1/go.mod h1:l8slYwnJA26yBz+ErHpp2IRCLr0vuOMGBORIz4rRiAs= +github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts= +github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4= github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc= github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A= -github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= -github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8= github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= -github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/go-version v1.5.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek= github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/golang-lru v0.5.0/go.mod 
h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc= -github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/hashicorp/hcl/v2 v2.9.1/go.mod h1:FwWsfWEjyV/CMj8s/gqAuiviY72rJ1/oayI9WftqcKg= 
@@ -317,47 +265,30 @@ github.com/hashicorp/terraform-plugin-log v0.7.0 h1:SDxJUyT8TwN4l5b5/VkiTIaQgY6R github.com/hashicorp/terraform-plugin-log v0.7.0/go.mod h1:p4R1jWBXRTvL4odmEkFfDdhUjHf9zcs/BCoNHAc7IK4= github.com/hashicorp/terraform-plugin-sdk/v2 v2.24.0 h1:FtCLTiTcykdsURXPt/ku7fYXm3y19nbzbZcUxHx9RbI= github.com/hashicorp/terraform-plugin-sdk/v2 v2.24.0/go.mod h1:80wf5oad1tW+oLnbXS4UTYmDCrl7BuN1Q+IA91X1a4Y= -github.com/hashicorp/vault/api v1.5.0 h1:Bp6yc2bn7CWkOrVIzFT/Qurzx528bdavF3nz590eu28= -github.com/hashicorp/vault/api v1.5.0/go.mod h1:LkMdrZnWNrFaQyYYazWVn7KshilfDidgVBq6YiTq/bM= -github.com/hashicorp/vault/sdk v0.4.1 h1:3SaHOJY687jY1fnB61PtL0cOkKItphrbLmux7T92HBo= -github.com/hashicorp/vault/sdk v0.4.1/go.mod h1:aZ3fNuL5VNydQk8GcLJ2TV8YCRVvyaakYkhZRoVuhj0= -github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= -github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d h1:kJCB4vdITiW1eC1vq2e6IsrXKrZit1bv/TDYFGMp4BQ= -github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= +github.com/hashicorp/vault/api v1.9.2 h1:YjkZLJ7K3inKgMZ0wzCU9OHqc+UqMQyXsPXnf3Cl2as= +github.com/hashicorp/vault/api v1.9.2/go.mod h1:jo5Y/ET+hNyz+JnKDt8XLAdKs+AM0G5W0Vp1IrFI8N8= github.com/iancoleman/strcase v0.2.0 h1:05I4QRnGpI0m37iZQRuskXh+w77mr6Z41lwQzuHLwW0= github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= -github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU= -github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= -github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc= 
-github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= +github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= +github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= +github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= +github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= -github.com/jhump/protoreflect v1.6.0 h1:h5jfMVslIg6l29nsMs0D8Wj17RDVdNYti0vDN/PZZoE= -github.com/jhump/protoreflect v1.6.0/go.mod h1:eaTn3RZAmMBcV0fifFvlm6VHNz3wSkYyXYWUh7ymB74= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= -github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= -github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= -github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= -github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= -github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= -github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= -github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= github.com/kisielk/errcheck 
v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= -github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= -github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 
@@ -365,37 +296,28 @@ github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= -github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= -github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= -github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= -github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40= github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4= +github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= +github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= -github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= -github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84= github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= 
github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= -github.com/mattn/go-isatty v0.0.16 h1:bq3VjFmv/sOjHtdEhmkEV4x1AJtvUvOJ2PFAZ5+peKQ= github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= -github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= +github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng= +github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= -github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw= github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc= github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg= -github.com/mitchellh/go-testing-interface v0.0.0-20171004221916-a61a99592b77/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= -github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= github.com/mitchellh/go-testing-interface v1.14.1 h1:jrgshOhYAUVNMAJiKbEu7EqAwgJJ2JqpQmpLJOu07cU= github.com/mitchellh/go-testing-interface v1.14.1/go.mod h1:gfgS7OtZj6MA4U1UrDRp04twqAjfvlZyCfX3sDjEym8= github.com/mitchellh/go-wordwrap 
v0.0.0-20150314170334-ad45545899c7/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= 
@@ -403,38 +325,24 @@ github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUb github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0= github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0= github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= -github.com/mitchellh/mapstructure v1.4.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= -github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ= github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= -github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/muvaf/typewriter v0.0.0-20220131201631-921e94e8e8d7 
h1:CxRHKnh1YJXgNKxcos9rrKL6AcmOl1AS/fygmxFDzh4= github.com/muvaf/typewriter v0.0.0-20220131201631-921e94e8e8d7/go.mod h1:SAAdeMEiFXR8LcHffvIdiLI1w243DCH2DuHq7UrA5YQ= -github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= -github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= -github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/nsf/jsondiff v0.0.0-20200515183724-f29ed568f4ce h1:RPclfga2SEJmgMmz2k+Mg7cowZ8yv4Trqw9UsJby758= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= -github.com/oklog/run v1.0.0 h1:Ru7dDtJNOyC66gQ5dQmaCa0qIsAUFY3sFpK1Xk8igrw= -github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= -github.com/onsi/ginkgo/v2 v2.6.0 h1:9t9b9vRUbFq3C4qKFCGkVuq/fIHji802N1nrtkh1mNc= -github.com/onsi/gomega v1.24.2 h1:J/tulyYK6JwBldPViHJReihxxZ+22FHs0piGjQAvoUE= -github.com/pascaldekloe/goe v0.1.0 h1:cBOtyMzM9HTpWjXfbbunk26uA6nG3a8n06Wieeh0MwY= -github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= -github.com/pierrec/lz4 v2.5.2+incompatible h1:WCjObylUIOlKy/+7Abdn34TLIkXiA4UWUMhxq9m9ZXI= -github.com/pierrec/lz4 v2.5.2+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= -github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q= +github.com/onsi/gomega v1.27.7 h1:fVih9JD6ogIiHUN6ePK7HJidyEDpWGVB5mzM7cWNXoU= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 
@@ -442,59 +350,36 @@ github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qR github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= -github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= -github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= -github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU= -github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= -github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= -github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY= -github.com/prometheus/client_golang v1.14.0 h1:nJdhIvne2eSX/XRAFV9PcvFFRbrjbcTUj0VP62TMhnw= -github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y= -github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= -github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_golang v1.15.1 h1:8tXpTmJbyH5lydzFPoxSIJ0J46jdh3tylbvM1xCv0LI= +github.com/prometheus/client_golang v1.15.1/go.mod h1:e9yaBhRPU2pPNsZwE+JdQl0KEt1N9XgF6zxWmaC0xOk= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.3.0 h1:UBgGFHqYdG/TPFD1B1ogZywDqEkwp3fBMvqdiQ7Xew4= -github.com/prometheus/client_model v0.3.0/go.mod 
h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w= -github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= -github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4= -github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= -github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc= -github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= -github.com/prometheus/common v0.37.0 h1:ccBbHCgIiT9uSoFY0vX8H3zsNR5eLt17/RQLUvn8pXE= -github.com/prometheus/common v0.37.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA= -github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= -github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= -github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A= -github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= -github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= -github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= -github.com/prometheus/procfs v0.8.0 h1:ODq8ZFEaYeCaZOJlZZdJA2AbQR98dSHSM1KW/You5mo= -github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4= +github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY= +github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU= +github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY= +github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY= +github.com/prometheus/procfs v0.10.0 h1:UkG7GPYkO4UZyLnyXjaWYcgOSONqwdBqFUT95ugmt6I= +github.com/prometheus/procfs v0.10.0/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM= 
github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= github.com/sebdah/goldie v1.0.0/go.mod h1:jXP4hmWywNEwZzhMuv2ccnqTSFpuq8iyQhtQdkkZBH4= github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= -github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= -github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= -github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= -github.com/spf13/afero v1.9.2 h1:j49Hj62F0n+DaZ1dDCvhABaPNSGNkt32oRFxI33IEMw= -github.com/spf13/afero v1.9.2/go.mod h1:iUV7ddyEEZPO5gA3zD4fJt6iStLlL+Lg4m2cihcDf8Y= -github.com/spf13/cobra v1.6.1 h1:o94oiPyS4KD1mPy2fmcYYHHfCxLqYjJOhGsCHFZtEzA= -github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY= +github.com/spf13/afero v1.9.5 h1:stMpOSZFs//0Lv29HduCmli3GUfpFoF3Y1Q/aXj/wVM= +github.com/spf13/afero v1.9.5/go.mod h1:UBogFpq8E9Hx+xc5CNTTEpTnuHVmXDwZcZcE1eb/UhQ= +github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I= +github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0= github.com/spf13/pflag v1.0.2/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.5 
h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.4.0 h1:M2gUjqZET1qApGOWNSnZ49BAIMX4F/1plDv3+l31EJ4= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= 
@@ -503,13 +388,11 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals= -github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/tmccombs/hcl2json v0.3.3 h1:+DLNYqpWE0CsOQiEZu+OZm5ZBImake3wtITYxQ8uLFQ= github.com/tmccombs/hcl2json v0.3.3/go.mod h1:Y2chtz2x9bAeRTvSibVRVgbLJhLJXKlUeIvjeVdnm4w= -github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM= -github.com/upbound/upjet v0.9.0-rc.0.0.20230413124512-01e5c1fafb42 h1:kEpQ3I4YXkdatz/dT8LvvFUHbJTPw4SBz4SdFmPS/vw= -github.com/upbound/upjet v0.9.0-rc.0.0.20230413124512-01e5c1fafb42/go.mod h1:IhrO+1L/Ieq7ZCORhiuZ4sShOzl/GoVGVjq0+JCMDYo= github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk= github.com/vmihailenco/msgpack v4.0.4+incompatible h1:dSLoQfGFAo3F6OoNhwUmLwVgaUXK79GlxNBwueZn0xI= github.com/vmihailenco/msgpack v4.0.4+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk= 
@@ -542,29 +425,26 @@ go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= -go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= -go.uber.org/atomic v1.10.0 h1:9qC72Qh0+3MqyJbAn8YU5xVq1frD8bn3JtD2oXtafVQ= -go.uber.org/atomic v1.10.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= -go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= -go.uber.org/goleak v1.2.0 h1:xqgm/S+aQvhWFTtR0XK3Jvg7z8kGV8P4X14IzwN3Eqk= +go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= +go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= +go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= +go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A= go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= -go.uber.org/multierr v1.8.0 h1:dg6GjLku4EH+249NNmoIciG9N/jURbDG+pFlTkhzIC8= -go.uber.org/multierr v1.8.0/go.mod h1:7EAYxJLBy9rStEaz58O2t4Uvip6FSURkq8/ppBp95ak= -go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI= +go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= +go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60= go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= -golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod 
h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= -golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.2.0 h1:BRXPfhNivWL5Yq0BGQ39a2sW6t44aODpfxkWjYdzewE= -golang.org/x/crypto v0.2.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= +golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA= +golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -599,13 +479,11 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.7.0 h1:LapD9S96VoQRhi/GrNTqeBJFrUjs5UHCAtTlgwA5oZA= -golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/net v0.0.0-20180530234432-1e491301e022/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc= +golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 
@@ -613,7 +491,6 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= -golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 
@@ -638,12 +515,10 @@ golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= -golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g= -golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50= +golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -653,10 +528,8 @@ golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= -golang.org/x/oauth2 v0.1.0 h1:isLCZuhj4v+tYv7eskaN4v/TM+A1begWWgyVJDdl1+Y= -golang.org/x/oauth2 v0.1.0/go.mod h1:G9FE4dLTsbXUu90h/Pf85g4w1D+SSAgR+q46nJZ8M4A= +golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8= +golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -668,16 +541,12 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o= +golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190502175342-a43fa875dd82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -685,10 +554,8 @@ golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -702,8 +569,6 @@ golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -711,27 +576,22 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU= -golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= +golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.5.0 h1:n2a8QNdAb0sZNpU9R1ALUXBbY+w51fCQDN+7EdxNBsY= -golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c= +golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -741,12 +601,11 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo= -golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4= +golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -764,7 +623,6 @@ golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgw golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 
@@ -800,14 +658,15 @@ golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.4.0 h1:7mTAgkunk3fr4GAloyyCasadO6h9zSsQZbwvcaIciV4= -golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ= +golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.11.0 h1:EMCa6U9S2LtZXLAMoWiR/R8dAQFRqbAitmbJ2UKhoi8= +golang.org/x/tools v0.11.0/go.mod h1:anzJrxPjNtfgiYQYirP2CPGzGLxrH2u2QBhn6Bf3qY8= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -gomodules.xyz/jsonpatch/v2 v2.2.0 h1:4pT439QV83L+G9FkcCriY6EkpcK6r6bK+A5FBUMI7qY= -gomodules.xyz/jsonpatch/v2 v2.2.0/go.mod h1:WXp+iVDkoLQqPudfQ9GBlwB2eZ5DKOnjQZCYdOS8GPY= +gomodules.xyz/jsonpatch/v2 v2.3.0 h1:8NFhfS6gzxNqjLIYnZxg319wZ5Qjnx4m/CcX+Klzazc= +gomodules.xyz/jsonpatch/v2 v2.3.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= 
@@ -835,7 +694,6 @@ google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCID
 google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/genproto v0.0.0-20170818010345-ee236bd376b0/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
@@ -874,9 +732,8 @@ google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20221202195650-67e5cbc046fd h1:OjndDrsik+Gt+e6fs45z9AxiewiKyLKYpA45W5Kpkks=
-google.golang.org/genproto v0.0.0-20221202195650-67e5cbc046fd/go.mod h1:cTsE614GARnxrLsqKREzmNYJACSWWpAWdNMwnD7c2BE=
-google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
+google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 h1:KpwkzHKEF7B9Zxg18WzOa7djJ+Ha5DzthMyZYQfEn2A=
+google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
@@ -896,9 +753,8 @@ google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA5
 google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
-google.golang.org/grpc v1.41.0/go.mod h1:U3l9uK9J0sini8mHphKoXyaqDA/8VyGnDee1zzIUK6k=
-google.golang.org/grpc v1.50.1 h1:DS/BukOZWp8s6p4Dt/tOaJaTQyPyOoCcrjroHuCeLzY=
-google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
+google.golang.org/grpc v1.56.2 h1:fVRFRnXvU+x6C4IlHZewvJOVHoOv1TUuQyoRsYnB4bI=
+google.golang.org/grpc v1.56.2/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -912,33 +768,26 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.28.2-0.20220831092852-f930b1dc76e8 h1:KR8+MyP7/qOlV+8Af01LtjL04bu7on42eVsxT4EyBQk=
-google.golang.org/protobuf v1.28.2-0.20220831092852-f930b1dc76e8/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
+google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
-gopkg.in/square/go-jose.v2 v2.5.1 h1:7odma5RETjNHWJnR32wx8t+Io4djHE1PqxCFx3iiZ2w=
-gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
-gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
@@ -948,31 +797,31 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/api v0.26.3 h1:emf74GIQMTik01Aum9dPP0gAypL8JTLl/lHa4V9RFSU=
-k8s.io/api v0.26.3/go.mod h1:PXsqwPMXBSBcL1lJ9CYDKy7kIReUydukS5JiRlxC3qE=
-k8s.io/apiextensions-apiserver v0.26.3 h1:5PGMm3oEzdB1W/FTMgGIDmm100vn7IaUP5er36dB+YE=
-k8s.io/apiextensions-apiserver v0.26.3/go.mod h1:jdA5MdjNWGP+njw1EKMZc64xAT5fIhN6VJrElV3sfpQ=
-k8s.io/apimachinery v0.26.3 h1:dQx6PNETJ7nODU3XPtrwkfuubs6w7sX0M8n61zHIV/k=
-k8s.io/apimachinery v0.26.3/go.mod h1:ats7nN1LExKHvJ9TmwootT00Yz05MuYqPXEXaVeOy5I=
-k8s.io/client-go v0.26.3 h1:k1UY+KXfkxV2ScEL3gilKcF7761xkYsSD6BC9szIu8s=
-k8s.io/client-go v0.26.3/go.mod h1:ZPNu9lm8/dbRIPAgteN30RSXea6vrCpFvq+MateTUuQ=
-k8s.io/component-base v0.26.3 h1:oC0WMK/ggcbGDTkdcqefI4wIZRYdK3JySx9/HADpV0g=
-k8s.io/component-base v0.26.3/go.mod h1:5kj1kZYwSC6ZstHJN7oHBqcJC6yyn41eR+Sqa/mQc8E=
-k8s.io/klog/v2 v2.80.1 h1:atnLQ121W371wYYFawwYx1aEY2eUfs4l3J72wtgAwV4=
-k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
-k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 h1:+70TFaan3hfJzs+7VK2o+OGxg8HsuBr/5f6tVAjDu6E=
-k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4=
-k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 h1:KTgPnR10d5zhztWptI952TNtt/4u5h3IzDXkdIMuo2Y=
-k8s.io/utils v0.0.0-20221128185143-99ec85e7a448/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/api v0.27.3 h1:yR6oQXXnUEBWEWcvPWS0jQL575KoAboQPfJAuKNrw5Y=
+k8s.io/api v0.27.3/go.mod h1:C4BNvZnQOF7JA/0Xed2S+aUyJSfTGkGFxLXz9MnpIpg=
+k8s.io/apiextensions-apiserver v0.27.3 h1:xAwC1iYabi+TDfpRhxh4Eapl14Hs2OftM2DN5MpgKX4=
+k8s.io/apiextensions-apiserver v0.27.3/go.mod h1:BH3wJ5NsB9XE1w+R6SSVpKmYNyIiyIz9xAmBl8Mb+84=
+k8s.io/apimachinery v0.27.3 h1:Ubye8oBufD04l9QnNtW05idcOe9Z3GQN8+7PqmuVcUM=
+k8s.io/apimachinery v0.27.3/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E=
+k8s.io/client-go v0.27.3 h1:7dnEGHZEJld3lYwxvLl7WoehK6lAq7GvgjxpA3nv1E8=
+k8s.io/client-go v0.27.3/go.mod h1:2MBEKuTo6V1lbKy3z1euEGnhPfGZLKTS9tiJ2xodM48=
+k8s.io/component-base v0.27.3 h1:g078YmdcdTfrCE4fFobt7qmVXwS8J/3cI1XxRi/2+6k=
+k8s.io/component-base v0.27.3/go.mod h1:JNiKYcGImpQ44iwSYs6dysxzR9SxIIgQalk4HaCNVUY=
+k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
+k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
+k8s.io/kube-openapi v0.0.0-20230525220651-2546d827e515 h1:OmK1d0WrkD3IPfkskvroRykOulHVHf0s0ZIFRjyt+UI=
+k8s.io/kube-openapi v0.0.0-20230525220651-2546d827e515/go.mod h1:kzo02I3kQ4BTtEfVLaPbjvCkX97YqGve33wzlb3fofQ=
+k8s.io/utils v0.0.0-20230505201702-9f6742963106 h1:EObNQ3TW2D+WptiYXlApGNLVy0zm/JIBVY9i+M4wpAU=
+k8s.io/utils v0.0.0-20230505201702-9f6742963106/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
-sigs.k8s.io/controller-runtime v0.14.6 h1:oxstGVvXGNnMvY7TAESYk+lzr6S3V5VFxQ6d92KcwQA=
-sigs.k8s.io/controller-runtime v0.14.6/go.mod h1:WqIdsAY6JBsjfc/CqO0CORmNtoCtE4S6qbPc9s68h+0=
-sigs.k8s.io/controller-tools v0.11.3 h1:T1xzLkog9saiyQSLz1XOImu4OcbdXWytc5cmYsBeBiE=
-sigs.k8s.io/controller-tools v0.11.3/go.mod h1:qcfX7jfcfYD/b7lAhvqAyTbt/px4GpvN88WKLFFv7p8=
-sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k=
-sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
+sigs.k8s.io/controller-runtime v0.15.0 h1:ML+5Adt3qZnMSYxZ7gAverBLNPSMQEibtzAgp0UPojU=
+sigs.k8s.io/controller-runtime v0.15.0/go.mod h1:7ngYvp1MLT+9GeZ+6lH3LOlcHkp/+tzA/fmHa4iq9kk=
+sigs.k8s.io/controller-tools v0.12.1 h1:GyQqxzH5wksa4n3YDIJdJJOopztR5VDM+7qsyg5yE4U=
+sigs.k8s.io/controller-tools v0.12.1/go.mod h1:rXlpTfFHZMpZA8aGq9ejArgZiieHd+fkk/fTatY8A2M=
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE=
 sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E=
 sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
diff --git a/internal/controller/ad/secretbackend/zz_controller.go b/internal/controller/ad/secretbackend/zz_controller.go
index 439b585e..cc4d0442 100755
--- a/internal/controller/ad/secretbackend/zz_controller.go
+++ b/internal/controller/ad/secretbackend/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_ad_secret_backend"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_ad_secret_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.SecretBackend{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.SecretBackend{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/ad/secretrole/zz_controller.go b/internal/controller/ad/secretrole/zz_controller.go
index 158ff48f..585e0f3f 100755
--- a/internal/controller/ad/secretrole/zz_controller.go
+++ b/internal/controller/ad/secretrole/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_ad_secret_role"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretRole_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_ad_secret_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.SecretRole{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.SecretRole{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/alicloud/authbackendrole/zz_controller.go b/internal/controller/alicloud/authbackendrole/zz_controller.go
index dddd2a1a..e49f2ee6 100755
--- a/internal/controller/alicloud/authbackendrole/zz_controller.go
+++ b/internal/controller/alicloud/authbackendrole/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_alicloud_auth_backend_role"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_alicloud_auth_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.AuthBackendRole{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.AuthBackendRole{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/approle/authbackendlogin/zz_controller.go b/internal/controller/approle/authbackendlogin/zz_controller.go
index bd2522cd..54bc360c 100755
--- a/internal/controller/approle/authbackendlogin/zz_controller.go
+++ b/internal/controller/approle/authbackendlogin/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendLogin_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_approle_auth_backend_login"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendLogin_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_approle_auth_backend_login"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.AuthBackendLogin{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.AuthBackendLogin{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/approle/authbackendrole/zz_controller.go b/internal/controller/approle/authbackendrole/zz_controller.go
index 5d340ddd..9af79804 100755
--- a/internal/controller/approle/authbackendrole/zz_controller.go
+++ b/internal/controller/approle/authbackendrole/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_approle_auth_backend_role"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_approle_auth_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.AuthBackendRole{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.AuthBackendRole{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/approle/authbackendrolesecretid/zz_controller.go b/internal/controller/approle/authbackendrolesecretid/zz_controller.go
index f4adc313..87916b71 100755
--- a/internal/controller/approle/authbackendrolesecretid/zz_controller.go
+++ b/internal/controller/approle/authbackendrolesecretid/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRoleSecretID_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_approle_auth_backend_role_secret_id"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRoleSecretID_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_approle_auth_backend_role_secret_id"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.AuthBackendRoleSecretID{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.AuthBackendRoleSecretID{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/audit/requestheader/zz_controller.go b/internal/controller/audit/requestheader/zz_controller.go
index a991e795..c2a0703d 100755
--- a/internal/controller/audit/requestheader/zz_controller.go
+++ b/internal/controller/audit/requestheader/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.RequestHeader_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_audit_request_header"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.RequestHeader_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_audit_request_header"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.RequestHeader{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.RequestHeader{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/auth/backend/zz_controller.go b/internal/controller/auth/backend/zz_controller.go
index 7a4b58c8..42ee3764 100755
--- a/internal/controller/auth/backend/zz_controller.go
+++ b/internal/controller/auth/backend/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Backend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_auth_backend"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Backend_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_auth_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.Backend{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.Backend{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/aws/authbackendcert/zz_controller.go b/internal/controller/aws/authbackendcert/zz_controller.go
index c113877f..d4d723f4 100755
--- a/internal/controller/aws/authbackendcert/zz_controller.go
+++ b/internal/controller/aws/authbackendcert/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendCert_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_cert"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendCert_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_cert"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.AuthBackendCert{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.AuthBackendCert{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/aws/authbackendclient/zz_controller.go b/internal/controller/aws/authbackendclient/zz_controller.go
index 44bc5697..f457a286 100755
--- a/internal/controller/aws/authbackendclient/zz_controller.go
+++ b/internal/controller/aws/authbackendclient/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendClient_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_client"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendClient_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_client"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.AuthBackendClient{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.AuthBackendClient{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/aws/authbackendconfigidentity/zz_controller.go b/internal/controller/aws/authbackendconfigidentity/zz_controller.go index b4048f3f..c5708002 100755 --- a/internal/controller/aws/authbackendconfigidentity/zz_controller.go +++ b/internal/controller/aws/authbackendconfigidentity/zz_controller.go 
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendConfigIdentity_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_config_identity"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendConfigIdentity_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_config_identity"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.AuthBackendConfigIdentity{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.AuthBackendConfigIdentity{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/aws/authbackendidentitywhitelist/zz_controller.go b/internal/controller/aws/authbackendidentitywhitelist/zz_controller.go index c3a48a1d..5f54537a 100755 --- a/internal/controller/aws/authbackendidentitywhitelist/zz_controller.go +++ b/internal/controller/aws/authbackendidentitywhitelist/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendIdentityWhitelist_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_identity_whitelist"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendIdentityWhitelist_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_identity_whitelist"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), 
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.AuthBackendIdentityWhitelist{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.AuthBackendIdentityWhitelist{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/aws/authbackendlogin/zz_controller.go b/internal/controller/aws/authbackendlogin/zz_controller.go index cc667d69..6c95bffd 100755 --- a/internal/controller/aws/authbackendlogin/zz_controller.go +++ b/internal/controller/aws/authbackendlogin/zz_controller.go 
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendLogin_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_login"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendLogin_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_login"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.AuthBackendLogin{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.AuthBackendLogin{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/aws/authbackendrole/zz_controller.go b/internal/controller/aws/authbackendrole/zz_controller.go index 6ed7ed6f..dba39748 100755 
--- a/internal/controller/aws/authbackendrole/zz_controller.go +++ b/internal/controller/aws/authbackendrole/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_role"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.AuthBackendRole{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.AuthBackendRole{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/aws/authbackendroletag/zz_controller.go b/internal/controller/aws/authbackendroletag/zz_controller.go index 25a84a25..a27d4ff3 100755 --- a/internal/controller/aws/authbackendroletag/zz_controller.go +++ b/internal/controller/aws/authbackendroletag/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRoleTag_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_role_tag"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRoleTag_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_role_tag"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), 
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.AuthBackendRoleTag{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.AuthBackendRoleTag{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/aws/authbackendroletagblacklist/zz_controller.go b/internal/controller/aws/authbackendroletagblacklist/zz_controller.go index f85c4220..fdddeb1b 100755 --- a/internal/controller/aws/authbackendroletagblacklist/zz_controller.go +++ b/internal/controller/aws/authbackendroletagblacklist/zz_controller.go 
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRoletagBlacklist_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_roletag_blacklist"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRoletagBlacklist_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_roletag_blacklist"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.AuthBackendRoletagBlacklist{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.AuthBackendRoletagBlacklist{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/aws/authbackendstsrole/zz_controller.go b/internal/controller/aws/authbackendstsrole/zz_controller.go index bc8ecdc3..abd017b3 100755 --- a/internal/controller/aws/authbackendstsrole/zz_controller.go +++ b/internal/controller/aws/authbackendstsrole/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendStsRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_sts_role"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendStsRole_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_sts_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), 
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.AuthBackendStsRole{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.AuthBackendStsRole{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/aws/secretbackend/zz_controller.go b/internal/controller/aws/secretbackend/zz_controller.go index 606d20ae..2d1ef79c 100755 --- a/internal/controller/aws/secretbackend/zz_controller.go +++ b/internal/controller/aws/secretbackend/zz_controller.go 
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_secret_backend"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_secret_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.SecretBackend{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.SecretBackend{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/aws/secretbackendrole/zz_controller.go b/internal/controller/aws/secretbackendrole/zz_controller.go index 27e85637..acf9a855 100755 
--- a/internal/controller/aws/secretbackendrole/zz_controller.go +++ b/internal/controller/aws/secretbackendrole/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_secret_backend_role"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_secret_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.SecretBackendRole{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.SecretBackendRole{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/azure/authbackendconfig/zz_controller.go b/internal/controller/azure/authbackendconfig/zz_controller.go index 128e85f1..205a989d 100755 --- a/internal/controller/azure/authbackendconfig/zz_controller.go +++ b/internal/controller/azure/authbackendconfig/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendConfig_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_azure_auth_backend_config"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendConfig_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_azure_auth_backend_config"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), 
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.AuthBackendConfig{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.AuthBackendConfig{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/azure/authbackendrole/zz_controller.go b/internal/controller/azure/authbackendrole/zz_controller.go index d8e3a6dd..25de2c85 100755 --- a/internal/controller/azure/authbackendrole/zz_controller.go +++ b/internal/controller/azure/authbackendrole/zz_controller.go 
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_azure_auth_backend_role"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_azure_auth_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.AuthBackendRole{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.AuthBackendRole{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/azure/secretbackend/zz_controller.go b/internal/controller/azure/secretbackend/zz_controller.go index 45b12070..4427a6a8 100755 
--- a/internal/controller/azure/secretbackend/zz_controller.go +++ b/internal/controller/azure/secretbackend/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_azure_secret_backend"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_azure_secret_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.SecretBackend{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.SecretBackend{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/azure/secretbackendrole/zz_controller.go b/internal/controller/azure/secretbackendrole/zz_controller.go index 747d78ec..4c89f15b 100755 --- a/internal/controller/azure/secretbackendrole/zz_controller.go +++ b/internal/controller/azure/secretbackendrole/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_azure_secret_backend_role"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_azure_secret_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), 
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.SecretBackendRole{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.SecretBackendRole{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/cert/authbackendrole/zz_controller.go b/internal/controller/cert/authbackendrole/zz_controller.go index 2bb25d6f..057383de 100755 --- a/internal/controller/cert/authbackendrole/zz_controller.go +++ b/internal/controller/cert/authbackendrole/zz_controller.go 
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_cert_auth_backend_role"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_cert_auth_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.AuthBackendRole{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.AuthBackendRole{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/consul/secretbackend/zz_controller.go b/internal/controller/consul/secretbackend/zz_controller.go index c7ca0890..718a6217 100755 
--- a/internal/controller/consul/secretbackend/zz_controller.go +++ b/internal/controller/consul/secretbackend/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_consul_secret_backend"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_consul_secret_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.SecretBackend{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.SecretBackend{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/consul/secretbackendrole/zz_controller.go b/internal/controller/consul/secretbackendrole/zz_controller.go index 24916c59..57a254bc 100755 --- a/internal/controller/consul/secretbackendrole/zz_controller.go +++ b/internal/controller/consul/secretbackendrole/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_consul_secret_backend_role"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_consul_secret_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), 
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.SecretBackendRole{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.SecretBackendRole{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/database/secretbackendconnection/zz_controller.go b/internal/controller/database/secretbackendconnection/zz_controller.go index 00d81894..ecab5898 100755 --- a/internal/controller/database/secretbackendconnection/zz_controller.go +++ b/internal/controller/database/secretbackendconnection/zz_controller.go 
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendConnection_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_database_secret_backend_connection"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendConnection_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_database_secret_backend_connection"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.SecretBackendConnection{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.SecretBackendConnection{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/database/secretbackendrole/zz_controller.go b/internal/controller/database/secretbackendrole/zz_controller.go index e0490145..744461d6 100755 --- a/internal/controller/database/secretbackendrole/zz_controller.go +++ b/internal/controller/database/secretbackendrole/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_database_secret_backend_role"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_database_secret_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), 
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.SecretBackendRole{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.SecretBackendRole{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/database/secretbackendstaticrole/zz_controller.go b/internal/controller/database/secretbackendstaticrole/zz_controller.go index 68802031..e2abc471 100755 --- a/internal/controller/database/secretbackendstaticrole/zz_controller.go +++ b/internal/controller/database/secretbackendstaticrole/zz_controller.go 
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendStaticRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_database_secret_backend_static_role"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendStaticRole_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_database_secret_backend_static_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.SecretBackendStaticRole{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.SecretBackendStaticRole{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/database/secretsmount/zz_controller.go b/internal/controller/database/secretsmount/zz_controller.go index be84e9b3..7d130d91 100755 --- a/internal/controller/database/secretsmount/zz_controller.go +++ b/internal/controller/database/secretsmount/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretsMount_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_database_secrets_mount"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretsMount_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_database_secrets_mount"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), 
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.SecretsMount{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.SecretsMount{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/egp/policy/zz_controller.go b/internal/controller/egp/policy/zz_controller.go index 1eca2671..e8443e45 100755 --- a/internal/controller/egp/policy/zz_controller.go +++ b/internal/controller/egp/policy/zz_controller.go 
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Policy_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_egp_policy"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Policy_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_egp_policy"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.Policy{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.Policy{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/gcp/authbackend/zz_controller.go b/internal/controller/gcp/authbackend/zz_controller.go index 8b4ac4fa..118ee3f4 100755 --- a/internal/controller/gcp/authbackend/zz_controller.go 
+++ b/internal/controller/gcp/authbackend/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_gcp_auth_backend"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackend_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_gcp_auth_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.AuthBackend{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.AuthBackend{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/gcp/authbackendrole/zz_controller.go b/internal/controller/gcp/authbackendrole/zz_controller.go index f9e8f9fd..9d4de1ea 100755 --- a/internal/controller/gcp/authbackendrole/zz_controller.go +++ b/internal/controller/gcp/authbackendrole/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_gcp_auth_backend_role"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_gcp_auth_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), 
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.AuthBackendRole{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.AuthBackendRole{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/gcp/secretbackend/zz_controller.go b/internal/controller/gcp/secretbackend/zz_controller.go index 194308b4..2f1f3b27 100755 --- a/internal/controller/gcp/secretbackend/zz_controller.go +++ b/internal/controller/gcp/secretbackend/zz_controller.go 
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_gcp_secret_backend"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_gcp_secret_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.SecretBackend{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.SecretBackend{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/gcp/secretimpersonatedaccount/zz_controller.go b/internal/controller/gcp/secretimpersonatedaccount/zz_controller.go index 2b5642e8..aadaec53 100755 
--- a/internal/controller/gcp/secretimpersonatedaccount/zz_controller.go +++ b/internal/controller/gcp/secretimpersonatedaccount/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretImpersonatedAccount_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_gcp_secret_impersonated_account"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretImpersonatedAccount_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_gcp_secret_impersonated_account"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), 
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.SecretImpersonatedAccount{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.SecretImpersonatedAccount{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/gcp/secretroleset/zz_controller.go b/internal/controller/gcp/secretroleset/zz_controller.go index 27b3becc..156bb765 100755 --- a/internal/controller/gcp/secretroleset/zz_controller.go +++ b/internal/controller/gcp/secretroleset/zz_controller.go 
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretRoleset_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_gcp_secret_roleset"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretRoleset_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_gcp_secret_roleset"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.SecretRoleset{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.SecretRoleset{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/gcp/secretstaticaccount/zz_controller.go b/internal/controller/gcp/secretstaticaccount/zz_controller.go index d248fa6f..6285b2bd 100755 
--- a/internal/controller/gcp/secretstaticaccount/zz_controller.go +++ b/internal/controller/gcp/secretstaticaccount/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretStaticAccount_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_gcp_secret_static_account"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretStaticAccount_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_gcp_secret_static_account"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.SecretStaticAccount{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.SecretStaticAccount{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/generic/endpoint/zz_controller.go b/internal/controller/generic/endpoint/zz_controller.go index 11d672df..21f6cf06 100755 --- a/internal/controller/generic/endpoint/zz_controller.go +++ b/internal/controller/generic/endpoint/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Endpoint_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_generic_endpoint"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Endpoint_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_generic_endpoint"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), 
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.Endpoint{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.Endpoint{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/generic/secret/zz_controller.go b/internal/controller/generic/secret/zz_controller.go index a4e44309..003bb54b 100755 --- a/internal/controller/generic/secret/zz_controller.go +++ b/internal/controller/generic/secret/zz_controller.go 
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Secret_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_generic_secret"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Secret_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_generic_secret"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.Secret{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.Secret{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/github/authbackend/zz_controller.go b/internal/controller/github/authbackend/zz_controller.go index d05543c8..74e9e104 100755 
--- a/internal/controller/github/authbackend/zz_controller.go +++ b/internal/controller/github/authbackend/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_github_auth_backend"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackend_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_github_auth_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.AuthBackend{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.AuthBackend{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/github/team/zz_controller.go b/internal/controller/github/team/zz_controller.go index cb1c2c30..e2dbf91d 100755 --- a/internal/controller/github/team/zz_controller.go +++ b/internal/controller/github/team/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Team_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_github_team"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Team_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_github_team"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), 
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.Team{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.Team{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/github/user/zz_controller.go b/internal/controller/github/user/zz_controller.go index 4b035312..fa0c0cb5 100755 --- a/internal/controller/github/user/zz_controller.go +++ b/internal/controller/github/user/zz_controller.go 
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.User_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_github_user"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.User_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_github_user"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.User{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.User{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/identity/entity/zz_controller.go b/internal/controller/identity/entity/zz_controller.go index 484664a4..b83f39ba 100755 --- a/internal/controller/identity/entity/zz_controller.go 
+++ b/internal/controller/identity/entity/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Entity_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_entity"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Entity_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_entity"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.Entity{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.Entity{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/identity/entityalias/zz_controller.go b/internal/controller/identity/entityalias/zz_controller.go index b7f2705a..c27c8c47 100755 --- a/internal/controller/identity/entityalias/zz_controller.go +++ b/internal/controller/identity/entityalias/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.EntityAlias_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_entity_alias"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.EntityAlias_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_entity_alias"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), 
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.EntityAlias{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.EntityAlias{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/identity/entitypolicies/zz_controller.go b/internal/controller/identity/entitypolicies/zz_controller.go index 0a136149..405916f7 100755 --- a/internal/controller/identity/entitypolicies/zz_controller.go +++ b/internal/controller/identity/entitypolicies/zz_controller.go 
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.EntityPolicies_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_entity_policies"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.EntityPolicies_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_entity_policies"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.EntityPolicies{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.EntityPolicies{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/identity/group/zz_controller.go b/internal/controller/identity/group/zz_controller.go index d5f05719..3a5d247a 100755 
--- a/internal/controller/identity/group/zz_controller.go +++ b/internal/controller/identity/group/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Group_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_group"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Group_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_group"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.Group{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.Group{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/identity/groupalias/zz_controller.go b/internal/controller/identity/groupalias/zz_controller.go index c6449299..800c1f6f 100755 --- a/internal/controller/identity/groupalias/zz_controller.go +++ b/internal/controller/identity/groupalias/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.GroupAlias_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_group_alias"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.GroupAlias_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_group_alias"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), 
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.GroupAlias{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.GroupAlias{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/identity/groupmemberentityids/zz_controller.go b/internal/controller/identity/groupmemberentityids/zz_controller.go index b6ddafbd..73636922 100755 --- a/internal/controller/identity/groupmemberentityids/zz_controller.go +++ b/internal/controller/identity/groupmemberentityids/zz_controller.go 
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.GroupMemberEntityIds_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_group_member_entity_ids"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.GroupMemberEntityIds_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_group_member_entity_ids"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.GroupMemberEntityIds{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.GroupMemberEntityIds{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/identity/groupmembergroupids/zz_controller.go b/internal/controller/identity/groupmembergroupids/zz_controller.go index 7506614c..9bb5ae40 100755 --- a/internal/controller/identity/groupmembergroupids/zz_controller.go +++ b/internal/controller/identity/groupmembergroupids/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.GroupMemberGroupIds_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_group_member_group_ids"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.GroupMemberGroupIds_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_group_member_group_ids"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), 
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.GroupMemberGroupIds{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.GroupMemberGroupIds{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/identity/grouppolicies/zz_controller.go b/internal/controller/identity/grouppolicies/zz_controller.go index 9414d765..686fc100 100755 --- a/internal/controller/identity/grouppolicies/zz_controller.go +++ b/internal/controller/identity/grouppolicies/zz_controller.go 
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.GroupPolicies_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_group_policies"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.GroupPolicies_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_group_policies"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.GroupPolicies{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.GroupPolicies{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/identity/mfaduo/zz_controller.go b/internal/controller/identity/mfaduo/zz_controller.go index d092cf02..eae9b6f2 100755 
--- a/internal/controller/identity/mfaduo/zz_controller.go +++ b/internal/controller/identity/mfaduo/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.MfaDuo_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_mfa_duo"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.MfaDuo_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_mfa_duo"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.MfaDuo{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.MfaDuo{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/identity/mfaloginenforcement/zz_controller.go b/internal/controller/identity/mfaloginenforcement/zz_controller.go index fa2e261b..e394efd1 100755 --- a/internal/controller/identity/mfaloginenforcement/zz_controller.go +++ b/internal/controller/identity/mfaloginenforcement/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.MfaLoginEnforcement_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_mfa_login_enforcement"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.MfaLoginEnforcement_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_mfa_login_enforcement"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), 
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.MfaLoginEnforcement{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.MfaLoginEnforcement{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/identity/mfaokta/zz_controller.go b/internal/controller/identity/mfaokta/zz_controller.go index 39665051..c2c93eb9 100755 --- a/internal/controller/identity/mfaokta/zz_controller.go +++ b/internal/controller/identity/mfaokta/zz_controller.go 
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.MfaOkta_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_mfa_okta"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.MfaOkta_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_mfa_okta"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.MfaOkta{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.MfaOkta{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/identity/mfapingid/zz_controller.go b/internal/controller/identity/mfapingid/zz_controller.go index c61cf242..15f4e625 100755 
--- a/internal/controller/identity/mfapingid/zz_controller.go +++ b/internal/controller/identity/mfapingid/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.MfaPingid_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_mfa_pingid"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.MfaPingid_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_mfa_pingid"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.MfaPingid{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.MfaPingid{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/identity/mfatotp/zz_controller.go b/internal/controller/identity/mfatotp/zz_controller.go index a486eaca..1927ed59 100755 --- a/internal/controller/identity/mfatotp/zz_controller.go +++ b/internal/controller/identity/mfatotp/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.MfaTotp_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_mfa_totp"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.MfaTotp_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_mfa_totp"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), 
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.MfaTotp{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.MfaTotp{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/identity/oidc/zz_controller.go b/internal/controller/identity/oidc/zz_controller.go index 428baf8c..1a0241bc 100755 --- a/internal/controller/identity/oidc/zz_controller.go +++ b/internal/controller/identity/oidc/zz_controller.go 
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Oidc_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Oidc_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.Oidc{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.Oidc{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/identity/oidcassignment/zz_controller.go b/internal/controller/identity/oidcassignment/zz_controller.go index 32b9ff4f..d4fa1fe7 100755 
--- a/internal/controller/identity/oidcassignment/zz_controller.go +++ b/internal/controller/identity/oidcassignment/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.OidcAssignment_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc_assignment"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.OidcAssignment_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc_assignment"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.OidcAssignment{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.OidcAssignment{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/identity/oidcclient/zz_controller.go b/internal/controller/identity/oidcclient/zz_controller.go index 9e5f193f..b79b1598 100755 --- a/internal/controller/identity/oidcclient/zz_controller.go +++ b/internal/controller/identity/oidcclient/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.OidcClient_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc_client"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.OidcClient_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc_client"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), 
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.OidcClient{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.OidcClient{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/identity/oidckey/zz_controller.go b/internal/controller/identity/oidckey/zz_controller.go
index 9c77e279..3a8a961e 100755
--- a/internal/controller/identity/oidckey/zz_controller.go
+++ b/internal/controller/identity/oidckey/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.OidcKey_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc_key"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.OidcKey_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc_key"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.OidcKey{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.OidcKey{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/identity/oidckeyallowedclientid/zz_controller.go b/internal/controller/identity/oidckeyallowedclientid/zz_controller.go
index 39f8aacd..6846c48a 100755
--- a/internal/controller/identity/oidckeyallowedclientid/zz_controller.go
+++ b/internal/controller/identity/oidckeyallowedclientid/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.OidcKeyAllowedClientID_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc_key_allowed_client_id"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.OidcKeyAllowedClientID_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc_key_allowed_client_id"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.OidcKeyAllowedClientID{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.OidcKeyAllowedClientID{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/identity/oidcprovider/zz_controller.go b/internal/controller/identity/oidcprovider/zz_controller.go
index 6ad9aedf..fe69bf7b 100755
--- a/internal/controller/identity/oidcprovider/zz_controller.go
+++ b/internal/controller/identity/oidcprovider/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.OidcProvider_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc_provider"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.OidcProvider_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc_provider"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.OidcProvider{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.OidcProvider{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/identity/oidcrole/zz_controller.go b/internal/controller/identity/oidcrole/zz_controller.go
index 96ad34d4..9205917f 100755
--- a/internal/controller/identity/oidcrole/zz_controller.go
+++ b/internal/controller/identity/oidcrole/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.OidcRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc_role"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.OidcRole_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.OidcRole{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.OidcRole{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/identity/oidcscope/zz_controller.go b/internal/controller/identity/oidcscope/zz_controller.go
index 63914ee3..a73abf33 100755
--- a/internal/controller/identity/oidcscope/zz_controller.go
+++ b/internal/controller/identity/oidcscope/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.OidcScope_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc_scope"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.OidcScope_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc_scope"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.OidcScope{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.OidcScope{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/jwt/authbackend/zz_controller.go b/internal/controller/jwt/authbackend/zz_controller.go
index 92bf961f..7aa9177c 100755
--- a/internal/controller/jwt/authbackend/zz_controller.go
+++ b/internal/controller/jwt/authbackend/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_jwt_auth_backend"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackend_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_jwt_auth_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.AuthBackend{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.AuthBackend{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/jwt/authbackendrole/zz_controller.go b/internal/controller/jwt/authbackendrole/zz_controller.go
index 2feb960e..1023f5e8 100755
--- a/internal/controller/jwt/authbackendrole/zz_controller.go
+++ b/internal/controller/jwt/authbackendrole/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_jwt_auth_backend_role"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_jwt_auth_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.AuthBackendRole{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.AuthBackendRole{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/kmip/secretbackend/zz_controller.go b/internal/controller/kmip/secretbackend/zz_controller.go
index 25e12765..9532e7e8 100755
--- a/internal/controller/kmip/secretbackend/zz_controller.go
+++ b/internal/controller/kmip/secretbackend/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_kmip_secret_backend"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_kmip_secret_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.SecretBackend{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.SecretBackend{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/kmip/secretrole/zz_controller.go b/internal/controller/kmip/secretrole/zz_controller.go
index 6eaa9ed3..59aac7ff 100755
--- a/internal/controller/kmip/secretrole/zz_controller.go
+++ b/internal/controller/kmip/secretrole/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_kmip_secret_role"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretRole_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_kmip_secret_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.SecretRole{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.SecretRole{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/kmip/secretscope/zz_controller.go b/internal/controller/kmip/secretscope/zz_controller.go
index 42e7a7b8..761af289 100755
--- a/internal/controller/kmip/secretscope/zz_controller.go
+++ b/internal/controller/kmip/secretscope/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretScope_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_kmip_secret_scope"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretScope_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_kmip_secret_scope"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.SecretScope{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.SecretScope{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/kubernetes/authbackendconfig/zz_controller.go b/internal/controller/kubernetes/authbackendconfig/zz_controller.go
index b985cafb..bb32da51 100755
--- a/internal/controller/kubernetes/authbackendconfig/zz_controller.go
+++ b/internal/controller/kubernetes/authbackendconfig/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendConfig_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_kubernetes_auth_backend_config"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendConfig_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_kubernetes_auth_backend_config"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.AuthBackendConfig{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.AuthBackendConfig{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/kubernetes/authbackendrole/zz_controller.go b/internal/controller/kubernetes/authbackendrole/zz_controller.go
index 953294e9..00cf3b1c 100755
--- a/internal/controller/kubernetes/authbackendrole/zz_controller.go
+++ b/internal/controller/kubernetes/authbackendrole/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_kubernetes_auth_backend_role"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_kubernetes_auth_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.AuthBackendRole{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.AuthBackendRole{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/kubernetes/secretbackend/zz_controller.go b/internal/controller/kubernetes/secretbackend/zz_controller.go
index 80f526f0..f4aa0228 100755
--- a/internal/controller/kubernetes/secretbackend/zz_controller.go
+++ b/internal/controller/kubernetes/secretbackend/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_kubernetes_secret_backend"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_kubernetes_secret_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.SecretBackend{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.SecretBackend{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/kubernetes/secretbackendrole/zz_controller.go b/internal/controller/kubernetes/secretbackendrole/zz_controller.go
index 3382d693..dfe76f54 100755
--- a/internal/controller/kubernetes/secretbackendrole/zz_controller.go
+++ b/internal/controller/kubernetes/secretbackendrole/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_kubernetes_secret_backend_role"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_kubernetes_secret_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.SecretBackendRole{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.SecretBackendRole{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/kv/secret/zz_controller.go b/internal/controller/kv/secret/zz_controller.go
index 0e061e87..f498949b 100755
--- a/internal/controller/kv/secret/zz_controller.go
+++ b/internal/controller/kv/secret/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Secret_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_kv_secret"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Secret_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_kv_secret"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.Secret{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.Secret{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/kv/secretbackendv2/zz_controller.go b/internal/controller/kv/secretbackendv2/zz_controller.go
index 9e4f33f7..bb9b7a9c 100755
--- a/internal/controller/kv/secretbackendv2/zz_controller.go
+++ b/internal/controller/kv/secretbackendv2/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendV2_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_kv_secret_backend_v2"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendV2_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_kv_secret_backend_v2"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.SecretBackendV2{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.SecretBackendV2{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/kv/secretv2/zz_controller.go b/internal/controller/kv/secretv2/zz_controller.go index 18aecfb0..b029d33a 100755 --- a/internal/controller/kv/secretv2/zz_controller.go +++ b/internal/controller/kv/secretv2/zz_controller.go 
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretV2_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_kv_secret_v2"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretV2_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_kv_secret_v2"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.SecretV2{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.SecretV2{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/ldap/authbackend/zz_controller.go b/internal/controller/ldap/authbackend/zz_controller.go index 088488d4..b62d912f 100755 
--- a/internal/controller/ldap/authbackend/zz_controller.go +++ b/internal/controller/ldap/authbackend/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_ldap_auth_backend"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackend_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_ldap_auth_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.AuthBackend{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.AuthBackend{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/ldap/authbackendgroup/zz_controller.go b/internal/controller/ldap/authbackendgroup/zz_controller.go index 97f1f9d6..3a51258f 100755 --- a/internal/controller/ldap/authbackendgroup/zz_controller.go +++ b/internal/controller/ldap/authbackendgroup/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendGroup_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_ldap_auth_backend_group"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendGroup_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_ldap_auth_backend_group"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), 
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.AuthBackendGroup{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.AuthBackendGroup{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/ldap/authbackenduser/zz_controller.go b/internal/controller/ldap/authbackenduser/zz_controller.go index f7761a0f..d699c174 100755 --- a/internal/controller/ldap/authbackenduser/zz_controller.go +++ b/internal/controller/ldap/authbackenduser/zz_controller.go 
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendUser_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_ldap_auth_backend_user"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendUser_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_ldap_auth_backend_user"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.AuthBackendUser{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.AuthBackendUser{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/managed/keys/zz_controller.go b/internal/controller/managed/keys/zz_controller.go index 5c54ba11..e7ea8728 100755 
--- a/internal/controller/managed/keys/zz_controller.go +++ b/internal/controller/managed/keys/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Keys_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_managed_keys"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Keys_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_managed_keys"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.Keys{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.Keys{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/mfa/duo/zz_controller.go b/internal/controller/mfa/duo/zz_controller.go index b44409ca..d4c340cd 100755 --- a/internal/controller/mfa/duo/zz_controller.go +++ b/internal/controller/mfa/duo/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Duo_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_mfa_duo"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Duo_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_mfa_duo"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.Duo{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.Duo{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/mfa/okta/zz_controller.go b/internal/controller/mfa/okta/zz_controller.go index 976e7ace..08f89674 100755 --- a/internal/controller/mfa/okta/zz_controller.go +++ b/internal/controller/mfa/okta/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Okta_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_mfa_okta"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Okta_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_mfa_okta"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), 
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.Okta{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.Okta{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/mfa/pingid/zz_controller.go b/internal/controller/mfa/pingid/zz_controller.go index 44de5d55..a1560913 100755 --- a/internal/controller/mfa/pingid/zz_controller.go +++ b/internal/controller/mfa/pingid/zz_controller.go 
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Pingid_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_mfa_pingid"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Pingid_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_mfa_pingid"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.Pingid{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.Pingid{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/mfa/totp/zz_controller.go b/internal/controller/mfa/totp/zz_controller.go index 97053659..30a0c18c 100755 --- a/internal/controller/mfa/totp/zz_controller.go 
+++ b/internal/controller/mfa/totp/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Totp_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_mfa_totp"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Totp_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_mfa_totp"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.Totp{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.Totp{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/mongodbatlas/secretbackend/zz_controller.go b/internal/controller/mongodbatlas/secretbackend/zz_controller.go index 41cabfbb..7a231bcb 100755 
--- a/internal/controller/mongodbatlas/secretbackend/zz_controller.go +++ b/internal/controller/mongodbatlas/secretbackend/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_mongodbatlas_secret_backend"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_mongodbatlas_secret_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.SecretBackend{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.SecretBackend{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/mongodbatlas/secretrole/zz_controller.go b/internal/controller/mongodbatlas/secretrole/zz_controller.go index bce849cb..7c0f2bc7 100755 --- a/internal/controller/mongodbatlas/secretrole/zz_controller.go +++ b/internal/controller/mongodbatlas/secretrole/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_mongodbatlas_secret_role"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretRole_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_mongodbatlas_secret_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), 
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.SecretRole{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.SecretRole{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/nomad/secretbackend/zz_controller.go b/internal/controller/nomad/secretbackend/zz_controller.go index 85535072..d9852d3c 100755 --- a/internal/controller/nomad/secretbackend/zz_controller.go +++ b/internal/controller/nomad/secretbackend/zz_controller.go 
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_nomad_secret_backend"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_nomad_secret_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.SecretBackend{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.SecretBackend{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/nomad/secretrole/zz_controller.go b/internal/controller/nomad/secretrole/zz_controller.go index 9746b834..85fd6890 100755 
--- a/internal/controller/nomad/secretrole/zz_controller.go +++ b/internal/controller/nomad/secretrole/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_nomad_secret_role"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretRole_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_nomad_secret_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.SecretRole{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.SecretRole{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/okta/authbackend/zz_controller.go b/internal/controller/okta/authbackend/zz_controller.go index a84de1a6..470e6272 100755 --- a/internal/controller/okta/authbackend/zz_controller.go +++ b/internal/controller/okta/authbackend/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_okta_auth_backend"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackend_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_okta_auth_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), 
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.AuthBackend{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.AuthBackend{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/okta/authbackendgroup/zz_controller.go b/internal/controller/okta/authbackendgroup/zz_controller.go index 12e1d2f4..8476fa64 100755 --- a/internal/controller/okta/authbackendgroup/zz_controller.go +++ b/internal/controller/okta/authbackendgroup/zz_controller.go 
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendGroup_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_okta_auth_backend_group"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendGroup_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_okta_auth_backend_group"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.AuthBackendGroup{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.AuthBackendGroup{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/okta/authbackenduser/zz_controller.go b/internal/controller/okta/authbackenduser/zz_controller.go index 8ff6b98b..c98a8a8b 100755 --- a/internal/controller/okta/authbackenduser/zz_controller.go +++ b/internal/controller/okta/authbackenduser/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendUser_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_okta_auth_backend_user"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendUser_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_okta_auth_backend_user"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), 
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.AuthBackendUser{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.AuthBackendUser{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/password/policy/zz_controller.go b/internal/controller/password/policy/zz_controller.go
index f82c9536..ebb275f4 100755
--- a/internal/controller/password/policy/zz_controller.go
+++ b/internal/controller/password/policy/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Policy_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_password_policy"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Policy_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_password_policy"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.Policy{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.Policy{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/pki/secretbackendcert/zz_controller.go b/internal/controller/pki/secretbackendcert/zz_controller.go
index b3f78ac3..542f0c3b 100755
--- a/internal/controller/pki/secretbackendcert/zz_controller.go
+++ b/internal/controller/pki/secretbackendcert/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendCert_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_cert"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendCert_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_cert"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.SecretBackendCert{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.SecretBackendCert{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/pki/secretbackendconfigca/zz_controller.go b/internal/controller/pki/secretbackendconfigca/zz_controller.go
index 1c558370..3c155b84 100755
--- a/internal/controller/pki/secretbackendconfigca/zz_controller.go
+++ b/internal/controller/pki/secretbackendconfigca/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendConfigCA_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_config_ca"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendConfigCA_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_config_ca"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.SecretBackendConfigCA{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.SecretBackendConfigCA{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/pki/secretbackendconfigurls/zz_controller.go b/internal/controller/pki/secretbackendconfigurls/zz_controller.go
index 9a3b138d..f6b3e515 100755
--- a/internal/controller/pki/secretbackendconfigurls/zz_controller.go
+++ b/internal/controller/pki/secretbackendconfigurls/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendConfigUrls_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_config_urls"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendConfigUrls_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_config_urls"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.SecretBackendConfigUrls{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.SecretBackendConfigUrls{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/pki/secretbackendcrlconfig/zz_controller.go b/internal/controller/pki/secretbackendcrlconfig/zz_controller.go
index 000a4ab1..b18056dd 100755
--- a/internal/controller/pki/secretbackendcrlconfig/zz_controller.go
+++ b/internal/controller/pki/secretbackendcrlconfig/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendCrlConfig_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_crl_config"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendCrlConfig_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_crl_config"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.SecretBackendCrlConfig{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.SecretBackendCrlConfig{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/pki/secretbackendintermediatecertrequest/zz_controller.go b/internal/controller/pki/secretbackendintermediatecertrequest/zz_controller.go
index ea788df3..4e88160c 100755
--- a/internal/controller/pki/secretbackendintermediatecertrequest/zz_controller.go
+++ b/internal/controller/pki/secretbackendintermediatecertrequest/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendIntermediateCertRequest_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_intermediate_cert_request"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendIntermediateCertRequest_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_intermediate_cert_request"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.SecretBackendIntermediateCertRequest{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.SecretBackendIntermediateCertRequest{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/pki/secretbackendintermediatesetsigned/zz_controller.go b/internal/controller/pki/secretbackendintermediatesetsigned/zz_controller.go
index b01039f5..0e612bfa 100755
--- a/internal/controller/pki/secretbackendintermediatesetsigned/zz_controller.go
+++ b/internal/controller/pki/secretbackendintermediatesetsigned/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendIntermediateSetSigned_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_intermediate_set_signed"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendIntermediateSetSigned_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_intermediate_set_signed"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.SecretBackendIntermediateSetSigned{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.SecretBackendIntermediateSetSigned{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/pki/secretbackendrole/zz_controller.go b/internal/controller/pki/secretbackendrole/zz_controller.go
index 81cd375e..d22c5ed6 100755
--- a/internal/controller/pki/secretbackendrole/zz_controller.go
+++ b/internal/controller/pki/secretbackendrole/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_role"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.SecretBackendRole{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.SecretBackendRole{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/pki/secretbackendrootcert/zz_controller.go b/internal/controller/pki/secretbackendrootcert/zz_controller.go
index 2d553c8e..ffa28d83 100755
--- a/internal/controller/pki/secretbackendrootcert/zz_controller.go
+++ b/internal/controller/pki/secretbackendrootcert/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRootCert_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_root_cert"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRootCert_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_root_cert"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.SecretBackendRootCert{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.SecretBackendRootCert{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/pki/secretbackendrootsignintermediate/zz_controller.go b/internal/controller/pki/secretbackendrootsignintermediate/zz_controller.go
index dd3d5660..a87f0086 100755
--- a/internal/controller/pki/secretbackendrootsignintermediate/zz_controller.go
+++ b/internal/controller/pki/secretbackendrootsignintermediate/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRootSignIntermediate_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_root_sign_intermediate"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRootSignIntermediate_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_root_sign_intermediate"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.SecretBackendRootSignIntermediate{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.SecretBackendRootSignIntermediate{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/pki/secretbackendsign/zz_controller.go b/internal/controller/pki/secretbackendsign/zz_controller.go
index 74dd0e4e..27ef28cb 100755
--- a/internal/controller/pki/secretbackendsign/zz_controller.go
+++ b/internal/controller/pki/secretbackendsign/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendSign_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_sign"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendSign_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_sign"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.SecretBackendSign{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.SecretBackendSign{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/providerconfig/config.go b/internal/controller/providerconfig/config.go
index b10cf720..a6facfaa 100644
--- a/internal/controller/providerconfig/config.go
+++ b/internal/controller/providerconfig/config.go
@@ -6,7 +6,6 @@ package providerconfig
 import (
 ctrl "sigs.k8s.io/controller-runtime"
- "sigs.k8s.io/controller-runtime/pkg/source"
 "github.com/crossplane/crossplane-runtime/pkg/event"
 "github.com/crossplane/crossplane-runtime/pkg/reconciler/providerconfig"
@@ -30,7 +29,7 @@ func Setup(mgr ctrl.Manager, o controller.Options) error {
 Named(name).
 WithOptions(o.ForControllerRuntime()).
 For(&v1beta1.ProviderConfig{}).
- Watches(&source.Kind{Type: &v1beta1.ProviderConfigUsage{}}, &resource.EnqueueRequestForProviderConfig{}).
+ Watches(&v1beta1.ProviderConfigUsage{}, &resource.EnqueueRequestForProviderConfig{}).
 Complete(providerconfig.NewReconciler(mgr, of,
 providerconfig.WithLogger(o.Logger.WithValues("controller", name)),
 providerconfig.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name)))))
diff --git a/internal/controller/quota/leasecount/zz_controller.go b/internal/controller/quota/leasecount/zz_controller.go
index 7f980d97..a0b55a6a 100755
--- a/internal/controller/quota/leasecount/zz_controller.go
+++ b/internal/controller/quota/leasecount/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.LeaseCount_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_quota_lease_count"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.LeaseCount_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_quota_lease_count"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.LeaseCount{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.LeaseCount{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/quota/ratelimit/zz_controller.go b/internal/controller/quota/ratelimit/zz_controller.go
index a621487f..48285b66 100755
--- a/internal/controller/quota/ratelimit/zz_controller.go
+++ b/internal/controller/quota/ratelimit/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.RateLimit_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_quota_rate_limit"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.RateLimit_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_quota_rate_limit"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.RateLimit{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.RateLimit{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/rabbitmq/secretbackend/zz_controller.go b/internal/controller/rabbitmq/secretbackend/zz_controller.go
index 1e0bad63..737cba62 100755
--- a/internal/controller/rabbitmq/secretbackend/zz_controller.go
+++ b/internal/controller/rabbitmq/secretbackend/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 var initializers managed.InitializerChain
 cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 if o.SecretStoreConfigGVK != nil {
- cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
 }
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler))
 opts := []managed.ReconcilerOption{
- managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_rabbitmq_secret_backend"], tjcontroller.WithLogger(o.Logger),
- tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind))),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_rabbitmq_secret_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler),
+ tjcontroller.WithCallbackProvider(ac),
 )),
 managed.WithLogger(o.Logger.WithValues("controller", name)),
 managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 return ctrl.NewControllerManagedBy(mgr).
 Named(name).
 WithOptions(o.ForControllerRuntime()).
- For(&v1alpha1.SecretBackend{}).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1alpha1.SecretBackend{}, o.EventHandler).
 Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
 }
diff --git a/internal/controller/rabbitmq/secretbackendrole/zz_controller.go b/internal/controller/rabbitmq/secretbackendrole/zz_controller.go
index e7f4d5a2..af1e8f01 100755
--- a/internal/controller/rabbitmq/secretbackendrole/zz_controller.go
+++ b/internal/controller/rabbitmq/secretbackendrole/zz_controller.go
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_rabbitmq_secret_backend_role"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_rabbitmq_secret_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.SecretBackendRole{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.SecretBackendRole{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/raft/autopilot/zz_controller.go b/internal/controller/raft/autopilot/zz_controller.go index c2be603c..9edf0484 100755 --- a/internal/controller/raft/autopilot/zz_controller.go +++ b/internal/controller/raft/autopilot/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Autopilot_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_raft_autopilot"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Autopilot_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_raft_autopilot"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), 
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.Autopilot{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.Autopilot{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/raft/snapshotagentconfig/zz_controller.go b/internal/controller/raft/snapshotagentconfig/zz_controller.go index 4f2bb01a..2846e5a7 100755 --- a/internal/controller/raft/snapshotagentconfig/zz_controller.go +++ b/internal/controller/raft/snapshotagentconfig/zz_controller.go 
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SnapshotAgentConfig_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_raft_snapshot_agent_config"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SnapshotAgentConfig_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_raft_snapshot_agent_config"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.SnapshotAgentConfig{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.SnapshotAgentConfig{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/rgp/policy/zz_controller.go b/internal/controller/rgp/policy/zz_controller.go index e844e671..de8660db 100755 --- a/internal/controller/rgp/policy/zz_controller.go +++ b/internal/controller/rgp/policy/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Policy_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_rgp_policy"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Policy_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_rgp_policy"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), 
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.Policy{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.Policy{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/ssh/secretbackendca/zz_controller.go b/internal/controller/ssh/secretbackendca/zz_controller.go index eea5cb0f..6574dc0d 100755 --- a/internal/controller/ssh/secretbackendca/zz_controller.go +++ b/internal/controller/ssh/secretbackendca/zz_controller.go 
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendCA_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_ssh_secret_backend_ca"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendCA_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_ssh_secret_backend_ca"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.SecretBackendCA{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.SecretBackendCA{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/ssh/secretbackendrole/zz_controller.go b/internal/controller/ssh/secretbackendrole/zz_controller.go index 862e4d08..edd3a9fc 100755 
--- a/internal/controller/ssh/secretbackendrole/zz_controller.go +++ b/internal/controller/ssh/secretbackendrole/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_ssh_secret_backend_role"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_ssh_secret_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.SecretBackendRole{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.SecretBackendRole{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/terraform/cloudsecretbackend/zz_controller.go b/internal/controller/terraform/cloudsecretbackend/zz_controller.go index 956b2f80..865cde05 100755 --- a/internal/controller/terraform/cloudsecretbackend/zz_controller.go +++ b/internal/controller/terraform/cloudsecretbackend/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.CloudSecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_terraform_cloud_secret_backend"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.CloudSecretBackend_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_terraform_cloud_secret_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), 
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.CloudSecretBackend{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.CloudSecretBackend{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/terraform/cloudsecretcreds/zz_controller.go b/internal/controller/terraform/cloudsecretcreds/zz_controller.go index e306f7e5..452a0763 100755 --- a/internal/controller/terraform/cloudsecretcreds/zz_controller.go +++ b/internal/controller/terraform/cloudsecretcreds/zz_controller.go 
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.CloudSecretCreds_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_terraform_cloud_secret_creds"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.CloudSecretCreds_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_terraform_cloud_secret_creds"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.CloudSecretCreds{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.CloudSecretCreds{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/terraform/cloudsecretrole/zz_controller.go b/internal/controller/terraform/cloudsecretrole/zz_controller.go index 6f263c75..ec894357 100755 --- a/internal/controller/terraform/cloudsecretrole/zz_controller.go +++ b/internal/controller/terraform/cloudsecretrole/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.CloudSecretRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_terraform_cloud_secret_role"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.CloudSecretRole_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_terraform_cloud_secret_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), 
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.CloudSecretRole{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.CloudSecretRole{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/token/authbackendrole/zz_controller.go b/internal/controller/token/authbackendrole/zz_controller.go index ec0c0066..e5d7eb68 100755 --- a/internal/controller/token/authbackendrole/zz_controller.go +++ b/internal/controller/token/authbackendrole/zz_controller.go 
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_token_auth_backend_role"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_token_auth_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.AuthBackendRole{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.AuthBackendRole{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/transform/alphabet/zz_controller.go b/internal/controller/transform/alphabet/zz_controller.go index 83cd0cd0..2bf2215c 100755 
--- a/internal/controller/transform/alphabet/zz_controller.go +++ b/internal/controller/transform/alphabet/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Alphabet_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_transform_alphabet"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Alphabet_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_transform_alphabet"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.Alphabet{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.Alphabet{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/transform/role/zz_controller.go b/internal/controller/transform/role/zz_controller.go index 6c4d548e..fcb70535 100755 --- a/internal/controller/transform/role/zz_controller.go +++ b/internal/controller/transform/role/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Role_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_transform_role"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Role_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_transform_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), 
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.Role{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.Role{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/transform/template/zz_controller.go b/internal/controller/transform/template/zz_controller.go index ae15b972..c70178a6 100755 --- a/internal/controller/transform/template/zz_controller.go +++ b/internal/controller/transform/template/zz_controller.go 
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Template_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_transform_template"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Template_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_transform_template"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.Template{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.Template{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/transform/transformation/zz_controller.go b/internal/controller/transform/transformation/zz_controller.go index 6f5b3b4c..b512df12 100755 
--- a/internal/controller/transform/transformation/zz_controller.go +++ b/internal/controller/transform/transformation/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Transformation_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_transform_transformation"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Transformation_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_transform_transformation"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.Transformation{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.Transformation{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/transit/secretbackendkey/zz_controller.go b/internal/controller/transit/secretbackendkey/zz_controller.go index ee2821b3..f6541852 100755 --- a/internal/controller/transit/secretbackendkey/zz_controller.go +++ b/internal/controller/transit/secretbackendkey/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendKey_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_transit_secret_backend_key"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendKey_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_transit_secret_backend_key"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), 
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.SecretBackendKey{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.SecretBackendKey{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/vault/audit/zz_controller.go b/internal/controller/vault/audit/zz_controller.go index 9d186224..dde56dd6 100755 --- a/internal/controller/vault/audit/zz_controller.go +++ b/internal/controller/vault/audit/zz_controller.go 
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Audit_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_audit"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Audit_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_audit"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.Audit{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.Audit{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/vault/mount/zz_controller.go b/internal/controller/vault/mount/zz_controller.go index 78dd849b..4f80fddb 100755 --- a/internal/controller/vault/mount/zz_controller.go 
+++ b/internal/controller/vault/mount/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Mount_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_mount"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Mount_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_mount"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.Mount{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.Mount{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/vault/namespace/zz_controller.go b/internal/controller/vault/namespace/zz_controller.go index 913eb891..e26d93b9 100755 
--- a/internal/controller/vault/namespace/zz_controller.go +++ b/internal/controller/vault/namespace/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Namespace_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_namespace"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Namespace_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_namespace"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.Namespace{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.Namespace{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/vault/policy/zz_controller.go b/internal/controller/vault/policy/zz_controller.go index af9b8ed3..861826d3 100755 --- a/internal/controller/vault/policy/zz_controller.go +++ b/internal/controller/vault/policy/zz_controller.go @@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Policy_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_policy"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Policy_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_policy"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), 
@@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.Policy{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.Policy{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/vault/token/zz_controller.go b/internal/controller/vault/token/zz_controller.go index 05760d2d..38d95e92 100755 --- a/internal/controller/vault/token/zz_controller.go +++ b/internal/controller/vault/token/zz_controller.go 
@@ -28,11 +28,12 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { var initializers managed.InitializerChain cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} if o.SecretStoreConfigGVK != nil { - cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK)) + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Token_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_token"], tjcontroller.WithLogger(o.Logger), - tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Token_GroupVersionKind))), + managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_token"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), + tjcontroller.WithCallbackProvider(ac), )), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), @@ -50,6 +51,7 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). - For(&v1alpha1.Token{}). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.Token{}, o.EventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/package/crds/ad.vault.upbound.io_secretbackends.yaml b/package/crds/ad.vault.upbound.io_secretbackends.yaml index 171e791e..1268ea9c 100644 --- a/package/crds/ad.vault.upbound.io_secretbackends.yaml 
+++ b/package/crds/ad.vault.upbound.io_secretbackends.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackends.ad.vault.upbound.io spec: group: ad.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: SecretBackend is the Schema for the SecretBackends API. + description: SecretBackend is the Schema for the SecretBackends API. Creates + an Active Directory secret backend for Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -70,18 +70,24 @@ spec: anonymousGroupSearch: description: Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the - initial connection test). + initial connection test). Use anonymous binds when performing + LDAP group searches (if true the initial credentials will still + be used for the initial connection test). type: boolean backend: - description: The mount path for a backend, for example, the path - given in "$ vault auth enable -path=my-ad ad". + description: The unique path this backend should be mounted at. + Must not begin or end with a /. Defaults to ad. The mount path + for a backend, for example, the path given in "$ vault auth + enable -path=my-ad ad". type: string binddn: description: Distinguished name of object to bind when performing - user and group search. + user and group search. Distinguished name of object to bind + when performing user and group search. type: string bindpassSecretRef: - description: LDAP password for searching for the user DN. + description: Password to use along with binddn when performing + user search. LDAP password for searching for the user DN. properties: key: description: The key to select. 
@@ -98,16 +104,21 @@ spec: - namespace type: object caseSensitiveNames: - description: If true, case sensitivity will be used when comparing - usernames and groups for matching policies. + description: If set, user and group names assigned to policies + within the backend will be case sensitive. Otherwise, names + will be normalized to lower case. If true, case sensitivity + will be used when comparing usernames and groups for matching + policies. type: boolean certificate: description: CA certificate to use when verifying LDAP server - certificate, must be x509 PEM encoded. + certificate, must be x509 PEM encoded. CA certificate to use + when verifying LDAP server certificate, must be x509 PEM encoded. type: string clientTlsCertSecretRef: description: Client certificate to provide to the LDAP server, - must be x509 PEM encoded. + must be x509 PEM encoded. Client certificate to provide to the + LDAP server, must be x509 PEM encoded. properties: key: description: The key to select. @@ -125,7 +136,8 @@ spec: type: object clientTlsKeySecretRef: description: Client certificate key to provide to the LDAP server, - must be x509 PEM encoded. + must be x509 PEM encoded. Client certificate key to provide + to the LDAP server, must be x509 PEM encoded. properties: key: description: The key to select. 
@@ -142,94 +154,138 @@ spec: - namespace type: object defaultLeaseTtlSeconds: - description: Default lease duration for secrets in seconds + description: Default lease duration for secrets in seconds. Default + lease duration for secrets in seconds type: number denyNullBind: description: Denies an unauthenticated LDAP bind request if the - user's password is empty; defaults to true + user's password is empty; defaults to true. Denies an unauthenticated + LDAP bind request if the user's password is empty; defaults + to true type: boolean description: - description: Human-friendly description of the mount for the backend. + description: Human-friendly description of the mount for the Active + Directory backend. Human-friendly description of the mount for + the backend. type: string disableRemount: description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. type: boolean discoverdn: - description: Use anonymous bind to discover the bind DN of a user. + description: Use anonymous bind to discover the bind Distinguished + Name of a user. Use anonymous bind to discover the bind DN of + a user. type: boolean formatter: - description: Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". + description: Deprecated use password_policy. Text to insert the + password into, ex. "customPrefix{{PASSWORD}}customSuffix". Text + to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". type: string groupattr: - description: 'LDAP attribute to follow on objects returned by - in order to enumerate user group membership. Examples: - "cn" or "memberOf", etc. Default: cn' + description: 'LDAP attribute to follow on objects returned by in + order to enumerate user group membership. Examples: cn or memberOf, + etc. Defaults to cn. LDAP attribute to follow on objects returned + by in order to enumerate user group membership. 
+ Examples: "cn" or "memberOf", etc. Default: cn' type: string groupdn: description: 'LDAP search base to use for group membership search - (eg: ou=Groups,dc=example,dc=org)' + (eg: ou=Groups,dc=example,dc=org). LDAP search base to use for + group membership search (eg: ou=Groups,dc=example,dc=org)' type: string groupfilter: - description: 'Go template for querying group membership of user. - The template can access the following context variables: UserDN, - Username Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) + description: 'Go template for querying group membership of user The + template can access the following context variables: UserDN, + Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}})) + Go template for querying group membership of user. The template + can access the following context variables: UserDN, Username + Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))' type: string insecureTls: - description: Skip LDAP server SSL Certificate verification - insecure - and not recommended for production use. + description: Skip LDAP server SSL Certificate verification. This + is not recommended for production. Defaults to false. Skip LDAP + server SSL Certificate verification - insecure and not recommended + for production use. type: boolean lastRotationTolerance: description: The number of seconds after a Vault rotation where, + if Active Directory shows a later rotation, it should be considered + out-of-band The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band. type: number length: - description: The desired length of passwords that Vault generates. + description: Deprecated use password_policy. The desired length + of passwords that Vault generates. 
Mutually exclusive with The + desired length of passwords that Vault generates. type: number local: description: Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration - to use when checking the last rotation time. + to use when checking the last rotation time. Mark the secrets + engine as local-only. Local engines are not replicated or removed + by replication.Tolerance duration to use when checking the last + rotation time. type: boolean maxLeaseTtlSeconds: description: Maximum possible lease duration for secrets in seconds. + Maximum possible lease duration for secrets in seconds. type: number maxTtl: - description: In seconds, the maximum password time-to-live. + description: In seconds, the maximum password time-to-live. In + seconds, the maximum password time-to-live. type: number namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string passwordPolicy: - description: Name of the password policy to use to generate passwords. + description: 1.11+ Name of the password policy to use to generate + passwords. type: string requestTimeout: description: Timeout, in seconds, for the connection when making requests against the server before returning back an error. + Timeout, in seconds, for the connection when making requests + against the server before returning back an error. type: number starttls: description: Issue a StartTLS command after establishing unencrypted + connection. Issue a StartTLS command after establishing unencrypted connection. type: boolean tlsMaxVersion: - description: Maximum TLS version to use. Accepted values are 'tls10', - 'tls11', 'tls12' or 'tls13'. 
Defaults to 'tls12' + description: Maximum TLS version to use. Accepted values are tls10, + tls11, tls12 or tls13. Defaults to tls12. Maximum TLS version + to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. + Defaults to 'tls12' type: string tlsMinVersion: - description: Minimum TLS version to use. Accepted values are 'tls10', - 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12' + description: Minimum TLS version to use. Accepted values are tls10, + tls11, tls12 or tls13. Defaults to tls12. Minimum TLS version + to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. + Defaults to 'tls12' type: string ttl: - description: In seconds, the default password time-to-live. + description: In seconds, the default password time-to-live. In + seconds, the default password time-to-live. type: number upndomain: description: Enables userPrincipalDomain login with [username]@UPNDomain. + Enables userPrincipalDomain login with [username]@UPNDomain. type: string url: - description: 'LDAP URL to connect to (default: ldap://127.0.0.1). - Multiple URLs can be specified by concatenating them with commas; - they will be tried in-order.' + description: 'LDAP URL to connect to. Multiple URLs can be specified + by concatenating them with commas; they will be tried in-order. + Defaults to ldap://127.0.0.1. LDAP URL to connect to (default: + ldap://127.0.0.1). Multiple URLs can be specified by concatenating + them with commas; they will be tried in-order.' type: string usePre111GroupCnBehavior: description: In Vault 1.1.1 a fix for handling group CN values 
@@ -239,35 +295,269 @@ spec: for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default - on new configurations. + on new configurations. In Vault 1.1.1 a fix for handling group + CN values of different cases unfortunately introduced a regression + that could cause previously defined groups to not be found due + to a change in the resulting name. If set true, the pre-1.1.1 + behavior for matching group CNs will be used. This is only needed + in some upgrade scenarios for backwards compatibility. It is + enabled by default if the config is upgraded but disabled by + default on new configurations. type: boolean useTokenGroups: description: If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will - find all security groups including nested ones. + find all security groups including nested ones. If true, use + the Active Directory tokenGroups constructed attribute of the + user to find the group memberships. This will find all security + groups including nested ones. type: boolean userattr: - description: 'Attribute used for users (default: cn)' + description: 'Attribute used when searching users. Defaults to + cn. Attribute used for users (default: cn)' type: string userdn: - description: 'LDAP domain to use for users (eg: ou=People,dc=example,dc=org)' + description: 'LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`. + LDAP domain to use for users (eg: ou=People,dc=example,dc=org)' type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. 
InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + anonymousGroupSearch: + description: Use anonymous binds when performing LDAP group searches + (if true the initial credentials will still be used for the + initial connection test). Use anonymous binds when performing + LDAP group searches (if true the initial credentials will still + be used for the initial connection test). + type: boolean + backend: + description: The unique path this backend should be mounted at. + Must not begin or end with a /. Defaults to ad. The mount path + for a backend, for example, the path given in "$ vault auth + enable -path=my-ad ad". + type: string + binddn: + description: Distinguished name of object to bind when performing + user and group search. Distinguished name of object to bind + when performing user and group search. + type: string + caseSensitiveNames: + description: If set, user and group names assigned to policies + within the backend will be case sensitive. Otherwise, names + will be normalized to lower case. If true, case sensitivity + will be used when comparing usernames and groups for matching + policies. + type: boolean + certificate: + description: CA certificate to use when verifying LDAP server + certificate, must be x509 PEM encoded. CA certificate to use + when verifying LDAP server certificate, must be x509 PEM encoded. + type: string + defaultLeaseTtlSeconds: + description: Default lease duration for secrets in seconds. 
Default + lease duration for secrets in seconds + type: number + denyNullBind: + description: Denies an unauthenticated LDAP bind request if the + user's password is empty; defaults to true. Denies an unauthenticated + LDAP bind request if the user's password is empty; defaults + to true + type: boolean + description: + description: Human-friendly description of the mount for the Active + Directory backend. Human-friendly description of the mount for + the backend. + type: string + disableRemount: + description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. + type: boolean + discoverdn: + description: Use anonymous bind to discover the bind Distinguished + Name of a user. Use anonymous bind to discover the bind DN of + a user. + type: boolean + formatter: + description: Deprecated use password_policy. Text to insert the + password into, ex. "customPrefix{{PASSWORD}}customSuffix". Text + to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". + type: string + groupattr: + description: 'LDAP attribute to follow on objects returned by in + order to enumerate user group membership. Examples: cn or memberOf, + etc. Defaults to cn. LDAP attribute to follow on objects returned + by in order to enumerate user group membership. + Examples: "cn" or "memberOf", etc. Default: cn' + type: string + groupdn: + description: 'LDAP search base to use for group membership search + (eg: ou=Groups,dc=example,dc=org). LDAP search base to use for + group membership search (eg: ou=Groups,dc=example,dc=org)' + type: string + groupfilter: + description: 'Go template for querying group membership of user The + template can access the following context variables: UserDN, + Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}})) + Go template for querying group membership of user. 
The template + can access the following context variables: UserDN, Username + Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) + Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))' + type: string + insecureTls: + description: Skip LDAP server SSL Certificate verification. This + is not recommended for production. Defaults to false. Skip LDAP + server SSL Certificate verification - insecure and not recommended + for production use. + type: boolean + lastRotationTolerance: + description: The number of seconds after a Vault rotation where, + if Active Directory shows a later rotation, it should be considered + out-of-band The number of seconds after a Vault rotation where, + if Active Directory shows a later rotation, it should be considered + out-of-band. + type: number + length: + description: Deprecated use password_policy. The desired length + of passwords that Vault generates. Mutually exclusive with The + desired length of passwords that Vault generates. + type: number + local: + description: Mark the secrets engine as local-only. Local engines + are not replicated or removed by replication.Tolerance duration + to use when checking the last rotation time. Mark the secrets + engine as local-only. Local engines are not replicated or removed + by replication.Tolerance duration to use when checking the last + rotation time. + type: boolean + maxLeaseTtlSeconds: + description: Maximum possible lease duration for secrets in seconds. + Maximum possible lease duration for secrets in seconds. + type: number + maxTtl: + description: In seconds, the maximum password time-to-live. In + seconds, the maximum password time-to-live. + type: number + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. 
(requires + Enterprise) + type: string + passwordPolicy: + description: 1.11+ Name of the password policy to use to generate + passwords. + type: string + requestTimeout: + description: Timeout, in seconds, for the connection when making + requests against the server before returning back an error. + Timeout, in seconds, for the connection when making requests + against the server before returning back an error. + type: number + starttls: + description: Issue a StartTLS command after establishing unencrypted + connection. Issue a StartTLS command after establishing unencrypted + connection. + type: boolean + tlsMaxVersion: + description: Maximum TLS version to use. Accepted values are tls10, + tls11, tls12 or tls13. Defaults to tls12. Maximum TLS version + to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. + Defaults to 'tls12' + type: string + tlsMinVersion: + description: Minimum TLS version to use. Accepted values are tls10, + tls11, tls12 or tls13. Defaults to tls12. Minimum TLS version + to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. + Defaults to 'tls12' + type: string + ttl: + description: In seconds, the default password time-to-live. In + seconds, the default password time-to-live. + type: number + upndomain: + description: Enables userPrincipalDomain login with [username]@UPNDomain. + Enables userPrincipalDomain login with [username]@UPNDomain. + type: string + url: + description: 'LDAP URL to connect to. Multiple URLs can be specified + by concatenating them with commas; they will be tried in-order. + Defaults to ldap://127.0.0.1. LDAP URL to connect to (default: + ldap://127.0.0.1). Multiple URLs can be specified by concatenating + them with commas; they will be tried in-order.' 
+ type: string + usePre111GroupCnBehavior: + description: In Vault 1.1.1 a fix for handling group CN values + of different cases unfortunately introduced a regression that + could cause previously defined groups to not be found due to + a change in the resulting name. If set true, the pre-1.1.1 behavior + for matching group CNs will be used. This is only needed in + some upgrade scenarios for backwards compatibility. It is enabled + by default if the config is upgraded but disabled by default + on new configurations. In Vault 1.1.1 a fix for handling group + CN values of different cases unfortunately introduced a regression + that could cause previously defined groups to not be found due + to a change in the resulting name. If set true, the pre-1.1.1 + behavior for matching group CNs will be used. This is only needed + in some upgrade scenarios for backwards compatibility. It is + enabled by default if the config is upgraded but disabled by + default on new configurations. + type: boolean + useTokenGroups: + description: If true, use the Active Directory tokenGroups constructed + attribute of the user to find the group memberships. This will + find all security groups including nested ones. If true, use + the Active Directory tokenGroups constructed attribute of the + user to find the group memberships. This will find all security + groups including nested ones. + type: boolean + userattr: + description: 'Attribute used when searching users. Defaults to + cn. Attribute used for users (default: cn)' + type: string + userdn: + description: 'LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`. + LDAP domain to use for users (eg: ou=People,dc=example,dc=org)' + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. 
ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -441,9 +731,12 @@ spec: type: object x-kubernetes-validations: - message: binddn is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.binddn) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.binddn) + || has(self.initProvider.binddn)' - message: bindpassSecretRef is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bindpassSecretRef) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.bindpassSecretRef)' status: description: SecretBackendStatus defines the observed state of SecretBackend. properties: 
@@ -452,115 +745,168 @@ spec: anonymousGroupSearch: description: Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the - initial connection test). + initial connection test). Use anonymous binds when performing + LDAP group searches (if true the initial credentials will still + be used for the initial connection test). type: boolean backend: - description: The mount path for a backend, for example, the path - given in "$ vault auth enable -path=my-ad ad". + description: The unique path this backend should be mounted at. + Must not begin or end with a /. Defaults to ad. The mount path + for a backend, for example, the path given in "$ vault auth + enable -path=my-ad ad". type: string binddn: description: Distinguished name of object to bind when performing - user and group search. + user and group search. Distinguished name of object to bind + when performing user and group search. type: string caseSensitiveNames: - description: If true, case sensitivity will be used when comparing - usernames and groups for matching policies. + description: If set, user and group names assigned to policies + within the backend will be case sensitive. Otherwise, names + will be normalized to lower case. If true, case sensitivity + will be used when comparing usernames and groups for matching + policies. type: boolean certificate: description: CA certificate to use when verifying LDAP server - certificate, must be x509 PEM encoded. + certificate, must be x509 PEM encoded. CA certificate to use + when verifying LDAP server certificate, must be x509 PEM encoded. type: string defaultLeaseTtlSeconds: - description: Default lease duration for secrets in seconds + description: Default lease duration for secrets in seconds. 
Default + lease duration for secrets in seconds type: number denyNullBind: description: Denies an unauthenticated LDAP bind request if the - user's password is empty; defaults to true + user's password is empty; defaults to true. Denies an unauthenticated + LDAP bind request if the user's password is empty; defaults + to true type: boolean description: - description: Human-friendly description of the mount for the backend. + description: Human-friendly description of the mount for the Active + Directory backend. Human-friendly description of the mount for + the backend. type: string disableRemount: description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. type: boolean discoverdn: - description: Use anonymous bind to discover the bind DN of a user. + description: Use anonymous bind to discover the bind Distinguished + Name of a user. Use anonymous bind to discover the bind DN of + a user. type: boolean formatter: - description: Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". + description: Deprecated use password_policy. Text to insert the + password into, ex. "customPrefix{{PASSWORD}}customSuffix". Text + to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". type: string groupattr: - description: 'LDAP attribute to follow on objects returned by - in order to enumerate user group membership. Examples: - "cn" or "memberOf", etc. Default: cn' + description: 'LDAP attribute to follow on objects returned by in + order to enumerate user group membership. Examples: cn or memberOf, + etc. Defaults to cn. LDAP attribute to follow on objects returned + by in order to enumerate user group membership. + Examples: "cn" or "memberOf", etc. Default: cn' type: string groupdn: description: 'LDAP search base to use for group membership search - (eg: ou=Groups,dc=example,dc=org)' + (eg: ou=Groups,dc=example,dc=org). 
LDAP search base to use for + group membership search (eg: ou=Groups,dc=example,dc=org)' type: string groupfilter: - description: 'Go template for querying group membership of user. - The template can access the following context variables: UserDN, - Username Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) + description: 'Go template for querying group membership of user The + template can access the following context variables: UserDN, + Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}})) + Go template for querying group membership of user. The template + can access the following context variables: UserDN, Username + Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))' type: string id: type: string insecureTls: - description: Skip LDAP server SSL Certificate verification - insecure - and not recommended for production use. + description: Skip LDAP server SSL Certificate verification. This + is not recommended for production. Defaults to false. Skip LDAP + server SSL Certificate verification - insecure and not recommended + for production use. type: boolean lastRotationTolerance: description: The number of seconds after a Vault rotation where, + if Active Directory shows a later rotation, it should be considered + out-of-band The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band. type: number length: - description: The desired length of passwords that Vault generates. + description: Deprecated use password_policy. The desired length + of passwords that Vault generates. Mutually exclusive with The + desired length of passwords that Vault generates. type: number local: description: Mark the secrets engine as local-only. 
Local engines are not replicated or removed by replication.Tolerance duration - to use when checking the last rotation time. + to use when checking the last rotation time. Mark the secrets + engine as local-only. Local engines are not replicated or removed + by replication.Tolerance duration to use when checking the last + rotation time. type: boolean maxLeaseTtlSeconds: description: Maximum possible lease duration for secrets in seconds. + Maximum possible lease duration for secrets in seconds. type: number maxTtl: - description: In seconds, the maximum password time-to-live. + description: In seconds, the maximum password time-to-live. In + seconds, the maximum password time-to-live. type: number namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string passwordPolicy: - description: Name of the password policy to use to generate passwords. + description: 1.11+ Name of the password policy to use to generate + passwords. type: string requestTimeout: description: Timeout, in seconds, for the connection when making requests against the server before returning back an error. + Timeout, in seconds, for the connection when making requests + against the server before returning back an error. type: number starttls: description: Issue a StartTLS command after establishing unencrypted + connection. Issue a StartTLS command after establishing unencrypted connection. type: boolean tlsMaxVersion: - description: Maximum TLS version to use. Accepted values are 'tls10', - 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12' + description: Maximum TLS version to use. Accepted values are tls10, + tls11, tls12 or tls13. Defaults to tls12. Maximum TLS version + to use. 
Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. + Defaults to 'tls12' type: string tlsMinVersion: - description: Minimum TLS version to use. Accepted values are 'tls10', - 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12' + description: Minimum TLS version to use. Accepted values are tls10, + tls11, tls12 or tls13. Defaults to tls12. Minimum TLS version + to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. + Defaults to 'tls12' type: string ttl: - description: In seconds, the default password time-to-live. + description: In seconds, the default password time-to-live. In + seconds, the default password time-to-live. type: number upndomain: description: Enables userPrincipalDomain login with [username]@UPNDomain. + Enables userPrincipalDomain login with [username]@UPNDomain. type: string url: - description: 'LDAP URL to connect to (default: ldap://127.0.0.1). - Multiple URLs can be specified by concatenating them with commas; - they will be tried in-order.' + description: 'LDAP URL to connect to. Multiple URLs can be specified + by concatenating them with commas; they will be tried in-order. + Defaults to ldap://127.0.0.1. LDAP URL to connect to (default: + ldap://127.0.0.1). Multiple URLs can be specified by concatenating + them with commas; they will be tried in-order.' type: string usePre111GroupCnBehavior: description: In Vault 1.1.1 a fix for handling group CN values 
@@ -570,18 +916,30 @@ spec: for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default - on new configurations. + on new configurations. In Vault 1.1.1 a fix for handling group + CN values of different cases unfortunately introduced a regression + that could cause previously defined groups to not be found due + to a change in the resulting name. If set true, the pre-1.1.1 + behavior for matching group CNs will be used. This is only needed + in some upgrade scenarios for backwards compatibility. It is + enabled by default if the config is upgraded but disabled by + default on new configurations. type: boolean useTokenGroups: description: If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will - find all security groups including nested ones. + find all security groups including nested ones. If true, use + the Active Directory tokenGroups constructed attribute of the + user to find the group memberships. This will find all security + groups including nested ones. type: boolean userattr: - description: 'Attribute used for users (default: cn)' + description: 'Attribute used when searching users. Defaults to + cn. Attribute used for users (default: cn)' type: string userdn: - description: 'LDAP domain to use for users (eg: ou=People,dc=example,dc=org)' + description: 'LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`. + LDAP domain to use for users (eg: ou=People,dc=example,dc=org)' type: string type: object conditions: diff --git a/package/crds/ad.vault.upbound.io_secretroles.yaml b/package/crds/ad.vault.upbound.io_secretroles.yaml index 3fca7962..b26aa862 100644 --- a/package/crds/ad.vault.upbound.io_secretroles.yaml +++ b/package/crds/ad.vault.upbound.io_secretroles.yaml 
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretroles.ad.vault.upbound.io spec: group: ad.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: SecretRole is the Schema for the SecretRoles API. + description: SecretRole is the Schema for the SecretRoles API. Creates a role + on the Active Directory Secret Backend for Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -68,37 +68,96 @@ spec: forProvider: properties: backend: - description: The mount path for the AD backend. + description: The path the AD secret backend is mounted at, with + no leading or trailing /s. The mount path for the AD backend. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string role: - description: Name of the role. + description: The name to identify this role within the backend. + Must be unique within the backend. Name of the role. type: string serviceAccountName: - description: The username/logon name for the service account with - which this role will be associated. + description: Specifies the name of the Active Directory service + account mapped to this role. The username/logon name for the + service account with which this role will be associated. type: string ttl: - description: In seconds, the default password time-to-live. + description: The password time-to-live in seconds. Defaults to + the configuration ttl if not provided. In seconds, the default + password time-to-live. type: number type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. 
This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + backend: + description: The path the AD secret backend is mounted at, with + no leading or trailing /s. The mount path for the AD backend. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + role: + description: The name to identify this role within the backend. + Must be unique within the backend. Name of the role. + type: string + serviceAccountName: + description: Specifies the name of the Active Directory service + account mapped to this role. The username/logon name for the + service account with which this role will be associated. + type: string + ttl: + description: The password time-to-live in seconds. Defaults to + the configuration ttl if not provided. In seconds, the default + password time-to-live. + type: number + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. 
- See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -272,39 +331,56 @@ spec: type: object x-kubernetes-validations: - message: backend is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) + || has(self.initProvider.backend)' - message: role is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.role) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.role) + || has(self.initProvider.role)' - message: serviceAccountName is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.serviceAccountName) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.serviceAccountName) + || has(self.initProvider.serviceAccountName)' status: description: SecretRoleStatus defines the observed state of SecretRole. properties: atProvider: properties: backend: - description: The mount path for the AD backend. + description: The path the AD secret backend is mounted at, with + no leading or trailing /s. The mount path for the AD backend. type: string id: type: string lastVaultRotation: - description: Last time Vault rotated this service account's password. + description: Timestamp of the last password rotation by Vault. + Last time Vault rotated this service account's password. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. 
(requires + Enterprise) type: string passwordLastSet: - description: Last time Vault set this service account's password. + description: Timestamp of the last password set by Vault. Last + time Vault set this service account's password. type: string role: - description: Name of the role. + description: The name to identify this role within the backend. + Must be unique within the backend. Name of the role. type: string serviceAccountName: - description: The username/logon name for the service account with - which this role will be associated. + description: Specifies the name of the Active Directory service + account mapped to this role. The username/logon name for the + service account with which this role will be associated. type: string ttl: - description: In seconds, the default password time-to-live. + description: The password time-to-live in seconds. Defaults to + the configuration ttl if not provided. In seconds, the default + password time-to-live. type: number type: object conditions: diff --git a/package/crds/alicloud.vault.upbound.io_authbackendroles.yaml b/package/crds/alicloud.vault.upbound.io_authbackendroles.yaml index db492bb4..ed9783d5 100644 --- a/package/crds/alicloud.vault.upbound.io_authbackendroles.yaml +++ b/package/crds/alicloud.vault.upbound.io_authbackendroles.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: authbackendroles.alicloud.vault.upbound.io spec: group: alicloud.vault.upbound.io @@ -35,8 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: AuthBackendRole is the Schema for the AuthBackendRoles API. + description: AuthBackendRole is the Schema for the AuthBackendRoles API. Managing + roles in an AliCloud auth backend in Vault properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,68 +68,200 @@ spec: forProvider: properties: arn: - description: The role's arn. + description: The role's arn. The role's arn. type: string backend: - description: Auth backend. + description: Path to the mounted AliCloud auth backend. Defaults + to alicloud Auth backend. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string role: description: Name of the role. Must correspond with the name of - the role reflected in the arn. + the role reflected in the arn. Name of the role. Must correspond + with the name of the role reflected in the arn. type: string tokenBoundCidrs: - description: Specifies the blocks of IP addresses which are allowed - to use the generated token + description: List of CIDR blocks; if set, specifies blocks of + IP addresses which can authenticate successfully, and ties the + resulting token to these blocks as well. Specifies the blocks + of IP addresses which are allowed to use the generated token items: type: string type: array tokenExplicitMaxTtl: - description: Generated Token's Explicit Maximum TTL in seconds + description: If set, will encode an explicit max TTL onto the + token in number of seconds. This is a hard cap even if token_ttl + and token_max_ttl would otherwise allow a renewal. Generated + Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime of the generated token + description: The maximum lifetime for generated tokens in number + of seconds. Its current value will be referenced at renewal + time. 
The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If true, the 'default' policy will not automatically - be added to generated tokens + description: If set, the default policy will not be set on generated + tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added + to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a token may be used, - a value of zero means unlimited + description: The maximum number of times a generated token may + be used (within its lifetime); 0 means unlimited. The maximum + number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: Generated Token's Period + description: If set, indicates that the token generated using + this role should never expire. The token should be renewed within + the duration specified by this value. At each renewal, the token's + TTL will be set to the value of this field. Specified in seconds. + Generated Token's Period type: number tokenPolicies: - description: Generated Token's Policies + description: List of policies to encode onto generated tokens. + Depending on the auth method, this list may be supplemented + by user/group/other values. Generated Token's Policies items: type: string type: array tokenTtl: - description: The initial ttl of the token to generate in seconds + description: The incremental lifetime for generated tokens in + number of seconds. Its current value will be referenced at renewal + time. The initial ttl of the token to generate in seconds type: number tokenType: - description: The type of token to generate, service or batch + description: 'The type of token that should be generated. Can + be service, batch, or default to use the mount''s tuned default + (which unless changed will be service tokens). 
For token store + roles, there are two additional possibilities: default-service + and default-batch which specify the type to return unless the + client requests a different type at generation time. The type + of token to generate, service or batch' type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + arn: + description: The role's arn. The role's arn. + type: string + backend: + description: Path to the mounted AliCloud auth backend. Defaults + to alicloud Auth backend. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + role: + description: Name of the role. Must correspond with the name of + the role reflected in the arn. Name of the role. Must correspond + with the name of the role reflected in the arn. + type: string + tokenBoundCidrs: + description: List of CIDR blocks; if set, specifies blocks of + IP addresses which can authenticate successfully, and ties the + resulting token to these blocks as well. 
Specifies the blocks + of IP addresses which are allowed to use the generated token + items: + type: string + type: array + tokenExplicitMaxTtl: + description: If set, will encode an explicit max TTL onto the + token in number of seconds. This is a hard cap even if token_ttl + and token_max_ttl would otherwise allow a renewal. Generated + Token's Explicit Maximum TTL in seconds + type: number + tokenMaxTtl: + description: The maximum lifetime for generated tokens in number + of seconds. Its current value will be referenced at renewal + time. The maximum lifetime of the generated token + type: number + tokenNoDefaultPolicy: + description: If set, the default policy will not be set on generated + tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added + to generated tokens + type: boolean + tokenNumUses: + description: The maximum number of times a generated token may + be used (within its lifetime); 0 means unlimited. The maximum + number of times a token may be used, a value of zero means unlimited + type: number + tokenPeriod: + description: If set, indicates that the token generated using + this role should never expire. The token should be renewed within + the duration specified by this value. At each renewal, the token's + TTL will be set to the value of this field. Specified in seconds. + Generated Token's Period + type: number + tokenPolicies: + description: List of policies to encode onto generated tokens. + Depending on the auth method, this list may be supplemented + by user/group/other values. Generated Token's Policies + items: + type: string + type: array + tokenTtl: + description: The incremental lifetime for generated tokens in + number of seconds. Its current value will be referenced at renewal + time. The initial ttl of the token to generate in seconds + type: number + tokenType: + description: 'The type of token that should be generated. 
Can + be service, batch, or default to use the mount''s tuned default + (which unless changed will be service tokens). For token store + roles, there are two additional possibilities: default-service + and default-batch which specify the type to return unless the + client requests a different type at generation time. The type + of token to generate, service or batch' + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. 
See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -304,62 +435,96 @@ spec: type: object x-kubernetes-validations: - message: arn is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.arn) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.arn) + || has(self.initProvider.arn)' - message: role is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.role) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.role) + || has(self.initProvider.role)' status: description: AuthBackendRoleStatus defines the observed state of AuthBackendRole. properties: atProvider: properties: arn: - description: The role's arn. + description: The role's arn. The role's arn. type: string backend: - description: Auth backend. + description: Path to the mounted AliCloud auth backend. Defaults + to alicloud Auth backend. type: string id: type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string role: description: Name of the role. Must correspond with the name of - the role reflected in the arn. + the role reflected in the arn. Name of the role. Must correspond + with the name of the role reflected in the arn. type: string tokenBoundCidrs: - description: Specifies the blocks of IP addresses which are allowed - to use the generated token + description: List of CIDR blocks; if set, specifies blocks of + IP addresses which can authenticate successfully, and ties the + resulting token to these blocks as well. 
Specifies the blocks + of IP addresses which are allowed to use the generated token items: type: string type: array tokenExplicitMaxTtl: - description: Generated Token's Explicit Maximum TTL in seconds + description: If set, will encode an explicit max TTL onto the + token in number of seconds. This is a hard cap even if token_ttl + and token_max_ttl would otherwise allow a renewal. Generated + Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime of the generated token + description: The maximum lifetime for generated tokens in number + of seconds. Its current value will be referenced at renewal + time. The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If true, the 'default' policy will not automatically - be added to generated tokens + description: If set, the default policy will not be set on generated + tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added + to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a token may be used, - a value of zero means unlimited + description: The maximum number of times a generated token may + be used (within its lifetime); 0 means unlimited. The maximum + number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: Generated Token's Period + description: If set, indicates that the token generated using + this role should never expire. The token should be renewed within + the duration specified by this value. At each renewal, the token's + TTL will be set to the value of this field. Specified in seconds. + Generated Token's Period type: number tokenPolicies: - description: Generated Token's Policies + description: List of policies to encode onto generated tokens. + Depending on the auth method, this list may be supplemented + by user/group/other values. 
Generated Token's Policies items: type: string type: array tokenTtl: - description: The initial ttl of the token to generate in seconds + description: The incremental lifetime for generated tokens in + number of seconds. Its current value will be referenced at renewal + time. The initial ttl of the token to generate in seconds type: number tokenType: - description: The type of token to generate, service or batch + description: 'The type of token that should be generated. Can + be service, batch, or default to use the mount''s tuned default + (which unless changed will be service tokens). For token store + roles, there are two additional possibilities: default-service + and default-batch which specify the type to return unless the + client requests a different type at generation time. The type + of token to generate, service or batch' type: string type: object conditions: diff --git a/package/crds/approle.vault.upbound.io_authbackendlogins.yaml b/package/crds/approle.vault.upbound.io_authbackendlogins.yaml index 2ac2c80a..62f03599 100644 --- a/package/crds/approle.vault.upbound.io_authbackendlogins.yaml +++ b/package/crds/approle.vault.upbound.io_authbackendlogins.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: authbackendlogins.approle.vault.upbound.io spec: group: approle.vault.upbound.io @@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: AuthBackendLogin is the Schema for the AuthBackendLogins API. - + Log into Vault using the AppRole auth backend. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,33 +68,86 @@ spec: forProvider: properties: backend: - description: Unique name of the auth backend to configure. + description: The unique path of the Vault backend to log in with. + Unique name of the auth backend to configure. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string roleId: - description: The RoleID to log in with. + description: The ID of the role to log in with. The RoleID to + log in with. type: string secretId: - description: The SecretID to log in with. + description: The secret ID of the role to log in with. Required + unless bind_secret_id is set to false on the role. The SecretID + to log in with. type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + backend: + description: The unique path of the Vault backend to log in with. + Unique name of the auth backend to configure. + type: string + namespace: + description: The namespace to provision the resource in. 
The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + roleId: + description: The ID of the role to log in with. The RoleID to + log in with. + type: string + secretId: + description: The secret ID of the role to log in with. Required + unless bind_secret_id is set to false on the role. The SecretID + to log in with. + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. 
See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -269,49 +321,66 @@ spec: type: object x-kubernetes-validations: - message: roleId is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.roleId) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.roleId) + || has(self.initProvider.roleId)' status: description: AuthBackendLoginStatus defines the observed state of AuthBackendLogin. properties: atProvider: properties: accessor: - description: The accessor for the token. + description: The accessor for the token. The accessor for the + token. type: string backend: - description: Unique name of the auth backend to configure. + description: The unique path of the Vault backend to log in with. + Unique name of the auth backend to configure. type: string clientToken: - description: The token. + description: The Vault token created. The token. type: string id: type: string leaseDuration: - description: How long the token is valid for. + description: How long the token is valid for, in seconds. How + long the token is valid for. type: number leaseStarted: + description: The date and time the lease started, in RFC 3339 + format. type: string metadata: additionalProperties: type: string - description: Metadata associated with the token. + description: The metadata associated with the token. Metadata + associated with the token. type: object namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string policies: - description: Policies set on the token. + description: A list of policies applied to the token. Policies + set on the token. 
items: type: string type: array renewable: - description: Whether the token is renewable or not. + description: Whether the token is renewable or not. Whether the + token is renewable or not. type: boolean roleId: - description: The RoleID to log in with. + description: The ID of the role to log in with. The RoleID to + log in with. type: string secretId: - description: The SecretID to log in with. + description: The secret ID of the role to log in with. Required + unless bind_secret_id is set to false on the role. The SecretID + to log in with. type: string type: object conditions: diff --git a/package/crds/approle.vault.upbound.io_authbackendroles.yaml b/package/crds/approle.vault.upbound.io_authbackendroles.yaml index a66d9dd7..1d4cafd8 100644 --- a/package/crds/approle.vault.upbound.io_authbackendroles.yaml +++ b/package/crds/approle.vault.upbound.io_authbackendroles.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: authbackendroles.approle.vault.upbound.io spec: group: approle.vault.upbound.io @@ -35,8 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: AuthBackendRole is the Schema for the AuthBackendRoles API. + description: AuthBackendRole is the Schema for the AuthBackendRoles API. Manages + AppRole auth backend roles in Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,85 +68,250 @@ spec: forProvider: properties: backend: - description: Unique name of the auth backend to configure. + description: The unique name of the auth backend to configure. + Defaults to approle. Unique name of the auth backend to configure. type: string bindSecretId: - description: Whether or not to require secret_id to be present - when logging in using this AppRole. + description: Whether or not to require secret_id to be presented + when logging in using this AppRole. Defaults to true. Whether + or not to require secret_id to be present when logging in using + this AppRole. type: boolean namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string roleId: - description: The RoleID of the role. Autogenerated if not set. + description: The RoleID of this role. If not specified, one will + be auto-generated. The RoleID of the role. Autogenerated if + not set. type: string roleName: - description: Name of the role. + description: The name of the role. Name of the role. type: string secretIdBoundCidrs: - description: List of CIDR blocks that can log in using the AppRole. + description: If set, specifies blocks of IP addresses which can + perform the login operation. List of CIDR blocks that can log + in using the AppRole. items: type: string type: array secretIdNumUses: - description: Number of times which a particular SecretID can be + description: The number of times any particular SecretID can be used to fetch a token from this AppRole, after which the SecretID - will expire. Leaving this unset or setting it to 0 will allow - unlimited uses. + will expire. A value of zero will allow unlimited uses. 
Number + of times which a particular SecretID can be used to fetch a + token from this AppRole, after which the SecretID will expire. + Leaving this unset or setting it to 0 will allow unlimited uses. type: number secretIdTtl: - description: Number of seconds a SecretID remains valid for. + description: The number of seconds after which any SecretID expires. + Number of seconds a SecretID remains valid for. type: number tokenBoundCidrs: - description: Specifies the blocks of IP addresses which are allowed - to use the generated token + description: List of CIDR blocks; if set, specifies blocks of + IP addresses which can authenticate successfully, and ties the + resulting token to these blocks as well. Specifies the blocks + of IP addresses which are allowed to use the generated token items: type: string type: array tokenExplicitMaxTtl: - description: Generated Token's Explicit Maximum TTL in seconds + description: If set, will encode an explicit max TTL onto the + token in number of seconds. This is a hard cap even if token_ttl + and token_max_ttl would otherwise allow a renewal. Generated + Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime of the generated token + description: The maximum lifetime for generated tokens in number + of seconds. Its current value will be referenced at renewal + time. The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If true, the 'default' policy will not automatically - be added to generated tokens + description: If set, the default policy will not be set on generated + tokens; otherwise it will be added to the policies set in token_policies. 
+ If true, the 'default' policy will not automatically be added + to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a token may be used, - a value of zero means unlimited + description: The maximum number of times a generated token may + be used (within its lifetime); 0 means unlimited. The maximum + number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: Generated Token's Period + description: If set, indicates that the token generated using + this role should never expire. The token should be renewed within + the duration specified by this value. At each renewal, the token's + TTL will be set to the value of this field. Specified in seconds. + Generated Token's Period type: number tokenPolicies: - description: Generated Token's Policies + description: List of policies to encode onto generated tokens. + Depending on the auth method, this list may be supplemented + by user/group/other values. Generated Token's Policies items: type: string type: array tokenTtl: - description: The initial ttl of the token to generate in seconds + description: The incremental lifetime for generated tokens in + number of seconds. Its current value will be referenced at renewal + time. The initial ttl of the token to generate in seconds type: number tokenType: - description: The type of token to generate, service or batch + description: 'The type of token that should be generated. Can + be service, batch, or default to use the mount''s tuned default + (which unless changed will be service tokens). For token store + roles, there are two additional possibilities: default-service + and default-batch which specify the type to return unless the + client requests a different type at generation time. The type + of token to generate, service or batch' type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. 
+ It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + backend: + description: The unique name of the auth backend to configure. + Defaults to approle. Unique name of the auth backend to configure. + type: string + bindSecretId: + description: Whether or not to require secret_id to be presented + when logging in using this AppRole. Defaults to true. Whether + or not to require secret_id to be present when logging in using + this AppRole. + type: boolean + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + roleId: + description: The RoleID of this role. If not specified, one will + be auto-generated. The RoleID of the role. Autogenerated if + not set. + type: string + roleName: + description: The name of the role. Name of the role. + type: string + secretIdBoundCidrs: + description: If set, specifies blocks of IP addresses which can + perform the login operation. List of CIDR blocks that can log + in using the AppRole. 
+ items: + type: string + type: array + secretIdNumUses: + description: The number of times any particular SecretID can be + used to fetch a token from this AppRole, after which the SecretID + will expire. A value of zero will allow unlimited uses. Number + of times which a particular SecretID can be used to fetch a + token from this AppRole, after which the SecretID will expire. + Leaving this unset or setting it to 0 will allow unlimited uses. + type: number + secretIdTtl: + description: The number of seconds after which any SecretID expires. + Number of seconds a SecretID remains valid for. + type: number + tokenBoundCidrs: + description: List of CIDR blocks; if set, specifies blocks of + IP addresses which can authenticate successfully, and ties the + resulting token to these blocks as well. Specifies the blocks + of IP addresses which are allowed to use the generated token + items: + type: string + type: array + tokenExplicitMaxTtl: + description: If set, will encode an explicit max TTL onto the + token in number of seconds. This is a hard cap even if token_ttl + and token_max_ttl would otherwise allow a renewal. Generated + Token's Explicit Maximum TTL in seconds + type: number + tokenMaxTtl: + description: The maximum lifetime for generated tokens in number + of seconds. Its current value will be referenced at renewal + time. The maximum lifetime of the generated token + type: number + tokenNoDefaultPolicy: + description: If set, the default policy will not be set on generated + tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added + to generated tokens + type: boolean + tokenNumUses: + description: The maximum number of times a generated token may + be used (within its lifetime); 0 means unlimited. 
The maximum + number of times a token may be used, a value of zero means unlimited + type: number + tokenPeriod: + description: If set, indicates that the token generated using + this role should never expire. The token should be renewed within + the duration specified by this value. At each renewal, the token's + TTL will be set to the value of this field. Specified in seconds. + Generated Token's Period + type: number + tokenPolicies: + description: List of policies to encode onto generated tokens. + Depending on the auth method, this list may be supplemented + by user/group/other values. Generated Token's Policies + items: + type: string + type: array + tokenTtl: + description: The incremental lifetime for generated tokens in + number of seconds. Its current value will be referenced at renewal + time. The initial ttl of the token to generate in seconds + type: number + tokenType: + description: 'The type of token that should be generated. Can + be service, batch, or default to use the mount''s tuned default + (which unless changed will be service tokens). For token store + roles, there are two additional possibilities: default-service + and default-batch which specify the type to return unless the + client requests a different type at generation time. The type + of token to generate, service or batch' + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. 
- See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -321,77 +485,117 @@ spec: type: object x-kubernetes-validations: - message: roleName is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.roleName) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.roleName) + || has(self.initProvider.roleName)' status: description: AuthBackendRoleStatus defines the observed state of AuthBackendRole. properties: atProvider: properties: backend: - description: Unique name of the auth backend to configure. + description: The unique name of the auth backend to configure. + Defaults to approle. Unique name of the auth backend to configure. type: string bindSecretId: - description: Whether or not to require secret_id to be present - when logging in using this AppRole. + description: Whether or not to require secret_id to be presented + when logging in using this AppRole. Defaults to true. Whether + or not to require secret_id to be present when logging in using + this AppRole. type: boolean id: type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string roleId: - description: The RoleID of the role. Autogenerated if not set. + description: The RoleID of this role. If not specified, one will + be auto-generated. The RoleID of the role. Autogenerated if + not set. type: string roleName: - description: Name of the role. + description: The name of the role. Name of the role. type: string secretIdBoundCidrs: - description: List of CIDR blocks that can log in using the AppRole. + description: If set, specifies blocks of IP addresses which can + perform the login operation. 
List of CIDR blocks that can log + in using the AppRole. items: type: string type: array secretIdNumUses: - description: Number of times which a particular SecretID can be + description: The number of times any particular SecretID can be used to fetch a token from this AppRole, after which the SecretID - will expire. Leaving this unset or setting it to 0 will allow - unlimited uses. + will expire. A value of zero will allow unlimited uses. Number + of times which a particular SecretID can be used to fetch a + token from this AppRole, after which the SecretID will expire. + Leaving this unset or setting it to 0 will allow unlimited uses. type: number secretIdTtl: - description: Number of seconds a SecretID remains valid for. + description: The number of seconds after which any SecretID expires. + Number of seconds a SecretID remains valid for. type: number tokenBoundCidrs: - description: Specifies the blocks of IP addresses which are allowed - to use the generated token + description: List of CIDR blocks; if set, specifies blocks of + IP addresses which can authenticate successfully, and ties the + resulting token to these blocks as well. Specifies the blocks + of IP addresses which are allowed to use the generated token items: type: string type: array tokenExplicitMaxTtl: - description: Generated Token's Explicit Maximum TTL in seconds + description: If set, will encode an explicit max TTL onto the + token in number of seconds. This is a hard cap even if token_ttl + and token_max_ttl would otherwise allow a renewal. Generated + Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime of the generated token + description: The maximum lifetime for generated tokens in number + of seconds. Its current value will be referenced at renewal + time. 
The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If true, the 'default' policy will not automatically - be added to generated tokens + description: If set, the default policy will not be set on generated + tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added + to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a token may be used, - a value of zero means unlimited + description: The maximum number of times a generated token may + be used (within its lifetime); 0 means unlimited. The maximum + number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: Generated Token's Period + description: If set, indicates that the token generated using + this role should never expire. The token should be renewed within + the duration specified by this value. At each renewal, the token's + TTL will be set to the value of this field. Specified in seconds. + Generated Token's Period type: number tokenPolicies: - description: Generated Token's Policies + description: List of policies to encode onto generated tokens. + Depending on the auth method, this list may be supplemented + by user/group/other values. Generated Token's Policies items: type: string type: array tokenTtl: - description: The initial ttl of the token to generate in seconds + description: The incremental lifetime for generated tokens in + number of seconds. Its current value will be referenced at renewal + time. The initial ttl of the token to generate in seconds type: number tokenType: - description: The type of token to generate, service or batch + description: 'The type of token that should be generated. Can + be service, batch, or default to use the mount''s tuned default + (which unless changed will be service tokens). 
For token store + roles, there are two additional possibilities: default-service + and default-batch which specify the type to return unless the + client requests a different type at generation time. The type + of token to generate, service or batch' type: string type: object conditions: diff --git a/package/crds/approle.vault.upbound.io_authbackendrolesecretids.yaml b/package/crds/approle.vault.upbound.io_authbackendrolesecretids.yaml index 2c9bc5ee..adab14f8 100644 --- a/package/crds/approle.vault.upbound.io_authbackendrolesecretids.yaml +++ b/package/crds/approle.vault.upbound.io_authbackendrolesecretids.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: authbackendrolesecretids.approle.vault.upbound.io spec: group: approle.vault.upbound.io @@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: AuthBackendRoleSecretID is the Schema for the AuthBackendRoleSecretIDs - API. + API. Manages AppRole auth backend role SecretIDs in Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -59,7 +58,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -73,22 +72,32 @@ spec: description: Unique name of the auth backend to configure. type: string cidrList: - description: List of CIDR blocks that can log in using the SecretID. + description: If set, specifies blocks of IP addresses which can + perform the login operation using this SecretID. List of CIDR + blocks that can log in using the SecretID. items: type: string type: array metadata: - description: JSON-encoded secret data to write. + description: A JSON-encoded string containing metadata in key-value + pairs to be set on tokens issued with this SecretID. JSON-encoded + secret data to write. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string roleName: - description: Name of the role. + description: The name of the role to create the SecretID for. + Name of the role. type: string secretIdSecretRef: - description: The SecretID to be managed. If not specified, Vault - auto-generates one. + description: The SecretID to be created. If set, uses "Push" mode. Defaults + to Vault auto-generating SecretIDs. The SecretID to be managed. + If not specified, Vault auto-generates one. properties: key: description: The key to select. 
@@ -105,29 +114,100 @@ spec: - namespace type: object withWrappedAccessor: - description: Use the wrapped secret-id accessor as the id of this - resource. If false, a fresh secret-id will be regenerated whenever - the wrapping token is expired or invalidated through unwrapping. + description: Set to true to use the wrapped secret-id accessor + as the resource ID. If false (default value), a fresh secret + ID will be regenerated whenever the wrapping token is expired + or invalidated through unwrapping. Use the wrapped secret-id + accessor as the id of this resource. If false, a fresh secret-id + will be regenerated whenever the wrapping token is expired or + invalidated through unwrapping. type: boolean wrappingTtl: - description: The TTL duration of the wrapped SecretID. + description: If set, the SecretID response will be response-wrapped + and available for the duration specified. Only a single unwrapping + of the token is allowed. The TTL duration of the wrapped SecretID. type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + backend: + description: Unique name of the auth backend to configure. 
+ type: string + cidrList: + description: If set, specifies blocks of IP addresses which can + perform the login operation using this SecretID. List of CIDR + blocks that can log in using the SecretID. + items: + type: string + type: array + metadata: + description: A JSON-encoded string containing metadata in key-value + pairs to be set on tokens issued with this SecretID. JSON-encoded + secret data to write. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + roleName: + description: The name of the role to create the SecretID for. + Name of the role. + type: string + withWrappedAccessor: + description: Set to true to use the wrapped secret-id accessor + as the resource ID. If false (default value), a fresh secret + ID will be regenerated whenever the wrapping token is expired + or invalidated through unwrapping. Use the wrapped secret-id + accessor as the id of this resource. If false, a fresh secret-id + will be regenerated whenever the wrapping token is expired or + invalidated through unwrapping. + type: boolean + wrappingTtl: + description: If set, the SecretID response will be response-wrapped + and available for the duration specified. Only a single unwrapping + of the token is allowed. The TTL duration of the wrapped SecretID. + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. 
Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -301,7 +381,9 @@ spec: type: object x-kubernetes-validations: - message: roleName is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.roleName) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.roleName) + || has(self.initProvider.roleName)' status: description: AuthBackendRoleSecretIDStatus defines the observed state of AuthBackendRoleSecretID. 
@@ -309,37 +391,54 @@ spec: atProvider: properties: accessor: - description: The unique ID used to access this SecretID. + description: The unique ID for this SecretID that can be safely + logged. The unique ID used to access this SecretID. type: string backend: description: Unique name of the auth backend to configure. type: string cidrList: - description: List of CIDR blocks that can log in using the SecretID. + description: If set, specifies blocks of IP addresses which can + perform the login operation using this SecretID. List of CIDR + blocks that can log in using the SecretID. items: type: string type: array id: type: string metadata: - description: JSON-encoded secret data to write. + description: A JSON-encoded string containing metadata in key-value + pairs to be set on tokens issued with this SecretID. JSON-encoded + secret data to write. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string roleName: - description: Name of the role. + description: The name of the role to create the SecretID for. + Name of the role. type: string withWrappedAccessor: - description: Use the wrapped secret-id accessor as the id of this - resource. If false, a fresh secret-id will be regenerated whenever - the wrapping token is expired or invalidated through unwrapping. + description: Set to true to use the wrapped secret-id accessor + as the resource ID. If false (default value), a fresh secret + ID will be regenerated whenever the wrapping token is expired + or invalidated through unwrapping. Use the wrapped secret-id + accessor as the id of this resource. 
If false, a fresh secret-id + will be regenerated whenever the wrapping token is expired or + invalidated through unwrapping. type: boolean wrappingAccessor: - description: The wrapped SecretID accessor. + description: The unique ID for the response-wrapped SecretID that + can be safely logged. The wrapped SecretID accessor. type: string wrappingTtl: - description: The TTL duration of the wrapped SecretID. + description: If set, the SecretID response will be response-wrapped + and available for the duration specified. Only a single unwrapping + of the token is allowed. The TTL duration of the wrapped SecretID. type: string type: object conditions: diff --git a/package/crds/audit.vault.upbound.io_requestheaders.yaml b/package/crds/audit.vault.upbound.io_requestheaders.yaml index 94b2d9cc..89c73c71 100644 --- a/package/crds/audit.vault.upbound.io_requestheaders.yaml +++ b/package/crds/audit.vault.upbound.io_requestheaders.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: requestheaders.audit.vault.upbound.io spec: group: audit.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: RequestHeader is the Schema for the RequestHeaders API. + description: RequestHeader is the Schema for the RequestHeaders API. Manages + audited request headers in Vault properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,30 +69,69 @@ spec: properties: hmac: description: Whether this header's value should be HMAC'd in the - audit logs. + audit logs. Whether this header's value should be HMAC'd in + the audit logs. type: boolean name: - description: The name of the request header to audit. + description: The name of the request header to audit. The name + of the request header to audit. type: string namespace: description: Target namespace. (requires Enterprise) type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + hmac: + description: Whether this header's value should be HMAC'd in the + audit logs. Whether this header's value should be HMAC'd in + the audit logs. + type: boolean + name: + description: The name of the request header to audit. The name + of the request header to audit. + type: string + namespace: + description: Target namespace. (requires Enterprise) + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. 
ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -266,7 +305,9 @@ spec: type: object x-kubernetes-validations: - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' status: description: RequestHeaderStatus defines the observed state of RequestHeader. properties: @@ -274,12 +315,14 @@ spec: properties: hmac: description: Whether this header's value should be HMAC'd in the - audit logs. + audit logs. Whether this header's value should be HMAC'd in + the audit logs. type: boolean id: type: string name: - description: The name of the request header to audit. + description: The name of the request header to audit. The name + of the request header to audit. type: string namespace: description: Target namespace. (requires Enterprise) diff --git a/package/crds/auth.vault.upbound.io_backends.yaml b/package/crds/auth.vault.upbound.io_backends.yaml index 3d9b2e75..245e6899 100644 --- a/package/crds/auth.vault.upbound.io_backends.yaml +++ b/package/crds/auth.vault.upbound.io_backends.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: backends.auth.vault.upbound.io spec: group: auth.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: Backend is the Schema for the Backends API. + description: Backend is the Schema for the Backends API. Managing roles in + an Cert auth backend in Vault properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' @@ -77,7 +77,11 @@ spec: description: Specifies if the auth method is local only type: boolean namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: description: path to mount the backend. This defaults to the type. @@ -108,6 +112,13 @@ spec: type: string type: array tokenType: + description: 'The type of token that should be generated. + Can be service, batch, or default to use the mount''s + tuned default (which unless changed will be service tokens). + For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type + to return unless the client requests a different type + at generation time.' type: string type: object type: array 
@@ -115,21 +126,104 @@ spec: description: Name of the auth backend type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + description: + description: The description of the auth backend + type: string + disableRemount: + description: If set, opts out of mount migration on path updates. + type: boolean + local: + description: Specifies if the auth method is local only + type: boolean + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + path: + description: path to mount the backend. This defaults to the type. 
+ type: string + tune: + items: + properties: + allowedResponseHeaders: + items: + type: string + type: array + auditNonHmacRequestKeys: + items: + type: string + type: array + auditNonHmacResponseKeys: + items: + type: string + type: array + defaultLeaseTtl: + type: string + listingVisibility: + type: string + maxLeaseTtl: + type: string + passthroughRequestHeaders: + items: + type: string + type: array + tokenType: + description: 'The type of token that should be generated. + Can be service, batch, or default to use the mount''s + tuned default (which unless changed will be service tokens). + For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type + to return unless the client requests a different type + at generation time.' + type: string + type: object + type: array + type: + description: Name of the auth backend + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. 
Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -303,7 +397,9 @@ spec: type: object x-kubernetes-validations: - message: type is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.type) + || has(self.initProvider.type)' status: description: BackendStatus defines the observed state of Backend. properties: @@ -324,7 +420,11 @@ spec: description: Specifies if the auth method is local only type: boolean namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: description: path to mount the backend. This defaults to the type. 
@@ -355,6 +455,13 @@ spec: type: string type: array tokenType: + description: 'The type of token that should be generated. + Can be service, batch, or default to use the mount''s + tuned default (which unless changed will be service tokens). + For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type + to return unless the client requests a different type + at generation time.' type: string type: object type: array diff --git a/package/crds/aws.vault.upbound.io_authbackendcerts.yaml b/package/crds/aws.vault.upbound.io_authbackendcerts.yaml index 79c7c75d..0d36d78c 100644 --- a/package/crds/aws.vault.upbound.io_authbackendcerts.yaml +++ b/package/crds/aws.vault.upbound.io_authbackendcerts.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: authbackendcerts.aws.vault.upbound.io spec: group: aws.vault.upbound.io @@ -35,8 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: AuthBackendCert is the Schema for the AuthBackendCerts API. + description: AuthBackendCert is the Schema for the AuthBackendCerts API. Manages + a certificate for an AWS Auth Backend in Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,38 +68,102 @@ spec: forProvider: properties: awsPublicCert: - description: Base64 encoded AWS Public key required to verify - PKCS7 signature of the EC2 instance metadata. + description: The Base64 encoded AWS Public key required to verify + PKCS7 signature of the EC2 instance metadata. You can find this + key in the AWS documentation. Base64 encoded AWS Public key + required to verify PKCS7 signature of the EC2 instance metadata. type: string backend: - description: Unique name of the auth backend to configure. + description: The path the AWS auth backend being configured was + mounted at. Defaults to aws. Unique name of the auth backend + to configure. type: string certName: - description: Name of the certificate to configure. + description: The name of the certificate. Name of the certificate + to configure. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string type: - description: The type of document that can be verified using the - certificate. Must be either "pkcs7" or "identity". + description: Either "pkcs7" or "identity", indicating the type + of document which can be verified using the given certificate. + Defaults to "pkcs7". The type of document that can be verified + using the certificate. Must be either "pkcs7" or "identity". type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. 
The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + awsPublicCert: + description: The Base64 encoded AWS Public key required to verify + PKCS7 signature of the EC2 instance metadata. You can find this + key in the AWS documentation. Base64 encoded AWS Public key + required to verify PKCS7 signature of the EC2 instance metadata. + type: string + backend: + description: The path the AWS auth backend being configured was + mounted at. Defaults to aws. Unique name of the auth backend + to configure. + type: string + certName: + description: The name of the certificate. Name of the certificate + to configure. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + type: + description: Either "pkcs7" or "identity", indicating the type + of document which can be verified using the given certificate. + Defaults to "pkcs7". The type of document that can be verified + using the certificate. Must be either "pkcs7" or "identity". + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. 
This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -274,32 +337,47 @@ spec: type: object x-kubernetes-validations: - message: awsPublicCert is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.awsPublicCert) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.awsPublicCert) + || has(self.initProvider.awsPublicCert)' - message: certName is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.certName) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.certName) + || has(self.initProvider.certName)' status: description: AuthBackendCertStatus defines the observed state of AuthBackendCert. properties: atProvider: properties: awsPublicCert: - description: Base64 encoded AWS Public key required to verify - PKCS7 signature of the EC2 instance metadata. + description: The Base64 encoded AWS Public key required to verify + PKCS7 signature of the EC2 instance metadata. You can find this + key in the AWS documentation. Base64 encoded AWS Public key + required to verify PKCS7 signature of the EC2 instance metadata. type: string backend: - description: Unique name of the auth backend to configure. + description: The path the AWS auth backend being configured was + mounted at. Defaults to aws. Unique name of the auth backend + to configure. type: string certName: - description: Name of the certificate to configure. + description: The name of the certificate. Name of the certificate + to configure. type: string id: type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. 
(requires + Enterprise) type: string type: - description: The type of document that can be verified using the - certificate. Must be either "pkcs7" or "identity". + description: Either "pkcs7" or "identity", indicating the type + of document which can be verified using the given certificate. + Defaults to "pkcs7". The type of document that can be verified + using the certificate. Must be either "pkcs7" or "identity". type: string type: object conditions: diff --git a/package/crds/aws.vault.upbound.io_authbackendclients.yaml b/package/crds/aws.vault.upbound.io_authbackendclients.yaml index a45ac64f..c782758a 100644 --- a/package/crds/aws.vault.upbound.io_authbackendclients.yaml +++ b/package/crds/aws.vault.upbound.io_authbackendclients.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: authbackendclients.aws.vault.upbound.io spec: group: aws.vault.upbound.io @@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: AuthBackendClient is the Schema for the AuthBackendClients API. - + Configures the client used by an AWS Auth Backend in Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' @@ -69,7 +68,8 @@ spec: forProvider: properties: accessKeySecretRef: - description: AWS Access key with permissions to query AWS APIs. + description: The AWS access key that Vault should use for the + auth backend. AWS Access key with permissions to query AWS APIs. properties: key: description: The key to select. 
@@ -86,26 +86,37 @@ spec: - namespace type: object backend: - description: Unique name of the auth backend to configure. + description: The path the AWS auth backend being configured was + mounted at. Defaults to aws. Unique name of the auth backend + to configure. type: string ec2Endpoint: - description: URL to override the default generated endpoint for - making AWS EC2 API calls. + description: Override the URL Vault uses when making EC2 API calls. + URL to override the default generated endpoint for making AWS + EC2 API calls. type: string iamEndpoint: - description: URL to override the default generated endpoint for - making AWS IAM API calls. + description: Override the URL Vault uses when making IAM API calls. + URL to override the default generated endpoint for making AWS + IAM API calls. type: string iamServerIdHeaderValue: description: The value to require in the X-Vault-AWS-IAM-Server-ID + header as part of GetCallerIdentity requests that are used in + the IAM auth method. The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the iam auth method. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string secretKeySecretRef: - description: AWS Secret key with permissions to query AWS APIs. + description: The AWS secret key that Vault should use for the + auth backend. AWS Secret key with permissions to query AWS APIs. properties: key: description: The key to select. 
@@ -122,29 +133,97 @@ spec: - namespace type: object stsEndpoint: - description: URL to override the default generated endpoint for - making AWS STS API calls. + description: Override the URL Vault uses when making STS API calls. + URL to override the default generated endpoint for making AWS + STS API calls. + type: string + stsRegion: + description: Override the default region when making STS API calls. + The sts_endpoint argument must be set when using sts_region. + Region to override the default region for making AWS STS API + calls. + type: string + type: object + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + backend: + description: The path the AWS auth backend being configured was + mounted at. Defaults to aws. Unique name of the auth backend + to configure. + type: string + ec2Endpoint: + description: Override the URL Vault uses when making EC2 API calls. + URL to override the default generated endpoint for making AWS + EC2 API calls. + type: string + iamEndpoint: + description: Override the URL Vault uses when making IAM API calls. + URL to override the default generated endpoint for making AWS + IAM API calls. 
+ type: string + iamServerIdHeaderValue: + description: The value to require in the X-Vault-AWS-IAM-Server-ID + header as part of GetCallerIdentity requests that are used in + the IAM auth method. The value to require in the X-Vault-AWS-IAM-Server-ID + header as part of GetCallerIdentity requests that are used in + the iam auth method. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + stsEndpoint: + description: Override the URL Vault uses when making STS API calls. + URL to override the default generated endpoint for making AWS + STS API calls. type: string stsRegion: - description: Region to override the default region for making - AWS STS API calls. + description: Override the default region when making STS API calls. + The sts_endpoint argument must be set when using sts_region. + Region to override the default region for making AWS STS API + calls. type: string type: object - managementPolicy: - default: FullControl + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. 
- See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -322,33 +401,46 @@ spec: atProvider: properties: backend: - description: Unique name of the auth backend to configure. + description: The path the AWS auth backend being configured was + mounted at. Defaults to aws. Unique name of the auth backend + to configure. type: string ec2Endpoint: - description: URL to override the default generated endpoint for - making AWS EC2 API calls. + description: Override the URL Vault uses when making EC2 API calls. + URL to override the default generated endpoint for making AWS + EC2 API calls. type: string iamEndpoint: - description: URL to override the default generated endpoint for - making AWS IAM API calls. + description: Override the URL Vault uses when making IAM API calls. + URL to override the default generated endpoint for making AWS + IAM API calls. type: string iamServerIdHeaderValue: description: The value to require in the X-Vault-AWS-IAM-Server-ID + header as part of GetCallerIdentity requests that are used in + the IAM auth method. The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the iam auth method. type: string id: type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string stsEndpoint: - description: URL to override the default generated endpoint for - making AWS STS API calls. + description: Override the URL Vault uses when making STS API calls. + URL to override the default generated endpoint for making AWS + STS API calls. type: string stsRegion: - description: Region to override the default region for making - AWS STS API calls. + description: Override the default region when making STS API calls. 
+ The sts_endpoint argument must be set when using sts_region. + Region to override the default region for making AWS STS API + calls. type: string type: object conditions: diff --git a/package/crds/aws.vault.upbound.io_authbackendconfigidentities.yaml b/package/crds/aws.vault.upbound.io_authbackendconfigidentities.yaml index ea607550..642f5be8 100644 --- a/package/crds/aws.vault.upbound.io_authbackendconfigidentities.yaml +++ b/package/crds/aws.vault.upbound.io_authbackendconfigidentities.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: authbackendconfigidentities.aws.vault.upbound.io spec: group: aws.vault.upbound.io @@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: AuthBackendConfigIdentity is the Schema for the AuthBackendConfigIdentitys - API. + API. Manages AWS auth backend identity configuration in Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -59,7 +58,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -73,41 +72,105 @@ spec: description: Unique name of the auth backend to configure. type: string ec2Alias: - description: Configures how to generate the identity alias when - using the ec2 auth method. + description: How to generate the identity alias when using the + ec2 auth method. Valid choices are role_id, instance_id, and + image_id. Defaults to role_id Configures how to generate the + identity alias when using the ec2 auth method. type: string ec2Metadata: description: The metadata to include on the token returned by - the login endpoint. + the login endpoint. This metadata will be added to both audit + logs, and on the ec2_alias The metadata to include on the token + returned by the login endpoint. items: type: string type: array iamAlias: description: How to generate the identity alias when using the - iam auth method. + iam auth method. Valid choices are role_id, unique_id, and full_arn. + Defaults to role_id How to generate the identity alias when + using the iam auth method. type: string iamMetadata: description: The metadata to include on the token returned by - the login endpoint. + the login endpoint. This metadata will be added to both audit + logs, and on the iam_alias The metadata to include on the token + returned by the login endpoint. items: type: string type: array type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. 
This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + backend: + description: Unique name of the auth backend to configure. + type: string + ec2Alias: + description: How to generate the identity alias when using the + ec2 auth method. Valid choices are role_id, instance_id, and + image_id. Defaults to role_id Configures how to generate the + identity alias when using the ec2 auth method. + type: string + ec2Metadata: + description: The metadata to include on the token returned by + the login endpoint. This metadata will be added to both audit + logs, and on the ec2_alias The metadata to include on the token + returned by the login endpoint. + items: + type: string + type: array + iamAlias: + description: How to generate the identity alias when using the + iam auth method. Valid choices are role_id, unique_id, and full_arn. + Defaults to role_id How to generate the identity alias when + using the iam auth method. + type: string + iamMetadata: + description: The metadata to include on the token returned by + the login endpoint. This metadata will be added to both audit + logs, and on the iam_alias The metadata to include on the token + returned by the login endpoint. + items: + type: string + type: array + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. 
- See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -289,22 +352,30 @@ spec: description: Unique name of the auth backend to configure. type: string ec2Alias: - description: Configures how to generate the identity alias when - using the ec2 auth method. + description: How to generate the identity alias when using the + ec2 auth method. Valid choices are role_id, instance_id, and + image_id. Defaults to role_id Configures how to generate the + identity alias when using the ec2 auth method. type: string ec2Metadata: description: The metadata to include on the token returned by - the login endpoint. + the login endpoint. This metadata will be added to both audit + logs, and on the ec2_alias The metadata to include on the token + returned by the login endpoint. items: type: string type: array iamAlias: description: How to generate the identity alias when using the - iam auth method. + iam auth method. Valid choices are role_id, unique_id, and full_arn. + Defaults to role_id How to generate the identity alias when + using the iam auth method. type: string iamMetadata: description: The metadata to include on the token returned by - the login endpoint. + the login endpoint. This metadata will be added to both audit + logs, and on the iam_alias The metadata to include on the token + returned by the login endpoint. items: type: string type: array diff --git a/package/crds/aws.vault.upbound.io_authbackendidentitywhitelists.yaml b/package/crds/aws.vault.upbound.io_authbackendidentitywhitelists.yaml index d796c6fd..160753c7 100644 --- a/package/crds/aws.vault.upbound.io_authbackendidentitywhitelists.yaml +++ b/package/crds/aws.vault.upbound.io_authbackendidentitywhitelists.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: authbackendidentitywhitelists.aws.vault.upbound.io spec: group: aws.vault.upbound.io 
@@ -36,7 +35,8 @@ spec: schema: openAPIV3Schema: description: AuthBackendIdentityWhitelist is the Schema for the AuthBackendIdentityWhitelists - API. + API. Configures the periodic tidying operation of the whitelisted identity + entries. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -59,7 +59,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -70,35 +70,92 @@ spec: forProvider: properties: backend: - description: Unique name of the auth backend to configure. + description: The path of the AWS backend being configured. Unique + name of the auth backend to configure. type: string disablePeriodicTidy: - description: If true, disables the periodic tidying of the identiy - whitelist entries. + description: If set to true, disables the periodic tidying of + the identity-whitelist entries. If true, disables the periodic + tidying of the identiy whitelist entries. type: boolean namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string safetyBuffer: - description: The amount of extra time that must have passed beyond - the roletag expiration, before it's removed from backend storage. + description: The amount of extra time, in minutes, that must have + passed beyond the roletag expiration, before it is removed from + the backend storage. The amount of extra time that must have + passed beyond the roletag expiration, before it's removed from + backend storage. type: number type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. 
This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + backend: + description: The path of the AWS backend being configured. Unique + name of the auth backend to configure. + type: string + disablePeriodicTidy: + description: If set to true, disables the periodic tidying of + the identity-whitelist entries. If true, disables the periodic + tidying of the identiy whitelist entries. + type: boolean + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + safetyBuffer: + description: The amount of extra time, in minutes, that must have + passed beyond the roletag expiration, before it is removed from + the backend storage. The amount of extra time that must have + passed beyond the roletag expiration, before it's removed from + backend storage. + type: number + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. 
- See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -277,20 +334,29 @@ spec: atProvider: properties: backend: - description: Unique name of the auth backend to configure. + description: The path of the AWS backend being configured. Unique + name of the auth backend to configure. type: string disablePeriodicTidy: - description: If true, disables the periodic tidying of the identiy - whitelist entries. + description: If set to true, disables the periodic tidying of + the identity-whitelist entries. If true, disables the periodic + tidying of the identiy whitelist entries. type: boolean id: type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string safetyBuffer: - description: The amount of extra time that must have passed beyond - the roletag expiration, before it's removed from backend storage. + description: The amount of extra time, in minutes, that must have + passed beyond the roletag expiration, before it is removed from + the backend storage. The amount of extra time that must have + passed beyond the roletag expiration, before it's removed from + backend storage. type: number type: object conditions: diff --git a/package/crds/aws.vault.upbound.io_authbackendlogins.yaml b/package/crds/aws.vault.upbound.io_authbackendlogins.yaml index 249c4472..9a731fda 100644 --- a/package/crds/aws.vault.upbound.io_authbackendlogins.yaml +++ b/package/crds/aws.vault.upbound.io_authbackendlogins.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: authbackendlogins.aws.vault.upbound.io spec: group: aws.vault.upbound.io 
@@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: AuthBackendLogin is the Schema for the AuthBackendLogins API. - + Manages Vault tokens acquired using the AWS auth backend. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,58 +68,168 @@ spec: forProvider: properties: backend: - description: AWS Auth Backend to read the token from. + description: The unique name of the AWS auth backend. Defaults + to 'aws'. AWS Auth Backend to read the token from. type: string iamHttpRequestMethod: - description: The HTTP method used in the signed request. + description: The HTTP method used in the signed IAM request. The + HTTP method used in the signed request. type: string iamRequestBody: - description: The Base64-encoded body of the signed request. + description: The base64-encoded body of the signed request. The + Base64-encoded body of the signed request. type: string iamRequestHeaders: - description: The Base64-encoded, JSON serialized representation - of the sts:GetCallerIdentity HTTP request headers. + description: The base64-encoded, JSON serialized representation + of the GetCallerIdentity HTTP request headers. The Base64-encoded, + JSON serialized representation of the sts:GetCallerIdentity + HTTP request headers. type: string iamRequestUrl: - description: The Base64-encoded HTTP URL used in the signed request. + description: The base64-encoded HTTP URL used in the signed request. + The Base64-encoded HTTP URL used in the signed request. type: string identity: - description: Base64-encoded EC2 instance identity document to - authenticate with. + description: The base64-encoded EC2 instance identity document + to authenticate with. Can be retrieved from the EC2 metadata + server. Base64-encoded EC2 instance identity document to authenticate + with. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. 
(requires + Enterprise) type: string nonce: - description: The nonce to be used for subsequent login requests. + description: The unique nonce to be used for login requests. Can + be set to a user-specified value, or will contain the server-generated + value once a token is issued. EC2 instances can only acquire + a single token until the whitelist is tidied again unless they + keep track of this nonce. The nonce to be used for subsequent + login requests. type: string pkcs7: - description: PKCS7 signature of the identity document to authenticate - with, with all newline characters removed. + description: The PKCS#7 signature of the identity document to + authenticate with, with all newline characters removed. Can + be retrieved from the EC2 metadata server. PKCS7 signature of + the identity document to authenticate with, with all newline + characters removed. type: string role: - description: AWS Auth Role to read the token from. + description: The name of the AWS auth backend role to create tokens + against. AWS Auth Role to read the token from. type: string signature: - description: Base64-encoded SHA256 RSA signature of the instance - identtiy document to authenticate with. + description: The base64-encoded SHA256 RSA signature of the instance + identity document to authenticate with, with all newline characters + removed. Can be retrieved from the EC2 metadata server. Base64-encoded + SHA256 RSA signature of the instance identtiy document to authenticate + with. type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. 
The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + backend: + description: The unique name of the AWS auth backend. Defaults + to 'aws'. AWS Auth Backend to read the token from. + type: string + iamHttpRequestMethod: + description: The HTTP method used in the signed IAM request. The + HTTP method used in the signed request. + type: string + iamRequestBody: + description: The base64-encoded body of the signed request. The + Base64-encoded body of the signed request. + type: string + iamRequestHeaders: + description: The base64-encoded, JSON serialized representation + of the GetCallerIdentity HTTP request headers. The Base64-encoded, + JSON serialized representation of the sts:GetCallerIdentity + HTTP request headers. + type: string + iamRequestUrl: + description: The base64-encoded HTTP URL used in the signed request. + The Base64-encoded HTTP URL used in the signed request. + type: string + identity: + description: The base64-encoded EC2 instance identity document + to authenticate with. Can be retrieved from the EC2 metadata + server. Base64-encoded EC2 instance identity document to authenticate + with. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + nonce: + description: The unique nonce to be used for login requests. Can + be set to a user-specified value, or will contain the server-generated + value once a token is issued. 
EC2 instances can only acquire + a single token until the whitelist is tidied again unless they + keep track of this nonce. The nonce to be used for subsequent + login requests. + type: string + pkcs7: + description: The PKCS#7 signature of the identity document to + authenticate with, with all newline characters removed. Can + be retrieved from the EC2 metadata server. PKCS7 signature of + the identity document to authenticate with, with all newline + characters removed. + type: string + role: + description: The name of the AWS auth backend role to create tokens + against. AWS Auth Role to read the token from. + type: string + signature: + description: The base64-encoded SHA256 RSA signature of the instance + identity document to authenticate with, with all newline characters + removed. Can be retrieved from the EC2 metadata server. Base64-encoded + SHA256 RSA signature of the instance identtiy document to authenticate + with. + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. 
This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -298,71 +407,104 @@ spec: atProvider: properties: accessor: - description: The accessor returned from Vault for this token. + description: The token's accessor. The accessor returned from + Vault for this token. type: string authType: - description: The auth method used to generate this token. + description: The authentication type used to generate this token. + The auth method used to generate this token. type: string backend: - description: AWS Auth Backend to read the token from. + description: The unique name of the AWS auth backend. Defaults + to 'aws'. AWS Auth Backend to read the token from. type: string iamHttpRequestMethod: - description: The HTTP method used in the signed request. + description: The HTTP method used in the signed IAM request. The + HTTP method used in the signed request. type: string iamRequestBody: - description: The Base64-encoded body of the signed request. + description: The base64-encoded body of the signed request. The + Base64-encoded body of the signed request. type: string iamRequestHeaders: - description: The Base64-encoded, JSON serialized representation - of the sts:GetCallerIdentity HTTP request headers. + description: The base64-encoded, JSON serialized representation + of the GetCallerIdentity HTTP request headers. The Base64-encoded, + JSON serialized representation of the sts:GetCallerIdentity + HTTP request headers. type: string iamRequestUrl: - description: The Base64-encoded HTTP URL used in the signed request. + description: The base64-encoded HTTP URL used in the signed request. + The Base64-encoded HTTP URL used in the signed request. type: string id: type: string identity: - description: Base64-encoded EC2 instance identity document to - authenticate with. + description: The base64-encoded EC2 instance identity document + to authenticate with. Can be retrieved from the EC2 metadata + server. Base64-encoded EC2 instance identity document to authenticate + with. 
type: string leaseDuration: - description: Lease duration in seconds relative to the time in - lease_start_time. + description: The duration in seconds the token will be valid, + relative to the time in lease_start_time. Lease duration in + seconds relative to the time in lease_start_time. type: number leaseStartTime: - description: time at which the lease was read, using the clock + description: the approximate time at which the token was created, + using the clock of the system where Upbound official provider + was running. time at which the lease was read, using the clock of the system where Upbound official provider was running type: string metadata: additionalProperties: type: string - description: The metadata reported by the Vault server. + description: A map of information returned by the Vault server + about the authentication used to generate this token. The metadata + reported by the Vault server. type: object namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string nonce: - description: The nonce to be used for subsequent login requests. + description: The unique nonce to be used for login requests. Can + be set to a user-specified value, or will contain the server-generated + value once a token is issued. EC2 instances can only acquire + a single token until the whitelist is tidied again unless they + keep track of this nonce. The nonce to be used for subsequent + login requests. type: string pkcs7: - description: PKCS7 signature of the identity document to authenticate - with, with all newline characters removed. + description: The PKCS#7 signature of the identity document to + authenticate with, with all newline characters removed. 
Can + be retrieved from the EC2 metadata server. PKCS7 signature of + the identity document to authenticate with, with all newline + characters removed. type: string policies: - description: The policies assigned to this token. + description: The Vault policies assigned to this token. The policies + assigned to this token. items: type: string type: array renewable: - description: True if the duration of this lease can be extended + description: Set to true if the token can be extended through + renewal. True if the duration of this lease can be extended through renewal. type: boolean role: - description: AWS Auth Role to read the token from. + description: The name of the AWS auth backend role to create tokens + against. AWS Auth Role to read the token from. type: string signature: - description: Base64-encoded SHA256 RSA signature of the instance - identtiy document to authenticate with. + description: The base64-encoded SHA256 RSA signature of the instance + identity document to authenticate with, with all newline characters + removed. Can be retrieved from the EC2 metadata server. Base64-encoded + SHA256 RSA signature of the instance identtiy document to authenticate + with. type: string type: object conditions: diff --git a/package/crds/aws.vault.upbound.io_authbackendroles.yaml b/package/crds/aws.vault.upbound.io_authbackendroles.yaml index a393a8a5..f2f93f89 100644 --- a/package/crds/aws.vault.upbound.io_authbackendroles.yaml +++ b/package/crds/aws.vault.upbound.io_authbackendroles.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: authbackendroles.aws.vault.upbound.io spec: group: aws.vault.upbound.io 
@@ -35,8 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: AuthBackendRole is the Schema for the AuthBackendRoles API. + description: AuthBackendRole is the Schema for the AuthBackendRoles API. Manages + AWS auth backend roles in Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,24 +68,36 @@ spec: forProvider: properties: allowInstanceMigration: - description: When true, allows migration of the underlying instance - where the client resides. Use with caution. + description: If set to true, allows migration of the underlying + instance where the client resides. When true, allows migration + of the underlying instance where the client resides. Use with + caution. type: boolean authType: - description: The auth type permitted for this role. + description: The auth type permitted for this role. Valid choices + are ec2 and iam. Defaults to iam. The auth type permitted for + this role. type: string backend: description: Unique name of the auth backend to configure. type: string boundAccountIds: - description: Only EC2 instances with this account ID in their - identity document will be permitted to log in. + description: If set, defines a constraint on the EC2 instances + that can perform the login operation that they should be using + the account ID specified by this field. auth_type must be set + to ec2 or inferred_entity_type must be set to ec2_instance to + use this constraint. Only EC2 instances with this account ID + in their identity document will be permitted to log in. items: type: string type: array boundAmiIds: - description: Only EC2 instances using this AMI ID will be permitted - to log in. + description: If set, defines a constraint on the EC2 instances + that can perform the login operation that they should be using + the AMI ID specified by this field. auth_type must be set to + ec2 or inferred_entity_type must be set to ec2_instance to use + this constraint. Only EC2 instances using this AMI ID will be + permitted to log in. items: type: string type: array 
@@ -97,118 +108,430 @@ spec: type: string type: array boundIamInstanceProfileArns: - description: Only EC2 instances associated with an IAM instance - profile ARN that matches this value will be permitted to log - in. + description: If set, defines a constraint on the EC2 instances + that can perform the login operation that they must be associated + with an IAM instance profile ARN which has a prefix that matches + the value specified by this field. The value is prefix-matched + as though it were a glob ending in *. auth_type must be set + to ec2 or inferred_entity_type must be set to ec2_instance to + use this constraint. Only EC2 instances associated with an IAM + instance profile ARN that matches this value will be permitted + to log in. items: type: string type: array boundIamPrincipalArns: - description: The IAM principal that must be authenticated using - the iam auth method. + description: If set, defines the IAM principal that must be authenticated + when auth_type is set to iam. Wildcards are supported at the + end of the ARN. The IAM principal that must be authenticated + using the iam auth method. items: type: string type: array boundIamRoleArns: - description: Only EC2 instances that match this IAM role ARN will - be permitted to log in. + description: If set, defines a constraint on the EC2 instances + that can perform the login operation that they must match the + IAM role ARN specified by this field. auth_type must be set + to ec2 or inferred_entity_type must be set to ec2_instance to + use this constraint. Only EC2 instances that match this IAM + role ARN will be permitted to log in. items: type: string type: array boundRegions: - description: Only EC2 instances in this region will be permitted - to log in. + description: If set, defines a constraint on the EC2 instances + that can perform the login operation that the region in their + identity document must match the one specified by this field. 
+ auth_type must be set to ec2 or inferred_entity_type must be + set to ec2_instance to use this constraint. Only EC2 instances + in this region will be permitted to log in. items: type: string type: array boundSubnetIds: - description: Only EC2 instances associated with this subnet ID - will be permitted to log in. + description: If set, defines a constraint on the EC2 instances + that can perform the login operation that they be associated + with the subnet ID that matches the value specified by this + field. auth_type must be set to ec2 or inferred_entity_type + must be set to ec2_instance to use this constraint. Only EC2 + instances associated with this subnet ID will be permitted to + log in. items: type: string type: array boundVpcIds: - description: Only EC2 instances associated with this VPC ID will + description: If set, defines a constraint on the EC2 instances + that can perform the login operation that they be associated + with the VPC ID that matches the value specified by this field. + auth_type must be set to ec2 or inferred_entity_type must be + set to ec2_instance to use this constraint. Only EC2 instances + associated with this VPC ID will be permitted to log in. + items: + type: string + type: array + disallowReauthentication: + description: IF set to true, only allows a single token to be + granted per instance ID. This can only be set when auth_type + is set to ec2. When true, only allows a single token to be granted + per instance ID. + type: boolean + inferredAwsRegion: + description: When inferred_entity_type is set, this is the region + to search for the inferred entities. Required if inferred_entity_type + is set. This only applies when auth_type is set to iam. The + region to search for the inferred entities in. + type: string + inferredEntityType: + description: If set, instructs Vault to turn on inferencing. 
The + only valid value is ec2_instance, which instructs Vault to infer + that the role comes from an EC2 instance in an IAM instance + profile. This only applies when auth_type is set to iam. The + type of inferencing Vault should do. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + resolveAwsUniqueIds: + description: Only valid when auth_type is iam. If set to true, + the bound_iam_principal_arns are resolved to AWS Unique IDs + for the bound principal ARN. This field is ignored when a bound_iam_principal_arn + ends in a wildcard. Resolving to unique IDs more closely mimics + the behavior of AWS services in that if an IAM user or role + is deleted and a new one is recreated with the same name, those + new users or roles won't get access to roles in Vault that were + permissioned to the prior principals of the same name. Defaults + to true. Once set to true, this cannot be changed to false without + recreating the role. Whether or not Vault should resolve the + bound_iam_principal_arn to an AWS Unique ID. When true, deleting + a principal and recreating it with the same name won't automatically + grant the new principal the same roles in Vault that the old + principal had. + type: boolean + role: + description: The name of the role. Name of the role. + type: string + roleTag: + description: If set, enable role tags for this role. The value + set for this field should be the key of the tag on the EC2 instance. + auth_type must be set to ec2 or inferred_entity_type must be + set to ec2_instance to use this constraint. The key of the tag + on EC2 instance to use for role tags. 
+ type: string + tokenBoundCidrs: + description: List of CIDR blocks; if set, specifies blocks of + IP addresses which can authenticate successfully, and ties the + resulting token to these blocks as well. Specifies the blocks + of IP addresses which are allowed to use the generated token + items: + type: string + type: array + tokenExplicitMaxTtl: + description: If set, will encode an explicit max TTL onto the + token in number of seconds. This is a hard cap even if token_ttl + and token_max_ttl would otherwise allow a renewal. Generated + Token's Explicit Maximum TTL in seconds + type: number + tokenMaxTtl: + description: The maximum lifetime for generated tokens in number + of seconds. Its current value will be referenced at renewal + time. The maximum lifetime of the generated token + type: number + tokenNoDefaultPolicy: + description: If set, the default policy will not be set on generated + tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added + to generated tokens + type: boolean + tokenNumUses: + description: The maximum number of times a generated token may + be used (within its lifetime); 0 means unlimited. The maximum + number of times a token may be used, a value of zero means unlimited + type: number + tokenPeriod: + description: If set, indicates that the token generated using + this role should never expire. The token should be renewed within + the duration specified by this value. At each renewal, the token's + TTL will be set to the value of this field. Specified in seconds. + Generated Token's Period + type: number + tokenPolicies: + description: List of policies to encode onto generated tokens. + Depending on the auth method, this list may be supplemented + by user/group/other values. Generated Token's Policies + items: + type: string + type: array + tokenTtl: + description: The incremental lifetime for generated tokens in + number of seconds. 
Its current value will be referenced at renewal + time. The initial ttl of the token to generate in seconds + type: number + tokenType: + description: 'The type of token that should be generated. Can + be service, batch, or default to use the mount''s tuned default + (which unless changed will be service tokens). For token store + roles, there are two additional possibilities: default-service + and default-batch which specify the type to return unless the + client requests a different type at generation time. The type + of token to generate, service or batch' + type: string + type: object + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + allowInstanceMigration: + description: If set to true, allows migration of the underlying + instance where the client resides. When true, allows migration + of the underlying instance where the client resides. Use with + caution. + type: boolean + authType: + description: The auth type permitted for this role. Valid choices + are ec2 and iam. Defaults to iam. The auth type permitted for + this role. + type: string + backend: + description: Unique name of the auth backend to configure. 
+ type: string + boundAccountIds: + description: If set, defines a constraint on the EC2 instances + that can perform the login operation that they should be using + the account ID specified by this field. auth_type must be set + to ec2 or inferred_entity_type must be set to ec2_instance to + use this constraint. Only EC2 instances with this account ID + in their identity document will be permitted to log in. + items: + type: string + type: array + boundAmiIds: + description: If set, defines a constraint on the EC2 instances + that can perform the login operation that they should be using + the AMI ID specified by this field. auth_type must be set to + ec2 or inferred_entity_type must be set to ec2_instance to use + this constraint. Only EC2 instances using this AMI ID will be + permitted to log in. + items: + type: string + type: array + boundEc2InstanceIds: + description: Only EC2 instances that match this instance ID will be permitted to log in. items: type: string type: array + boundIamInstanceProfileArns: + description: If set, defines a constraint on the EC2 instances + that can perform the login operation that they must be associated + with an IAM instance profile ARN which has a prefix that matches + the value specified by this field. The value is prefix-matched + as though it were a glob ending in *. auth_type must be set + to ec2 or inferred_entity_type must be set to ec2_instance to + use this constraint. Only EC2 instances associated with an IAM + instance profile ARN that matches this value will be permitted + to log in. + items: + type: string + type: array + boundIamPrincipalArns: + description: If set, defines the IAM principal that must be authenticated + when auth_type is set to iam. Wildcards are supported at the + end of the ARN. The IAM principal that must be authenticated + using the iam auth method. 
+ items: + type: string + type: array + boundIamRoleArns: + description: If set, defines a constraint on the EC2 instances + that can perform the login operation that they must match the + IAM role ARN specified by this field. auth_type must be set + to ec2 or inferred_entity_type must be set to ec2_instance to + use this constraint. Only EC2 instances that match this IAM + role ARN will be permitted to log in. + items: + type: string + type: array + boundRegions: + description: If set, defines a constraint on the EC2 instances + that can perform the login operation that the region in their + identity document must match the one specified by this field. + auth_type must be set to ec2 or inferred_entity_type must be + set to ec2_instance to use this constraint. Only EC2 instances + in this region will be permitted to log in. + items: + type: string + type: array + boundSubnetIds: + description: If set, defines a constraint on the EC2 instances + that can perform the login operation that they be associated + with the subnet ID that matches the value specified by this + field. auth_type must be set to ec2 or inferred_entity_type + must be set to ec2_instance to use this constraint. Only EC2 + instances associated with this subnet ID will be permitted to + log in. + items: + type: string + type: array + boundVpcIds: + description: If set, defines a constraint on the EC2 instances + that can perform the login operation that they be associated + with the VPC ID that matches the value specified by this field. + auth_type must be set to ec2 or inferred_entity_type must be + set to ec2_instance to use this constraint. Only EC2 instances + associated with this VPC ID will be permitted to log in. + items: + type: string + type: array disallowReauthentication: - description: When true, only allows a single token to be granted + description: IF set to true, only allows a single token to be + granted per instance ID. This can only be set when auth_type + is set to ec2. 
When true, only allows a single token to be granted per instance ID. type: boolean inferredAwsRegion: - description: The region to search for the inferred entities in. + description: When inferred_entity_type is set, this is the region + to search for the inferred entities. Required if inferred_entity_type + is set. This only applies when auth_type is set to iam. The + region to search for the inferred entities in. type: string inferredEntityType: - description: The type of inferencing Vault should do. + description: If set, instructs Vault to turn on inferencing. The + only valid value is ec2_instance, which instructs Vault to infer + that the role comes from an EC2 instance in an IAM instance + profile. This only applies when auth_type is set to iam. The + type of inferencing Vault should do. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string resolveAwsUniqueIds: - description: Whether or not Vault should resolve the bound_iam_principal_arn - to an AWS Unique ID. When true, deleting a principal and recreating - it with the same name won't automatically grant the new principal - the same roles in Vault that the old principal had. + description: Only valid when auth_type is iam. If set to true, + the bound_iam_principal_arns are resolved to AWS Unique IDs + for the bound principal ARN. This field is ignored when a bound_iam_principal_arn + ends in a wildcard. 
Resolving to unique IDs more closely mimics + the behavior of AWS services in that if an IAM user or role + is deleted and a new one is recreated with the same name, those + new users or roles won't get access to roles in Vault that were + permissioned to the prior principals of the same name. Defaults + to true. Once set to true, this cannot be changed to false without + recreating the role. Whether or not Vault should resolve the + bound_iam_principal_arn to an AWS Unique ID. When true, deleting + a principal and recreating it with the same name won't automatically + grant the new principal the same roles in Vault that the old + principal had. type: boolean role: - description: Name of the role. + description: The name of the role. Name of the role. type: string roleTag: - description: The key of the tag on EC2 instance to use for role - tags. + description: If set, enable role tags for this role. The value + set for this field should be the key of the tag on the EC2 instance. + auth_type must be set to ec2 or inferred_entity_type must be + set to ec2_instance to use this constraint. The key of the tag + on EC2 instance to use for role tags. type: string tokenBoundCidrs: - description: Specifies the blocks of IP addresses which are allowed - to use the generated token + description: List of CIDR blocks; if set, specifies blocks of + IP addresses which can authenticate successfully, and ties the + resulting token to these blocks as well. Specifies the blocks + of IP addresses which are allowed to use the generated token items: type: string type: array tokenExplicitMaxTtl: - description: Generated Token's Explicit Maximum TTL in seconds + description: If set, will encode an explicit max TTL onto the + token in number of seconds. This is a hard cap even if token_ttl + and token_max_ttl would otherwise allow a renewal. 
Generated + Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime of the generated token + description: The maximum lifetime for generated tokens in number + of seconds. Its current value will be referenced at renewal + time. The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If true, the 'default' policy will not automatically - be added to generated tokens + description: If set, the default policy will not be set on generated + tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added + to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a token may be used, - a value of zero means unlimited + description: The maximum number of times a generated token may + be used (within its lifetime); 0 means unlimited. The maximum + number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: Generated Token's Period + description: If set, indicates that the token generated using + this role should never expire. The token should be renewed within + the duration specified by this value. At each renewal, the token's + TTL will be set to the value of this field. Specified in seconds. + Generated Token's Period type: number tokenPolicies: - description: Generated Token's Policies + description: List of policies to encode onto generated tokens. + Depending on the auth method, this list may be supplemented + by user/group/other values. Generated Token's Policies items: type: string type: array tokenTtl: - description: The initial ttl of the token to generate in seconds + description: The incremental lifetime for generated tokens in + number of seconds. Its current value will be referenced at renewal + time. 
The initial ttl of the token to generate in seconds type: number tokenType: - description: The type of token to generate, service or batch + description: 'The type of token that should be generated. Can + be service, batch, or default to use the mount''s tuned default + (which unless changed will be service tokens). For token store + roles, there are two additional possibilities: default-service + and default-batch which specify the type to return unless the + client requests a different type at generation time. The type + of token to generate, service or batch' type: string type: object - managementPolicy: - default: FullControl + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. 
See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -382,31 +705,45 @@ spec: type: object x-kubernetes-validations: - message: role is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.role) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.role) + || has(self.initProvider.role)' status: description: AuthBackendRoleStatus defines the observed state of AuthBackendRole. properties: atProvider: properties: allowInstanceMigration: - description: When true, allows migration of the underlying instance - where the client resides. Use with caution. + description: If set to true, allows migration of the underlying + instance where the client resides. When true, allows migration + of the underlying instance where the client resides. Use with + caution. type: boolean authType: - description: The auth type permitted for this role. + description: The auth type permitted for this role. Valid choices + are ec2 and iam. Defaults to iam. The auth type permitted for + this role. type: string backend: description: Unique name of the auth backend to configure. type: string boundAccountIds: - description: Only EC2 instances with this account ID in their - identity document will be permitted to log in. + description: If set, defines a constraint on the EC2 instances + that can perform the login operation that they should be using + the account ID specified by this field. auth_type must be set + to ec2 or inferred_entity_type must be set to ec2_instance to + use this constraint. Only EC2 instances with this account ID + in their identity document will be permitted to log in. items: type: string type: array boundAmiIds: - description: Only EC2 instances using this AMI ID will be permitted - to log in. + description: If set, defines a constraint on the EC2 instances + that can perform the login operation that they should be using + the AMI ID specified by this field. 
auth_type must be set to + ec2 or inferred_entity_type must be set to ec2_instance to use + this constraint. Only EC2 instances using this AMI ID will be + permitted to log in. items: type: string type: array 
@@ -417,106 +754,182 @@ spec: type: string type: array boundIamInstanceProfileArns: - description: Only EC2 instances associated with an IAM instance - profile ARN that matches this value will be permitted to log - in. + description: If set, defines a constraint on the EC2 instances + that can perform the login operation that they must be associated + with an IAM instance profile ARN which has a prefix that matches + the value specified by this field. The value is prefix-matched + as though it were a glob ending in *. auth_type must be set + to ec2 or inferred_entity_type must be set to ec2_instance to + use this constraint. Only EC2 instances associated with an IAM + instance profile ARN that matches this value will be permitted + to log in. items: type: string type: array boundIamPrincipalArns: - description: The IAM principal that must be authenticated using - the iam auth method. + description: If set, defines the IAM principal that must be authenticated + when auth_type is set to iam. Wildcards are supported at the + end of the ARN. The IAM principal that must be authenticated + using the iam auth method. items: type: string type: array boundIamRoleArns: - description: Only EC2 instances that match this IAM role ARN will - be permitted to log in. + description: If set, defines a constraint on the EC2 instances + that can perform the login operation that they must match the + IAM role ARN specified by this field. auth_type must be set + to ec2 or inferred_entity_type must be set to ec2_instance to + use this constraint. Only EC2 instances that match this IAM + role ARN will be permitted to log in. items: type: string type: array boundRegions: - description: Only EC2 instances in this region will be permitted - to log in. + description: If set, defines a constraint on the EC2 instances + that can perform the login operation that the region in their + identity document must match the one specified by this field. 
+ auth_type must be set to ec2 or inferred_entity_type must be + set to ec2_instance to use this constraint. Only EC2 instances + in this region will be permitted to log in. items: type: string type: array boundSubnetIds: - description: Only EC2 instances associated with this subnet ID - will be permitted to log in. + description: If set, defines a constraint on the EC2 instances + that can perform the login operation that they be associated + with the subnet ID that matches the value specified by this + field. auth_type must be set to ec2 or inferred_entity_type + must be set to ec2_instance to use this constraint. Only EC2 + instances associated with this subnet ID will be permitted to + log in. items: type: string type: array boundVpcIds: - description: Only EC2 instances associated with this VPC ID will - be permitted to log in. + description: If set, defines a constraint on the EC2 instances + that can perform the login operation that they be associated + with the VPC ID that matches the value specified by this field. + auth_type must be set to ec2 or inferred_entity_type must be + set to ec2_instance to use this constraint. Only EC2 instances + associated with this VPC ID will be permitted to log in. items: type: string type: array disallowReauthentication: - description: When true, only allows a single token to be granted + description: IF set to true, only allows a single token to be + granted per instance ID. This can only be set when auth_type + is set to ec2. When true, only allows a single token to be granted per instance ID. type: boolean id: type: string inferredAwsRegion: - description: The region to search for the inferred entities in. + description: When inferred_entity_type is set, this is the region + to search for the inferred entities. Required if inferred_entity_type + is set. This only applies when auth_type is set to iam. The + region to search for the inferred entities in. 
type: string inferredEntityType: - description: The type of inferencing Vault should do. + description: If set, instructs Vault to turn on inferencing. The + only valid value is ec2_instance, which instructs Vault to infer + that the role comes from an EC2 instance in an IAM instance + profile. This only applies when auth_type is set to iam. The + type of inferencing Vault should do. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string resolveAwsUniqueIds: - description: Whether or not Vault should resolve the bound_iam_principal_arn - to an AWS Unique ID. When true, deleting a principal and recreating - it with the same name won't automatically grant the new principal - the same roles in Vault that the old principal had. + description: Only valid when auth_type is iam. If set to true, + the bound_iam_principal_arns are resolved to AWS Unique IDs + for the bound principal ARN. This field is ignored when a bound_iam_principal_arn + ends in a wildcard. Resolving to unique IDs more closely mimics + the behavior of AWS services in that if an IAM user or role + is deleted and a new one is recreated with the same name, those + new users or roles won't get access to roles in Vault that were + permissioned to the prior principals of the same name. Defaults + to true. Once set to true, this cannot be changed to false without + recreating the role. Whether or not Vault should resolve the + bound_iam_principal_arn to an AWS Unique ID. When true, deleting + a principal and recreating it with the same name won't automatically + grant the new principal the same roles in Vault that the old + principal had. type: boolean role: - description: Name of the role. 
+ description: The name of the role. Name of the role. type: string roleId: - description: The Vault generated role ID. + description: The Vault generated role ID. The Vault generated + role ID. type: string roleTag: - description: The key of the tag on EC2 instance to use for role - tags. + description: If set, enable role tags for this role. The value + set for this field should be the key of the tag on the EC2 instance. + auth_type must be set to ec2 or inferred_entity_type must be + set to ec2_instance to use this constraint. The key of the tag + on EC2 instance to use for role tags. type: string tokenBoundCidrs: - description: Specifies the blocks of IP addresses which are allowed - to use the generated token + description: List of CIDR blocks; if set, specifies blocks of + IP addresses which can authenticate successfully, and ties the + resulting token to these blocks as well. Specifies the blocks + of IP addresses which are allowed to use the generated token items: type: string type: array tokenExplicitMaxTtl: - description: Generated Token's Explicit Maximum TTL in seconds + description: If set, will encode an explicit max TTL onto the + token in number of seconds. This is a hard cap even if token_ttl + and token_max_ttl would otherwise allow a renewal. Generated + Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime of the generated token + description: The maximum lifetime for generated tokens in number + of seconds. Its current value will be referenced at renewal + time. The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If true, the 'default' policy will not automatically - be added to generated tokens + description: If set, the default policy will not be set on generated + tokens; otherwise it will be added to the policies set in token_policies. 
+ If true, the 'default' policy will not automatically be added + to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a token may be used, - a value of zero means unlimited + description: The maximum number of times a generated token may + be used (within its lifetime); 0 means unlimited. The maximum + number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: Generated Token's Period + description: If set, indicates that the token generated using + this role should never expire. The token should be renewed within + the duration specified by this value. At each renewal, the token's + TTL will be set to the value of this field. Specified in seconds. + Generated Token's Period type: number tokenPolicies: - description: Generated Token's Policies + description: List of policies to encode onto generated tokens. + Depending on the auth method, this list may be supplemented + by user/group/other values. Generated Token's Policies items: type: string type: array tokenTtl: - description: The initial ttl of the token to generate in seconds + description: The incremental lifetime for generated tokens in + number of seconds. Its current value will be referenced at renewal + time. The initial ttl of the token to generate in seconds type: number tokenType: - description: The type of token to generate, service or batch + description: 'The type of token that should be generated. Can + be service, batch, or default to use the mount''s tuned default + (which unless changed will be service tokens). For token store + roles, there are two additional possibilities: default-service + and default-batch which specify the type to return unless the + client requests a different type at generation time. The type + of token to generate, service or batch' type: string type: object conditions: 
diff --git a/package/crds/aws.vault.upbound.io_authbackendroletagblacklists.yaml b/package/crds/aws.vault.upbound.io_authbackendroletagblacklists.yaml index 609ff502..b3771edb 100644 --- a/package/crds/aws.vault.upbound.io_authbackendroletagblacklists.yaml +++ b/package/crds/aws.vault.upbound.io_authbackendroletagblacklists.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: authbackendroletagblacklists.aws.vault.upbound.io spec: group: aws.vault.upbound.io @@ -36,7 +35,8 @@ spec: schema: openAPIV3Schema: description: AuthBackendRoletagBlacklist is the Schema for the AuthBackendRoletagBlacklists - API. + API. Configures the periodic tidying operation of the blacklisted role tag + entries. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -59,7 +59,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -70,35 +70,92 @@ spec: forProvider: properties: backend: - description: Unique name of the auth backend to configure. + description: The path the AWS auth backend being configured was + mounted at. Unique name of the auth backend to configure. type: string disablePeriodicTidy: - description: If true, disables the periodic tidying of the roletag - blacklist entries. + description: If set to true, disables the periodic tidying of + the roletag blacklist entries. Defaults to false. If true, disables + the periodic tidying of the roletag blacklist entries. type: boolean namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string safetyBuffer: description: The amount of extra time that must have passed beyond - the roletag expiration, before it's removed from backend storage. + the roletag expiration, before it is removed from the backend + storage. Defaults to 259,200 seconds, or 72 hours. The amount + of extra time that must have passed beyond the roletag expiration, + before it's removed from backend storage. type: number type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. 
This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + backend: + description: The path the AWS auth backend being configured was + mounted at. Unique name of the auth backend to configure. + type: string + disablePeriodicTidy: + description: If set to true, disables the periodic tidying of + the roletag blacklist entries. Defaults to false. If true, disables + the periodic tidying of the roletag blacklist entries. + type: boolean + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + safetyBuffer: + description: The amount of extra time that must have passed beyond + the roletag expiration, before it is removed from the backend + storage. Defaults to 259,200 seconds, or 72 hours. The amount + of extra time that must have passed beyond the roletag expiration, + before it's removed from backend storage. + type: number + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. 
- See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -272,7 +329,9 @@ spec: type: object x-kubernetes-validations: - message: backend is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) + || has(self.initProvider.backend)' status: description: AuthBackendRoletagBlacklistStatus defines the observed state of AuthBackendRoletagBlacklist. 
@@ -280,20 +339,29 @@ spec: atProvider: properties: backend: - description: Unique name of the auth backend to configure. + description: The path the AWS auth backend being configured was + mounted at. Unique name of the auth backend to configure. type: string disablePeriodicTidy: - description: If true, disables the periodic tidying of the roletag - blacklist entries. + description: If set to true, disables the periodic tidying of + the roletag blacklist entries. Defaults to false. If true, disables + the periodic tidying of the roletag blacklist entries. type: boolean id: type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string safetyBuffer: description: The amount of extra time that must have passed beyond - the roletag expiration, before it's removed from backend storage. + the roletag expiration, before it is removed from the backend + storage. Defaults to 259,200 seconds, or 72 hours. The amount + of extra time that must have passed beyond the roletag expiration, + before it's removed from backend storage. type: number type: object conditions: diff --git a/package/crds/aws.vault.upbound.io_authbackendroletags.yaml b/package/crds/aws.vault.upbound.io_authbackendroletags.yaml index d4ab82ab..9ea85500 100644 --- a/package/crds/aws.vault.upbound.io_authbackendroletags.yaml +++ b/package/crds/aws.vault.upbound.io_authbackendroletags.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: authbackendroletags.aws.vault.upbound.io spec: group: aws.vault.upbound.io 
@@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: AuthBackendRoleTag is the Schema for the AuthBackendRoleTags - API. + API. Reads role tags from a Vault AWS auth backend. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,51 +68,132 @@ spec: forProvider: properties: allowInstanceMigration: - description: Allows migration of the underlying instance where - the client resides. + description: If set, allows migration of the underlying instances + where the client resides. Use with caution. Allows migration + of the underlying instance where the client resides. type: boolean backend: - description: AWS auth backend to read tags from. + description: The path to the AWS auth backend to read role tags + from, with no leading or trailing /s. Defaults to "aws". AWS + auth backend to read tags from. type: string disallowReauthentication: - description: Only allow a single token to be granted per instance - ID. + description: If set, only allows a single token to be granted + per instance ID. Only allow a single token to be granted per + instance ID. type: boolean instanceId: - description: Instance ID for which this tag is intended. The created + description: Instance ID for which this tag is intended for. If + set, the created tag can only be used by the instance with the + given ID. Instance ID for which this tag is intended. The created tag can only be used by the instance with the given ID. type: string maxTtl: - description: The maximum allowed lifetime of tokens issued using - this role. + description: The maximum TTL of the tokens issued using this role. + The maximum allowed lifetime of tokens issued using this role. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string policies: - description: Policies to be associated with the tag. + description: The policies to be associated with the tag. Must + be a subset of the policies associated with the role. 
Policies + to be associated with the tag. items: type: string type: array role: - description: Name of the role. + description: The name of the AWS auth backend role to read role + tags from, with no leading or trailing /s. Name of the role. type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + allowInstanceMigration: + description: If set, allows migration of the underlying instances + where the client resides. Use with caution. Allows migration + of the underlying instance where the client resides. + type: boolean + backend: + description: The path to the AWS auth backend to read role tags + from, with no leading or trailing /s. Defaults to "aws". AWS + auth backend to read tags from. + type: string + disallowReauthentication: + description: If set, only allows a single token to be granted + per instance ID. Only allow a single token to be granted per + instance ID. + type: boolean + instanceId: + description: Instance ID for which this tag is intended for. If + set, the created tag can only be used by the instance with the + given ID. Instance ID for which this tag is intended. The created + tag can only be used by the instance with the given ID. 
+ type: string + maxTtl: + description: The maximum TTL of the tokens issued using this role. + The maximum allowed lifetime of tokens issued using this role. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + policies: + description: The policies to be associated with the tag. Must + be a subset of the policies associated with the role. Policies + to be associated with the tag. + items: + type: string + type: array + role: + description: The name of the AWS auth backend role to read role + tags from, with no leading or trailing /s. Name of the role. + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. 
Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -287,47 +367,64 @@ spec: type: object x-kubernetes-validations: - message: role is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.role) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.role) + || has(self.initProvider.role)' status: description: AuthBackendRoleTagStatus defines the observed state of AuthBackendRoleTag. properties: atProvider: properties: allowInstanceMigration: - description: Allows migration of the underlying instance where - the client resides. + description: If set, allows migration of the underlying instances + where the client resides. Use with caution. Allows migration + of the underlying instance where the client resides. type: boolean backend: - description: AWS auth backend to read tags from. + description: The path to the AWS auth backend to read role tags + from, with no leading or trailing /s. Defaults to "aws". AWS + auth backend to read tags from. type: string disallowReauthentication: - description: Only allow a single token to be granted per instance - ID. + description: If set, only allows a single token to be granted + per instance ID. Only allow a single token to be granted per + instance ID. type: boolean id: type: string instanceId: - description: Instance ID for which this tag is intended. The created + description: Instance ID for which this tag is intended for. If + set, the created tag can only be used by the instance with the + given ID. Instance ID for which this tag is intended. The created tag can only be used by the instance with the given ID. type: string maxTtl: - description: The maximum allowed lifetime of tokens issued using - this role. + description: The maximum TTL of the tokens issued using this role. + The maximum allowed lifetime of tokens issued using this role. type: string namespace: - description: Target namespace. 
(requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string policies: - description: Policies to be associated with the tag. + description: The policies to be associated with the tag. Must + be a subset of the policies associated with the role. Policies + to be associated with the tag. items: type: string type: array role: - description: Name of the role. + description: The name of the AWS auth backend role to read role + tags from, with no leading or trailing /s. Name of the role. type: string tagKey: + description: The key of the role tag. type: string tagValue: + description: The value to set the role key. type: string type: object conditions: diff --git a/package/crds/aws.vault.upbound.io_authbackendstsroles.yaml b/package/crds/aws.vault.upbound.io_authbackendstsroles.yaml index 137c2ff3..ddd9d92e 100644 --- a/package/crds/aws.vault.upbound.io_authbackendstsroles.yaml +++ b/package/crds/aws.vault.upbound.io_authbackendstsroles.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: authbackendstsroles.aws.vault.upbound.io spec: group: aws.vault.upbound.io @@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: AuthBackendStsRole is the Schema for the AuthBackendStsRoles - API. + API. Configures an STS role in the Vault AWS Auth backend. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,34 +68,90 @@ spec: forProvider: properties: accountId: - description: AWS account ID to be associated with STS role. + description: The AWS account ID to configure the STS role for. + AWS account ID to be associated with STS role. type: string backend: - description: Unique name of the auth backend to configure. + description: The path the AWS auth backend being configured was + mounted at. Defaults to aws. Unique name of the auth backend + to configure. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string stsRole: - description: AWS ARN for STS role to be assumed when interacting - with the account specified. + description: The STS role to assume when verifying requests made + by EC2 instances in the account specified by account_id. AWS + ARN for STS role to be assumed when interacting with the account + specified. type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. 
+ properties: + accountId: + description: The AWS account ID to configure the STS role for. + AWS account ID to be associated with STS role. + type: string + backend: + description: The path the AWS auth backend being configured was + mounted at. Defaults to aws. Unique name of the auth backend + to configure. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + stsRole: + description: The STS role to assume when verifying requests made + by EC2 instances in the account specified by account_id. AWS + ARN for STS role to be assumed when interacting with the account + specified. + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. 
Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -270,28 +325,41 @@ spec: type: object x-kubernetes-validations: - message: accountId is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.accountId) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.accountId) + || has(self.initProvider.accountId)' - message: stsRole is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.stsRole) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.stsRole) + || has(self.initProvider.stsRole)' status: description: AuthBackendStsRoleStatus defines the observed state of AuthBackendStsRole. properties: atProvider: properties: accountId: - description: AWS account ID to be associated with STS role. + description: The AWS account ID to configure the STS role for. + AWS account ID to be associated with STS role. type: string backend: - description: Unique name of the auth backend to configure. + description: The path the AWS auth backend being configured was + mounted at. Defaults to aws. Unique name of the auth backend + to configure. type: string id: type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string stsRole: - description: AWS ARN for STS role to be assumed when interacting - with the account specified. + description: The STS role to assume when verifying requests made + by EC2 instances in the account specified by account_id. AWS + ARN for STS role to be assumed when interacting with the account + specified. 
type: string type: object conditions: diff --git a/package/crds/aws.vault.upbound.io_secretbackendroles.yaml b/package/crds/aws.vault.upbound.io_secretbackendroles.yaml index b84a75b0..757bcde2 100644 --- a/package/crds/aws.vault.upbound.io_secretbackendroles.yaml +++ b/package/crds/aws.vault.upbound.io_secretbackendroles.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackendroles.aws.vault.upbound.io spec: group: aws.vault.upbound.io @@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: SecretBackendRole is the Schema for the SecretBackendRoles API. - + Creates a role on an AWS Secret Backend for Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,18 +68,25 @@ spec: forProvider: properties: backend: - description: The path of the AWS Secret Backend the role belongs - to. + description: The path the AWS secret backend is mounted at, with + no leading or trailing /s. The path of the AWS Secret Backend + the role belongs to. type: string credentialType: - description: Role credential type. + description: Specifies the type of credential to be used when + retrieving credentials from the role. Must be one of iam_user, + assumed_role, or federation_token. Role credential type. type: string defaultStsTtl: description: The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role - or federation_token. + or federation_token. The default TTL in seconds for STS credentials. + When a TTL is not specified when STS credentials are requested, + and a default TTL is specified on the role, then this default + TTL will be used. Valid only when credential_type is one of + assumed_role or federation_token. type: number iamGroups: description: A list of IAM group names. IAM users generated against @@ -88,7 +94,13 @@ spec: type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined - with the policy_document and policy_arns parameters. + with the policy_document and policy_arns parameters. A list + of IAM group names. IAM users generated against this vault role + will be added to these IAM Groups. For a credential type of + assumed_role or federation_token, the policies sent to the corresponding + AWS call (sts:AssumeRole or sts:GetFederation) will be the policies + from each group in iam_groups combined with the policy_document + and policy_arns parameters. items: type: string type: array 
@@ -96,53 +108,204 @@ spec: description: The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token. + The max allowed TTL in seconds for STS credentials (credentials + TTL are capped to max_sts_ttl). Valid only when credential_type + is one of assumed_role or federation_token. type: number name: - description: Unique name for the role. + description: The name to identify this role within the backend. + Must be unique within the backend. Unique name for the role. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string permissionsBoundaryArn: description: The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary - policy will be attached. + policy will be attached. The ARN of the AWS Permissions Boundary + to attach to IAM users created in the role. Valid only when + credential_type is iam_user. If not specified, then no permissions + boundary policy will be attached. type: string policyArns: - description: ARN for an existing IAM policy the role should use. + description: Specifies a list of AWS managed policy ARNs. The + behavior depends on the credential type. With iam_user, the + policies will be attached to IAM users when they are requested. + With assumed_role and federation_token, the policy ARNs will + act as a filter on what the credentials can do, similar to policy_document. + When credential_type is iam_user or federation_token, at least + one of policy_document or policy_arns must be specified. 
ARN + for an existing IAM policy the role should use. items: type: string type: array policyDocument: - description: IAM policy the role should use in JSON format. + description: The IAM policy document for the role. The behavior + depends on the credential type. With iam_user, the policy document + will be attached to the IAM user generated and augment the permissions + the IAM user has. With assumed_role and federation_token, the + policy document will act as a filter on what the credentials + can do, similar to policy_arns. IAM policy the role should use + in JSON format. type: string roleArns: - description: ARNs of AWS roles allowed to be assumed. Only valid - when credential_type is 'assumed_role' + description: Specifies the ARNs of the AWS roles this Vault role + is allowed to assume. Required when credential_type is assumed_role + and prohibited otherwise. ARNs of AWS roles allowed to be assumed. + Only valid when credential_type is 'assumed_role' items: type: string type: array userPath: description: The path for the user name. Valid only when credential_type - is iam_user. Default is / + is iam_user. Default is /. The path for the user name. Valid + only when credential_type is iam_user. Default is / type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. 
This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + backend: + description: The path the AWS secret backend is mounted at, with + no leading or trailing /s. The path of the AWS Secret Backend + the role belongs to. + type: string + credentialType: + description: Specifies the type of credential to be used when + retrieving credentials from the role. Must be one of iam_user, + assumed_role, or federation_token. Role credential type. + type: string + defaultStsTtl: + description: The default TTL in seconds for STS credentials. When + a TTL is not specified when STS credentials are requested, and + a default TTL is specified on the role, then this default TTL + will be used. Valid only when credential_type is one of assumed_role + or federation_token. The default TTL in seconds for STS credentials. + When a TTL is not specified when STS credentials are requested, + and a default TTL is specified on the role, then this default + TTL will be used. Valid only when credential_type is one of + assumed_role or federation_token. + type: number + iamGroups: + description: A list of IAM group names. IAM users generated against + this vault role will be added to these IAM Groups. For a credential + type of assumed_role or federation_token, the policies sent + to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) + will be the policies from each group in iam_groups combined + with the policy_document and policy_arns parameters. A list + of IAM group names. IAM users generated against this vault role + will be added to these IAM Groups. For a credential type of + assumed_role or federation_token, the policies sent to the corresponding + AWS call (sts:AssumeRole or sts:GetFederation) will be the policies + from each group in iam_groups combined with the policy_document + and policy_arns parameters. 
+ items: + type: string + type: array + maxStsTtl: + description: The max allowed TTL in seconds for STS credentials + (credentials TTL are capped to max_sts_ttl). Valid only when + credential_type is one of assumed_role or federation_token. + The max allowed TTL in seconds for STS credentials (credentials + TTL are capped to max_sts_ttl). Valid only when credential_type + is one of assumed_role or federation_token. + type: number + name: + description: The name to identify this role within the backend. + Must be unique within the backend. Unique name for the role. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + permissionsBoundaryArn: + description: The ARN of the AWS Permissions Boundary to attach + to IAM users created in the role. Valid only when credential_type + is iam_user. If not specified, then no permissions boundary + policy will be attached. The ARN of the AWS Permissions Boundary + to attach to IAM users created in the role. Valid only when + credential_type is iam_user. If not specified, then no permissions + boundary policy will be attached. + type: string + policyArns: + description: Specifies a list of AWS managed policy ARNs. The + behavior depends on the credential type. With iam_user, the + policies will be attached to IAM users when they are requested. + With assumed_role and federation_token, the policy ARNs will + act as a filter on what the credentials can do, similar to policy_document. + When credential_type is iam_user or federation_token, at least + one of policy_document or policy_arns must be specified. ARN + for an existing IAM policy the role should use. 
+ items: + type: string + type: array + policyDocument: + description: The IAM policy document for the role. The behavior + depends on the credential type. With iam_user, the policy document + will be attached to the IAM user generated and augment the permissions + the IAM user has. With assumed_role and federation_token, the + policy document will act as a filter on what the credentials + can do, similar to policy_arns. IAM policy the role should use + in JSON format. + type: string + roleArns: + description: Specifies the ARNs of the AWS roles this Vault role + is allowed to assume. Required when credential_type is assumed_role + and prohibited otherwise. ARNs of AWS roles allowed to be assumed. + Only valid when credential_type is 'assumed_role' + items: + type: string + type: array + userPath: + description: The path for the user name. Valid only when credential_type + is iam_user. Default is /. The path for the user name. Valid + only when credential_type is iam_user. Default is / + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. 
ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -316,29 +479,42 @@ spec: type: object x-kubernetes-validations: - message: backend is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) + || has(self.initProvider.backend)' - message: credentialType is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.credentialType) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.credentialType) + || has(self.initProvider.credentialType)' - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' status: description: SecretBackendRoleStatus defines the observed state of SecretBackendRole. properties: atProvider: properties: backend: - description: The path of the AWS Secret Backend the role belongs - to. + description: The path the AWS secret backend is mounted at, with + no leading or trailing /s. The path of the AWS Secret Backend + the role belongs to. type: string credentialType: - description: Role credential type. + description: Specifies the type of credential to be used when + retrieving credentials from the role. Must be one of iam_user, + assumed_role, or federation_token. Role credential type. type: string defaultStsTtl: description: The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role - or federation_token. 
+ or federation_token. The default TTL in seconds for STS credentials. + When a TTL is not specified when STS credentials are requested, + and a default TTL is specified on the role, then this default + TTL will be used. Valid only when credential_type is one of + assumed_role or federation_token. type: number iamGroups: description: A list of IAM group names. IAM users generated against @@ -346,7 +522,13 @@ spec: type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined - with the policy_document and policy_arns parameters. + with the policy_document and policy_arns parameters. A list + of IAM group names. IAM users generated against this vault role + will be added to these IAM Groups. For a credential type of + assumed_role or federation_token, the policies sent to the corresponding + AWS call (sts:AssumeRole or sts:GetFederation) will be the policies + from each group in iam_groups combined with the policy_document + and policy_arns parameters. items: type: string type: array 
@@ -356,36 +538,63 @@ spec: description: The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token. + The max allowed TTL in seconds for STS credentials (credentials + TTL are capped to max_sts_ttl). Valid only when credential_type + is one of assumed_role or federation_token. type: number name: - description: Unique name for the role. + description: The name to identify this role within the backend. + Must be unique within the backend. Unique name for the role. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string permissionsBoundaryArn: description: The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary - policy will be attached. + policy will be attached. The ARN of the AWS Permissions Boundary + to attach to IAM users created in the role. Valid only when + credential_type is iam_user. If not specified, then no permissions + boundary policy will be attached. type: string policyArns: - description: ARN for an existing IAM policy the role should use. + description: Specifies a list of AWS managed policy ARNs. The + behavior depends on the credential type. With iam_user, the + policies will be attached to IAM users when they are requested. + With assumed_role and federation_token, the policy ARNs will + act as a filter on what the credentials can do, similar to policy_document. + When credential_type is iam_user or federation_token, at least + one of policy_document or policy_arns must be specified. 
ARN + for an existing IAM policy the role should use. items: type: string type: array policyDocument: - description: IAM policy the role should use in JSON format. + description: The IAM policy document for the role. The behavior + depends on the credential type. With iam_user, the policy document + will be attached to the IAM user generated and augment the permissions + the IAM user has. With assumed_role and federation_token, the + policy document will act as a filter on what the credentials + can do, similar to policy_arns. IAM policy the role should use + in JSON format. type: string roleArns: - description: ARNs of AWS roles allowed to be assumed. Only valid - when credential_type is 'assumed_role' + description: Specifies the ARNs of the AWS roles this Vault role + is allowed to assume. Required when credential_type is assumed_role + and prohibited otherwise. ARNs of AWS roles allowed to be assumed. + Only valid when credential_type is 'assumed_role' items: type: string type: array userPath: description: The path for the user name. Valid only when credential_type - is iam_user. Default is / + is iam_user. Default is /. The path for the user name. Valid + only when credential_type is iam_user. Default is / type: string type: object conditions: diff --git a/package/crds/aws.vault.upbound.io_secretbackends.yaml b/package/crds/aws.vault.upbound.io_secretbackends.yaml index 1320b862..70285d2a 100644 --- a/package/crds/aws.vault.upbound.io_secretbackends.yaml +++ b/package/crds/aws.vault.upbound.io_secretbackends.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackends.aws.vault.upbound.io spec: group: aws.vault.upbound.io 
@@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: SecretBackend is the Schema for the SecretBackends API. + description: SecretBackend is the Schema for the SecretBackends API. Creates + an AWS secret backend for Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' @@ -68,8 +68,11 @@ spec: forProvider: properties: accessKeySecretRef: - description: The AWS Access Key ID to use when generating new - credentials. + description: The AWS Access Key ID this backend should use to + issue new credentials. Vault uses the official AWS SDK to authenticate, + and thus can also use standard AWS environment credentials, + shared file credentials or IAM role/ECS task credentials. The + AWS Access Key ID to use when generating new credentials. properties: key: description: The key to select. 
@@ -86,33 +89,49 @@ spec: - namespace type: object defaultLeaseTtlSeconds: - description: Default lease duration for secrets in seconds + description: The default TTL for credentials issued by this backend. + Default lease duration for secrets in seconds type: number description: - description: Human-friendly description of the mount for the backend. + description: A human-friendly description for this backend. Human-friendly + description of the mount for the backend. type: string disableRemount: description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. type: boolean iamEndpoint: - description: Specifies a custom HTTP IAM endpoint to use. + description: Specifies a custom HTTP IAM endpoint to use. Specifies + a custom HTTP IAM endpoint to use. type: string maxLeaseTtlSeconds: - description: Maximum possible lease duration for secrets in seconds + description: The maximum TTL that can be requested for credentials + issued by this backend. Maximum possible lease duration for + secrets in seconds type: number namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: - description: Path to mount the backend at. + description: The unique path this backend should be mounted at. + Must not begin or end with a /. Defaults to aws. Path to mount + the backend at. type: string region: - description: The AWS region to make API calls against. Defaults - to us-east-1. + description: The AWS region for API calls. Defaults to us-east-1. + The AWS region to make API calls against. Defaults to us-east-1. 
type: string secretKeySecretRef: - description: The AWS Secret Access Key to use when generating - new credentials. + description: The AWS Secret Key this backend should use to issue + new credentials. Vault uses the official AWS SDK to authenticate, + and thus can also use standard AWS environment credentials, + shared file credentials or IAM role/ECS task credentials. The + AWS Secret Access Key to use when generating new credentials. properties: key: description: The key to select. 
@@ -129,27 +148,106 @@ spec: - namespace type: object stsEndpoint: - description: Specifies a custom HTTP STS endpoint to use. + description: Specifies a custom HTTP STS endpoint to use. Specifies + a custom HTTP STS endpoint to use. type: string usernameTemplate: - description: Template describing how dynamic usernames are generated. + description: 'Template describing how dynamic usernames are generated. + The username template is used to generate both IAM usernames + (capped at 64 characters) and STS usernames (capped at 32 characters). + If no template is provided the field defaults to the template: + Template describing how dynamic usernames are generated.' type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + defaultLeaseTtlSeconds: + description: The default TTL for credentials issued by this backend. + Default lease duration for secrets in seconds + type: number + description: + description: A human-friendly description for this backend. Human-friendly + description of the mount for the backend. + type: string + disableRemount: + description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. 
+ type: boolean + iamEndpoint: + description: Specifies a custom HTTP IAM endpoint to use. Specifies + a custom HTTP IAM endpoint to use. + type: string + maxLeaseTtlSeconds: + description: The maximum TTL that can be requested for credentials + issued by this backend. Maximum possible lease duration for + secrets in seconds + type: number + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + path: + description: The unique path this backend should be mounted at. + Must not begin or end with a /. Defaults to aws. Path to mount + the backend at. + type: string + region: + description: The AWS region for API calls. Defaults to us-east-1. + The AWS region to make API calls against. Defaults to us-east-1. + type: string + stsEndpoint: + description: Specifies a custom HTTP STS endpoint to use. Specifies + a custom HTTP STS endpoint to use. + type: string + usernameTemplate: + description: 'Template describing how dynamic usernames are generated. + The username template is used to generate both IAM usernames + (capped at 64 characters) and STS usernames (capped at 32 characters). + If no template is provided the field defaults to the template: + Template describing how dynamic usernames are generated.' + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. 
Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -327,37 +425,55 @@ spec: atProvider: properties: defaultLeaseTtlSeconds: - description: Default lease duration for secrets in seconds + description: The default TTL for credentials issued by this backend. + Default lease duration for secrets in seconds type: number description: - description: Human-friendly description of the mount for the backend. + description: A human-friendly description for this backend. Human-friendly + description of the mount for the backend. type: string disableRemount: description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. type: boolean iamEndpoint: - description: Specifies a custom HTTP IAM endpoint to use. + description: Specifies a custom HTTP IAM endpoint to use. Specifies + a custom HTTP IAM endpoint to use. type: string id: type: string maxLeaseTtlSeconds: - description: Maximum possible lease duration for secrets in seconds + description: The maximum TTL that can be requested for credentials + issued by this backend. Maximum possible lease duration for + secrets in seconds type: number namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: - description: Path to mount the backend at. + description: The unique path this backend should be mounted at. + Must not begin or end with a /. Defaults to aws. Path to mount + the backend at. type: string region: - description: The AWS region to make API calls against. Defaults - to us-east-1. + description: The AWS region for API calls. Defaults to us-east-1. + The AWS region to make API calls against. Defaults to us-east-1. 
type: string stsEndpoint: - description: Specifies a custom HTTP STS endpoint to use. + description: Specifies a custom HTTP STS endpoint to use. Specifies + a custom HTTP STS endpoint to use. type: string usernameTemplate: - description: Template describing how dynamic usernames are generated. + description: 'Template describing how dynamic usernames are generated. + The username template is used to generate both IAM usernames + (capped at 64 characters) and STS usernames (capped at 32 characters). + If no template is provided the field defaults to the template: + Template describing how dynamic usernames are generated.' type: string type: object conditions: diff --git a/package/crds/azure.vault.upbound.io_authbackendconfigs.yaml b/package/crds/azure.vault.upbound.io_authbackendconfigs.yaml index 0be86dca..1d62b464 100644 --- a/package/crds/azure.vault.upbound.io_authbackendconfigs.yaml +++ b/package/crds/azure.vault.upbound.io_authbackendconfigs.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: authbackendconfigs.azure.vault.upbound.io spec: group: azure.vault.upbound.io @@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: AuthBackendConfig is the Schema for the AuthBackendConfigs API. - + Configures the Azure Auth Backend in Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' @@ -69,10 +68,14 @@ spec: forProvider: properties: backend: - description: Unique name of the auth backend to configure. + description: The path the Azure auth backend being configured + was mounted at. Defaults to azure. Unique name of the auth + backend to configure. type: string clientIdSecretRef: description: The client id for credentials to query the Azure + APIs. Currently read permissions to query compute resources + are required. The client id for credentials to query the Azure APIs. Currently read permissions to query compute resources are required. properties: @@ -92,7 +95,7 @@ spec: type: object clientSecretSecretRef: description: The client secret for credentials to query the Azure - APIs + APIs. The client secret for credentials to query the Azure APIs properties: key: description: The key to select. 
@@ -110,17 +113,25 @@ spec: type: object environment: description: 'The Azure cloud environment. Valid values: AzurePublicCloud, - AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.' + AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. Defaults + to AzurePublicCloud. The Azure cloud environment. Valid values: + AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.' type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string resource: description: The configured URL for the application registered - in Azure Active Directory. + in Azure Active Directory. The configured URL for the application + registered in Azure Active Directory. type: string tenantIdSecretRef: description: The tenant id for the Azure Active Directory organization. + The tenant id for the Azure Active Directory organization. properties: key: description: The key to select. 
@@ -137,21 +148,69 @@ spec: - namespace type: object type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + backend: + description: The path the Azure auth backend being configured + was mounted at. Defaults to azure. Unique name of the auth + backend to configure. + type: string + environment: + description: 'The Azure cloud environment. Valid values: AzurePublicCloud, + AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. Defaults + to AzurePublicCloud. The Azure cloud environment. Valid values: + AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.' + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + resource: + description: The configured URL for the application registered + in Azure Active Directory. The configured URL for the application + registered in Azure Active Directory. + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. 
It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -325,29 +384,41 @@ spec: type: object x-kubernetes-validations: - message: resource is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.resource) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.resource) + || has(self.initProvider.resource)' - message: tenantIdSecretRef is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.tenantIdSecretRef) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.tenantIdSecretRef)' status: description: AuthBackendConfigStatus defines the observed state of AuthBackendConfig. properties: atProvider: properties: backend: - description: Unique name of the auth backend to configure. + description: The path the Azure auth backend being configured + was mounted at. Defaults to azure. Unique name of the auth + backend to configure. type: string environment: description: 'The Azure cloud environment. Valid values: AzurePublicCloud, - AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.' + AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. Defaults + to AzurePublicCloud. The Azure cloud environment. Valid values: + AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.' type: string id: type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string resource: description: The configured URL for the application registered - in Azure Active Directory. + in Azure Active Directory. 
The configured URL for the application + registered in Azure Active Directory. type: string type: object conditions: diff --git a/package/crds/azure.vault.upbound.io_authbackendroles.yaml b/package/crds/azure.vault.upbound.io_authbackendroles.yaml index 4fb697f6..a88bfd41 100644 --- a/package/crds/azure.vault.upbound.io_authbackendroles.yaml +++ b/package/crds/azure.vault.upbound.io_authbackendroles.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: authbackendroles.azure.vault.upbound.io spec: group: azure.vault.upbound.io @@ -35,8 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: AuthBackendRole is the Schema for the AuthBackendRoles API. + description: AuthBackendRole is the Schema for the AuthBackendRoles API. Manages + Azure auth backend roles in Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -72,95 +71,283 @@ spec: description: Unique name of the auth backend to configure. type: string boundGroupIds: - description: The list of group ids that login is restricted to. + description: If set, defines a constraint on the groups that can + perform the login operation that they should be using the group + ID specified by this field. The list of group ids that login + is restricted to. items: type: string type: array boundLocations: - description: The list of locations that login is restricted to. + description: If set, defines a constraint on the virtual machines + that can perform the login operation that the location in their + identity document must match the one specified by this field. + The list of locations that login is restricted to. items: type: string type: array boundResourceGroups: - description: The list of resource groups that login is restricted + description: If set, defines a constraint on the virtual machines + that can perform the login operation that they be associated + with the resource group that matches the value specified by + this field. The list of resource groups that login is restricted to. items: type: string type: array boundScaleSets: - description: The list of scale set names that the login is restricted - to. + description: If set, defines a constraint on the virtual machines + that can perform the login operation that they must match the + scale set specified by this field. The list of scale set names + that the login is restricted to. items: type: string type: array boundServicePrincipalIds: - description: The list of Service Principal IDs that login is restricted - to. + description: If set, defines a constraint on the service principals + that can perform the login operation that they should be possess + the ids specified by this field. The list of Service Principal + IDs that login is restricted to. 
items: type: string type: array boundSubscriptionIds: - description: The list of subscription IDs that login is restricted + description: If set, defines a constraint on the subscriptions + that can perform the login operation to ones which matches + the value specified by this field. The list of subscription + IDs that login is restricted to. + items: + type: string + type: array + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + role: + description: The name of the role. Name of the role. + type: string + tokenBoundCidrs: + description: List of CIDR blocks; if set, specifies blocks of + IP addresses which can authenticate successfully, and ties the + resulting token to these blocks as well. Specifies the blocks + of IP addresses which are allowed to use the generated token + items: + type: string + type: array + tokenExplicitMaxTtl: + description: If set, will encode an explicit max TTL onto the + token in number of seconds. This is a hard cap even if token_ttl + and token_max_ttl would otherwise allow a renewal. Generated + Token's Explicit Maximum TTL in seconds + type: number + tokenMaxTtl: + description: The maximum lifetime for generated tokens in number + of seconds. Its current value will be referenced at renewal + time. The maximum lifetime of the generated token + type: number + tokenNoDefaultPolicy: + description: If set, the default policy will not be set on generated + tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added + to generated tokens + type: boolean + tokenNumUses: + description: The maximum number of times a generated token may + be used (within its lifetime); 0 means unlimited. 
The maximum + number of times a token may be used, a value of zero means unlimited + type: number + tokenPeriod: + description: If set, indicates that the token generated using + this role should never expire. The token should be renewed within + the duration specified by this value. At each renewal, the token's + TTL will be set to the value of this field. Specified in seconds. + Generated Token's Period + type: number + tokenPolicies: + description: List of policies to encode onto generated tokens. + Depending on the auth method, this list may be supplemented + by user/group/other values. Generated Token's Policies + items: + type: string + type: array + tokenTtl: + description: The incremental lifetime for generated tokens in + number of seconds. Its current value will be referenced at renewal + time. The initial ttl of the token to generate in seconds + type: number + tokenType: + description: 'The type of token that should be generated. Can + be service, batch, or default to use the mount''s tuned default + (which unless changed will be service tokens). For token store + roles, there are two additional possibilities: default-service + and default-batch which specify the type to return unless the + client requests a different type at generation time. The type + of token to generate, service or batch' + type: string + type: object + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. 
This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + backend: + description: Unique name of the auth backend to configure. + type: string + boundGroupIds: + description: If set, defines a constraint on the groups that can + perform the login operation that they should be using the group + ID specified by this field. The list of group ids that login + is restricted to. + items: + type: string + type: array + boundLocations: + description: If set, defines a constraint on the virtual machines + that can perform the login operation that the location in their + identity document must match the one specified by this field. + The list of locations that login is restricted to. + items: + type: string + type: array + boundResourceGroups: + description: If set, defines a constraint on the virtual machines + that can perform the login operation that they be associated + with the resource group that matches the value specified by + this field. The list of resource groups that login is restricted to. items: type: string type: array + boundScaleSets: + description: If set, defines a constraint on the virtual machines + that can perform the login operation that they must match the + scale set specified by this field. The list of scale set names + that the login is restricted to. + items: + type: string + type: array + boundServicePrincipalIds: + description: If set, defines a constraint on the service principals + that can perform the login operation that they should be possess + the ids specified by this field. The list of Service Principal + IDs that login is restricted to. + items: + type: string + type: array + boundSubscriptionIds: + description: If set, defines a constraint on the subscriptions + that can perform the login operation to ones which matches + the value specified by this field. 
The list of subscription + IDs that login is restricted to. + items: + type: string + type: array namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string role: - description: Name of the role. + description: The name of the role. Name of the role. type: string tokenBoundCidrs: - description: Specifies the blocks of IP addresses which are allowed - to use the generated token + description: List of CIDR blocks; if set, specifies blocks of + IP addresses which can authenticate successfully, and ties the + resulting token to these blocks as well. Specifies the blocks + of IP addresses which are allowed to use the generated token items: type: string type: array tokenExplicitMaxTtl: - description: Generated Token's Explicit Maximum TTL in seconds + description: If set, will encode an explicit max TTL onto the + token in number of seconds. This is a hard cap even if token_ttl + and token_max_ttl would otherwise allow a renewal. Generated + Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime of the generated token + description: The maximum lifetime for generated tokens in number + of seconds. Its current value will be referenced at renewal + time. The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If true, the 'default' policy will not automatically - be added to generated tokens + description: If set, the default policy will not be set on generated + tokens; otherwise it will be added to the policies set in token_policies. 
+ If true, the 'default' policy will not automatically be added + to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a token may be used, - a value of zero means unlimited + description: The maximum number of times a generated token may + be used (within its lifetime); 0 means unlimited. The maximum + number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: Generated Token's Period + description: If set, indicates that the token generated using + this role should never expire. The token should be renewed within + the duration specified by this value. At each renewal, the token's + TTL will be set to the value of this field. Specified in seconds. + Generated Token's Period type: number tokenPolicies: - description: Generated Token's Policies + description: List of policies to encode onto generated tokens. + Depending on the auth method, this list may be supplemented + by user/group/other values. Generated Token's Policies items: type: string type: array tokenTtl: - description: The initial ttl of the token to generate in seconds + description: The incremental lifetime for generated tokens in + number of seconds. Its current value will be referenced at renewal + time. The initial ttl of the token to generate in seconds type: number tokenType: - description: The type of token to generate, service or batch + description: 'The type of token that should be generated. Can + be service, batch, or default to use the mount''s tuned default + (which unless changed will be service tokens). For token store + roles, there are two additional possibilities: default-service + and default-batch which specify the type to return unless the + client requests a different type at generation time. The type + of token to generate, service or batch' type: string type: object - managementPolicy: - default: FullControl + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. 
Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -334,7 +521,9 @@ spec: type: object x-kubernetes-validations: - message: role is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.role) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.role) + || has(self.initProvider.role)' status: description: AuthBackendRoleStatus defines the observed state of AuthBackendRole. properties: 
@@ -344,80 +533,123 @@ spec: description: Unique name of the auth backend to configure. type: string boundGroupIds: - description: The list of group ids that login is restricted to. + description: If set, defines a constraint on the groups that can + perform the login operation that they should be using the group + ID specified by this field. The list of group ids that login + is restricted to. items: type: string type: array boundLocations: - description: The list of locations that login is restricted to. + description: If set, defines a constraint on the virtual machines + that can perform the login operation that the location in their + identity document must match the one specified by this field. + The list of locations that login is restricted to. items: type: string type: array boundResourceGroups: - description: The list of resource groups that login is restricted + description: If set, defines a constraint on the virtual machines + that can perform the login operation that they be associated + with the resource group that matches the value specified by + this field. The list of resource groups that login is restricted to. items: type: string type: array boundScaleSets: - description: The list of scale set names that the login is restricted - to. + description: If set, defines a constraint on the virtual machines + that can perform the login operation that they must match the + scale set specified by this field. The list of scale set names + that the login is restricted to. items: type: string type: array boundServicePrincipalIds: - description: The list of Service Principal IDs that login is restricted - to. + description: If set, defines a constraint on the service principals + that can perform the login operation that they should be possess + the ids specified by this field. The list of Service Principal + IDs that login is restricted to. 
items: type: string type: array boundSubscriptionIds: - description: The list of subscription IDs that login is restricted - to. + description: If set, defines a constraint on the subscriptions + that can perform the login operation to ones which matches + the value specified by this field. The list of subscription + IDs that login is restricted to. items: type: string type: array id: type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string role: - description: Name of the role. + description: The name of the role. Name of the role. type: string tokenBoundCidrs: - description: Specifies the blocks of IP addresses which are allowed - to use the generated token + description: List of CIDR blocks; if set, specifies blocks of + IP addresses which can authenticate successfully, and ties the + resulting token to these blocks as well. Specifies the blocks + of IP addresses which are allowed to use the generated token items: type: string type: array tokenExplicitMaxTtl: - description: Generated Token's Explicit Maximum TTL in seconds + description: If set, will encode an explicit max TTL onto the + token in number of seconds. This is a hard cap even if token_ttl + and token_max_ttl would otherwise allow a renewal. Generated + Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime of the generated token + description: The maximum lifetime for generated tokens in number + of seconds. Its current value will be referenced at renewal + time. 
The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If true, the 'default' policy will not automatically - be added to generated tokens + description: If set, the default policy will not be set on generated + tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added + to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a token may be used, - a value of zero means unlimited + description: The maximum number of times a generated token may + be used (within its lifetime); 0 means unlimited. The maximum + number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: Generated Token's Period + description: If set, indicates that the token generated using + this role should never expire. The token should be renewed within + the duration specified by this value. At each renewal, the token's + TTL will be set to the value of this field. Specified in seconds. + Generated Token's Period type: number tokenPolicies: - description: Generated Token's Policies + description: List of policies to encode onto generated tokens. + Depending on the auth method, this list may be supplemented + by user/group/other values. Generated Token's Policies items: type: string type: array tokenTtl: - description: The initial ttl of the token to generate in seconds + description: The incremental lifetime for generated tokens in + number of seconds. Its current value will be referenced at renewal + time. The initial ttl of the token to generate in seconds type: number tokenType: - description: The type of token to generate, service or batch + description: 'The type of token that should be generated. Can + be service, batch, or default to use the mount''s tuned default + (which unless changed will be service tokens). 
For token store + roles, there are two additional possibilities: default-service + and default-batch which specify the type to return unless the + client requests a different type at generation time. The type + of token to generate, service or batch' type: string type: object conditions: diff --git a/package/crds/azure.vault.upbound.io_secretbackendroles.yaml b/package/crds/azure.vault.upbound.io_secretbackendroles.yaml index 5ac2315f..dad05f8e 100644 --- a/package/crds/azure.vault.upbound.io_secretbackendroles.yaml +++ b/package/crds/azure.vault.upbound.io_secretbackendroles.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackendroles.azure.vault.upbound.io spec: group: azure.vault.upbound.io @@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: SecretBackendRole is the Schema for the SecretBackendRoles API. - + Creates an azure secret backend role for Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -71,17 +70,22 @@ spec: applicationObjectId: description: Application Object ID for an existing service principal that will be used instead of creating dynamic service principals. + If present, azure_roles will be ignored. Application Object + ID for an existing service principal that will be used instead + of creating dynamic service principals. type: string azureGroups: + description: List of Azure groups to be assigned to the generated + service principal. items: properties: groupName: type: string - required: - - groupName type: object type: array azureRoles: + description: List of Azure roles to be assigned to the generated + service principal. items: properties: roleId: 
@@ -90,44 +94,140 @@ spec: type: string scope: type: string - required: - - scope type: object type: array backend: - description: Unique name of the auth backend to configure. + description: Path to the mounted Azure auth backend Unique name + of the auth backend to configure. type: string description: description: Human-friendly description of the mount for the backend. type: string maxTtl: - description: Human-friendly description of the mount for the backend. + description: – Specifies the maximum TTL for service principals + generated using this role. Accepts time suffixed strings ("1h") + or an integer number of seconds. Defaults to the system/engine + max TTL time. Human-friendly description of the mount for the + backend. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string role: - description: Name of the role to create + description: Name of the Azure role Name of the role to create type: string ttl: + description: – Specifies the default TTL for service principals + generated using this role. Accepts time suffixed strings ("1h") + or an integer number of seconds. Defaults to the system/engine + default TTL time. Human-friendly description of the mount for + the backend. + type: string + type: object + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. 
The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + applicationObjectId: + description: Application Object ID for an existing service principal + that will be used instead of creating dynamic service principals. + If present, azure_roles will be ignored. Application Object + ID for an existing service principal that will be used instead + of creating dynamic service principals. + type: string + azureGroups: + description: List of Azure groups to be assigned to the generated + service principal. + items: + properties: + groupName: + type: string + type: object + type: array + azureRoles: + description: List of Azure roles to be assigned to the generated + service principal. + items: + properties: + roleId: + type: string + roleName: + type: string + scope: + type: string + type: object + type: array + backend: + description: Path to the mounted Azure auth backend Unique name + of the auth backend to configure. + type: string + description: description: Human-friendly description of the mount for the backend. type: string + maxTtl: + description: – Specifies the maximum TTL for service principals + generated using this role. Accepts time suffixed strings ("1h") + or an integer number of seconds. Defaults to the system/engine + max TTL time. Human-friendly description of the mount for the + backend. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. 
(requires + Enterprise) + type: string + role: + description: Name of the Azure role Name of the role to create + type: string + ttl: + description: – Specifies the default TTL for service principals + generated using this role. Accepts time suffixed strings ("1h") + or an integer number of seconds. Defaults to the system/engine + default TTL time. Human-friendly description of the mount for + the backend. + type: string type: object - managementPolicy: - default: FullControl + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. 
See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -301,7 +401,9 @@ spec: type: object x-kubernetes-validations: - message: role is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.role) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.role) + || has(self.initProvider.role)' status: description: SecretBackendRoleStatus defines the observed state of SecretBackendRole. properties: @@ -310,8 +412,13 @@ spec: applicationObjectId: description: Application Object ID for an existing service principal that will be used instead of creating dynamic service principals. + If present, azure_roles will be ignored. Application Object + ID for an existing service principal that will be used instead + of creating dynamic service principals. type: string azureGroups: + description: List of Azure groups to be assigned to the generated + service principal. items: properties: groupName: @@ -321,6 +428,8 @@ spec: type: object type: array azureRoles: + description: List of Azure roles to be assigned to the generated + service principal. items: properties: roleId: 
@@ -332,7 +441,8 @@ spec: type: object type: array backend: - description: Unique name of the auth backend to configure. + description: Path to the mounted Azure auth backend Unique name + of the auth backend to configure. type: string description: description: Human-friendly description of the mount for the backend. @@ -340,16 +450,28 @@ spec: id: type: string maxTtl: - description: Human-friendly description of the mount for the backend. + description: – Specifies the maximum TTL for service principals + generated using this role. Accepts time suffixed strings ("1h") + or an integer number of seconds. Defaults to the system/engine + max TTL time. Human-friendly description of the mount for the + backend. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string role: - description: Name of the role to create + description: Name of the Azure role Name of the role to create type: string ttl: - description: Human-friendly description of the mount for the backend. + description: – Specifies the default TTL for service principals + generated using this role. Accepts time suffixed strings ("1h") + or an integer number of seconds. Defaults to the system/engine + default TTL time. Human-friendly description of the mount for + the backend. type: string type: object conditions: diff --git a/package/crds/azure.vault.upbound.io_secretbackends.yaml b/package/crds/azure.vault.upbound.io_secretbackends.yaml index 102325ee..49fd0edb 100644 --- a/package/crds/azure.vault.upbound.io_secretbackends.yaml +++ b/package/crds/azure.vault.upbound.io_secretbackends.yaml 
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackends.azure.vault.upbound.io spec: group: azure.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: SecretBackend is the Schema for the SecretBackends API. + description: SecretBackend is the Schema for the SecretBackends API. Creates + an azure secret backend for Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' @@ -68,9 +68,9 @@ spec: forProvider: properties: clientIdSecretRef: - description: The client id for credentials to query the Azure - APIs. Currently read permissions to query compute resources - are required. + description: The OAuth2 client id to connect to Azure. The client + id for credentials to query the Azure APIs. Currently read permissions + to query compute resources are required. properties: key: description: The key to select. 
@@ -87,8 +87,8 @@ spec: - namespace type: object clientSecretSecretRef: - description: The client secret for credentials to query the Azure - APIs + description: The OAuth2 client secret to connect to Azure. The + client secret for credentials to query the Azure APIs properties: key: description: The key to select. @@ -109,19 +109,28 @@ spec: type: string disableRemount: description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. type: boolean environment: - description: 'The Azure cloud environment. Valid values: AzurePublicCloud, - AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.' + description: 'The Azure environment. The Azure cloud environment. + Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, + AzureGermanCloud.' type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: - description: Path to mount the backend at. + description: The unique path this backend should be mounted at. + Defaults to azure. Path to mount the backend at. type: string subscriptionIdSecretRef: description: The subscription id for the Azure Active Directory. + The subscription id for the Azure Active Directory. properties: key: description: The key to select. @@ -138,7 +147,8 @@ spec: - namespace type: object tenantIdSecretRef: - description: The tenant id for the Azure Active Directory organization. + description: The tenant id for the Azure Active Directory. The + tenant id for the Azure Active Directory organization. properties: key: description: The key to select. 
@@ -155,25 +165,84 @@ spec: - namespace type: object useMicrosoftGraphApi: - description: Use the Microsoft Graph API. Should be set to true - on vault-1.10+ + description: Indicates whether the secrets engine should use the + Microsoft Graph API. This parameter has been deprecated and + will be ignored in vault-1.12+. For more information, please + refer to the Vault docs Use the Microsoft Graph API. Should + be set to true on vault-1.10+ type: boolean type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + description: + description: Human-friendly description of the mount for the backend. + type: string + disableRemount: + description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. + type: boolean + environment: + description: 'The Azure environment. The Azure cloud environment. + Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, + AzureGermanCloud.' + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. 
+ Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + path: + description: The unique path this backend should be mounted at. + Defaults to azure. Path to mount the backend at. + type: string + useMicrosoftGraphApi: + description: Indicates whether the secrets engine should use the + Microsoft Graph API. This parameter has been deprecated and + will be ignored in vault-1.12+. For more information, please + refer to the Vault docs Use the Microsoft Graph API. Should + be set to true on vault-1.10+ + type: boolean + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. 
See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -347,9 +416,11 @@ spec: type: object x-kubernetes-validations: - message: subscriptionIdSecretRef is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.subscriptionIdSecretRef) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.subscriptionIdSecretRef)' - message: tenantIdSecretRef is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.tenantIdSecretRef) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.tenantIdSecretRef)' status: description: SecretBackendStatus defines the observed state of SecretBackend. properties: 
@@ -360,22 +431,33 @@ spec: type: string disableRemount: description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. type: boolean environment: - description: 'The Azure cloud environment. Valid values: AzurePublicCloud, - AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.' + description: 'The Azure environment. The Azure cloud environment. + Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, + AzureGermanCloud.' type: string id: type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: - description: Path to mount the backend at. + description: The unique path this backend should be mounted at. + Defaults to azure. Path to mount the backend at. type: string useMicrosoftGraphApi: - description: Use the Microsoft Graph API. Should be set to true - on vault-1.10+ + description: Indicates whether the secrets engine should use the + Microsoft Graph API. This parameter has been deprecated and + will be ignored in vault-1.12+. For more information, please + refer to the Vault docs Use the Microsoft Graph API. Should + be set to true on vault-1.10+ type: boolean type: object conditions: diff --git a/package/crds/cert.vault.upbound.io_authbackendroles.yaml b/package/crds/cert.vault.upbound.io_authbackendroles.yaml index c074e1a8..b46d047d 100644 --- a/package/crds/cert.vault.upbound.io_authbackendroles.yaml +++ b/package/crds/cert.vault.upbound.io_authbackendroles.yaml 
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: authbackendroles.cert.vault.upbound.io spec: group: cert.vault.upbound.io @@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -146,21 +145,123 @@ spec: description: The type of token to generate, service or batch type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + allowedCommonNames: + items: + type: string + type: array + allowedDnsSans: + items: + type: string + type: array + allowedEmailSans: + items: + type: string + type: array + allowedNames: + items: + type: string + type: array + allowedOrganizationUnits: + items: + type: string + type: array + allowedOrganizationalUnits: + items: + type: string + type: array + allowedUriSans: + items: + type: string + type: array + backend: + type: string + certificate: + type: string + displayName: + type: string + name: + type: string + namespace: + description: Target namespace. 
(requires Enterprise) + type: string + requiredExtensions: + items: + type: string + type: array + tokenBoundCidrs: + description: Specifies the blocks of IP addresses which are allowed + to use the generated token + items: + type: string + type: array + tokenExplicitMaxTtl: + description: Generated Token's Explicit Maximum TTL in seconds + type: number + tokenMaxTtl: + description: The maximum lifetime of the generated token + type: number + tokenNoDefaultPolicy: + description: If true, the 'default' policy will not automatically + be added to generated tokens + type: boolean + tokenNumUses: + description: The maximum number of times a token may be used, + a value of zero means unlimited + type: number + tokenPeriod: + description: Generated Token's Period + type: number + tokenPolicies: + description: Generated Token's Policies + items: + type: string + type: array + tokenTtl: + description: The initial ttl of the token to generate in seconds + type: number + tokenType: + description: The type of token to generate, service or batch + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. 
ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -334,9 +435,13 @@ spec: type: object x-kubernetes-validations: - message: certificate is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.certificate) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.certificate) + || has(self.initProvider.certificate)' - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' status: description: AuthBackendRoleStatus defines the observed state of AuthBackendRole. properties: diff --git a/package/crds/consul.vault.upbound.io_secretbackendroles.yaml b/package/crds/consul.vault.upbound.io_secretbackendroles.yaml index 7eeddbe4..c0495c66 100644 
--- a/package/crds/consul.vault.upbound.io_secretbackendroles.yaml +++ b/package/crds/consul.vault.upbound.io_secretbackendroles.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackendroles.consul.vault.upbound.io spec: group: consul.vault.upbound.io @@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: SecretBackendRole is the Schema for the SecretBackendRoles API. - + Manages a Consul secrets role for a Consul secrets engine in Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,83 +68,230 @@ spec: forProvider: properties: backend: - description: The path of the Consul Secret Backend the role belongs - to. + description: The unique name of an existing Consul secrets backend + mount. Must not begin or end with a /. One of path or backend + is required. The path of the Consul Secret Backend the role + belongs to. type: string consulNamespace: description: The Consul namespace that the token will be created - in. Applicable for Vault 1.10+ and Consul 1.7+ + in. Applicable for Vault 1.10+ and Consul 1.7+". The Consul + namespace that the token will be created in. Applicable for + Vault 1.10+ and Consul 1.7+ type: string consulPolicies: - description: List of Consul policies to associate with this role + description: SEE NOTE The list of Consul ACL policies to associate + with these roles. List of Consul policies to associate with + this role items: type: string type: array consulRoles: - description: Set of Consul roles to attach to the token. Applicable - for Vault 1.10+ with Consul 1.5+ + description: SEE NOTE Set of Consul roles to attach to the token. + Applicable for Vault 1.10+ with Consul 1.5+. Set of Consul roles + to attach to the token. Applicable for Vault 1.10+ with Consul + 1.5+ items: type: string type: array local: description: Indicates that the token should not be replicated - globally and instead be local to the current datacenter. + globally and instead be local to the current datacenter. Indicates + that the token should not be replicated globally and instead + be local to the current datacenter. type: boolean maxTtl: description: Maximum TTL for leases associated with this role, + in seconds. Maximum TTL for leases associated with this role, in seconds. type: number name: - description: The name of an existing role against which to create - this Consul credential + description: The name of the Consul secrets engine role to create. 
+ The name of an existing role against which to create this Consul + credential type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string nodeIdentities: - description: Set of Consul node identities to attach to the token. - Applicable for Vault 1.11+ with Consul 1.8+ + description: SEE NOTE Set of Consul node identities to attach + to the token. Applicable for Vault 1.11+ with Consul 1.8+. Set + of Consul node identities to attach to the token. Applicable + for Vault 1.11+ with Consul 1.8+ items: type: string type: array partition: - description: The Consul admin partition that the token will be - created in. Applicable for Vault 1.10+ and Consul 1.11+ + description: The admin partition that the token will be created + in. Applicable for Vault 1.10+ and Consul 1.11+". The Consul + admin partition that the token will be created in. Applicable + for Vault 1.10+ and Consul 1.11+ type: string policies: - description: List of Consul policies to associate with this role + description: 'The list of Consul ACL policies to associate with + these roles. NOTE: The new parameter consul_policies should + be used in favor of this. This parameter, policies, remains + supported for legacy users, but Vault has deprecated this field. + List of Consul policies to associate with this role' items: type: string type: array serviceIdentities: - description: Set of Consul service identities to attach to the - token. Applicable for Vault 1.11+ with Consul 1.5+ + description: SEE NOTE Set of Consul service identities to attach + to the token. Applicable for Vault 1.11+ with Consul 1.5+. Set + of Consul service identities to attach to the token. 
Applicable + for Vault 1.11+ with Consul 1.5+ items: type: string type: array tokenType: - description: Specifies the type of token to create when using - this role. Valid values are "client" or "management". + description: 'Specifies the type of token to create when using + this role. Valid values are "client" or "management". Deprecated: + Consul 1.11 and later removed the legacy ACL system which supported + this field. Specifies the type of token to create when using + this role. Valid values are "client" or "management".' type: string ttl: - description: Specifies the TTL for this role. + description: Specifies the TTL for this role. Specifies the TTL + for this role. type: number type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + backend: + description: The unique name of an existing Consul secrets backend + mount. Must not begin or end with a /. One of path or backend + is required. The path of the Consul Secret Backend the role + belongs to. + type: string + consulNamespace: + description: The Consul namespace that the token will be created + in. Applicable for Vault 1.10+ and Consul 1.7+". The Consul + namespace that the token will be created in. 
Applicable for + Vault 1.10+ and Consul 1.7+ + type: string + consulPolicies: + description: SEE NOTE The list of Consul ACL policies to associate + with these roles. List of Consul policies to associate with + this role + items: + type: string + type: array + consulRoles: + description: SEE NOTE Set of Consul roles to attach to the token. + Applicable for Vault 1.10+ with Consul 1.5+. Set of Consul roles + to attach to the token. Applicable for Vault 1.10+ with Consul + 1.5+ + items: + type: string + type: array + local: + description: Indicates that the token should not be replicated + globally and instead be local to the current datacenter. Indicates + that the token should not be replicated globally and instead + be local to the current datacenter. + type: boolean + maxTtl: + description: Maximum TTL for leases associated with this role, + in seconds. Maximum TTL for leases associated with this role, + in seconds. + type: number + name: + description: The name of the Consul secrets engine role to create. + The name of an existing role against which to create this Consul + credential + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + nodeIdentities: + description: SEE NOTE Set of Consul node identities to attach + to the token. Applicable for Vault 1.11+ with Consul 1.8+. Set + of Consul node identities to attach to the token. Applicable + for Vault 1.11+ with Consul 1.8+ + items: + type: string + type: array + partition: + description: The admin partition that the token will be created + in. Applicable for Vault 1.10+ and Consul 1.11+". The Consul + admin partition that the token will be created in. 
Applicable + for Vault 1.10+ and Consul 1.11+ + type: string + policies: + description: 'The list of Consul ACL policies to associate with + these roles. NOTE: The new parameter consul_policies should + be used in favor of this. This parameter, policies, remains + supported for legacy users, but Vault has deprecated this field. + List of Consul policies to associate with this role' + items: + type: string + type: array + serviceIdentities: + description: SEE NOTE Set of Consul service identities to attach + to the token. Applicable for Vault 1.11+ with Consul 1.5+. Set + of Consul service identities to attach to the token. Applicable + for Vault 1.11+ with Consul 1.5+ + items: + type: string + type: array + tokenType: + description: 'Specifies the type of token to create when using + this role. Valid values are "client" or "management". Deprecated: + Consul 1.11 and later removed the legacy ACL system which supported + this field. Specifies the type of token to create when using + this role. Valid values are "client" or "management".' + type: string + ttl: + description: Specifies the TTL for this role. Specifies the TTL + for this role. + type: number + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. 
- See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -319,28 +465,38 @@ spec: type: object x-kubernetes-validations: - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' status: description: SecretBackendRoleStatus defines the observed state of SecretBackendRole. properties: atProvider: properties: backend: - description: The path of the Consul Secret Backend the role belongs - to. + description: The unique name of an existing Consul secrets backend + mount. Must not begin or end with a /. One of path or backend + is required. The path of the Consul Secret Backend the role + belongs to. type: string consulNamespace: description: The Consul namespace that the token will be created - in. Applicable for Vault 1.10+ and Consul 1.7+ + in. Applicable for Vault 1.10+ and Consul 1.7+". The Consul + namespace that the token will be created in. Applicable for + Vault 1.10+ and Consul 1.7+ type: string consulPolicies: - description: List of Consul policies to associate with this role + description: SEE NOTE The list of Consul ACL policies to associate + with these roles. List of Consul policies to associate with + this role items: type: string type: array consulRoles: - description: Set of Consul roles to attach to the token. Applicable - for Vault 1.10+ with Consul 1.5+ + description: SEE NOTE Set of Consul roles to attach to the token. + Applicable for Vault 1.10+ with Consul 1.5+. Set of Consul roles + to attach to the token. Applicable for Vault 1.10+ with Consul + 1.5+ items: type: string type: array 
@@ -348,46 +504,68 @@ spec: type: string local: description: Indicates that the token should not be replicated - globally and instead be local to the current datacenter. + globally and instead be local to the current datacenter. Indicates + that the token should not be replicated globally and instead + be local to the current datacenter. type: boolean maxTtl: description: Maximum TTL for leases associated with this role, + in seconds. Maximum TTL for leases associated with this role, in seconds. type: number name: - description: The name of an existing role against which to create - this Consul credential + description: The name of the Consul secrets engine role to create. + The name of an existing role against which to create this Consul + credential type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string nodeIdentities: - description: Set of Consul node identities to attach to the token. - Applicable for Vault 1.11+ with Consul 1.8+ + description: SEE NOTE Set of Consul node identities to attach + to the token. Applicable for Vault 1.11+ with Consul 1.8+. Set + of Consul node identities to attach to the token. Applicable + for Vault 1.11+ with Consul 1.8+ items: type: string type: array partition: - description: The Consul admin partition that the token will be - created in. Applicable for Vault 1.10+ and Consul 1.11+ + description: The admin partition that the token will be created + in. Applicable for Vault 1.10+ and Consul 1.11+". The Consul + admin partition that the token will be created in. 
Applicable + for Vault 1.10+ and Consul 1.11+ type: string policies: - description: List of Consul policies to associate with this role + description: 'The list of Consul ACL policies to associate with + these roles. NOTE: The new parameter consul_policies should + be used in favor of this. This parameter, policies, remains + supported for legacy users, but Vault has deprecated this field. + List of Consul policies to associate with this role' items: type: string type: array serviceIdentities: - description: Set of Consul service identities to attach to the - token. Applicable for Vault 1.11+ with Consul 1.5+ + description: SEE NOTE Set of Consul service identities to attach + to the token. Applicable for Vault 1.11+ with Consul 1.5+. Set + of Consul service identities to attach to the token. Applicable + for Vault 1.11+ with Consul 1.5+ items: type: string type: array tokenType: - description: Specifies the type of token to create when using - this role. Valid values are "client" or "management". + description: 'Specifies the type of token to create when using + this role. Valid values are "client" or "management". Deprecated: + Consul 1.11 and later removed the legacy ACL system which supported + this field. Specifies the type of token to create when using + this role. Valid values are "client" or "management".' type: string ttl: - description: Specifies the TTL for this role. + description: Specifies the TTL for this role. Specifies the TTL + for this role. type: number type: object conditions: diff --git a/package/crds/consul.vault.upbound.io_secretbackends.yaml b/package/crds/consul.vault.upbound.io_secretbackends.yaml index 1a038849..7f547f53 100644 --- a/package/crds/consul.vault.upbound.io_secretbackends.yaml +++ b/package/crds/consul.vault.upbound.io_secretbackends.yaml 
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackends.consul.vault.upbound.io spec: group: consul.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: SecretBackend is the Schema for the SecretBackends API. + description: SecretBackend is the Schema for the SecretBackends API. Creates + a Consul secret backend for Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,18 +69,24 @@ spec: properties: address: description: Specifies the address of the Consul instance, provided - as "host:port" like "127.0.0.1:8500". + as "host:port" like "127.0.0.1:8500". Specifies the address + of the Consul instance, provided as "host:port" like "127.0.0.1:8500". type: string bootstrap: - description: Denotes a backend resource that is used to bootstrap - the Consul ACL system. Only one resource may be used to bootstrap. + description: Denotes that the resource is used to bootstrap the + Consul ACL system. Denotes a backend resource that is used to + bootstrap the Consul ACL system. Only one resource may be used + to bootstrap. type: boolean caCert: description: CA certificate to use when verifying Consul server - certificate, must be x509 PEM encoded. + certificate, must be x509 PEM encoded. CA certificate to use + when verifying Consul server certificate, must be x509 PEM encoded. type: string clientCertSecretRef: description: Client certificate used for Consul's TLS communication, + must be x509 PEM encoded and if this is set you need to also + set client_key. Client certificate used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_key. properties: @@ -101,7 +107,9 @@ spec: clientKeySecretRef: description: Client key used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set - client_cert. + client_cert. Client key used for Consul's TLS communication, + must be x509 PEM encoded and if this is set you need to also + set client_cert. properties: key: description: The key to select. 
@@ -118,32 +126,48 @@ spec: - namespace type: object defaultLeaseTtlSeconds: - description: Default lease duration for secrets in seconds + description: The default TTL for credentials issued by this backend. + Default lease duration for secrets in seconds type: number description: - description: Human-friendly description of the mount for the backend. + description: A human-friendly description for this backend. Human-friendly + description of the mount for the backend. type: string disableRemount: description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. type: boolean local: - description: Specifies if the secret backend is local only + description: Specifies if the secret backend is local only. Specifies + if the secret backend is local only type: boolean maxLeaseTtlSeconds: - description: Maximum possible lease duration for secrets in seconds + description: The maximum TTL that can be requested for credentials + issued by this backend. Maximum possible lease duration for + secrets in seconds type: number namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: - description: Unique name of the Vault Consul mount to configure + description: The unique location this backend should be mounted + at. Must not begin or end with a /. Defaults to consul. Unique + name of the Vault Consul mount to configure type: string scheme: - description: Specifies the URL scheme to use. Defaults to "http". + description: Specifies the URL scheme to use. Defaults to http. + Specifies the URL scheme to use. Defaults to "http". 
type: string tokenSecretRef: - description: Specifies the Consul token to use when managing or - issuing new tokens. + description: The Consul management token this backend should use + to issue new tokens. This field is required when bootstrap is + false. Specifies the Consul token to use when managing or issuing + new tokens. properties: key: description: The key to select. 
@@ -160,21 +184,100 @@ spec: - namespace type: object type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + address: + description: Specifies the address of the Consul instance, provided + as "host:port" like "127.0.0.1:8500". Specifies the address + of the Consul instance, provided as "host:port" like "127.0.0.1:8500". + type: string + bootstrap: + description: Denotes that the resource is used to bootstrap the + Consul ACL system. Denotes a backend resource that is used to + bootstrap the Consul ACL system. Only one resource may be used + to bootstrap. + type: boolean + caCert: + description: CA certificate to use when verifying Consul server + certificate, must be x509 PEM encoded. CA certificate to use + when verifying Consul server certificate, must be x509 PEM encoded. + type: string + defaultLeaseTtlSeconds: + description: The default TTL for credentials issued by this backend. + Default lease duration for secrets in seconds + type: number + description: + description: A human-friendly description for this backend. Human-friendly + description of the mount for the backend. + type: string + disableRemount: + description: If set, opts out of mount migration on path updates. 
+ See here for more info on Mount Migration If set, opts out of + mount migration on path updates. + type: boolean + local: + description: Specifies if the secret backend is local only. Specifies + if the secret backend is local only + type: boolean + maxLeaseTtlSeconds: + description: The maximum TTL that can be requested for credentials + issued by this backend. Maximum possible lease duration for + secrets in seconds + type: number + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + path: + description: The unique location this backend should be mounted + at. Must not begin or end with a /. Defaults to consul. Unique + name of the Vault Consul mount to configure + type: string + scheme: + description: Specifies the URL scheme to use. Defaults to http. + Specifies the URL scheme to use. Defaults to "http". + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. 
ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -348,7 +451,9 @@ spec: type: object x-kubernetes-validations: - message: address is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.address) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.address) + || has(self.initProvider.address)' status: description: SecretBackendStatus defines the observed state of SecretBackend. properties: 
@@ -356,41 +461,59 @@ spec: properties: address: description: Specifies the address of the Consul instance, provided - as "host:port" like "127.0.0.1:8500". + as "host:port" like "127.0.0.1:8500". Specifies the address + of the Consul instance, provided as "host:port" like "127.0.0.1:8500". type: string bootstrap: - description: Denotes a backend resource that is used to bootstrap - the Consul ACL system. Only one resource may be used to bootstrap. + description: Denotes that the resource is used to bootstrap the + Consul ACL system. Denotes a backend resource that is used to + bootstrap the Consul ACL system. Only one resource may be used + to bootstrap. type: boolean caCert: description: CA certificate to use when verifying Consul server - certificate, must be x509 PEM encoded. + certificate, must be x509 PEM encoded. CA certificate to use + when verifying Consul server certificate, must be x509 PEM encoded. type: string defaultLeaseTtlSeconds: - description: Default lease duration for secrets in seconds + description: The default TTL for credentials issued by this backend. + Default lease duration for secrets in seconds type: number description: - description: Human-friendly description of the mount for the backend. + description: A human-friendly description for this backend. Human-friendly + description of the mount for the backend. type: string disableRemount: description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. type: boolean id: type: string local: - description: Specifies if the secret backend is local only + description: Specifies if the secret backend is local only. Specifies + if the secret backend is local only type: boolean maxLeaseTtlSeconds: - description: Maximum possible lease duration for secrets in seconds + description: The maximum TTL that can be requested for credentials + issued by this backend. 
Maximum possible lease duration for + secrets in seconds type: number namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: - description: Unique name of the Vault Consul mount to configure + description: The unique location this backend should be mounted + at. Must not begin or end with a /. Defaults to consul. Unique + name of the Vault Consul mount to configure type: string scheme: - description: Specifies the URL scheme to use. Defaults to "http". + description: Specifies the URL scheme to use. Defaults to http. + Specifies the URL scheme to use. Defaults to "http". type: string type: object conditions: diff --git a/package/crds/database.vault.upbound.io_secretbackendconnections.yaml b/package/crds/database.vault.upbound.io_secretbackendconnections.yaml index ceefd7d1..91bcf6d0 100644 --- a/package/crds/database.vault.upbound.io_secretbackendconnections.yaml +++ b/package/crds/database.vault.upbound.io_secretbackendconnections.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackendconnections.database.vault.upbound.io spec: group: database.vault.upbound.io @@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: SecretBackendConnection is the Schema for the SecretBackendConnections - API. + API. Configures a database secret backend connection for Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -59,7 +58,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -71,33 +70,39 @@ spec: properties: allowedRoles: description: A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array backend: - description: Unique name of the Vault mount to configure. + description: The unique name of the Vault mount to configure. + Unique name of the Vault mount to configure. type: string cassandra: - description: Connection parameters for the cassandra-database-plugin + description: A nested block containing configuration options for + Cassandra connections. Connection parameters for the cassandra-database-plugin plugin. items: properties: connectTimeout: description: The number of seconds to use as a connection + timeout. The number of seconds to use as a connection timeout. type: number hosts: - description: Cassandra hosts to connect to. + description: The hosts to connect to. Cassandra hosts to + connect to. items: type: string type: array insecureTls: description: Whether to skip verification of the server - certificate when using TLS. + certificate when using TLS. Whether to skip verification + of the server certificate when using TLS. type: boolean passwordSecretRef: - description: The password to use when authenticating with - Cassandra. + description: The password to authenticate with. The password + to use when authenticating with Cassandra. properties: key: description: The key to select. @@ -114,7 +119,8 @@ spec: - namespace type: object pemBundleSecretRef: - description: Concatenated PEM blocks containing a certificate + description: Concatenated PEM blocks configuring the certificate + chain. Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. properties: 
@@ -133,9 +139,10 @@ spec: - namespace type: object pemJsonSecretRef: - description: Specifies JSON containing a certificate and - private key; a certificate, private key, and issuing CA - certificate; or just a CA certificate. + description: A JSON structure configuring the certificate + chain. Specifies JSON containing a certificate and private + key; a certificate, private key, and issuing CA certificate; + or just a CA certificate. properties: key: description: The key to select. 
@@ -152,29 +159,36 @@ spec: - namespace type: object port: - description: The transport port to use to connect to Cassandra. + description: The default port to connect to if no port is + specified as part of the host. The transport port to use + to connect to Cassandra. type: number protocolVersion: - description: The CQL protocol version to use. + description: The CQL protocol version to use. The CQL protocol + version to use. type: number tls: description: Whether to use TLS when connecting to Cassandra. + Whether to use TLS when connecting to Cassandra. type: boolean username: - description: The username to use when authenticating with - Cassandra. + description: The username to authenticate with. The username + to use when authenticating with Cassandra. type: string type: object type: array couchbase: - description: Connection parameters for the couchbase-database-plugin + description: A nested block containing configuration options for + Couchbase connections. Connection parameters for the couchbase-database-plugin plugin. items: properties: base64PemSecretRef: - description: Required if `tls` is `true`. Specifies the - certificate authority of the Couchbase server, as a PEM - certificate that has been base64 encoded. + description: Required if tls is true. Specifies the certificate + authority of the Couchbase server, as a PEM certificate + that has been base64 encoded. Required if `tls` is `true`. + Specifies the certificate authority of the Couchbase server, + as a PEM certificate that has been base64 encoded. properties: key: description: The key to select. 
@@ -192,22 +206,26 @@ spec: type: object bucketName: description: Required for Couchbase versions prior to 6.5.0. + This is only used to verify vault's connection to the + server. Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. type: string hosts: - description: A set of Couchbase URIs to connect to. Must - use `couchbases://` scheme if `tls` is `true`. + description: The hosts to connect to. A set of Couchbase + URIs to connect to. Must use `couchbases://` scheme if + `tls` is `true`. items: type: string type: array insecureTls: - description: Specifies whether to skip verification of the - server certificate when using TLS. + description: Whether to skip verification of the server + certificate when using TLS. Specifies whether to skip + verification of the server certificate when using TLS. type: boolean passwordSecretRef: - description: Specifies the password corresponding to the - given username. + description: The password to authenticate with. Specifies + the password corresponding to the given username. properties: key: description: The key to select. 
@@ -224,53 +242,64 @@ spec: - namespace type: object tls: - description: Specifies whether to use TLS when connecting - to Couchbase. + description: Whether to use TLS when connecting to Cassandra. + Specifies whether to use TLS when connecting to Couchbase. type: boolean username: - description: Specifies the username for Vault to use. + description: The username to authenticate with. Specifies + the username for Vault to use. type: string usernameTemplate: description: Template describing how dynamic usernames are + generated. Template describing how dynamic usernames are generated. type: string required: - - hosts - passwordSecretRef - - username type: object type: array data: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object elasticsearch: - description: Connection parameters for the elasticsearch-database-plugin. + description: A nested block containing configuration options for + Elasticsearch connections. Connection parameters for the elasticsearch-database-plugin. items: properties: caCert: - description: The path to a PEM-encoded CA cert file to use - to verify the Elasticsearch server's identity + description: The contents of a PEM-encoded CA cert file + to use to verify the Redis server's identity. The path + to a PEM-encoded CA cert file to use to verify the Elasticsearch + server's identity type: string caPath: description: The path to a directory of PEM-encoded CA cert - files to use to verify the Elasticsearch server's identity + files to use to verify the Elasticsearch server's identity. 
+ The path to a directory of PEM-encoded CA cert files to + use to verify the Elasticsearch server's identity type: string clientCert: description: The path to the certificate for the Elasticsearch - client to present for communication + client to present for communication. The path to the certificate + for the Elasticsearch client to present for communication type: string clientKey: description: The path to the key for the Elasticsearch client - to use for communication + to use for communication. The path to the key for the + Elasticsearch client to use for communication type: string insecure: - description: Whether to disable certificate verification + description: Whether to disable certificate verification. + Whether to disable certificate verification type: boolean passwordSecretRef: - description: The password to be used in the connection URL + description: The password to authenticate with. The password + to be used in the connection URL properties: key: description: The key to select. 
@@ -288,50 +317,59 @@ spec: type: object tlsServerName: description: This, if set, is used to set the SNI host when - connecting via TLS + connecting via TLS. This, if set, is used to set the SNI + host when connecting via TLS type: string url: - description: The URL for Elasticsearch's API + description: The url to connect to including the port; e.g. + master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. + The URL for Elasticsearch's API type: string username: - description: The username to be used in the connection URL + description: The username to authenticate with. The username + to be used in the connection URL type: string usernameTemplate: description: Template describing how dynamic usernames are + generated. Template describing how dynamic usernames are generated. type: string required: - passwordSecretRef - - url - - username type: object type: array hana: - description: Connection parameters for the hana-database-plugin + description: A nested block containing configuration options for + SAP HanaDB connections. Connection parameters for the hana-database-plugin plugin. items: properties: connectionUrl: - description: Connection string to use to connect to the - database. + description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. type: string disableEscaping: description: Disable special character escaping in username + and password. Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. 
type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number passwordSecretRef: - description: The root credential password used in the connection - URL + description: The password to authenticate with. The root + credential password used in the connection URL properties: key: description: The key to select. @@ -348,30 +386,34 @@ spec: - namespace type: object username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string type: object type: array influxdb: - description: Connection parameters for the influxdb-database-plugin + description: A nested block containing configuration options for + InfluxDB connections. Connection parameters for the influxdb-database-plugin plugin. items: properties: connectTimeout: description: The number of seconds to use as a connection + timeout. The number of seconds to use as a connection timeout. type: number host: - description: Influxdb host to connect to. + description: The host to connect to. Influxdb host to connect + to. type: string insecureTls: description: Whether to skip verification of the server - certificate when using TLS. + certificate when using TLS. Whether to skip verification + of the server certificate when using TLS. type: boolean passwordSecretRef: - description: Specifies the password corresponding to the - given username. + description: The password to authenticate with. Specifies + the password corresponding to the given username. properties: key: description: The key to select. 
@@ -388,7 +430,8 @@ spec: - namespace type: object pemBundleSecretRef: - description: Concatenated PEM blocks containing a certificate + description: Concatenated PEM blocks configuring the certificate + chain. Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. properties: @@ -407,9 +450,10 @@ spec: - namespace type: object pemJsonSecretRef: - description: Specifies JSON containing a certificate and - private key; a certificate, private key, and issuing CA - certificate; or just a CA certificate. + description: A JSON structure configuring the certificate + chain. Specifies JSON containing a certificate and private + key; a certificate, private key, and issuing CA certificate; + or just a CA certificate. properties: key: description: The key to select. 
@@ -426,47 +470,54 @@ spec: - namespace type: object port: - description: The transport port to use to connect to Influxdb. + description: The default port to connect to if no port is + specified as part of the host. The transport port to use + to connect to Influxdb. type: number tls: - description: Whether to use TLS when connecting to Influxdb. + description: Whether to use TLS when connecting to Cassandra. + Whether to use TLS when connecting to Influxdb. type: boolean username: - description: Specifies the username to use for superuser - access. + description: The username to authenticate with. Specifies + the username to use for superuser access. type: string usernameTemplate: description: Template describing how dynamic usernames are + generated. Template describing how dynamic usernames are generated. type: string required: - - host - passwordSecretRef - - username type: object type: array mongodb: - description: Connection parameters for the mongodb-database-plugin + description: A nested block containing configuration options for + MongoDB connections. Connection parameters for the mongodb-database-plugin plugin. items: properties: connectionUrl: - description: Connection string to use to connect to the - database. + description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. type: string maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. 
+ description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number passwordSecretRef: - description: The root credential password used in the connection - URL + description: The password to authenticate with. The root + credential password used in the connection URL properties: key: description: The key to select. @@ -483,22 +534,25 @@ spec: - namespace type: object username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string type: object type: array mongodbatlas: - description: Connection parameters for the mongodbatlas-database-plugin + description: A nested block containing configuration options for + MongoDB Atlas connections. Connection parameters for the mongodbatlas-database-plugin plugin. items: properties: privateKeySecretRef: description: The Private Programmatic API Key used to connect - with MongoDB Atlas API. + with MongoDB Atlas API. The Private Programmatic API Key + used to connect with MongoDB Atlas API. properties: key: description: The key to select. 
@@ -516,48 +570,56 @@ spec: type: object projectId: description: The Project ID the Database User should be - created within. + created within. The Project ID the Database User should + be created within. type: string publicKey: description: The Public Programmatic API Key used to authenticate - with the MongoDB Atlas API. + with the MongoDB Atlas API. The Public Programmatic API + Key used to authenticate with the MongoDB Atlas API. type: string required: - privateKeySecretRef - - projectId - - publicKey type: object type: array mssql: - description: Connection parameters for the mssql-database-plugin + description: A nested block containing configuration options for + MSSQL connections. Connection parameters for the mssql-database-plugin plugin. items: properties: connectionUrl: - description: Connection string to use to connect to the - database. + description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. type: string containedDb: - description: Set to true when the target is a Contained - Database, e.g. AzureSQL. + description: For Vault v1.9+. Set to true when the target + is a Contained Database, e.g. AzureSQL. See the Vault + docs Set to true when the target is a Contained Database, + e.g. AzureSQL. type: boolean disableEscaping: description: Disable special character escaping in username + and password. Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. 
type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number passwordSecretRef: - description: The root credential password used in the connection - URL + description: The password to authenticate with. The root + credential password used in the connection URL properties: key: description: The key to select. 
@@ -574,36 +636,42 @@ spec: - namespace type: object username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string type: object type: array mysql: - description: Connection parameters for the mysql-database-plugin + description: A nested block containing configuration options for + MySQL connections. Connection parameters for the mysql-database-plugin plugin. items: properties: connectionUrl: - description: Connection string to use to connect to the - database. + description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. type: string maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number passwordSecretRef: - description: The root credential password used in the connection - URL + description: The password to authenticate with. The root + credential password used in the connection URL properties: key: description: The key to select. 
@@ -621,12 +689,16 @@ spec: type: object tlsCa: description: x509 CA file for validating the certificate - presented by the MySQL server. Must be PEM encoded. + presented by the MySQL server. Must be PEM encoded. x509 + CA file for validating the certificate presented by the + MySQL server. Must be PEM encoded. type: string tlsCertificateKeySecretRef: description: x509 certificate for connecting to the database. This must be a PEM encoded version of the private key - and the certificate combined. + and the certificate combined. x509 certificate for connecting + to the database. This must be a PEM encoded version of + the private key and the certificate combined. properties: key: description: The key to select. 
@@ -643,36 +715,42 @@ spec: - namespace type: object username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string type: object type: array mysqlAurora: - description: Connection parameters for the mysql-aurora-database-plugin + description: A nested block containing configuration options for + Aurora MySQL connections. Connection parameters for the mysql-aurora-database-plugin plugin. items: properties: connectionUrl: - description: Connection string to use to connect to the - database. + description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. type: string maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number passwordSecretRef: - description: The root credential password used in the connection - URL + description: The password to authenticate with. The root + credential password used in the connection URL properties: key: description: The key to select. 
@@ -689,36 +767,42 @@ spec: - namespace type: object username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string type: object type: array mysqlLegacy: - description: Connection parameters for the mysql-legacy-database-plugin + description: A nested block containing configuration options for + legacy MySQL connections. Connection parameters for the mysql-legacy-database-plugin plugin. items: properties: connectionUrl: - description: Connection string to use to connect to the - database. + description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. type: string maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number passwordSecretRef: - description: The root credential password used in the connection - URL + description: The password to authenticate with. The root + credential password used in the connection URL properties: key: description: The key to select. 
@@ -735,36 +819,42 @@ spec: - namespace type: object username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string type: object type: array mysqlRds: - description: Connection parameters for the mysql-rds-database-plugin + description: A nested block containing configuration options for + RDS MySQL connections. Connection parameters for the mysql-rds-database-plugin plugin. items: properties: connectionUrl: - description: Connection string to use to connect to the - database. + description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. type: string maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number passwordSecretRef: - description: The root credential password used in the connection - URL + description: The password to authenticate with. The root + credential password used in the connection URL properties: key: description: The key to select. 
@@ -781,42 +871,53 @@ spec: - namespace type: object username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string type: object type: array name: - description: Name of the database connection. + description: A unique name to give the database connection. Name + of the database connection. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string oracle: - description: Connection parameters for the oracle-database-plugin + description: A nested block containing configuration options for + Oracle connections. Connection parameters for the oracle-database-plugin plugin. items: properties: connectionUrl: - description: Connection string to use to connect to the - database. + description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. type: string maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. 
type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number passwordSecretRef: - description: The root credential password used in the connection - URL + description: The password to authenticate with. The root + credential password used in the connection URL properties: key: description: The key to select. 
@@ -833,45 +934,52 @@ spec: - namespace type: object username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string type: object type: array pluginName: - description: Specifies the name of the plugin to use for this - connection. Must be prefixed with the name of one of the supported - database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must be prefixed + with the name of one of the supported database engine types. type: string postgresql: - description: Connection parameters for the postgresql-database-plugin + description: A nested block containing configuration options for + PostgreSQL connections. Connection parameters for the postgresql-database-plugin plugin. items: properties: connectionUrl: - description: Connection string to use to connect to the - database. + description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. type: string disableEscaping: description: Disable special character escaping in username + and password. Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. 
type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number passwordSecretRef: - description: The root credential password used in the connection - URL + description: The password to authenticate with. The root + credential password used in the connection URL properties: key: description: The key to select. 
@@ -888,33 +996,39 @@ spec: - namespace type: object username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string type: object type: array redis: - description: Connection parameters for the redis-database-plugin + description: A nested block containing configuration options for + Redis connections. Connection parameters for the redis-database-plugin plugin. items: properties: caCert: description: The contents of a PEM-encoded CA cert file - to use to verify the Redis server's identity. + to use to verify the Redis server's identity. The contents + of a PEM-encoded CA cert file to use to verify the Redis + server's identity. type: string host: - description: Specifies the host to connect to + description: The host to connect to. Specifies the host + to connect to type: string insecureTls: - description: Specifies whether to skip verification of the - server certificate when using TLS. + description: Whether to skip verification of the server + certificate when using TLS. Specifies whether to skip + verification of the server certificate when using TLS. type: boolean passwordSecretRef: - description: Specifies the password corresponding to the - given username. + description: The password to authenticate with. Specifies + the password corresponding to the given username. properties: key: description: The key to select. 
@@ -931,29 +1045,32 @@ spec: - namespace type: object port: - description: The transport port to use to connect to Redis. + description: The default port to connect to if no port is + specified as part of the host. The transport port to use + to connect to Redis. type: number tls: - description: Specifies whether to use TLS when connecting - to Redis. + description: Whether to use TLS when connecting to Cassandra. + Specifies whether to use TLS when connecting to Redis. type: boolean username: - description: Specifies the username for Vault to use. + description: The username to authenticate with. Specifies + the username for Vault to use. type: string required: - - host - passwordSecretRef - - username type: object type: array redisElasticache: - description: Connection parameters for the redis-elasticache-database-plugin - plugin. + description: A nested block containing configuration options for + Redis ElastiCache connections. Connection parameters for the + redis-elasticache-database-plugin plugin. items: properties: passwordSecretRef: - description: The AWS secret key id to use to talk to ElastiCache. - If omitted the credentials chain provider is used instead. + description: The password to authenticate with. The AWS + secret key id to use to talk to ElastiCache. If omitted + the credentials chain provider is used instead. properties: key: description: The key to select. 
@@ -970,17 +1087,22 @@ spec: - namespace type: object region: - description: The AWS region where the ElastiCache cluster + description: The region where the ElastiCache cluster is + hosted. If omitted Vault tries to infer from the environment + instead. The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment. type: string url: - description: The configuration endpoint for the ElastiCache - cluster to connect to. + description: The url to connect to including the port; e.g. + master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. + The configuration endpoint for the ElastiCache cluster + to connect to. type: string usernameSecretRef: - description: The AWS access key id to use to talk to ElastiCache. - If omitted the credentials chain provider is used instead. + description: The username to authenticate with. The AWS + access key id to use to talk to ElastiCache. If omitted + the credentials chain provider is used instead. properties: key: description: The key to select. @@ -996,8 +1118,6 @@ spec: - name - namespace type: object - required: - - url type: object type: array redshift: 
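Review bot: The redis `tls` field's new description says "Whether to use TLS when connecting to Cassandra." before the retained "Specifies whether to use TLS when connecting to Redis.", a cross-plugin copy on a field that, together with `insecureTls`, decides whether the Vault-to-Redis credential exchange is encrypted and verified; it should read `Whether to use TLS when connecting to Redis.`. The same hunk removes `host` and `username` from the redis `required` list, so a connection missing either is now rejected by the provider at reconcile time instead of by the API server at admission; that matches the initProvider change elsewhere in this diff but deserves a sentence in the field descriptions so users do not expect schema validation. This CRD appears to be generated, so both corrections belong in the Go type comments the generator reads. The enclosing schema block starts before and ends after this hunk.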
@@ -1006,26 +1126,31 @@ spec: items: properties: connectionUrl: - description: Connection string to use to connect to the - database. + description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. type: string disableEscaping: description: Disable special character escaping in username + and password. Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number passwordSecretRef: - description: The root credential password used in the connection - URL + description: The password to authenticate with. The root + credential password used in the connection URL properties: key: description: The key to select. 
@@ -1042,42 +1167,49 @@ spec: - namespace type: object username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string type: object type: array rootRotationStatements: description: A list of database statements to be executed to rotate - the root user's credentials. + the root user's credentials. A list of database statements to + be executed to rotate the root user's credentials. items: type: string type: array snowflake: - description: Connection parameters for the snowflake-database-plugin + description: A nested block containing configuration options for + Snowflake connections. Connection parameters for the snowflake-database-plugin plugin. items: properties: connectionUrl: - description: Connection string to use to connect to the - database. + description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. type: string maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. 
type: number passwordSecretRef: - description: The root credential password used in the connection - URL + description: The password to authenticate with. The root + credential password used in the connection URL properties: key: description: The key to select. 
@@ -1094,34 +1226,756 @@ spec: - namespace type: object username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string type: object type: array verifyConnection: - description: Specifies if the connection is verified during initial - configuration. + description: Whether the connection should be verified on initial + configuration or not. Specifies if the connection is verified + during initial configuration. type: boolean type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + allowedRoles: + description: A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. + items: + type: string + type: array + backend: + description: The unique name of the Vault mount to configure. + Unique name of the Vault mount to configure. + type: string + cassandra: + description: A nested block containing configuration options for + Cassandra connections. 
Connection parameters for the cassandra-database-plugin + plugin. + items: + properties: + connectTimeout: + description: The number of seconds to use as a connection + timeout. The number of seconds to use as a connection + timeout. + type: number + hosts: + description: The hosts to connect to. Cassandra hosts to + connect to. + items: + type: string + type: array + insecureTls: + description: Whether to skip verification of the server + certificate when using TLS. Whether to skip verification + of the server certificate when using TLS. + type: boolean + port: + description: The default port to connect to if no port is + specified as part of the host. The transport port to use + to connect to Cassandra. + type: number + protocolVersion: + description: The CQL protocol version to use. The CQL protocol + version to use. + type: number + tls: + description: Whether to use TLS when connecting to Cassandra. + Whether to use TLS when connecting to Cassandra. + type: boolean + username: + description: The username to authenticate with. The username + to use when authenticating with Cassandra. + type: string + type: object + type: array + couchbase: + description: A nested block containing configuration options for + Couchbase connections. Connection parameters for the couchbase-database-plugin + plugin. + items: + properties: + bucketName: + description: Required for Couchbase versions prior to 6.5.0. + This is only used to verify vault's connection to the + server. Required for Couchbase versions prior to 6.5.0. + This is only used to verify vault's connection to the + server. + type: string + hosts: + description: The hosts to connect to. A set of Couchbase + URIs to connect to. Must use `couchbases://` scheme if + `tls` is `true`. + items: + type: string + type: array + insecureTls: + description: Whether to skip verification of the server + certificate when using TLS. Specifies whether to skip + verification of the server certificate when using TLS. 
+ type: boolean + tls: + description: Whether to use TLS when connecting to Cassandra. + Specifies whether to use TLS when connecting to Couchbase. + type: boolean + username: + description: The username to authenticate with. Specifies + the username for Vault to use. + type: string + usernameTemplate: + description: Template describing how dynamic usernames are + generated. Template describing how dynamic usernames are + generated. + type: string + type: object + type: array + data: + additionalProperties: + type: string + description: A map of sensitive data to pass to the endpoint. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. + type: object + elasticsearch: + description: A nested block containing configuration options for + Elasticsearch connections. Connection parameters for the elasticsearch-database-plugin. + items: + properties: + caCert: + description: The contents of a PEM-encoded CA cert file + to use to verify the Redis server's identity. The path + to a PEM-encoded CA cert file to use to verify the Elasticsearch + server's identity + type: string + caPath: + description: The path to a directory of PEM-encoded CA cert + files to use to verify the Elasticsearch server's identity. + The path to a directory of PEM-encoded CA cert files to + use to verify the Elasticsearch server's identity + type: string + clientCert: + description: The path to the certificate for the Elasticsearch + client to present for communication. The path to the certificate + for the Elasticsearch client to present for communication + type: string + clientKey: + description: The path to the key for the Elasticsearch client + to use for communication. The path to the key for the + Elasticsearch client to use for communication + type: string + insecure: + description: Whether to disable certificate verification. 
+ Whether to disable certificate verification + type: boolean + tlsServerName: + description: This, if set, is used to set the SNI host when + connecting via TLS. This, if set, is used to set the SNI + host when connecting via TLS + type: string + url: + description: The url to connect to including the port; e.g. + master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. + The URL for Elasticsearch's API + type: string + username: + description: The username to authenticate with. The username + to be used in the connection URL + type: string + usernameTemplate: + description: Template describing how dynamic usernames are + generated. Template describing how dynamic usernames are + generated. + type: string + type: object + type: array + hana: + description: A nested block containing configuration options for + SAP HanaDB connections. Connection parameters for the hana-database-plugin + plugin. + items: + properties: + connectionUrl: + description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. + type: string + disableEscaping: + description: Disable special character escaping in username + and password. Disable special character escaping in username + and password + type: boolean + maxConnectionLifetime: + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may + be reused. + type: number + maxIdleConnections: + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. + type: number + maxOpenConnections: + description: The maximum number of open connections to use. + Maximum number of open connections to the database. + type: number + username: + description: The username to authenticate with. 
The root + credential username used in the connection URL + type: string + type: object + type: array + influxdb: + description: A nested block containing configuration options for + InfluxDB connections. Connection parameters for the influxdb-database-plugin + plugin. + items: + properties: + connectTimeout: + description: The number of seconds to use as a connection + timeout. The number of seconds to use as a connection + timeout. + type: number + host: + description: The host to connect to. Influxdb host to connect + to. + type: string + insecureTls: + description: Whether to skip verification of the server + certificate when using TLS. Whether to skip verification + of the server certificate when using TLS. + type: boolean + port: + description: The default port to connect to if no port is + specified as part of the host. The transport port to use + to connect to Influxdb. + type: number + tls: + description: Whether to use TLS when connecting to Cassandra. + Whether to use TLS when connecting to Influxdb. + type: boolean + username: + description: The username to authenticate with. Specifies + the username to use for superuser access. + type: string + usernameTemplate: + description: Template describing how dynamic usernames are + generated. Template describing how dynamic usernames are + generated. + type: string + type: object + type: array + mongodb: + description: A nested block containing configuration options for + MongoDB connections. Connection parameters for the mongodb-database-plugin + plugin. + items: + properties: + connectionUrl: + description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. + type: string + maxConnectionLifetime: + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may + be reused. 
+ type: number + maxIdleConnections: + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. + type: number + maxOpenConnections: + description: The maximum number of open connections to use. + Maximum number of open connections to the database. + type: number + username: + description: The username to authenticate with. The root + credential username used in the connection URL + type: string + usernameTemplate: + description: Template describing how dynamic usernames are + generated. Username generation template. + type: string + type: object + type: array + mongodbatlas: + description: A nested block containing configuration options for + MongoDB Atlas connections. Connection parameters for the mongodbatlas-database-plugin + plugin. + items: + properties: + projectId: + description: The Project ID the Database User should be + created within. The Project ID the Database User should + be created within. + type: string + publicKey: + description: The Public Programmatic API Key used to authenticate + with the MongoDB Atlas API. The Public Programmatic API + Key used to authenticate with the MongoDB Atlas API. + type: string + type: object + type: array + mssql: + description: A nested block containing configuration options for + MSSQL connections. Connection parameters for the mssql-database-plugin + plugin. + items: + properties: + connectionUrl: + description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. + type: string + containedDb: + description: For Vault v1.9+. Set to true when the target + is a Contained Database, e.g. AzureSQL. See the Vault + docs Set to true when the target is a Contained Database, + e.g. AzureSQL. + type: boolean + disableEscaping: + description: Disable special character escaping in username + and password. 
Disable special character escaping in username + and password + type: boolean + maxConnectionLifetime: + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may + be reused. + type: number + maxIdleConnections: + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. + type: number + maxOpenConnections: + description: The maximum number of open connections to use. + Maximum number of open connections to the database. + type: number + username: + description: The username to authenticate with. The root + credential username used in the connection URL + type: string + usernameTemplate: + description: Template describing how dynamic usernames are + generated. Username generation template. + type: string + type: object + type: array + mysql: + description: A nested block containing configuration options for + MySQL connections. Connection parameters for the mysql-database-plugin + plugin. + items: + properties: + connectionUrl: + description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. + type: string + maxConnectionLifetime: + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may + be reused. + type: number + maxIdleConnections: + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. + type: number + maxOpenConnections: + description: The maximum number of open connections to use. + Maximum number of open connections to the database. + type: number + tlsCa: + description: x509 CA file for validating the certificate + presented by the MySQL server. Must be PEM encoded. x509 + CA file for validating the certificate presented by the + MySQL server. Must be PEM encoded. 
+ type: string + username: + description: The username to authenticate with. The root + credential username used in the connection URL + type: string + usernameTemplate: + description: Template describing how dynamic usernames are + generated. Username generation template. + type: string + type: object + type: array + mysqlAurora: + description: A nested block containing configuration options for + Aurora MySQL connections. Connection parameters for the mysql-aurora-database-plugin + plugin. + items: + properties: + connectionUrl: + description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. + type: string + maxConnectionLifetime: + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may + be reused. + type: number + maxIdleConnections: + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. + type: number + maxOpenConnections: + description: The maximum number of open connections to use. + Maximum number of open connections to the database. + type: number + username: + description: The username to authenticate with. The root + credential username used in the connection URL + type: string + usernameTemplate: + description: Template describing how dynamic usernames are + generated. Username generation template. + type: string + type: object + type: array + mysqlLegacy: + description: A nested block containing configuration options for + legacy MySQL connections. Connection parameters for the mysql-legacy-database-plugin + plugin. + items: + properties: + connectionUrl: + description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. + type: string + maxConnectionLifetime: + description: The maximum number of seconds to keep a connection + alive for. 
Maximum number of seconds a connection may + be reused. + type: number + maxIdleConnections: + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. + type: number + maxOpenConnections: + description: The maximum number of open connections to use. + Maximum number of open connections to the database. + type: number + username: + description: The username to authenticate with. The root + credential username used in the connection URL + type: string + usernameTemplate: + description: Template describing how dynamic usernames are + generated. Username generation template. + type: string + type: object + type: array + mysqlRds: + description: A nested block containing configuration options for + RDS MySQL connections. Connection parameters for the mysql-rds-database-plugin + plugin. + items: + properties: + connectionUrl: + description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. + type: string + maxConnectionLifetime: + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may + be reused. + type: number + maxIdleConnections: + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. + type: number + maxOpenConnections: + description: The maximum number of open connections to use. + Maximum number of open connections to the database. + type: number + username: + description: The username to authenticate with. The root + credential username used in the connection URL + type: string + usernameTemplate: + description: Template describing how dynamic usernames are + generated. Username generation template. + type: string + type: object + type: array + name: + description: A unique name to give the database connection. Name + of the database connection. 
+ type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + oracle: + description: A nested block containing configuration options for + Oracle connections. Connection parameters for the oracle-database-plugin + plugin. + items: + properties: + connectionUrl: + description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. + type: string + maxConnectionLifetime: + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may + be reused. + type: number + maxIdleConnections: + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. + type: number + maxOpenConnections: + description: The maximum number of open connections to use. + Maximum number of open connections to the database. + type: number + username: + description: The username to authenticate with. The root + credential username used in the connection URL + type: string + usernameTemplate: + description: Template describing how dynamic usernames are + generated. Username generation template. + type: string + type: object + type: array + pluginName: + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must be prefixed + with the name of one of the supported database engine types. + type: string + postgresql: + description: A nested block containing configuration options for + PostgreSQL connections. Connection parameters for the postgresql-database-plugin + plugin. + items: + properties: + connectionUrl: + description: A URL containing connection information. 
See + the Vault docs for an example. Connection string to use + to connect to the database. + type: string + disableEscaping: + description: Disable special character escaping in username + and password. Disable special character escaping in username + and password + type: boolean + maxConnectionLifetime: + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may + be reused. + type: number + maxIdleConnections: + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. + type: number + maxOpenConnections: + description: The maximum number of open connections to use. + Maximum number of open connections to the database. + type: number + username: + description: The username to authenticate with. The root + credential username used in the connection URL + type: string + usernameTemplate: + description: Template describing how dynamic usernames are + generated. Username generation template. + type: string + type: object + type: array + redis: + description: A nested block containing configuration options for + Redis connections. Connection parameters for the redis-database-plugin + plugin. + items: + properties: + caCert: + description: The contents of a PEM-encoded CA cert file + to use to verify the Redis server's identity. The contents + of a PEM-encoded CA cert file to use to verify the Redis + server's identity. + type: string + host: + description: The host to connect to. Specifies the host + to connect to + type: string + insecureTls: + description: Whether to skip verification of the server + certificate when using TLS. Specifies whether to skip + verification of the server certificate when using TLS. + type: boolean + port: + description: The default port to connect to if no port is + specified as part of the host. The transport port to use + to connect to Redis. 
+ type: number + tls: + description: Whether to use TLS when connecting to Cassandra. + Specifies whether to use TLS when connecting to Redis. + type: boolean + username: + description: The username to authenticate with. Specifies + the username for Vault to use. + type: string + type: object + type: array + redisElasticache: + description: A nested block containing configuration options for + Redis ElastiCache connections. Connection parameters for the + redis-elasticache-database-plugin plugin. + items: + properties: + region: + description: The region where the ElastiCache cluster is + hosted. If omitted Vault tries to infer from the environment + instead. The AWS region where the ElastiCache cluster + is hosted. If omitted the plugin tries to infer the region + from the environment. + type: string + url: + description: The url to connect to including the port; e.g. + master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. + The configuration endpoint for the ElastiCache cluster + to connect to. + type: string + type: object + type: array + redshift: + description: Connection parameters for the redshift-database-plugin + plugin. + items: + properties: + connectionUrl: + description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. + type: string + disableEscaping: + description: Disable special character escaping in username + and password. Disable special character escaping in username + and password + type: boolean + maxConnectionLifetime: + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may + be reused. + type: number + maxIdleConnections: + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. + type: number + maxOpenConnections: + description: The maximum number of open connections to use. + Maximum number of open connections to the database. 
+ type: number + username: + description: The username to authenticate with. The root + credential username used in the connection URL + type: string + usernameTemplate: + description: Template describing how dynamic usernames are + generated. Username generation template. + type: string + type: object + type: array + rootRotationStatements: + description: A list of database statements to be executed to rotate + the root user's credentials. A list of database statements to + be executed to rotate the root user's credentials. + items: + type: string + type: array + snowflake: + description: A nested block containing configuration options for + Snowflake connections. Connection parameters for the snowflake-database-plugin + plugin. + items: + properties: + connectionUrl: + description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. + type: string + maxConnectionLifetime: + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may + be reused. + type: number + maxIdleConnections: + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. + type: number + maxOpenConnections: + description: The maximum number of open connections to use. + Maximum number of open connections to the database. + type: number + username: + description: The username to authenticate with. The root + credential username used in the connection URL + type: string + usernameTemplate: + description: Template describing how dynamic usernames are + generated. Username generation template. + type: string + type: object + type: array + verifyConnection: + description: Whether the connection should be verified on initial + configuration or not. Specifies if the connection is verified + during initial configuration. 
+ type: boolean + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -1295,9 +2149,13 @@ spec: type: object x-kubernetes-validations: - message: backend is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) + || has(self.initProvider.backend)' - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' status: description: SecretBackendConnectionStatus defines the observed state of SecretBackendConnection. 
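Review bot: Both new `rule:` lines reach into `self.initProvider.backend` / `self.initProvider.name` without first testing that `initProvider` itself is present, so when `forProvider.backend` is absent and the policies include `*`, `Create` or `Update`, the outcome depends on how the API server's CEL evaluator treats an unset `initProvider` — if that is an evaluation error rather than `false`, the user sees a "no such key" failure instead of the intended `message`; worth confirming against the target Kubernetes version. Guarding the sub-expression as `|| (has(self.initProvider) && has(self.initProvider.backend))` (and likewise for `name`) keeps the rule total either way. `managementPolicies` needs no such guard because the default `['*']` added in the preceding hunk guarantees it is set. The two `message` strings still describe `backend`/`name` as unconditionally required; `backend is required in forProvider or initProvider when managementPolicies allows Create or Update` would match what the rule now enforces.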
@@ -1306,74 +2164,91 @@ spec: properties: allowedRoles: description: A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array backend: - description: Unique name of the Vault mount to configure. + description: The unique name of the Vault mount to configure. + Unique name of the Vault mount to configure. type: string cassandra: - description: Connection parameters for the cassandra-database-plugin + description: A nested block containing configuration options for + Cassandra connections. Connection parameters for the cassandra-database-plugin plugin. items: properties: connectTimeout: description: The number of seconds to use as a connection + timeout. The number of seconds to use as a connection timeout. type: number hosts: - description: Cassandra hosts to connect to. + description: The hosts to connect to. Cassandra hosts to + connect to. items: type: string type: array insecureTls: description: Whether to skip verification of the server - certificate when using TLS. + certificate when using TLS. Whether to skip verification + of the server certificate when using TLS. type: boolean port: - description: The transport port to use to connect to Cassandra. + description: The default port to connect to if no port is + specified as part of the host. The transport port to use + to connect to Cassandra. type: number protocolVersion: - description: The CQL protocol version to use. + description: The CQL protocol version to use. The CQL protocol + version to use. type: number tls: description: Whether to use TLS when connecting to Cassandra. + Whether to use TLS when connecting to Cassandra. type: boolean username: - description: The username to use when authenticating with - Cassandra. + description: The username to authenticate with. The username + to use when authenticating with Cassandra. 
type: string type: object type: array couchbase: - description: Connection parameters for the couchbase-database-plugin + description: A nested block containing configuration options for + Couchbase connections. Connection parameters for the couchbase-database-plugin plugin. items: properties: bucketName: description: Required for Couchbase versions prior to 6.5.0. + This is only used to verify vault's connection to the + server. Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. type: string hosts: - description: A set of Couchbase URIs to connect to. Must - use `couchbases://` scheme if `tls` is `true`. + description: The hosts to connect to. A set of Couchbase + URIs to connect to. Must use `couchbases://` scheme if + `tls` is `true`. items: type: string type: array insecureTls: - description: Specifies whether to skip verification of the - server certificate when using TLS. + description: Whether to skip verification of the server + certificate when using TLS. Specifies whether to skip + verification of the server certificate when using TLS. type: boolean tls: - description: Specifies whether to use TLS when connecting - to Couchbase. + description: Whether to use TLS when connecting to Cassandra. + Specifies whether to use TLS when connecting to Couchbase. type: boolean username: - description: Specifies the username for Vault to use. + description: The username to authenticate with. Specifies + the username for Vault to use. type: string usernameTemplate: description: Template describing how dynamic usernames are + generated. Template describing how dynamic usernames are generated. type: string type: object 
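Review bot: The regenerated descriptions concatenate two documentation sources, and for the couchbase `tls` field the first half is wrong for this plugin — `Whether to use TLS when connecting to Cassandra.` now precedes `Specifies whether to use TLS when connecting to Couchbase.`; the same Cassandra sentence lands on the influxdb and redis `tls` fields, and the elasticsearch `caCert` description gains `to verify the Redis server's identity`, in the neighbouring hunks of this file. For fields that decide whether a connection is encrypted or whether the server certificate is verified, a description naming the wrong engine is exactly what gets copied into reviews and runbooks, so it should be corrected in the source the generator reads rather than patched here. Most other fields now carry the same sentence twice (`connectTimeout`, `insecureTls`, `usernameTemplate`), which suggests the generator should drop a second sentence identical to the first before emitting the schema.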
@@ -1382,417 +2257,521 @@ spec: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object elasticsearch: - description: Connection parameters for the elasticsearch-database-plugin. + description: A nested block containing configuration options for + Elasticsearch connections. Connection parameters for the elasticsearch-database-plugin. items: properties: caCert: - description: The path to a PEM-encoded CA cert file to use - to verify the Elasticsearch server's identity + description: The contents of a PEM-encoded CA cert file + to use to verify the Redis server's identity. The path + to a PEM-encoded CA cert file to use to verify the Elasticsearch + server's identity type: string caPath: description: The path to a directory of PEM-encoded CA cert - files to use to verify the Elasticsearch server's identity + files to use to verify the Elasticsearch server's identity. + The path to a directory of PEM-encoded CA cert files to + use to verify the Elasticsearch server's identity type: string clientCert: description: The path to the certificate for the Elasticsearch - client to present for communication + client to present for communication. The path to the certificate + for the Elasticsearch client to present for communication type: string clientKey: description: The path to the key for the Elasticsearch client - to use for communication + to use for communication. The path to the key for the + Elasticsearch client to use for communication type: string insecure: - description: Whether to disable certificate verification + description: Whether to disable certificate verification. 
+ Whether to disable certificate verification type: boolean tlsServerName: description: This, if set, is used to set the SNI host when - connecting via TLS + connecting via TLS. This, if set, is used to set the SNI + host when connecting via TLS type: string url: - description: The URL for Elasticsearch's API + description: The url to connect to including the port; e.g. + master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. + The URL for Elasticsearch's API type: string username: - description: The username to be used in the connection URL + description: The username to authenticate with. The username + to be used in the connection URL type: string usernameTemplate: description: Template describing how dynamic usernames are + generated. Template describing how dynamic usernames are generated. type: string type: object type: array hana: - description: Connection parameters for the hana-database-plugin + description: A nested block containing configuration options for + SAP HanaDB connections. Connection parameters for the hana-database-plugin plugin. items: properties: connectionUrl: - description: Connection string to use to connect to the - database. + description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. type: string disableEscaping: description: Disable special character escaping in username + and password. Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. 
type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string type: object type: array id: type: string influxdb: - description: Connection parameters for the influxdb-database-plugin + description: A nested block containing configuration options for + InfluxDB connections. Connection parameters for the influxdb-database-plugin plugin. items: properties: connectTimeout: description: The number of seconds to use as a connection + timeout. The number of seconds to use as a connection timeout. type: number host: - description: Influxdb host to connect to. + description: The host to connect to. Influxdb host to connect + to. type: string insecureTls: description: Whether to skip verification of the server - certificate when using TLS. + certificate when using TLS. Whether to skip verification + of the server certificate when using TLS. type: boolean port: - description: The transport port to use to connect to Influxdb. + description: The default port to connect to if no port is + specified as part of the host. The transport port to use + to connect to Influxdb. type: number tls: - description: Whether to use TLS when connecting to Influxdb. + description: Whether to use TLS when connecting to Cassandra. + Whether to use TLS when connecting to Influxdb. type: boolean username: - description: Specifies the username to use for superuser - access. + description: The username to authenticate with. Specifies + the username to use for superuser access. type: string usernameTemplate: description: Template describing how dynamic usernames are + generated. Template describing how dynamic usernames are generated. 
type: string type: object type: array mongodb: - description: Connection parameters for the mongodb-database-plugin + description: A nested block containing configuration options for + MongoDB connections. Connection parameters for the mongodb-database-plugin plugin. items: properties: connectionUrl: - description: Connection string to use to connect to the - database. + description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. type: string maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string type: object type: array mongodbatlas: - description: Connection parameters for the mongodbatlas-database-plugin + description: A nested block containing configuration options for + MongoDB Atlas connections. Connection parameters for the mongodbatlas-database-plugin plugin. items: properties: projectId: description: The Project ID the Database User should be - created within. + created within. 
The Project ID the Database User should + be created within. type: string publicKey: description: The Public Programmatic API Key used to authenticate - with the MongoDB Atlas API. + with the MongoDB Atlas API. The Public Programmatic API + Key used to authenticate with the MongoDB Atlas API. type: string type: object type: array mssql: - description: Connection parameters for the mssql-database-plugin + description: A nested block containing configuration options for + MSSQL connections. Connection parameters for the mssql-database-plugin plugin. items: properties: connectionUrl: - description: Connection string to use to connect to the - database. + description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. type: string containedDb: - description: Set to true when the target is a Contained - Database, e.g. AzureSQL. + description: For Vault v1.9+. Set to true when the target + is a Contained Database, e.g. AzureSQL. See the Vault + docs Set to true when the target is a Contained Database, + e.g. AzureSQL. type: boolean disableEscaping: description: Disable special character escaping in username + and password. Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. 
type: number username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string type: object type: array mysql: - description: Connection parameters for the mysql-database-plugin + description: A nested block containing configuration options for + MySQL connections. Connection parameters for the mysql-database-plugin plugin. items: properties: connectionUrl: - description: Connection string to use to connect to the - database. + description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. type: string maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number tlsCa: description: x509 CA file for validating the certificate - presented by the MySQL server. Must be PEM encoded. + presented by the MySQL server. Must be PEM encoded. x509 + CA file for validating the certificate presented by the + MySQL server. Must be PEM encoded. type: string username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. 
The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string type: object type: array mysqlAurora: - description: Connection parameters for the mysql-aurora-database-plugin + description: A nested block containing configuration options for + Aurora MySQL connections. Connection parameters for the mysql-aurora-database-plugin plugin. items: properties: connectionUrl: - description: Connection string to use to connect to the - database. + description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. type: string maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. 
type: string type: object type: array mysqlLegacy: - description: Connection parameters for the mysql-legacy-database-plugin + description: A nested block containing configuration options for + legacy MySQL connections. Connection parameters for the mysql-legacy-database-plugin plugin. items: properties: connectionUrl: - description: Connection string to use to connect to the - database. + description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. type: string maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string type: object type: array mysqlRds: - description: Connection parameters for the mysql-rds-database-plugin + description: A nested block containing configuration options for + RDS MySQL connections. Connection parameters for the mysql-rds-database-plugin plugin. items: properties: connectionUrl: - description: Connection string to use to connect to the - database. 
+ description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. type: string maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string type: object type: array name: - description: Name of the database connection. + description: A unique name to give the database connection. Name + of the database connection. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string oracle: - description: Connection parameters for the oracle-database-plugin + description: A nested block containing configuration options for + Oracle connections. Connection parameters for the oracle-database-plugin plugin. 
items: properties: connectionUrl: - description: Connection string to use to connect to the - database. + description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. type: string maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string type: object type: array pluginName: - description: Specifies the name of the plugin to use for this - connection. Must be prefixed with the name of one of the supported - database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must be prefixed + with the name of one of the supported database engine types. type: string postgresql: - description: Connection parameters for the postgresql-database-plugin + description: A nested block containing configuration options for + PostgreSQL connections. Connection parameters for the postgresql-database-plugin plugin. 
items: properties: connectionUrl: - description: Connection string to use to connect to the - database. + description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. type: string disableEscaping: description: Disable special character escaping in username + and password. Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string type: object type: array redis: - description: Connection parameters for the redis-database-plugin + description: A nested block containing configuration options for + Redis connections. Connection parameters for the redis-database-plugin plugin. items: properties: caCert: description: The contents of a PEM-encoded CA cert file - to use to verify the Redis server's identity. + to use to verify the Redis server's identity. The contents + of a PEM-encoded CA cert file to use to verify the Redis + server's identity. 
type: string host: - description: Specifies the host to connect to + description: The host to connect to. Specifies the host + to connect to type: string insecureTls: - description: Specifies whether to skip verification of the - server certificate when using TLS. + description: Whether to skip verification of the server + certificate when using TLS. Specifies whether to skip + verification of the server certificate when using TLS. type: boolean port: - description: The transport port to use to connect to Redis. + description: The default port to connect to if no port is + specified as part of the host. The transport port to use + to connect to Redis. type: number tls: - description: Specifies whether to use TLS when connecting - to Redis. + description: Whether to use TLS when connecting to Cassandra. + Specifies whether to use TLS when connecting to Redis. type: boolean username: - description: Specifies the username for Vault to use. + description: The username to authenticate with. Specifies + the username for Vault to use. type: string type: object type: array redisElasticache: - description: Connection parameters for the redis-elasticache-database-plugin - plugin. + description: A nested block containing configuration options for + Redis ElastiCache connections. Connection parameters for the + redis-elasticache-database-plugin plugin. items: properties: region: - description: The AWS region where the ElastiCache cluster + description: The region where the ElastiCache cluster is + hosted. If omitted Vault tries to infer from the environment + instead. The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment. type: string url: - description: The configuration endpoint for the ElastiCache - cluster to connect to. + description: The url to connect to including the port; e.g. + master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. 
+ The configuration endpoint for the ElastiCache cluster + to connect to. type: string type: object type: array 
@@ -1802,69 +2781,83 @@ spec: items: properties: connectionUrl: - description: Connection string to use to connect to the - database. + description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. type: string disableEscaping: description: Disable special character escaping in username + and password. Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string type: object type: array rootRotationStatements: description: A list of database statements to be executed to rotate - the root user's credentials. + the root user's credentials. A list of database statements to + be executed to rotate the root user's credentials. items: type: string type: array snowflake: - description: Connection parameters for the snowflake-database-plugin + description: A nested block containing configuration options for + Snowflake connections. 
Connection parameters for the snowflake-database-plugin plugin. items: properties: connectionUrl: - description: Connection string to use to connect to the - database. + description: A URL containing connection information. See + the Vault docs for an example. Connection string to use + to connect to the database. type: string maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string type: object type: array verifyConnection: - description: Specifies if the connection is verified during initial - configuration. + description: Whether the connection should be verified on initial + configuration or not. Specifies if the connection is verified + during initial configuration. type: boolean type: object conditions: diff --git a/package/crds/database.vault.upbound.io_secretbackendroles.yaml b/package/crds/database.vault.upbound.io_secretbackendroles.yaml index d52ad1fa..a5a54819 100644 --- a/package/crds/database.vault.upbound.io_secretbackendroles.yaml 
+++ b/package/crds/database.vault.upbound.io_secretbackendroles.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackendroles.database.vault.upbound.io spec: group: database.vault.upbound.io @@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: SecretBackendRole is the Schema for the SecretBackendRoles API. - + Configures a database secret backend role for Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,64 +68,152 @@ spec: forProvider: properties: backend: - description: The path of the Database Secret Backend the role - belongs to. + description: The unique name of the Vault mount to configure. + The path of the Database Secret Backend the role belongs to. type: string creationStatements: - description: Database statements to execute to create and configure + description: The database statements to execute when creating + a user. Database statements to execute to create and configure a user. items: type: string type: array dbName: - description: Database connection to use for this role. + description: The unique name of the database connection to use + for the role. Database connection to use for this role. type: string defaultTtl: - description: Default TTL for leases associated with this role, - in seconds. + description: The default number of seconds for leases for this + role. Default TTL for leases associated with this role, in seconds. type: number maxTtl: - description: Maximum TTL for leases associated with this role, - in seconds. + description: The maximum number of seconds for leases for this + role. Maximum TTL for leases associated with this role, in seconds. type: number name: - description: Unique name for the role. + description: A unique name to give the role. Unique name for the + role. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string renewStatements: - description: Database statements to execute to renew a user. + description: The database statements to execute when renewing + a user. Database statements to execute to renew a user. 
items: type: string type: array revocationStatements: - description: Database statements to execute to revoke a user. + description: The database statements to execute when revoking + a user. Database statements to execute to revoke a user. items: type: string type: array rollbackStatements: - description: Database statements to execute to rollback a create - operation in the event of an error. + description: The database statements to execute when rolling back + creation due to an error. Database statements to execute to + rollback a create operation in the event of an error. items: type: string type: array type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + backend: + description: The unique name of the Vault mount to configure. + The path of the Database Secret Backend the role belongs to. + type: string + creationStatements: + description: The database statements to execute when creating + a user. Database statements to execute to create and configure + a user. + items: + type: string + type: array + dbName: + description: The unique name of the database connection to use + for the role. Database connection to use for this role. 
+ type: string + defaultTtl: + description: The default number of seconds for leases for this + role. Default TTL for leases associated with this role, in seconds. + type: number + maxTtl: + description: The maximum number of seconds for leases for this + role. Maximum TTL for leases associated with this role, in seconds. + type: number + name: + description: A unique name to give the role. Unique name for the + role. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + renewStatements: + description: The database statements to execute when renewing + a user. Database statements to execute to renew a user. + items: + type: string + type: array + revocationStatements: + description: The database statements to execute when revoking + a user. Database statements to execute to revoke a user. + items: + type: string + type: array + rollbackStatements: + description: The database statements to execute when rolling back + creation due to an error. Database statements to execute to + rollback a create operation in the event of an error. + items: + type: string + type: array + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. 
- See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -300,60 +387,78 @@ spec: type: object x-kubernetes-validations: - message: backend is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) + || has(self.initProvider.backend)' - message: creationStatements is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.creationStatements) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.creationStatements) + || has(self.initProvider.creationStatements)' - message: dbName is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dbName) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.dbName) + || has(self.initProvider.dbName)' - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' status: description: SecretBackendRoleStatus defines the observed state of SecretBackendRole. properties: atProvider: properties: backend: - description: The path of the Database Secret Backend the role - belongs to. + description: The unique name of the Vault mount to configure. + The path of the Database Secret Backend the role belongs to. type: string creationStatements: - description: Database statements to execute to create and configure + description: The database statements to execute when creating + a user. Database statements to execute to create and configure a user. 
items: type: string type: array dbName: - description: Database connection to use for this role. + description: The unique name of the database connection to use + for the role. Database connection to use for this role. type: string defaultTtl: - description: Default TTL for leases associated with this role, - in seconds. + description: The default number of seconds for leases for this + role. Default TTL for leases associated with this role, in seconds. type: number id: type: string maxTtl: - description: Maximum TTL for leases associated with this role, - in seconds. + description: The maximum number of seconds for leases for this + role. Maximum TTL for leases associated with this role, in seconds. type: number name: - description: Unique name for the role. + description: A unique name to give the role. Unique name for the + role. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string renewStatements: - description: Database statements to execute to renew a user. + description: The database statements to execute when renewing + a user. Database statements to execute to renew a user. items: type: string type: array revocationStatements: - description: Database statements to execute to revoke a user. + description: The database statements to execute when revoking + a user. Database statements to execute to revoke a user. items: type: string type: array rollbackStatements: - description: Database statements to execute to rollback a create - operation in the event of an error. + description: The database statements to execute when rolling back + creation due to an error. 
Database statements to execute to + rollback a create operation in the event of an error. items: type: string type: array diff --git a/package/crds/database.vault.upbound.io_secretbackendstaticroles.yaml b/package/crds/database.vault.upbound.io_secretbackendstaticroles.yaml index 4cf63d87..8d2629cf 100644 --- a/package/crds/database.vault.upbound.io_secretbackendstaticroles.yaml +++ b/package/crds/database.vault.upbound.io_secretbackendstaticroles.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackendstaticroles.database.vault.upbound.io spec: group: database.vault.upbound.io @@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: SecretBackendStaticRole is the Schema for the SecretBackendStaticRoles - API. + API. Configures a database secret backend static role for Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -59,7 +58,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -70,48 +69,116 @@ spec: forProvider: properties: backend: - description: The path of the Database Secret Backend the role - belongs to. + description: The unique name of the Vault mount to configure. + The path of the Database Secret Backend the role belongs to. type: string dbName: - description: Database connection to use for this role. + description: The unique name of the database connection to use + for the static role. Database connection to use for this role. type: string name: - description: Unique name for the static role. + description: A unique name to give the static role. Unique name + for the static role. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string rotationPeriod: description: The amount of time Vault should wait before rotating - the password, in seconds. + the password, in seconds. The amount of time Vault should wait + before rotating the password, in seconds. type: number rotationStatements: description: Database statements to execute to rotate the password - for the configured database user. + for the configured database user. Database statements to execute + to rotate the password for the configured database user. items: type: string type: array username: - description: The database username that this role corresponds - to. + description: The database username that this static role corresponds + to. The database username that this role corresponds to. type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. 
+ It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + backend: + description: The unique name of the Vault mount to configure. + The path of the Database Secret Backend the role belongs to. + type: string + dbName: + description: The unique name of the database connection to use + for the static role. Database connection to use for this role. + type: string + name: + description: A unique name to give the static role. Unique name + for the static role. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + rotationPeriod: + description: The amount of time Vault should wait before rotating + the password, in seconds. The amount of time Vault should wait + before rotating the password, in seconds. + type: number + rotationStatements: + description: Database statements to execute to rotate the password + for the configured database user. Database statements to execute + to rotate the password for the configured database user. + items: + type: string + type: array + username: + description: The database username that this static role corresponds + to. 
The database username that this role corresponds to. + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -285,15 +352,25 @@ spec: type: object x-kubernetes-validations: - message: backend is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) + || has(self.initProvider.backend)' - message: dbName is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dbName) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.dbName) + || has(self.initProvider.dbName)' - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' - message: rotationPeriod is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.rotationPeriod) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.rotationPeriod) + || has(self.initProvider.rotationPeriod)' - message: username is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.username) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.username) + || has(self.initProvider.username)' status: description: SecretBackendStaticRoleStatus defines the observed state of SecretBackendStaticRole. 
@@ -301,33 +378,41 @@ spec: atProvider: properties: backend: - description: The path of the Database Secret Backend the role - belongs to. + description: The unique name of the Vault mount to configure. + The path of the Database Secret Backend the role belongs to. type: string dbName: - description: Database connection to use for this role. + description: The unique name of the database connection to use + for the static role. Database connection to use for this role. type: string id: type: string name: - description: Unique name for the static role. + description: A unique name to give the static role. Unique name + for the static role. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string rotationPeriod: description: The amount of time Vault should wait before rotating - the password, in seconds. + the password, in seconds. The amount of time Vault should wait + before rotating the password, in seconds. type: number rotationStatements: description: Database statements to execute to rotate the password - for the configured database user. + for the configured database user. Database statements to execute + to rotate the password for the configured database user. items: type: string type: array username: - description: The database username that this role corresponds - to. + description: The database username that this static role corresponds + to. The database username that this role corresponds to. type: string type: object conditions: diff --git a/package/crds/database.vault.upbound.io_secretsmounts.yaml b/package/crds/database.vault.upbound.io_secretsmounts.yaml index 0c4bb9f9..0a3e3ac2 100644 
--- a/package/crds/database.vault.upbound.io_secretsmounts.yaml +++ b/package/crds/database.vault.upbound.io_secretsmounts.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretsmounts.database.vault.upbound.io spec: group: database.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: SecretsMount is the Schema for the SecretsMounts API. + description: SecretsMount is the Schema for the SecretsMounts API. Configures + any number of database secrets engines under a single mount resource properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -68,59 +68,72 @@ spec: forProvider: properties: allowedManagedKeys: - description: List of managed key registry entry names that the - mount in question is allowed to access + description: Set of managed key registry entry names that the + mount in question is allowed to access List of managed key registry + entry names that the mount in question is allowed to access items: type: string type: array auditNonHmacRequestKeys: description: Specifies the list of keys that will not be HMAC'd - by audit devices in the request data object. + by audit devices in the request data object. Specifies the list + of keys that will not be HMAC'd by audit devices in the request + data object. items: type: string type: array auditNonHmacResponseKeys: description: Specifies the list of keys that will not be HMAC'd - by audit devices in the response data object. + by audit devices in the response data object. Specifies the + list of keys that will not be HMAC'd by audit devices in the + response data object. items: type: string type: array cassandra: - description: Connection parameters for the cassandra-database-plugin + description: A nested block containing configuration options for + Cassandra connections. See Connection parameters for the cassandra-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string type: array connectTimeout: description: The number of seconds to use as a connection + timeout. The number of seconds to use as a connection timeout. type: number data: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object hosts: - description: Cassandra hosts to connect to. 
+ description: The hosts to connect to. Cassandra hosts to + connect to. items: type: string type: array insecureTls: description: Whether to skip verification of the server - certificate when using TLS. + certificate when using TLS. Whether to skip verification + of the server certificate when using TLS. type: boolean name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string passwordSecretRef: - description: The password to use when authenticating with - Cassandra. + description: The password to authenticate with. The password + to use when authenticating with Cassandra. properties: key: description: The key to select. @@ -137,7 +150,8 @@ spec: - namespace type: object pemBundleSecretRef: - description: Concatenated PEM blocks containing a certificate + description: Concatenated PEM blocks configuring the certificate + chain. Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. properties: @@ -156,9 +170,10 @@ spec: - namespace type: object pemJsonSecretRef: - description: Specifies JSON containing a certificate and - private key; a certificate, private key, and issuing CA - certificate; or just a CA certificate. + description: A JSON structure configuring the certificate + chain. Specifies JSON containing a certificate and private + key; a certificate, private key, and issuing CA certificate; + or just a CA certificate. properties: key: description: The key to select. 
@@ -175,52 +190,61 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string port: - description: The transport port to use to connect to Cassandra. + description: The default port to connect to if no port is + specified as part of the host. The transport port to use + to connect to Cassandra. type: number protocolVersion: - description: The CQL protocol version to use. + description: The CQL protocol version to use. The CQL protocol + version to use. type: number rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array tls: description: Whether to use TLS when connecting to Cassandra. + Whether to use TLS when connecting to Cassandra. type: boolean username: - description: The username to use when authenticating with - Cassandra. + description: The username to authenticate with. The username + to use when authenticating with Cassandra. type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. type: boolean - required: - - name type: object type: array couchbase: - description: Connection parameters for the couchbase-database-plugin + description: A nested block containing configuration options for + Couchbase connections. 
See Connection parameters for the couchbase-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string type: array base64PemSecretRef: - description: Required if `tls` is `true`. Specifies the - certificate authority of the Couchbase server, as a PEM - certificate that has been base64 encoded. + description: Required if tls is true. Specifies the certificate + authority of the Couchbase server, as a PEM certificate + that has been base64 encoded. Required if `tls` is `true`. + Specifies the certificate authority of the Couchbase server, + as a PEM certificate that has been base64 encoded. properties: key: description: The key to select. @@ -238,6 +262,8 @@ spec: type: object bucketName: description: Required for Couchbase versions prior to 6.5.0. + This is only used to verify vault's connection to the + server. Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. type: string 
@@ -245,24 +271,29 @@ spec: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object hosts: - description: A set of Couchbase URIs to connect to. Must - use `couchbases://` scheme if `tls` is `true`. + description: The hosts to connect to. A set of Couchbase + URIs to connect to. Must use `couchbases://` scheme if + `tls` is `true`. items: type: string type: array insecureTls: - description: Specifies whether to skip verification of the - server certificate when using TLS. + description: Whether to skip verification of the server + certificate when using TLS. Specifies whether to skip + verification of the server certificate when using TLS. type: boolean name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string passwordSecretRef: - description: Specifies the password corresponding to the - given username. + description: The password to authenticate with. Specifies + the password corresponding to the given username. properties: key: description: The key to select. 
@@ -279,85 +310,102 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array tls: - description: Specifies whether to use TLS when connecting - to Couchbase. + description: Whether to use TLS when connecting to Cassandra. + Specifies whether to use TLS when connecting to Couchbase. type: boolean username: - description: Specifies the username for Vault to use. + description: The username to authenticate with. Specifies + the username for Vault to use. type: string usernameTemplate: description: Template describing how dynamic usernames are + generated. Template describing how dynamic usernames are generated. type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. 
type: boolean required: - - hosts - - name - passwordSecretRef - - username type: object type: array defaultLeaseTtlSeconds: description: Default lease duration for tokens and secrets in - seconds + seconds Default lease duration for tokens and secrets in seconds type: number description: - description: Human-friendly description of the mount + description: Human-friendly description of the mount Human-friendly + description of the mount type: string elasticsearch: - description: Connection parameters for the elasticsearch-database-plugin. + description: A nested block containing configuration options for + Elasticsearch connections. See Connection parameters for the + elasticsearch-database-plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string type: array caCert: description: The path to a PEM-encoded CA cert file to use - to verify the Elasticsearch server's identity + to verify the Elasticsearch server's identity. The path + to a PEM-encoded CA cert file to use to verify the Elasticsearch + server's identity type: string caPath: description: The path to a directory of PEM-encoded CA cert - files to use to verify the Elasticsearch server's identity + files to use to verify the Elasticsearch server's identity. + The path to a directory of PEM-encoded CA cert files to + use to verify the Elasticsearch server's identity type: string clientCert: description: The path to the certificate for the Elasticsearch - client to present for communication + client to present for communication. The path to the certificate + for the Elasticsearch client to present for communication type: string clientKey: description: The path to the key for the Elasticsearch client - to use for communication + to use for communication. 
The path to the key for the + Elasticsearch client to use for communication type: string data: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object insecure: - description: Whether to disable certificate verification + description: Whether to disable certificate verification. + Whether to disable certificate verification type: boolean name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string passwordSecretRef: - description: The password to be used in the connection URL + description: The password to authenticate with. The password + to be used in the connection URL properties: key: description: The key to select. 
@@ -374,86 +422,103 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array tlsServerName: description: This, if set, is used to set the SNI host when - connecting via TLS + connecting via TLS. This, if set, is used to set the SNI + host when connecting via TLS type: string url: - description: The URL for Elasticsearch's API + description: The URL for Elasticsearch's API. https requires + certificate by trusted CA if used. The URL for Elasticsearch's + API type: string username: - description: The username to be used in the connection URL + description: The username to authenticate with. The username + to be used in the connection URL type: string usernameTemplate: description: Template describing how dynamic usernames are + generated. Template describing how dynamic usernames are generated. type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. 
type: boolean required: - - name - passwordSecretRef - - url - - username type: object type: array externalEntropyAccess: - description: Enable the secrets engine to access Vault's external + description: Boolean flag that can be explicitly set to true to + enable the secrets engine to access Vault's external entropy + source Enable the secrets engine to access Vault's external entropy source type: boolean hana: - description: Connection parameters for the hana-database-plugin + description: A nested block containing configuration options for + SAP HanaDB connections. See Connection parameters for the hana-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: Connection string to use to connect to the + description: A URL containing connection information. See + Vault docs Connection string to use to connect to the database. type: string data: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object disableEscaping: description: Disable special character escaping in username + and password. Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. 
type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string passwordSecretRef: - description: The root credential password used in the connection - URL + description: The password to authenticate with. The root + credential password used in the connection URL properties: key: description: The key to select. 
@@ -470,62 +535,71 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. type: boolean - required: - - name type: object type: array influxdb: - description: Connection parameters for the influxdb-database-plugin + description: A nested block containing configuration options for + InfluxDB connections. See Connection parameters for the influxdb-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string type: array connectTimeout: description: The number of seconds to use as a connection + timeout. The number of seconds to use as a connection timeout. type: number data: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. 
+ Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object host: - description: Influxdb host to connect to. + description: The host to connect to. Influxdb host to connect + to. type: string insecureTls: description: Whether to skip verification of the server - certificate when using TLS. + certificate when using TLS. Whether to skip verification + of the server certificate when using TLS. type: boolean name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string passwordSecretRef: - description: Specifies the password corresponding to the - given username. + description: The password to authenticate with. Specifies + the password corresponding to the given username. properties: key: description: The key to select. @@ -542,7 +616,8 @@ spec: - namespace type: object pemBundleSecretRef: - description: Concatenated PEM blocks containing a certificate + description: Concatenated PEM blocks configuring the certificate + chain. Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. properties: @@ -561,9 +636,10 @@ spec: - namespace type: object pemJsonSecretRef: - description: Specifies JSON containing a certificate and - private key; a certificate, private key, and issuing CA - certificate; or just a CA certificate. + description: A JSON structure configuring the certificate + chain. Specifies JSON containing a certificate and private + key; a certificate, private key, and issuing CA certificate; + or just a CA certificate. properties: key: description: The key to select. 
@@ -580,86 +656,101 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string port: - description: The transport port to use to connect to Influxdb. + description: The default port to connect to if no port is + specified as part of the host. The transport port to use + to connect to Influxdb. type: number rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array tls: - description: Whether to use TLS when connecting to Influxdb. + description: Whether to use TLS when connecting to Cassandra. + Whether to use TLS when connecting to Influxdb. type: boolean username: - description: Specifies the username to use for superuser - access. + description: The username to authenticate with. Specifies + the username to use for superuser access. type: string usernameTemplate: description: Template describing how dynamic usernames are + generated. Template describing how dynamic usernames are generated. type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. 
type: boolean required: - - host - - name - passwordSecretRef - - username type: object type: array local: - description: Local mount flag that can be explicitly set to true - to enforce local mount in HA environment + description: Boolean flag that can be explicitly set to true to + enforce local mount in HA environment Local mount flag that + can be explicitly set to true to enforce local mount in HA environment type: boolean maxLeaseTtlSeconds: description: Maximum possible lease duration for tokens and secrets + in seconds Maximum possible lease duration for tokens and secrets in seconds type: number mongodb: - description: Connection parameters for the mongodb-database-plugin + description: A nested block containing configuration options for + MongoDB connections. See Connection parameters for the mongodb-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: Connection string to use to connect to the + description: A URL containing connection information. See + Vault docs Connection string to use to connect to the database. type: string data: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. 
type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string passwordSecretRef: - description: The root credential password used in the connection - URL + description: The password to authenticate with. The root + credential password used in the connection URL properties: key: description: The key to select. 
@@ -676,38 +767,42 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. type: boolean - required: - - name type: object type: array mongodbatlas: - description: Connection parameters for the mongodbatlas-database-plugin - plugin. + description: A nested block containing configuration options for + MongoDB Atlas connections. See Connection parameters for the + mongodbatlas-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string 
@@ -716,19 +811,24 @@ spec: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string privateKeySecretRef: description: The Private Programmatic API Key used to connect - with MongoDB Atlas API. + with MongoDB Atlas API. The Private Programmatic API Key + used to connect with MongoDB Atlas API. properties: key: description: The key to select. 
@@ -746,74 +846,87 @@ spec: type: object projectId: description: The Project ID the Database User should be - created within. + created within. The Project ID the Database User should + be created within. type: string publicKey: description: The Public Programmatic API Key used to authenticate - with the MongoDB Atlas API. + with the MongoDB Atlas API. The Public Programmatic API + Key used to authenticate with the MongoDB Atlas API. type: string rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. type: boolean required: - - name - privateKeySecretRef - - projectId - - publicKey type: object type: array mssql: - description: Connection parameters for the mssql-database-plugin + description: A nested block containing configuration options for + MSSQL connections. See Connection parameters for the mssql-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: Connection string to use to connect to the + description: A URL containing connection information. See + Vault docs Connection string to use to connect to the database. type: string containedDb: - description: Set to true when the target is a Contained - Database, e.g. AzureSQL. + description: For Vault v1.9+. Set to true when the target + is a Contained Database, e.g. AzureSQL. 
See Vault docs + Set to true when the target is a Contained Database, e.g. + AzureSQL. type: boolean data: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object disableEscaping: description: Disable special character escaping in username + and password. Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string passwordSecretRef: - description: The root credential password used in the connection - URL + description: The password to authenticate with. The root + credential password used in the connection URL properties: key: description: The key to select. 
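Review bot: `connectionUrl` remains a plain `type: string` in the spec while `passwordSecretRef` is a Secret reference, and the new description `A URL containing connection information. See Vault docs` lost whatever the link pointed at, so nothing tells the user that a literal password placed in the URL is stored in clear in the resource rather than in a Secret. The `data` field on the same hunk is described as `A map of sensitive data to pass to the endpoint. Useful for templated connection strings.`, and the `connectionUrl` text should point to it, e.g. `description: Connection string to use to connect to the database. Do not embed literal credentials; supply them through username/passwordSecretRef or templated values from data.` The same description is repeated for mysql, mysqlAurora, mysqlLegacy, mysqlRds, oracle, postgresql and redshift, and the dangling `See Vault docs` also appears on mssql's `containedDb`.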
@@ -830,68 +943,79 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. type: boolean - required: - - name type: object type: array mysql: - description: Connection parameters for the mysql-database-plugin + description: A nested block containing configuration options for + MySQL connections. See Connection parameters for the mysql-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: Connection string to use to connect to the + description: A URL containing connection information. 
See + Vault docs Connection string to use to connect to the database. type: string data: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string passwordSecretRef: - description: The root credential password used in the connection - URL + description: The password to authenticate with. The root + credential password used in the connection URL properties: key: description: The key to select. 
@@ -908,24 +1032,30 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array tlsCa: description: x509 CA file for validating the certificate - presented by the MySQL server. Must be PEM encoded. + presented by the MySQL server. Must be PEM encoded. x509 + CA file for validating the certificate presented by the + MySQL server. Must be PEM encoded. type: string tlsCertificateKeySecretRef: description: x509 certificate for connecting to the database. This must be a PEM encoded version of the private key - and the certificate combined. + and the certificate combined. x509 certificate for connecting + to the database. This must be a PEM encoded version of + the private key and the certificate combined. properties: key: description: The key to select. 
@@ -942,57 +1072,66 @@ spec: - namespace type: object username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. type: boolean - required: - - name type: object type: array mysqlAurora: - description: Connection parameters for the mysql-aurora-database-plugin - plugin. + description: A nested block containing configuration options for + Aurora MySQL connections. See Connection parameters for the + mysql-aurora-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: Connection string to use to connect to the + description: A URL containing connection information. See + Vault docs Connection string to use to connect to the database. type: string data: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. 
type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string passwordSecretRef: - description: The root credential password used in the connection - URL + description: The password to authenticate with. The root + credential password used in the connection URL properties: key: description: The key to select. 
@@ -1009,68 +1148,79 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. type: boolean - required: - - name type: object type: array mysqlLegacy: - description: Connection parameters for the mysql-legacy-database-plugin - plugin. + description: A nested block containing configuration options for + legacy MySQL connections. See Connection parameters for the + mysql-legacy-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. 
items: type: string type: array connectionUrl: - description: Connection string to use to connect to the + description: A URL containing connection information. See + Vault docs Connection string to use to connect to the database. type: string data: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string passwordSecretRef: - description: The root credential password used in the connection - URL + description: The password to authenticate with. The root + credential password used in the connection URL properties: key: description: The key to select. 
@@ -1087,68 +1237,79 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. type: boolean - required: - - name type: object type: array mysqlRds: - description: Connection parameters for the mysql-rds-database-plugin + description: A nested block containing configuration options for + RDS MySQL connections. See Connection parameters for the mysql-rds-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: Connection string to use to connect to the + description: A URL containing connection information. 
See + Vault docs Connection string to use to connect to the database. type: string data: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string passwordSecretRef: - description: The root credential password used in the connection - URL + description: The password to authenticate with. The root + credential password used in the connection URL properties: key: description: The key to select. 
@@ -1165,29 +1326,31 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. type: boolean - required: - - name type: object type: array namespace: 
@@ -1197,45 +1360,55 @@ spec: additionalProperties: type: string description: Specifies mount type specific options that are passed - to the backend + to the backend Specifies mount type specific options that are + passed to the backend type: object oracle: - description: Connection parameters for the oracle-database-plugin + description: A nested block containing configuration options for + Oracle connections. See Connection parameters for the oracle-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: Connection string to use to connect to the + description: A URL containing connection information. See + Vault docs Connection string to use to connect to the database. type: string data: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. 
type: string passwordSecretRef: - description: The root credential password used in the connection - URL + description: The password to authenticate with. The root + credential password used in the connection URL properties: key: description: The key to select. 
@@ -1252,75 +1425,88 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. type: boolean - required: - - name type: object type: array path: - description: Where the secret backend will be mounted + description: Where the secret backend will be mounted Where the + secret backend will be mounted type: string postgresql: - description: Connection parameters for the postgresql-database-plugin + description: A nested block containing configuration options for + PostgreSQL connections. See Connection parameters for the postgresql-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. 
A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: Connection string to use to connect to the + description: A URL containing connection information. See + Vault docs Connection string to use to connect to the database. type: string data: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object disableEscaping: description: Disable special character escaping in username + and password. Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string passwordSecretRef: - description: The root credential password used in the connection - URL + description: The password to authenticate with. The root + credential password used in the connection URL properties: key: description: The key to select. 
@@ -1337,65 +1523,76 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. type: boolean - required: - - name type: object type: array redis: - description: Connection parameters for the redis-database-plugin + description: A nested block containing configuration options for + Redis connections. See Connection parameters for the redis-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string type: array caCert: - description: The contents of a PEM-encoded CA cert file - to use to verify the Redis server's identity. 
+ description: The path to a PEM-encoded CA cert file to use + to verify the Elasticsearch server's identity. The contents + of a PEM-encoded CA cert file to use to verify the Redis + server's identity. type: string data: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object host: - description: Specifies the host to connect to + description: The host to connect to. Specifies the host + to connect to type: string insecureTls: - description: Specifies whether to skip verification of the - server certificate when using TLS. + description: Whether to skip verification of the server + certificate when using TLS. Specifies whether to skip + verification of the server certificate when using TLS. type: boolean name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string passwordSecretRef: - description: Specifies the password corresponding to the - given username. + description: The password to authenticate with. Specifies + the password corresponding to the given username. properties: key: description: The key to select. 
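Review bot: The new first sentence of redis `caCert`, `The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity.`, contradicts the retained second sentence on both points: the field takes the certificate contents, not a path, and the server is Redis. A user following the new wording would supply a file path, which presumably fails at connection setup or leaves server-certificate verification misconfigured, undermining the explicit opt-out that `insecureTls` on this hunk is meant to be. The same copy-from-another-engine slip appears in the next hunk on redis `tls` (`Whether to use TLS when connecting to Cassandra.`) and in the redisElasticache hunk on `url` (`The URL for Elasticsearch's API ...`). For this field the description should read `description: The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity.`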
@@ -1412,44 +1609,49 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string port: - description: The transport port to use to connect to Redis. + description: The default port to connect to if no port is + specified as part of the host. The transport port to use + to connect to Redis. type: number rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array tls: - description: Specifies whether to use TLS when connecting - to Redis. + description: Whether to use TLS when connecting to Cassandra. + Specifies whether to use TLS when connecting to Redis. type: boolean username: - description: Specifies the username for Vault to use. + description: The username to authenticate with. Specifies + the username for Vault to use. type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. type: boolean required: - - host - - name - passwordSecretRef - - username type: object type: array redisElasticache: - description: Connection parameters for the redis-elasticache-database-plugin - plugin. + description: A nested block containing configuration options for + Redis ElastiCache connections. See Connection parameters for + the redis-elasticache-database-plugin plugin. 
items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string @@ -1458,14 +1660,18 @@ spec: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string passwordSecretRef: - description: The AWS secret key id to use to talk to ElastiCache. - If omitted the credentials chain provider is used instead. + description: The password to authenticate with. The AWS + secret key id to use to talk to ElastiCache. If omitted + the credentials chain provider is used instead. properties: key: description: The key to select. 
@@ -1482,28 +1688,34 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string region: description: The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region - from the environment. + from the environment. The AWS region where the ElastiCache + cluster is hosted. If omitted the plugin tries to infer + the region from the environment. type: string rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array url: - description: The configuration endpoint for the ElastiCache - cluster to connect to. + description: The URL for Elasticsearch's API. https requires + certificate by trusted CA if used. The configuration endpoint + for the ElastiCache cluster to connect to. type: string usernameSecretRef: - description: The AWS access key id to use to talk to ElastiCache. - If omitted the credentials chain provider is used instead. + description: The username to authenticate with. The AWS + access key id to use to talk to ElastiCache. If omitted + the credentials chain provider is used instead. properties: key: description: The key to select. 
@@ -1520,55 +1732,63 @@ spec: - namespace type: object verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. type: boolean - required: - - name - - url type: object type: array redshift: - description: Connection parameters for the redshift-database-plugin - plugin. + description: A nested block containing configuration options for + AWS Redshift connections. See Connection parameters for the + redshift-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: Connection string to use to connect to the + description: A URL containing connection information. See + Vault docs Connection string to use to connect to the database. type: string data: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object disableEscaping: description: Disable special character escaping in username + and password. Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. 
type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string passwordSecretRef: - description: The root credential password used in the connection - URL + description: The password to authenticate with. The root + credential password used in the connection URL properties: key: description: The key to select. 
@@ -1585,72 +1805,86 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. 
type: boolean - required: - - name type: object type: array sealWrap: - description: Enable seal wrapping for the mount, causing values - stored by the mount to be wrapped by the seal's encryption capability + description: Boolean flag that can be explicitly set to true to + enable seal wrapping for the mount, causing values stored by + the mount to be wrapped by the seal's encryption capability + Enable seal wrapping for the mount, causing values stored by + the mount to be wrapped by the seal's encryption capability type: boolean snowflake: - description: Connection parameters for the snowflake-database-plugin + description: A nested block containing configuration options for + Snowflake connections. See Connection parameters for the snowflake-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: Connection string to use to connect to the + description: A URL containing connection information. See + Vault docs Connection string to use to connect to the database. type: string data: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. 
type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string passwordSecretRef: - description: The root credential password used in the connection - URL + description: The password to authenticate with. The root + credential password used in the connection URL properties: key: description: The key to select. 
@@ -1667,323 +1901,165 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. type: boolean - required: - - name type: object type: array type: object - managementPolicy: - default: FullControl - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. 
Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string - providerConfigRef: - default: - name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. 
The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. - properties: - configRef: - default: - name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. 
- enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - metadata: - description: Metadata is the metadata for connection secret. - properties: - annotations: - additionalProperties: - type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. - type: object - labels: - additionalProperties: - type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. - type: object - type: - description: Type is the SecretType for the connection secret. - - Only valid for Kubernetes Secret Stores. - type: string - type: object - name: - description: Name is the name of the connection secret. - type: string - required: - - name - type: object - writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. - properties: - name: - description: Name of the secret. - type: string - namespace: - description: Namespace of the secret. 
- type: string - required: - - name - - namespace - type: object - required: - - forProvider - type: object - x-kubernetes-validations: - - message: path is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path) - status: - description: SecretsMountStatus defines the observed state of SecretsMount. - properties: - atProvider: + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. properties: - accessor: - description: Accessor of the mount - type: string allowedManagedKeys: - description: List of managed key registry entry names that the - mount in question is allowed to access + description: Set of managed key registry entry names that the + mount in question is allowed to access List of managed key registry + entry names that the mount in question is allowed to access items: type: string type: array auditNonHmacRequestKeys: description: Specifies the list of keys that will not be HMAC'd - by audit devices in the request data object. + by audit devices in the request data object. Specifies the list + of keys that will not be HMAC'd by audit devices in the request + data object. items: type: string type: array auditNonHmacResponseKeys: description: Specifies the list of keys that will not be HMAC'd - by audit devices in the response data object. + by audit devices in the response data object. Specifies the + list of keys that will not be HMAC'd by audit devices in the + response data object. 
items: type: string type: array cassandra: - description: Connection parameters for the cassandra-database-plugin + description: A nested block containing configuration options for + Cassandra connections. See Connection parameters for the cassandra-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string type: array connectTimeout: description: The number of seconds to use as a connection + timeout. The number of seconds to use as a connection timeout. type: number data: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object hosts: - description: Cassandra hosts to connect to. + description: The hosts to connect to. Cassandra hosts to + connect to. items: type: string type: array insecureTls: description: Whether to skip verification of the server - certificate when using TLS. + certificate when using TLS. Whether to skip verification + of the server certificate when using TLS. type: boolean name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string port: - description: The transport port to use to connect to Cassandra. 
+ description: The default port to connect to if no port is + specified as part of the host. The transport port to use + to connect to Cassandra. type: number protocolVersion: - description: The CQL protocol version to use. + description: The CQL protocol version to use. The CQL protocol + version to use. type: number rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array tls: description: Whether to use TLS when connecting to Cassandra. + Whether to use TLS when connecting to Cassandra. type: boolean username: - description: The username to use when authenticating with - Cassandra. + description: The username to authenticate with. The username + to use when authenticating with Cassandra. type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. type: boolean type: object type: array couchbase: - description: Connection parameters for the couchbase-database-plugin + description: A nested block containing configuration options for + Couchbase connections. See Connection parameters for the couchbase-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string type: array bucketName: description: Required for Couchbase versions prior to 6.5.0. + This is only used to verify vault's connection to the + server. Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. type: string 
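Review bot: The new `initProvider` block's own description says its fields are added to the terraform ignore_changes hook and are not updated after creation, but the per-field descriptions copied beneath it — e.g. cassandra `data`, `A map of sensitive data to pass to the endpoint`, and `username` — carry no hint of that, so a reader will expect a later edit to `initProvider.cassandra.data` to be reconciled. It is worth saying once on the field that holds sensitive material, e.g. `Values set here are only applied at creation; later changes must be made under forProvider.` The old side of this hunk also removes `managementPolicy`, `providerConfigRef`, `publishConnectionDetailsTo`, `writeConnectionSecretToRef` and the `x-kubernetes-validations` rule on `forProvider.path`; I assume they reappear after the initProvider block in the next hunk, which runs past the end of this view, but that should be confirmed since that CEL rule is what enforces `path` under FullControl.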
@@ -1991,329 +2067,402 @@ spec: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object hosts: - description: A set of Couchbase URIs to connect to. Must - use `couchbases://` scheme if `tls` is `true`. + description: The hosts to connect to. A set of Couchbase + URIs to connect to. Must use `couchbases://` scheme if + `tls` is `true`. items: type: string type: array insecureTls: - description: Specifies whether to skip verification of the - server certificate when using TLS. + description: Whether to skip verification of the server + certificate when using TLS. Specifies whether to skip + verification of the server certificate when using TLS. type: boolean name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array tls: - description: Specifies whether to use TLS when connecting - to Couchbase. + description: Whether to use TLS when connecting to Cassandra. + Specifies whether to use TLS when connecting to Couchbase. 
type: boolean username: - description: Specifies the username for Vault to use. + description: The username to authenticate with. Specifies + the username for Vault to use. type: string usernameTemplate: description: Template describing how dynamic usernames are + generated. Template describing how dynamic usernames are generated. type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. type: boolean type: object type: array defaultLeaseTtlSeconds: description: Default lease duration for tokens and secrets in - seconds + seconds Default lease duration for tokens and secrets in seconds type: number description: - description: Human-friendly description of the mount + description: Human-friendly description of the mount Human-friendly + description of the mount type: string elasticsearch: - description: Connection parameters for the elasticsearch-database-plugin. + description: A nested block containing configuration options for + Elasticsearch connections. See Connection parameters for the + elasticsearch-database-plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string type: array caCert: description: The path to a PEM-encoded CA cert file to use - to verify the Elasticsearch server's identity + to verify the Elasticsearch server's identity. The path + to a PEM-encoded CA cert file to use to verify the Elasticsearch + server's identity type: string caPath: description: The path to a directory of PEM-encoded CA cert - files to use to verify the Elasticsearch server's identity + files to use to verify the Elasticsearch server's identity. 
+ The path to a directory of PEM-encoded CA cert files to + use to verify the Elasticsearch server's identity type: string clientCert: description: The path to the certificate for the Elasticsearch - client to present for communication + client to present for communication. The path to the certificate + for the Elasticsearch client to present for communication type: string clientKey: description: The path to the key for the Elasticsearch client - to use for communication + to use for communication. The path to the key for the + Elasticsearch client to use for communication type: string data: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object insecure: - description: Whether to disable certificate verification + description: Whether to disable certificate verification. + Whether to disable certificate verification type: boolean name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. 
items: type: string type: array tlsServerName: description: This, if set, is used to set the SNI host when - connecting via TLS + connecting via TLS. This, if set, is used to set the SNI + host when connecting via TLS type: string url: - description: The URL for Elasticsearch's API + description: The URL for Elasticsearch's API. https requires + certificate by trusted CA if used. The URL for Elasticsearch's + API type: string username: - description: The username to be used in the connection URL + description: The username to authenticate with. The username + to be used in the connection URL type: string usernameTemplate: description: Template describing how dynamic usernames are + generated. Template describing how dynamic usernames are generated. type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. type: boolean type: object type: array - engineCount: - description: Total number of database secret engines configured - under the mount. - type: number externalEntropyAccess: - description: Enable the secrets engine to access Vault's external + description: Boolean flag that can be explicitly set to true to + enable the secrets engine to access Vault's external entropy + source Enable the secrets engine to access Vault's external entropy source type: boolean hana: - description: Connection parameters for the hana-database-plugin + description: A nested block containing configuration options for + SAP HanaDB connections. See Connection parameters for the hana-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. 
items: type: string type: array connectionUrl: - description: Connection string to use to connect to the + description: A URL containing connection information. See + Vault docs Connection string to use to connect to the database. type: string data: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object disableEscaping: description: Disable special character escaping in username + and password. Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. 
type: string rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. type: boolean type: object type: array - id: - type: string influxdb: - description: Connection parameters for the influxdb-database-plugin + description: A nested block containing configuration options for + InfluxDB connections. See Connection parameters for the influxdb-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string type: array connectTimeout: description: The number of seconds to use as a connection + timeout. The number of seconds to use as a connection timeout. type: number data: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object host: - description: Influxdb host to connect to. + description: The host to connect to. Influxdb host to connect + to. type: string insecureTls: description: Whether to skip verification of the server - certificate when using TLS. + certificate when using TLS. 
Whether to skip verification + of the server certificate when using TLS. type: boolean name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string port: - description: The transport port to use to connect to Influxdb. + description: The default port to connect to if no port is + specified as part of the host. The transport port to use + to connect to Influxdb. type: number rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array tls: - description: Whether to use TLS when connecting to Influxdb. + description: Whether to use TLS when connecting to Cassandra. + Whether to use TLS when connecting to Influxdb. type: boolean username: - description: Specifies the username to use for superuser - access. + description: The username to authenticate with. Specifies + the username to use for superuser access. type: string usernameTemplate: description: Template describing how dynamic usernames are + generated. Template describing how dynamic usernames are generated. type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. 
type: boolean type: object type: array local: - description: Local mount flag that can be explicitly set to true - to enforce local mount in HA environment + description: Boolean flag that can be explicitly set to true to + enforce local mount in HA environment Local mount flag that + can be explicitly set to true to enforce local mount in HA environment type: boolean maxLeaseTtlSeconds: description: Maximum possible lease duration for tokens and secrets + in seconds Maximum possible lease duration for tokens and secrets in seconds type: number mongodb: - description: Connection parameters for the mongodb-database-plugin + description: A nested block containing configuration options for + MongoDB connections. See Connection parameters for the mongodb-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: Connection string to use to connect to the + description: A URL containing connection information. See + Vault docs Connection string to use to connect to the database. type: string data: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. 
type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. type: boolean type: object type: array mongodbatlas: - description: Connection parameters for the mongodbatlas-database-plugin - plugin. + description: A nested block containing configuration options for + MongoDB Atlas connections. 
See Connection parameters for the + mongodbatlas-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string 
@@ -2322,335 +2471,413 @@ spec: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string projectId: description: The Project ID the Database User should be - created within. + created within. The Project ID the Database User should + be created within. type: string publicKey: description: The Public Programmatic API Key used to authenticate - with the MongoDB Atlas API. + with the MongoDB Atlas API. The Public Programmatic API + Key used to authenticate with the MongoDB Atlas API. type: string rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. 
type: boolean type: object type: array mssql: - description: Connection parameters for the mssql-database-plugin + description: A nested block containing configuration options for + MSSQL connections. See Connection parameters for the mssql-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: Connection string to use to connect to the + description: A URL containing connection information. See + Vault docs Connection string to use to connect to the database. type: string containedDb: - description: Set to true when the target is a Contained - Database, e.g. AzureSQL. + description: For Vault v1.9+. Set to true when the target + is a Contained Database, e.g. AzureSQL. See Vault docs + Set to true when the target is a Contained Database, e.g. + AzureSQL. type: boolean data: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object disableEscaping: description: Disable special character escaping in username + and password. Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. 
+ description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. type: boolean type: object type: array mysql: - description: Connection parameters for the mysql-database-plugin + description: A nested block containing configuration options for + MySQL connections. See Connection parameters for the mysql-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. 
A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: Connection string to use to connect to the + description: A URL containing connection information. See + Vault docs Connection string to use to connect to the database. type: string data: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. 
A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array tlsCa: description: x509 CA file for validating the certificate - presented by the MySQL server. Must be PEM encoded. + presented by the MySQL server. Must be PEM encoded. x509 + CA file for validating the certificate presented by the + MySQL server. Must be PEM encoded. type: string username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. type: boolean type: object type: array mysqlAurora: - description: Connection parameters for the mysql-aurora-database-plugin - plugin. + description: A nested block containing configuration options for + Aurora MySQL connections. See Connection parameters for the + mysql-aurora-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: Connection string to use to connect to the + description: A URL containing connection information. See + Vault docs Connection string to use to connect to the database. type: string data: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. 
A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. 
type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. type: boolean type: object type: array mysqlLegacy: - description: Connection parameters for the mysql-legacy-database-plugin - plugin. + description: A nested block containing configuration options for + legacy MySQL connections. See Connection parameters for the + mysql-legacy-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: Connection string to use to connect to the + description: A URL containing connection information. See + Vault docs Connection string to use to connect to the database. type: string data: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. 
type: number name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. type: boolean type: object type: array mysqlRds: - description: Connection parameters for the mysql-rds-database-plugin + description: A nested block containing configuration options for + RDS MySQL connections. See Connection parameters for the mysql-rds-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. 
items: type: string type: array connectionUrl: - description: Connection string to use to connect to the + description: A URL containing connection information. See + Vault docs Connection string to use to connect to the database. type: string data: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. 
A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. type: boolean type: object type: array 
@@ -2661,196 +2888,242 @@ spec: additionalProperties: type: string description: Specifies mount type specific options that are passed - to the backend + to the backend Specifies mount type specific options that are + passed to the backend type: object oracle: - description: Connection parameters for the oracle-database-plugin + description: A nested block containing configuration options for + Oracle connections. See Connection parameters for the oracle-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: Connection string to use to connect to the + description: A URL containing connection information. See + Vault docs Connection string to use to connect to the database. type: string data: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. 
type: string pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. type: boolean type: object type: array path: - description: Where the secret backend will be mounted + description: Where the secret backend will be mounted Where the + secret backend will be mounted type: string postgresql: - description: Connection parameters for the postgresql-database-plugin + description: A nested block containing configuration options for + PostgreSQL connections. See Connection parameters for the postgresql-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. 
items: type: string type: array connectionUrl: - description: Connection string to use to connect to the + description: A URL containing connection information. See + Vault docs Connection string to use to connect to the database. type: string data: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object disableEscaping: description: Disable special character escaping in username + and password. Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. 
type: string rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. type: boolean type: object type: array redis: - description: Connection parameters for the redis-database-plugin + description: A nested block containing configuration options for + Redis connections. See Connection parameters for the redis-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string type: array caCert: - description: The contents of a PEM-encoded CA cert file - to use to verify the Redis server's identity. + description: The path to a PEM-encoded CA cert file to use + to verify the Elasticsearch server's identity. The contents + of a PEM-encoded CA cert file to use to verify the Redis + server's identity. type: string data: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. 
Useful for templated connection + strings. type: object host: - description: Specifies the host to connect to + description: The host to connect to. Specifies the host + to connect to type: string insecureTls: - description: Specifies whether to skip verification of the - server certificate when using TLS. + description: Whether to skip verification of the server + certificate when using TLS. Specifies whether to skip + verification of the server certificate when using TLS. type: boolean name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string port: - description: The transport port to use to connect to Redis. + description: The default port to connect to if no port is + specified as part of the host. The transport port to use + to connect to Redis. type: number rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array tls: - description: Specifies whether to use TLS when connecting - to Redis. + description: Whether to use TLS when connecting to Cassandra. + Specifies whether to use TLS when connecting to Redis. type: boolean username: - description: Specifies the username for Vault to use. + description: The username to authenticate with. Specifies + the username for Vault to use. 
type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. type: boolean type: object type: array redisElasticache: - description: Connection parameters for the redis-elasticache-database-plugin - plugin. + description: A nested block containing configuration options for + Redis ElastiCache connections. See Connection parameters for + the redis-elasticache-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string 
@@ -2859,158 +3132,1799 @@ spec: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string region: description: The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region - from the environment. + from the environment. The AWS region where the ElastiCache + cluster is hosted. If omitted the plugin tries to infer + the region from the environment. type: string rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array url: - description: The configuration endpoint for the ElastiCache - cluster to connect to. + description: The URL for Elasticsearch's API. https requires + certificate by trusted CA if used. The configuration endpoint + for the ElastiCache cluster to connect to. type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. 
Specifies if the connection + is verified during initial configuration. type: boolean type: object type: array redshift: - description: Connection parameters for the redshift-database-plugin - plugin. + description: A nested block containing configuration options for + AWS Redshift connections. See Connection parameters for the + redshift-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: Connection string to use to connect to the + description: A URL containing connection information. See + Vault docs Connection string to use to connect to the database. type: string data: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object disableEscaping: description: Disable special character escaping in username + and password. Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. + description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number name: - description: Name of the database connection. 
+ description: for any configured database engine is changed + Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. 
type: boolean type: object type: array sealWrap: - description: Enable seal wrapping for the mount, causing values - stored by the mount to be wrapped by the seal's encryption capability + description: Boolean flag that can be explicitly set to true to + enable seal wrapping for the mount, causing values stored by + the mount to be wrapped by the seal's encryption capability + Enable seal wrapping for the mount, causing values stored by + the mount to be wrapped by the seal's encryption capability type: boolean snowflake: - description: Connection parameters for the snowflake-database-plugin + description: A nested block containing configuration options for + Snowflake connections. See Connection parameters for the snowflake-database-plugin plugin. items: properties: allowedRoles: description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: Connection string to use to connect to the + description: A URL containing connection information. See + Vault docs Connection string to use to connect to the database. type: string data: additionalProperties: type: string description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. type: object maxConnectionLifetime: - description: Maximum number of seconds a connection may + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: Maximum number of idle connections to the database. + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. type: number maxOpenConnections: - description: Maximum number of open connections to the database. 
+ description: The maximum number of open connections to use. + Maximum number of open connections to the database. type: number name: - description: Name of the database connection. + description: for any configured database engine is changed + Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use for - this connection. Must be prefixed with the name of one - of the supported database engine types. + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. type: string rootRotationStatements: description: A list of database statements to be executed - to rotate the root user's credentials. + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The root credential username used in the connection - URL + description: The username to authenticate with. The root + credential username used in the connection URL type: string usernameTemplate: - description: Username generation template. + description: Template describing how dynamic usernames are + generated. Username generation template. + type: string + verifyConnection: + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. + type: boolean + type: object + type: array + type: object + managementPolicies: + default: + - '*' + description: 'THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. 
This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array + providerConfigRef: + default: + name: default + description: ProviderConfigReference specifies how the provider that + will be used to create, observe, update, and delete this managed + resource should be configured. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of this + reference is required. The default is 'Required', which + means the reconcile will fail if the reference cannot be + resolved. 'Optional' means this reference will be a no-op + if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will attempt + to resolve the reference only when the corresponding field + is not present. Use 'Always' to resolve the reference on + every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + providerRef: + description: 'ProviderReference specifies the provider that will be + used to create, observe, update, and delete this managed resource. + Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of this + reference is required. The default is 'Required', which + means the reconcile will fail if the reference cannot be + resolved. 'Optional' means this reference will be a no-op + if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will attempt + to resolve the reference only when the corresponding field + is not present. Use 'Always' to resolve the reference on + every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + publishConnectionDetailsTo: + description: PublishConnectionDetailsTo specifies the connection secret + config which contains a name, metadata and a reference to secret + store config to which any connection details for this managed resource + should be written. Connection details frequently include the endpoint, + username, and password required to connect to the managed resource. + properties: + configRef: + default: + name: default + description: SecretStoreConfigRef specifies which secret store + config should be used for this ConnectionSecret. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. 
+ properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + metadata: + description: Metadata is the metadata for connection secret. + properties: + annotations: + additionalProperties: + type: string + description: Annotations are the annotations to be added to + connection secret. - For Kubernetes secrets, this will be + used as "metadata.annotations". - It is up to Secret Store + implementation for others store types. + type: object + labels: + additionalProperties: + type: string + description: Labels are the labels/tags to be added to connection + secret. - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store + types. + type: object + type: + description: Type is the SecretType for the connection secret. + - Only valid for Kubernetes Secret Stores. + type: string + type: object + name: + description: Name is the name of the connection secret. + type: string + required: + - name + type: object + writeConnectionSecretToRef: + description: WriteConnectionSecretToReference specifies the namespace + and name of a Secret to which any connection details for this managed + resource should be written. Connection details frequently include + the endpoint, username, and password required to connect to the + managed resource. 
This field is planned to be replaced in a future + release in favor of PublishConnectionDetailsTo. Currently, both + could be set independently and connection details would be published + to both without affecting each other. + properties: + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - name + - namespace + type: object + required: + - forProvider + type: object + x-kubernetes-validations: + - message: path is a required parameter + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.path) + || has(self.initProvider.path)' + status: + description: SecretsMountStatus defines the observed state of SecretsMount. + properties: + atProvider: + properties: + accessor: + description: Accessor of the mount + type: string + allowedManagedKeys: + description: Set of managed key registry entry names that the + mount in question is allowed to access List of managed key registry + entry names that the mount in question is allowed to access + items: + type: string + type: array + auditNonHmacRequestKeys: + description: Specifies the list of keys that will not be HMAC'd + by audit devices in the request data object. Specifies the list + of keys that will not be HMAC'd by audit devices in the request + data object. + items: + type: string + type: array + auditNonHmacResponseKeys: + description: Specifies the list of keys that will not be HMAC'd + by audit devices in the response data object. Specifies the + list of keys that will not be HMAC'd by audit devices in the + response data object. + items: + type: string + type: array + cassandra: + description: A nested block containing configuration options for + Cassandra connections. See Connection parameters for the cassandra-database-plugin + plugin. 
+ items: + properties: + allowedRoles: + description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this + connection. + items: + type: string + type: array + connectTimeout: + description: The number of seconds to use as a connection + timeout. The number of seconds to use as a connection + timeout. + type: number + data: + additionalProperties: + type: string + description: A map of sensitive data to pass to the endpoint. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. + type: object + hosts: + description: The hosts to connect to. Cassandra hosts to + connect to. + items: + type: string + type: array + insecureTls: + description: Whether to skip verification of the server + certificate when using TLS. Whether to skip verification + of the server certificate when using TLS. + type: boolean + name: + description: for any configured database engine is changed + Name of the database connection. + type: string + pluginName: + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. + type: string + port: + description: The default port to connect to if no port is + specified as part of the host. The transport port to use + to connect to Cassandra. + type: number + protocolVersion: + description: The CQL protocol version to use. The CQL protocol + version to use. + type: number + rootRotationStatements: + description: A list of database statements to be executed + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. + items: + type: string + type: array + tls: + description: Whether to use TLS when connecting to Cassandra. + Whether to use TLS when connecting to Cassandra. 
+ type: boolean + username: + description: The username to authenticate with. The username + to use when authenticating with Cassandra. + type: string + verifyConnection: + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. + type: boolean + type: object + type: array + couchbase: + description: A nested block containing configuration options for + Couchbase connections. See Connection parameters for the couchbase-database-plugin + plugin. + items: + properties: + allowedRoles: + description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this + connection. + items: + type: string + type: array + bucketName: + description: Required for Couchbase versions prior to 6.5.0. + This is only used to verify vault's connection to the + server. Required for Couchbase versions prior to 6.5.0. + This is only used to verify vault's connection to the + server. + type: string + data: + additionalProperties: + type: string + description: A map of sensitive data to pass to the endpoint. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. + type: object + hosts: + description: The hosts to connect to. A set of Couchbase + URIs to connect to. Must use `couchbases://` scheme if + `tls` is `true`. + items: + type: string + type: array + insecureTls: + description: Whether to skip verification of the server + certificate when using TLS. Specifies whether to skip + verification of the server certificate when using TLS. + type: boolean + name: + description: for any configured database engine is changed + Name of the database connection. + type: string + pluginName: + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. 
Must + be prefixed with the name of one of the supported database + engine types. + type: string + rootRotationStatements: + description: A list of database statements to be executed + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. + items: + type: string + type: array + tls: + description: Whether to use TLS when connecting to Cassandra. + Specifies whether to use TLS when connecting to Couchbase. + type: boolean + username: + description: The username to authenticate with. Specifies + the username for Vault to use. + type: string + usernameTemplate: + description: Template describing how dynamic usernames are + generated. Template describing how dynamic usernames are + generated. + type: string + verifyConnection: + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. + type: boolean + type: object + type: array + defaultLeaseTtlSeconds: + description: Default lease duration for tokens and secrets in + seconds Default lease duration for tokens and secrets in seconds + type: number + description: + description: Human-friendly description of the mount Human-friendly + description of the mount + type: string + elasticsearch: + description: A nested block containing configuration options for + Elasticsearch connections. See Connection parameters for the + elasticsearch-database-plugin. + items: + properties: + allowedRoles: + description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this + connection. + items: + type: string + type: array + caCert: + description: The path to a PEM-encoded CA cert file to use + to verify the Elasticsearch server's identity. 
The path + to a PEM-encoded CA cert file to use to verify the Elasticsearch + server's identity + type: string + caPath: + description: The path to a directory of PEM-encoded CA cert + files to use to verify the Elasticsearch server's identity. + The path to a directory of PEM-encoded CA cert files to + use to verify the Elasticsearch server's identity + type: string + clientCert: + description: The path to the certificate for the Elasticsearch + client to present for communication. The path to the certificate + for the Elasticsearch client to present for communication + type: string + clientKey: + description: The path to the key for the Elasticsearch client + to use for communication. The path to the key for the + Elasticsearch client to use for communication + type: string + data: + additionalProperties: + type: string + description: A map of sensitive data to pass to the endpoint. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. + type: object + insecure: + description: Whether to disable certificate verification. + Whether to disable certificate verification + type: boolean + name: + description: for any configured database engine is changed + Name of the database connection. + type: string + pluginName: + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. + type: string + rootRotationStatements: + description: A list of database statements to be executed + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. + items: + type: string + type: array + tlsServerName: + description: This, if set, is used to set the SNI host when + connecting via TLS. 
This, if set, is used to set the SNI + host when connecting via TLS + type: string + url: + description: The URL for Elasticsearch's API. https requires + certificate by trusted CA if used. The URL for Elasticsearch's + API + type: string + username: + description: The username to authenticate with. The username + to be used in the connection URL + type: string + usernameTemplate: + description: Template describing how dynamic usernames are + generated. Template describing how dynamic usernames are + generated. + type: string + verifyConnection: + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. + type: boolean + type: object + type: array + engineCount: + description: The total number of database secrets engines configured. + Total number of database secret engines configured under the + mount. + type: number + externalEntropyAccess: + description: Boolean flag that can be explicitly set to true to + enable the secrets engine to access Vault's external entropy + source Enable the secrets engine to access Vault's external + entropy source + type: boolean + hana: + description: A nested block containing configuration options for + SAP HanaDB connections. See Connection parameters for the hana-database-plugin + plugin. + items: + properties: + allowedRoles: + description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this + connection. + items: + type: string + type: array + connectionUrl: + description: A URL containing connection information. See + Vault docs Connection string to use to connect to the + database. + type: string + data: + additionalProperties: + type: string + description: A map of sensitive data to pass to the endpoint. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. 
+ type: object + disableEscaping: + description: Disable special character escaping in username + and password. Disable special character escaping in username + and password + type: boolean + maxConnectionLifetime: + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may + be reused. + type: number + maxIdleConnections: + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. + type: number + maxOpenConnections: + description: The maximum number of open connections to use. + Maximum number of open connections to the database. + type: number + name: + description: for any configured database engine is changed + Name of the database connection. + type: string + pluginName: + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. + type: string + rootRotationStatements: + description: A list of database statements to be executed + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. + items: + type: string + type: array + username: + description: The username to authenticate with. The root + credential username used in the connection URL + type: string + verifyConnection: + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. + type: boolean + type: object + type: array + id: + type: string + influxdb: + description: A nested block containing configuration options for + InfluxDB connections. See Connection parameters for the influxdb-database-plugin + plugin. + items: + properties: + allowedRoles: + description: A list of roles that are allowed to use this + connection. 
A list of roles that are allowed to use this + connection. + items: + type: string + type: array + connectTimeout: + description: The number of seconds to use as a connection + timeout. The number of seconds to use as a connection + timeout. + type: number + data: + additionalProperties: + type: string + description: A map of sensitive data to pass to the endpoint. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. + type: object + host: + description: The host to connect to. Influxdb host to connect + to. + type: string + insecureTls: + description: Whether to skip verification of the server + certificate when using TLS. Whether to skip verification + of the server certificate when using TLS. + type: boolean + name: + description: for any configured database engine is changed + Name of the database connection. + type: string + pluginName: + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. + type: string + port: + description: The default port to connect to if no port is + specified as part of the host. The transport port to use + to connect to Influxdb. + type: number + rootRotationStatements: + description: A list of database statements to be executed + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. + items: + type: string + type: array + tls: + description: Whether to use TLS when connecting to Cassandra. + Whether to use TLS when connecting to Influxdb. + type: boolean + username: + description: The username to authenticate with. Specifies + the username to use for superuser access. + type: string + usernameTemplate: + description: Template describing how dynamic usernames are + generated. Template describing how dynamic usernames are + generated. 
+ type: string + verifyConnection: + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. + type: boolean + type: object + type: array + local: + description: Boolean flag that can be explicitly set to true to + enforce local mount in HA environment Local mount flag that + can be explicitly set to true to enforce local mount in HA environment + type: boolean + maxLeaseTtlSeconds: + description: Maximum possible lease duration for tokens and secrets + in seconds Maximum possible lease duration for tokens and secrets + in seconds + type: number + mongodb: + description: A nested block containing configuration options for + MongoDB connections. See Connection parameters for the mongodb-database-plugin + plugin. + items: + properties: + allowedRoles: + description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this + connection. + items: + type: string + type: array + connectionUrl: + description: A URL containing connection information. See + Vault docs Connection string to use to connect to the + database. + type: string + data: + additionalProperties: + type: string + description: A map of sensitive data to pass to the endpoint. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. + type: object + maxConnectionLifetime: + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may + be reused. + type: number + maxIdleConnections: + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. + type: number + maxOpenConnections: + description: The maximum number of open connections to use. + Maximum number of open connections to the database. 
+ type: number + name: + description: for any configured database engine is changed + Name of the database connection. + type: string + pluginName: + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. + type: string + rootRotationStatements: + description: A list of database statements to be executed + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. + items: + type: string + type: array + username: + description: The username to authenticate with. The root + credential username used in the connection URL + type: string + usernameTemplate: + description: Template describing how dynamic usernames are + generated. Username generation template. + type: string + verifyConnection: + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. + type: boolean + type: object + type: array + mongodbatlas: + description: A nested block containing configuration options for + MongoDB Atlas connections. See Connection parameters for the + mongodbatlas-database-plugin plugin. + items: + properties: + allowedRoles: + description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this + connection. + items: + type: string + type: array + data: + additionalProperties: + type: string + description: A map of sensitive data to pass to the endpoint. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. + type: object + name: + description: for any configured database engine is changed + Name of the database connection. + type: string + pluginName: + description: Specifies the name of the plugin to use. 
Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. + type: string + projectId: + description: The Project ID the Database User should be + created within. The Project ID the Database User should + be created within. + type: string + publicKey: + description: The Public Programmatic API Key used to authenticate + with the MongoDB Atlas API. The Public Programmatic API + Key used to authenticate with the MongoDB Atlas API. + type: string + rootRotationStatements: + description: A list of database statements to be executed + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. + items: + type: string + type: array + verifyConnection: + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. + type: boolean + type: object + type: array + mssql: + description: A nested block containing configuration options for + MSSQL connections. See Connection parameters for the mssql-database-plugin + plugin. + items: + properties: + allowedRoles: + description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this + connection. + items: + type: string + type: array + connectionUrl: + description: A URL containing connection information. See + Vault docs Connection string to use to connect to the + database. + type: string + containedDb: + description: For Vault v1.9+. Set to true when the target + is a Contained Database, e.g. AzureSQL. See Vault docs + Set to true when the target is a Contained Database, e.g. + AzureSQL. + type: boolean + data: + additionalProperties: + type: string + description: A map of sensitive data to pass to the endpoint. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. 
Useful for templated connection + strings. + type: object + disableEscaping: + description: Disable special character escaping in username + and password. Disable special character escaping in username + and password + type: boolean + maxConnectionLifetime: + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may + be reused. + type: number + maxIdleConnections: + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. + type: number + maxOpenConnections: + description: The maximum number of open connections to use. + Maximum number of open connections to the database. + type: number + name: + description: for any configured database engine is changed + Name of the database connection. + type: string + pluginName: + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. + type: string + rootRotationStatements: + description: A list of database statements to be executed + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. + items: + type: string + type: array + username: + description: The username to authenticate with. The root + credential username used in the connection URL + type: string + usernameTemplate: + description: Template describing how dynamic usernames are + generated. Username generation template. + type: string + verifyConnection: + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. + type: boolean + type: object + type: array + mysql: + description: A nested block containing configuration options for + MySQL connections. See Connection parameters for the mysql-database-plugin + plugin. 
+ items: + properties: + allowedRoles: + description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this + connection. + items: + type: string + type: array + connectionUrl: + description: A URL containing connection information. See + Vault docs Connection string to use to connect to the + database. + type: string + data: + additionalProperties: + type: string + description: A map of sensitive data to pass to the endpoint. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. + type: object + maxConnectionLifetime: + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may + be reused. + type: number + maxIdleConnections: + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. + type: number + maxOpenConnections: + description: The maximum number of open connections to use. + Maximum number of open connections to the database. + type: number + name: + description: for any configured database engine is changed + Name of the database connection. + type: string + pluginName: + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. + type: string + rootRotationStatements: + description: A list of database statements to be executed + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. + items: + type: string + type: array + tlsCa: + description: x509 CA file for validating the certificate + presented by the MySQL server. Must be PEM encoded. x509 + CA file for validating the certificate presented by the + MySQL server. Must be PEM encoded. 
+ type: string + username: + description: The username to authenticate with. The root + credential username used in the connection URL + type: string + usernameTemplate: + description: Template describing how dynamic usernames are + generated. Username generation template. + type: string + verifyConnection: + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. + type: boolean + type: object + type: array + mysqlAurora: + description: A nested block containing configuration options for + Aurora MySQL connections. See Connection parameters for the + mysql-aurora-database-plugin plugin. + items: + properties: + allowedRoles: + description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this + connection. + items: + type: string + type: array + connectionUrl: + description: A URL containing connection information. See + Vault docs Connection string to use to connect to the + database. + type: string + data: + additionalProperties: + type: string + description: A map of sensitive data to pass to the endpoint. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. + type: object + maxConnectionLifetime: + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may + be reused. + type: number + maxIdleConnections: + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. + type: number + maxOpenConnections: + description: The maximum number of open connections to use. + Maximum number of open connections to the database. + type: number + name: + description: for any configured database engine is changed + Name of the database connection. 
+ type: string + pluginName: + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. + type: string + rootRotationStatements: + description: A list of database statements to be executed + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. + items: + type: string + type: array + username: + description: The username to authenticate with. The root + credential username used in the connection URL + type: string + usernameTemplate: + description: Template describing how dynamic usernames are + generated. Username generation template. + type: string + verifyConnection: + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. + type: boolean + type: object + type: array + mysqlLegacy: + description: A nested block containing configuration options for + legacy MySQL connections. See Connection parameters for the + mysql-legacy-database-plugin plugin. + items: + properties: + allowedRoles: + description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this + connection. + items: + type: string + type: array + connectionUrl: + description: A URL containing connection information. See + Vault docs Connection string to use to connect to the + database. + type: string + data: + additionalProperties: + type: string + description: A map of sensitive data to pass to the endpoint. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. + type: object + maxConnectionLifetime: + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may + be reused. 
+ type: number + maxIdleConnections: + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. + type: number + maxOpenConnections: + description: The maximum number of open connections to use. + Maximum number of open connections to the database. + type: number + name: + description: for any configured database engine is changed + Name of the database connection. + type: string + pluginName: + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. + type: string + rootRotationStatements: + description: A list of database statements to be executed + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. + items: + type: string + type: array + username: + description: The username to authenticate with. The root + credential username used in the connection URL + type: string + usernameTemplate: + description: Template describing how dynamic usernames are + generated. Username generation template. + type: string + verifyConnection: + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. + type: boolean + type: object + type: array + mysqlRds: + description: A nested block containing configuration options for + RDS MySQL connections. See Connection parameters for the mysql-rds-database-plugin + plugin. + items: + properties: + allowedRoles: + description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this + connection. + items: + type: string + type: array + connectionUrl: + description: A URL containing connection information. See + Vault docs Connection string to use to connect to the + database. 
+ type: string + data: + additionalProperties: + type: string + description: A map of sensitive data to pass to the endpoint. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. + type: object + maxConnectionLifetime: + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may + be reused. + type: number + maxIdleConnections: + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. + type: number + maxOpenConnections: + description: The maximum number of open connections to use. + Maximum number of open connections to the database. + type: number + name: + description: for any configured database engine is changed + Name of the database connection. + type: string + pluginName: + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. + type: string + rootRotationStatements: + description: A list of database statements to be executed + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. + items: + type: string + type: array + username: + description: The username to authenticate with. The root + credential username used in the connection URL + type: string + usernameTemplate: + description: Template describing how dynamic usernames are + generated. Username generation template. + type: string + verifyConnection: + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. + type: boolean + type: object + type: array + namespace: + description: Target namespace. 
(requires Enterprise) + type: string + options: + additionalProperties: + type: string + description: Specifies mount type specific options that are passed + to the backend Specifies mount type specific options that are + passed to the backend + type: object + oracle: + description: A nested block containing configuration options for + Oracle connections. See Connection parameters for the oracle-database-plugin + plugin. + items: + properties: + allowedRoles: + description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this + connection. + items: + type: string + type: array + connectionUrl: + description: A URL containing connection information. See + Vault docs Connection string to use to connect to the + database. + type: string + data: + additionalProperties: + type: string + description: A map of sensitive data to pass to the endpoint. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. + type: object + maxConnectionLifetime: + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may + be reused. + type: number + maxIdleConnections: + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. + type: number + maxOpenConnections: + description: The maximum number of open connections to use. + Maximum number of open connections to the database. + type: number + name: + description: for any configured database engine is changed + Name of the database connection. + type: string + pluginName: + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. 
+ type: string + rootRotationStatements: + description: A list of database statements to be executed + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. + items: + type: string + type: array + username: + description: The username to authenticate with. The root + credential username used in the connection URL + type: string + usernameTemplate: + description: Template describing how dynamic usernames are + generated. Username generation template. + type: string + verifyConnection: + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. + type: boolean + type: object + type: array + path: + description: Where the secret backend will be mounted Where the + secret backend will be mounted + type: string + postgresql: + description: A nested block containing configuration options for + PostgreSQL connections. See Connection parameters for the postgresql-database-plugin + plugin. + items: + properties: + allowedRoles: + description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this + connection. + items: + type: string + type: array + connectionUrl: + description: A URL containing connection information. See + Vault docs Connection string to use to connect to the + database. + type: string + data: + additionalProperties: + type: string + description: A map of sensitive data to pass to the endpoint. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. + type: object + disableEscaping: + description: Disable special character escaping in username + and password. Disable special character escaping in username + and password + type: boolean + maxConnectionLifetime: + description: The maximum number of seconds to keep a connection + alive for. 
Maximum number of seconds a connection may + be reused. + type: number + maxIdleConnections: + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. + type: number + maxOpenConnections: + description: The maximum number of open connections to use. + Maximum number of open connections to the database. + type: number + name: + description: for any configured database engine is changed + Name of the database connection. + type: string + pluginName: + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. + type: string + rootRotationStatements: + description: A list of database statements to be executed + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. + items: + type: string + type: array + username: + description: The username to authenticate with. The root + credential username used in the connection URL + type: string + usernameTemplate: + description: Template describing how dynamic usernames are + generated. Username generation template. + type: string + verifyConnection: + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. + type: boolean + type: object + type: array + redis: + description: A nested block containing configuration options for + Redis connections. See Connection parameters for the redis-database-plugin + plugin. + items: + properties: + allowedRoles: + description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this + connection. + items: + type: string + type: array + caCert: + description: The path to a PEM-encoded CA cert file to use + to verify the Elasticsearch server's identity. 
The contents + of a PEM-encoded CA cert file to use to verify the Redis + server's identity. + type: string + data: + additionalProperties: + type: string + description: A map of sensitive data to pass to the endpoint. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. + type: object + host: + description: The host to connect to. Specifies the host + to connect to + type: string + insecureTls: + description: Whether to skip verification of the server + certificate when using TLS. Specifies whether to skip + verification of the server certificate when using TLS. + type: boolean + name: + description: for any configured database engine is changed + Name of the database connection. + type: string + pluginName: + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. + type: string + port: + description: The default port to connect to if no port is + specified as part of the host. The transport port to use + to connect to Redis. + type: number + rootRotationStatements: + description: A list of database statements to be executed + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. + items: + type: string + type: array + tls: + description: Whether to use TLS when connecting to Cassandra. + Specifies whether to use TLS when connecting to Redis. + type: boolean + username: + description: The username to authenticate with. Specifies + the username for Vault to use. + type: string + verifyConnection: + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. 
+ type: boolean + type: object + type: array + redisElasticache: + description: A nested block containing configuration options for + Redis ElastiCache connections. See Connection parameters for + the redis-elasticache-database-plugin plugin. + items: + properties: + allowedRoles: + description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this + connection. + items: + type: string + type: array + data: + additionalProperties: + type: string + description: A map of sensitive data to pass to the endpoint. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. + type: object + name: + description: for any configured database engine is changed + Name of the database connection. + type: string + pluginName: + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. + type: string + region: + description: The AWS region where the ElastiCache cluster + is hosted. If omitted the plugin tries to infer the region + from the environment. The AWS region where the ElastiCache + cluster is hosted. If omitted the plugin tries to infer + the region from the environment. + type: string + rootRotationStatements: + description: A list of database statements to be executed + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. + items: + type: string + type: array + url: + description: The URL for Elasticsearch's API. https requires + certificate by trusted CA if used. The configuration endpoint + for the ElastiCache cluster to connect to. + type: string + verifyConnection: + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. 
+ type: boolean + type: object + type: array + redshift: + description: A nested block containing configuration options for + AWS Redshift connections. See Connection parameters for the + redshift-database-plugin plugin. + items: + properties: + allowedRoles: + description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this + connection. + items: + type: string + type: array + connectionUrl: + description: A URL containing connection information. See + Vault docs Connection string to use to connect to the + database. + type: string + data: + additionalProperties: + type: string + description: A map of sensitive data to pass to the endpoint. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. + type: object + disableEscaping: + description: Disable special character escaping in username + and password. Disable special character escaping in username + and password + type: boolean + maxConnectionLifetime: + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may + be reused. + type: number + maxIdleConnections: + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. + type: number + maxOpenConnections: + description: The maximum number of open connections to use. + Maximum number of open connections to the database. + type: number + name: + description: for any configured database engine is changed + Name of the database connection. + type: string + pluginName: + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. + type: string + rootRotationStatements: + description: A list of database statements to be executed + to rotate the root user's credentials. 
A list of database + statements to be executed to rotate the root user's credentials. + items: + type: string + type: array + username: + description: The username to authenticate with. The root + credential username used in the connection URL + type: string + usernameTemplate: + description: Template describing how dynamic usernames are + generated. Username generation template. + type: string + verifyConnection: + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. + type: boolean + type: object + type: array + sealWrap: + description: Boolean flag that can be explicitly set to true to + enable seal wrapping for the mount, causing values stored by + the mount to be wrapped by the seal's encryption capability + Enable seal wrapping for the mount, causing values stored by + the mount to be wrapped by the seal's encryption capability + type: boolean + snowflake: + description: A nested block containing configuration options for + Snowflake connections. See Connection parameters for the snowflake-database-plugin + plugin. + items: + properties: + allowedRoles: + description: A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this + connection. + items: + type: string + type: array + connectionUrl: + description: A URL containing connection information. See + Vault docs Connection string to use to connect to the + database. + type: string + data: + additionalProperties: + type: string + description: A map of sensitive data to pass to the endpoint. + Useful for templated connection strings. A map of sensitive + data to pass to the endpoint. Useful for templated connection + strings. + type: object + maxConnectionLifetime: + description: The maximum number of seconds to keep a connection + alive for. Maximum number of seconds a connection may + be reused. 
+ type: number + maxIdleConnections: + description: The maximum number of idle connections to maintain. + Maximum number of idle connections to the database. + type: number + maxOpenConnections: + description: The maximum number of open connections to use. + Maximum number of open connections to the database. + type: number + name: + description: for any configured database engine is changed + Name of the database connection. + type: string + pluginName: + description: Specifies the name of the plugin to use. Specifies + the name of the plugin to use for this connection. Must + be prefixed with the name of one of the supported database + engine types. + type: string + rootRotationStatements: + description: A list of database statements to be executed + to rotate the root user's credentials. A list of database + statements to be executed to rotate the root user's credentials. + items: + type: string + type: array + username: + description: The username to authenticate with. The root + credential username used in the connection URL + type: string + usernameTemplate: + description: Template describing how dynamic usernames are + generated. Username generation template. type: string verifyConnection: - description: Specifies if the connection is verified during - initial configuration. + description: Whether the connection should be verified on + initial configuration or not. Specifies if the connection + is verified during initial configuration. type: boolean type: object type: array diff --git a/package/crds/egp.vault.upbound.io_policies.yaml b/package/crds/egp.vault.upbound.io_policies.yaml index 693b4ff0..3cb53c62 100644 --- a/package/crds/egp.vault.upbound.io_policies.yaml +++ b/package/crds/egp.vault.upbound.io_policies.yaml 
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: policies.egp.vault.upbound.io spec: group: egp.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: Policy is the Schema for the Policys API. + description: Policy is the Schema for the Policys API. Writes Sentinel endpoint + governing policies for Vault properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -68,39 +68,96 @@ spec: forProvider: properties: enforcementLevel: - description: 'Enforcement level of Sentinel policy. Can be one - of: ''advisory'', ''soft-mandatory'' or ''hard-mandatory''' + description: 'Enforcement level of Sentinel policy. Can be either + advisory or soft-mandatory or hard-mandatory Enforcement level + of Sentinel policy. Can be one of: ''advisory'', ''soft-mandatory'' + or ''hard-mandatory''' type: string name: - description: Name of the policy + description: The name of the policy Name of the policy type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string paths: description: List of paths to which the policy will be applied + to List of paths to which the policy will be applied items: type: string type: array policy: - description: The policy document + description: String containing a Sentinel policy The policy document type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. 
+ properties: + enforcementLevel: + description: 'Enforcement level of Sentinel policy. Can be either + advisory or soft-mandatory or hard-mandatory Enforcement level + of Sentinel policy. Can be one of: ''advisory'', ''soft-mandatory'' + or ''hard-mandatory''' + type: string + name: + description: The name of the policy Name of the policy + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + paths: + description: List of paths to which the policy will be applied + to List of paths to which the policy will be applied + items: + type: string + type: array + policy: + description: String containing a Sentinel policy The policy document + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. 
Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -274,37 +331,52 @@ spec: type: object x-kubernetes-validations: - message: enforcementLevel is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.enforcementLevel) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.enforcementLevel) + || has(self.initProvider.enforcementLevel)' - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' - message: paths is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.paths) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.paths) + || has(self.initProvider.paths)' - message: policy is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.policy) + || has(self.initProvider.policy)' status: description: PolicyStatus defines the observed state of Policy. properties: atProvider: properties: enforcementLevel: - description: 'Enforcement level of Sentinel policy. Can be one - of: ''advisory'', ''soft-mandatory'' or ''hard-mandatory''' + description: 'Enforcement level of Sentinel policy. Can be either + advisory or soft-mandatory or hard-mandatory Enforcement level + of Sentinel policy. 
Can be one of: ''advisory'', ''soft-mandatory'' + or ''hard-mandatory''' type: string id: type: string name: - description: Name of the policy + description: The name of the policy Name of the policy type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string paths: description: List of paths to which the policy will be applied + to List of paths to which the policy will be applied items: type: string type: array policy: - description: The policy document + description: String containing a Sentinel policy The policy document type: string type: object conditions: diff --git a/package/crds/gcp.vault.upbound.io_authbackendroles.yaml b/package/crds/gcp.vault.upbound.io_authbackendroles.yaml index 622ae46a..e58ae7fb 100644 --- a/package/crds/gcp.vault.upbound.io_authbackendroles.yaml +++ b/package/crds/gcp.vault.upbound.io_authbackendroles.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: authbackendroles.gcp.vault.upbound.io spec: group: gcp.vault.upbound.io @@ -35,8 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: AuthBackendRole is the Schema for the AuthBackendRoles API. + description: AuthBackendRole is the Schema for the AuthBackendRoles API. Managing + roles in an GCP auth backend in Vault properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -71,92 +70,312 @@ spec: addGroupAliases: type: boolean allowGceInference: + description: A flag to determine if this role should allow GCE + instances to authenticate by inferring service accounts from + the GCE identity metadata token. type: boolean backend: + description: Path to the mounted GCP auth backend type: string boundInstanceGroups: + description: The instance groups that an authorized instance must + belong to in order to be authenticated. If specified, either + bound_zones or bound_regions must be set too. items: type: string type: array boundLabels: + description: A comma-separated list of GCP labels formatted as + "key:value" strings that must be set on authorized GCE instances. + Because GCP labels are not currently ACL'd, we recommend that + this be used in conjunction with other restrictions. items: type: string type: array boundProjects: + description: An array of GCP project IDs. Only entities belonging + to this project can authenticate under the role. items: type: string type: array boundRegions: + description: The list of regions that a GCE instance must belong + to in order to be authenticated. If bound_instance_groups is + provided, it is assumed to be a regional group and the group + must belong to this region. If bound_zones are provided, this + attribute is ignored. items: type: string type: array boundServiceAccounts: + description: 'GCP Service Accounts allowed to issue tokens under + this role. (Note: Required if role is iam)' items: type: string type: array boundZones: + description: The list of zones that a GCE instance must belong + to in order to be authenticated. If bound_instance_groups is + provided, it is assumed to be a zonal group and the group must + belong to this zone. items: type: string type: array maxJwtExp: + description: The number of seconds past the time of authentication + that the login param JWT must expire within. 
For example, if + a user attempts to login with a token that expires within an + hour and this is set to 15 minutes, Vault will return an error + prompting the user to create a new signed JWT with a shorter + exp. The GCE metadata tokens currently do not allow the exp + claim to be customized. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string role: + description: Name of the GCP role type: string tokenBoundCidrs: - description: Specifies the blocks of IP addresses which are allowed - to use the generated token + description: List of CIDR blocks; if set, specifies blocks of + IP addresses which can authenticate successfully, and ties the + resulting token to these blocks as well. Specifies the blocks + of IP addresses which are allowed to use the generated token items: type: string type: array tokenExplicitMaxTtl: - description: Generated Token's Explicit Maximum TTL in seconds + description: If set, will encode an explicit max TTL onto the + token in number of seconds. This is a hard cap even if token_ttl + and token_max_ttl would otherwise allow a renewal. Generated + Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime of the generated token + description: The maximum lifetime for generated tokens in number + of seconds. Its current value will be referenced at renewal + time. The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If true, the 'default' policy will not automatically - be added to generated tokens + description: If set, the default policy will not be set on generated + tokens; otherwise it will be added to the policies set in token_policies. 
+ If true, the 'default' policy will not automatically be added + to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a token may be used, - a value of zero means unlimited + description: The maximum number of times a generated token may + be used (within its lifetime); 0 means unlimited. The maximum + number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: Generated Token's Period + description: If set, indicates that the token generated using + this role should never expire. The token should be renewed within + the duration specified by this value. At each renewal, the token's + TTL will be set to the value of this field. Specified in seconds. + Generated Token's Period type: number tokenPolicies: - description: Generated Token's Policies + description: List of policies to encode onto generated tokens. + Depending on the auth method, this list may be supplemented + by user/group/other values. Generated Token's Policies items: type: string type: array tokenTtl: - description: The initial ttl of the token to generate in seconds + description: The incremental lifetime for generated tokens in + number of seconds. Its current value will be referenced at renewal + time. The initial ttl of the token to generate in seconds type: number tokenType: - description: The type of token to generate, service or batch + description: 'The type of token that should be generated. Can + be service, batch, or default to use the mount''s tuned default + (which unless changed will be service tokens). For token store + roles, there are two additional possibilities: default-service + and default-batch which specify the type to return unless the + client requests a different type at generation time. 
The type + of token to generate, service or batch' type: string type: + description: Type of GCP authentication role (either gce or iam) type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + addGroupAliases: + type: boolean + allowGceInference: + description: A flag to determine if this role should allow GCE + instances to authenticate by inferring service accounts from + the GCE identity metadata token. + type: boolean + backend: + description: Path to the mounted GCP auth backend + type: string + boundInstanceGroups: + description: The instance groups that an authorized instance must + belong to in order to be authenticated. If specified, either + bound_zones or bound_regions must be set too. + items: + type: string + type: array + boundLabels: + description: A comma-separated list of GCP labels formatted as + "key:value" strings that must be set on authorized GCE instances. + Because GCP labels are not currently ACL'd, we recommend that + this be used in conjunction with other restrictions. + items: + type: string + type: array + boundProjects: + description: An array of GCP project IDs. Only entities belonging + to this project can authenticate under the role. 
+ items: + type: string + type: array + boundRegions: + description: The list of regions that a GCE instance must belong + to in order to be authenticated. If bound_instance_groups is + provided, it is assumed to be a regional group and the group + must belong to this region. If bound_zones are provided, this + attribute is ignored. + items: + type: string + type: array + boundServiceAccounts: + description: 'GCP Service Accounts allowed to issue tokens under + this role. (Note: Required if role is iam)' + items: + type: string + type: array + boundZones: + description: The list of zones that a GCE instance must belong + to in order to be authenticated. If bound_instance_groups is + provided, it is assumed to be a zonal group and the group must + belong to this zone. + items: + type: string + type: array + maxJwtExp: + description: The number of seconds past the time of authentication + that the login param JWT must expire within. For example, if + a user attempts to login with a token that expires within an + hour and this is set to 15 minutes, Vault will return an error + prompting the user to create a new signed JWT with a shorter + exp. The GCE metadata tokens currently do not allow the exp + claim to be customized. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + role: + description: Name of the GCP role + type: string + tokenBoundCidrs: + description: List of CIDR blocks; if set, specifies blocks of + IP addresses which can authenticate successfully, and ties the + resulting token to these blocks as well. 
Specifies the blocks + of IP addresses which are allowed to use the generated token + items: + type: string + type: array + tokenExplicitMaxTtl: + description: If set, will encode an explicit max TTL onto the + token in number of seconds. This is a hard cap even if token_ttl + and token_max_ttl would otherwise allow a renewal. Generated + Token's Explicit Maximum TTL in seconds + type: number + tokenMaxTtl: + description: The maximum lifetime for generated tokens in number + of seconds. Its current value will be referenced at renewal + time. The maximum lifetime of the generated token + type: number + tokenNoDefaultPolicy: + description: If set, the default policy will not be set on generated + tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added + to generated tokens + type: boolean + tokenNumUses: + description: The maximum number of times a generated token may + be used (within its lifetime); 0 means unlimited. The maximum + number of times a token may be used, a value of zero means unlimited + type: number + tokenPeriod: + description: If set, indicates that the token generated using + this role should never expire. The token should be renewed within + the duration specified by this value. At each renewal, the token's + TTL will be set to the value of this field. Specified in seconds. + Generated Token's Period + type: number + tokenPolicies: + description: List of policies to encode onto generated tokens. + Depending on the auth method, this list may be supplemented + by user/group/other values. Generated Token's Policies + items: + type: string + type: array + tokenTtl: + description: The incremental lifetime for generated tokens in + number of seconds. Its current value will be referenced at renewal + time. The initial ttl of the token to generate in seconds + type: number + tokenType: + description: 'The type of token that should be generated. 
Can + be service, batch, or default to use the mount''s tuned default + (which unless changed will be service tokens). For token store + roles, there are two additional possibilities: default-service + and default-batch which specify the type to return unless the + client requests a different type at generation time. The type + of token to generate, service or batch' + type: string + type: + description: Type of GCP authentication role (either gce or iam) + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. 
See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -330,9 +549,13 @@ spec: type: object x-kubernetes-validations: - message: role is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.role) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.role) + || has(self.initProvider.role)' - message: type is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.type) + || has(self.initProvider.type)' status: description: AuthBackendRoleStatus defines the observed state of AuthBackendRole. properties: 
@@ -341,77 +564,138 @@ spec: addGroupAliases: type: boolean allowGceInference: + description: A flag to determine if this role should allow GCE + instances to authenticate by inferring service accounts from + the GCE identity metadata token. type: boolean backend: + description: Path to the mounted GCP auth backend type: string boundInstanceGroups: + description: The instance groups that an authorized instance must + belong to in order to be authenticated. If specified, either + bound_zones or bound_regions must be set too. items: type: string type: array boundLabels: + description: A comma-separated list of GCP labels formatted as + "key:value" strings that must be set on authorized GCE instances. + Because GCP labels are not currently ACL'd, we recommend that + this be used in conjunction with other restrictions. items: type: string type: array boundProjects: + description: An array of GCP project IDs. Only entities belonging + to this project can authenticate under the role. items: type: string type: array boundRegions: + description: The list of regions that a GCE instance must belong + to in order to be authenticated. If bound_instance_groups is + provided, it is assumed to be a regional group and the group + must belong to this region. If bound_zones are provided, this + attribute is ignored. items: type: string type: array boundServiceAccounts: + description: 'GCP Service Accounts allowed to issue tokens under + this role. (Note: Required if role is iam)' items: type: string type: array boundZones: + description: The list of zones that a GCE instance must belong + to in order to be authenticated. If bound_instance_groups is + provided, it is assumed to be a zonal group and the group must + belong to this zone. items: type: string type: array id: type: string maxJwtExp: + description: The number of seconds past the time of authentication + that the login param JWT must expire within. 
For example, if + a user attempts to login with a token that expires within an + hour and this is set to 15 minutes, Vault will return an error + prompting the user to create a new signed JWT with a shorter + exp. The GCE metadata tokens currently do not allow the exp + claim to be customized. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string role: + description: Name of the GCP role type: string tokenBoundCidrs: - description: Specifies the blocks of IP addresses which are allowed - to use the generated token + description: List of CIDR blocks; if set, specifies blocks of + IP addresses which can authenticate successfully, and ties the + resulting token to these blocks as well. Specifies the blocks + of IP addresses which are allowed to use the generated token items: type: string type: array tokenExplicitMaxTtl: - description: Generated Token's Explicit Maximum TTL in seconds + description: If set, will encode an explicit max TTL onto the + token in number of seconds. This is a hard cap even if token_ttl + and token_max_ttl would otherwise allow a renewal. Generated + Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime of the generated token + description: The maximum lifetime for generated tokens in number + of seconds. Its current value will be referenced at renewal + time. The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If true, the 'default' policy will not automatically - be added to generated tokens + description: If set, the default policy will not be set on generated + tokens; otherwise it will be added to the policies set in token_policies. 
+ If true, the 'default' policy will not automatically be added + to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a token may be used, - a value of zero means unlimited + description: The maximum number of times a generated token may + be used (within its lifetime); 0 means unlimited. The maximum + number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: Generated Token's Period + description: If set, indicates that the token generated using + this role should never expire. The token should be renewed within + the duration specified by this value. At each renewal, the token's + TTL will be set to the value of this field. Specified in seconds. + Generated Token's Period type: number tokenPolicies: - description: Generated Token's Policies + description: List of policies to encode onto generated tokens. + Depending on the auth method, this list may be supplemented + by user/group/other values. Generated Token's Policies items: type: string type: array tokenTtl: - description: The initial ttl of the token to generate in seconds + description: The incremental lifetime for generated tokens in + number of seconds. Its current value will be referenced at renewal + time. The initial ttl of the token to generate in seconds type: number tokenType: - description: The type of token to generate, service or batch + description: 'The type of token that should be generated. Can + be service, batch, or default to use the mount''s tuned default + (which unless changed will be service tokens). For token store + roles, there are two additional possibilities: default-service + and default-batch which specify the type to return unless the + client requests a different type at generation time. The type + of token to generate, service or batch' type: string type: + description: Type of GCP authentication role (either gce or iam) type: string type: object conditions: 
diff --git a/package/crds/gcp.vault.upbound.io_authbackends.yaml b/package/crds/gcp.vault.upbound.io_authbackends.yaml index 96b934b3..46236f13 100644 --- a/package/crds/gcp.vault.upbound.io_authbackends.yaml +++ b/package/crds/gcp.vault.upbound.io_authbackends.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: authbackends.gcp.vault.upbound.io spec: group: gcp.vault.upbound.io @@ -57,7 +56,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -130,21 +129,90 @@ spec: projectId: type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + clientEmail: + type: string + clientId: + type: string + customEndpoint: + description: Specifies overrides to service endpoints used when + making API requests to GCP. + items: + properties: + api: + description: Replaces the service endpoint used in API requests + to https://www.googleapis.com. + type: string + compute: + description: Replaces the service endpoint used in API requests + to `https://compute.googleapis.com`. + type: string + crm: + description: Replaces the service endpoint used in API requests + to `https://cloudresourcemanager.googleapis.com`. + type: string + iam: + description: Replaces the service endpoint used in API requests + to `https://iam.googleapis.com`. + type: string + type: object + type: array + description: + type: string + disableRemount: + description: If set, opts out of mount migration on path updates. + type: boolean + local: + description: Specifies if the auth method is local only + type: boolean + namespace: + description: Target namespace. 
(requires Enterprise) + type: string + path: + type: string + privateKeyId: + type: string + projectId: + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
diff --git a/package/crds/gcp.vault.upbound.io_secretbackends.yaml b/package/crds/gcp.vault.upbound.io_secretbackends.yaml
index 353804a1..4719ae78 100644
--- a/package/crds/gcp.vault.upbound.io_secretbackends.yaml
+++ b/package/crds/gcp.vault.upbound.io_secretbackends.yaml
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackends.gcp.vault.upbound.io spec: group: gcp.vault.upbound.io
@@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: SecretBackend is the Schema for the SecretBackends API. + description: SecretBackend is the Schema for the SecretBackends API. Creates + an GCP secret backend for Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation
@@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
@@ -68,7 +68,8 @@ spec: forProvider: properties: credentialsSecretRef: - description: JSON-encoded credentials to use to connect to GCP + description: The GCP service account credentials in JSON format. + JSON-encoded credentials to use to connect to GCP properties: key: description: The key to select. 
@@ -85,43 +86,116 @@ spec: - namespace type: object defaultLeaseTtlSeconds: - description: Default lease duration for secrets in seconds + description: The default TTL for credentials issued by this backend. + Defaults to '0'. Default lease duration for secrets in seconds type: number description: - description: Human-friendly description of the mount for the backend. + description: A human-friendly description for this backend. Human-friendly + description of the mount for the backend. type: string disableRemount: description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. type: boolean local: - description: Local mount flag that can be explicitly set to true - to enforce local mount in HA environment + description: Boolean flag that can be explicitly set to true to + enforce local mount in HA environment Local mount flag that + can be explicitly set to true to enforce local mount in HA environment type: boolean maxLeaseTtlSeconds: - description: Maximum possible lease duration for secrets in seconds + description: The maximum TTL that can be requested for credentials + issued by this backend. Defaults to '0'. Maximum possible lease + duration for secrets in seconds type: number namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: - description: Path to mount the backend at. + description: The unique path this backend should be mounted at. + Must not begin or end with a /. Defaults to gcp. Path to mount + the backend at. type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. 
Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + defaultLeaseTtlSeconds: + description: The default TTL for credentials issued by this backend. + Defaults to '0'. Default lease duration for secrets in seconds + type: number + description: + description: A human-friendly description for this backend. Human-friendly + description of the mount for the backend. + type: string + disableRemount: + description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. + type: boolean + local: + description: Boolean flag that can be explicitly set to true to + enforce local mount in HA environment Local mount flag that + can be explicitly set to true to enforce local mount in HA environment + type: boolean + maxLeaseTtlSeconds: + description: The maximum TTL that can be requested for credentials + issued by this backend. Defaults to '0'. Maximum possible lease + duration for secrets in seconds + type: number + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. 
(requires + Enterprise) + type: string + path: + description: The unique path this backend should be mounted at. + Must not begin or end with a /. Defaults to gcp. Path to mount + the backend at. + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. 
+ enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
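Review bot: The new `disableRemount` description ends with `See here for more info on Mount Migration`, but the hyperlink that "here" referred to did not survive into the CRD text, so the sentence points at nothing; the same dangling reference is in the `initProvider` copy a few lines up and in the `@@ -299,28 +373,41 @@` hunk of this file. The neighbouring descriptions also concatenate the new upstream wording with the previous schema wording (`Defaults to '0'. Default lease duration for secrets in seconds`, `Available only for Vault Enterprise. Target namespace. (requires Enterprise)`), which reads as a generator artifact rather than intentional prose. Given the `controller-gen.kubebuilder.io/version` annotation this file is presumably generated, so the fix belongs in the Go type comments it is produced from: either drop the `See here for more info on Mount Migration` clause or spell out the destination in words, and keep one sentence per field instead of both generations.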
@@ -299,28 +373,41 @@ spec: atProvider: properties: defaultLeaseTtlSeconds: - description: Default lease duration for secrets in seconds + description: The default TTL for credentials issued by this backend. + Defaults to '0'. Default lease duration for secrets in seconds type: number description: - description: Human-friendly description of the mount for the backend. + description: A human-friendly description for this backend. Human-friendly + description of the mount for the backend. type: string disableRemount: description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. type: boolean id: type: string local: - description: Local mount flag that can be explicitly set to true - to enforce local mount in HA environment + description: Boolean flag that can be explicitly set to true to + enforce local mount in HA environment Local mount flag that + can be explicitly set to true to enforce local mount in HA environment type: boolean maxLeaseTtlSeconds: - description: Maximum possible lease duration for secrets in seconds + description: The maximum TTL that can be requested for credentials + issued by this backend. Defaults to '0'. Maximum possible lease + duration for secrets in seconds type: number namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: - description: Path to mount the backend at. + description: The unique path this backend should be mounted at. + Must not begin or end with a /. Defaults to gcp. Path to mount + the backend at. type: string type: object conditions: 
diff --git a/package/crds/gcp.vault.upbound.io_secretimpersonatedaccounts.yaml b/package/crds/gcp.vault.upbound.io_secretimpersonatedaccounts.yaml
index 95c23cc8..b1f0f095 100644
--- a/package/crds/gcp.vault.upbound.io_secretimpersonatedaccounts.yaml
+++ b/package/crds/gcp.vault.upbound.io_secretimpersonatedaccounts.yaml
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretimpersonatedaccounts.gcp.vault.upbound.io spec: group: gcp.vault.upbound.io
@@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: SecretImpersonatedAccount is the Schema for the SecretImpersonatedAccounts - API. + API. Creates a Impersonated Account for the GCP Secret Backend for Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation
@@ -59,7 +58,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -70,40 +69,92 @@ spec: forProvider: properties: backend: - description: Path where the GCP secrets engine is mounted. + description: Path where the GCP Secrets Engine is mounted Path + where the GCP secrets engine is mounted. type: string impersonatedAccount: - description: Name of the Impersonated Account to create + description: Name of the Impersonated Account to create Name of + the Impersonated Account to create type: string namespace: description: Target namespace. (requires Enterprise) type: string serviceAccountEmail: - description: Email of the GCP service account. + description: Email of the GCP service account to impersonate. + Email of the GCP service account. type: string tokenScopes: - description: List of OAuth scopes to assign to `access_token` - secrets generated under this impersonated account (`access_token` - impersonated accounts only) + description: List of OAuth scopes to assign to access tokens generated + under this impersonated account. List of OAuth scopes to assign + to `access_token` secrets generated under this impersonated + account (`access_token` impersonated accounts only) items: type: string type: array type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. 
+ properties: + backend: + description: Path where the GCP Secrets Engine is mounted Path + where the GCP secrets engine is mounted. + type: string + impersonatedAccount: + description: Name of the Impersonated Account to create Name of + the Impersonated Account to create + type: string + namespace: + description: Target namespace. (requires Enterprise) + type: string + serviceAccountEmail: + description: Email of the GCP service account to impersonate. + Email of the GCP service account. + type: string + tokenScopes: + description: List of OAuth scopes to assign to access tokens generated + under this impersonated account. List of OAuth scopes to assign + to `access_token` secrets generated under this impersonated + account (`access_token` impersonated accounts only) + items: + type: string + type: array + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. 
Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -277,11 +328,17 @@ spec: type: object x-kubernetes-validations: - message: backend is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) + || has(self.initProvider.backend)' - message: impersonatedAccount is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.impersonatedAccount) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.impersonatedAccount) + || has(self.initProvider.impersonatedAccount)' - message: serviceAccountEmail is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.serviceAccountEmail) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.serviceAccountEmail) + || has(self.initProvider.serviceAccountEmail)' status: description: SecretImpersonatedAccountStatus defines the observed state of SecretImpersonatedAccount. 
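Review bot: Each rewritten rule falls through to `has(self.initProvider.backend)` (and the `impersonatedAccount` / `serviceAccountEmail` twins) only when the `forProvider` field is absent, and if the API server treats an unset optional object like `self.initProvider` as a missing key rather than an empty object, that last operand evaluates to an error; CEL's `||` absorbs the error only when an earlier operand is already true. The object is still rejected in that case, so enforcement is not weakened, but the user would see the evaluation error instead of the intended `backend is a required parameter` message — worth confirming against the Kubernetes versions you support. A guarded form such as `|| (has(self.initProvider) && has(self.initProvider.backend))` keeps the message deterministic. The rules in the `@@ -296,29 +387,44 @@` hunk of the secretrolesets CRD have the same shape.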
@@ -289,27 +346,31 @@ spec: atProvider: properties: backend: - description: Path where the GCP secrets engine is mounted. + description: Path where the GCP Secrets Engine is mounted Path + where the GCP secrets engine is mounted. type: string id: type: string impersonatedAccount: - description: Name of the Impersonated Account to create + description: Name of the Impersonated Account to create Name of + the Impersonated Account to create type: string namespace: description: Target namespace. (requires Enterprise) type: string serviceAccountEmail: - description: Email of the GCP service account. + description: Email of the GCP service account to impersonate. + Email of the GCP service account. type: string serviceAccountProject: - description: Project of the GCP Service Account managed by this - impersonated account + description: Project the service account belongs to. Project of + the GCP Service Account managed by this impersonated account type: string tokenScopes: - description: List of OAuth scopes to assign to `access_token` - secrets generated under this impersonated account (`access_token` - impersonated accounts only) + description: List of OAuth scopes to assign to access tokens generated + under this impersonated account. List of OAuth scopes to assign + to `access_token` secrets generated under this impersonated + account (`access_token` impersonated accounts only) items: type: string type: array
diff --git a/package/crds/gcp.vault.upbound.io_secretrolesets.yaml b/package/crds/gcp.vault.upbound.io_secretrolesets.yaml
index a7f95279..24ed4f5b 100644
--- a/package/crds/gcp.vault.upbound.io_secretrolesets.yaml
+++ b/package/crds/gcp.vault.upbound.io_secretrolesets.yaml 
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretrolesets.gcp.vault.upbound.io spec: group: gcp.vault.upbound.io
@@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: SecretRoleset is the Schema for the SecretRolesets API. + description: SecretRoleset is the Schema for the SecretRolesets API. Creates + a Roleset for the GCP Secret Backend for Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation
@@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -68,61 +68,152 @@ spec: forProvider: properties: backend: - description: Path where the GCP secrets engine is mounted. + description: Path where the GCP Secrets Engine is mounted Path + where the GCP secrets engine is mounted. type: string binding: + description: Bindings to create for this roleset. This can be + specified multiple times for multiple bindings. Structure is + documented below. items: properties: resource: - description: Resource name + description: Resource or resource path for which IAM policy + information will be bound. The resource path may be specified + in a few different formats. Resource name type: string roles: - description: List of roles to apply to the resource + description: List of GCP IAM roles for the resource. List + of roles to apply to the resource items: type: string type: array - required: - - resource - - roles type: object type: array namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string project: description: Name of the GCP project that this roleset's service - account will belong to. + account will belong to. Name of the GCP project that this roleset's + service account will belong to. type: string roleset: - description: Name of the RoleSet to create + description: Name of the Roleset to create Name of the RoleSet + to create type: string secretType: - description: 'Type of secret generated for this role set. Defaults - to `access_token`. Accepted values: `access_token`, `service_account_key`' + description: 'Type of secret generated for this role set. Accepted + values: access_token, service_account_key. Defaults to access_token. + Type of secret generated for this role set. Defaults to `access_token`. 
+ Accepted values: `access_token`, `service_account_key`' type: string tokenScopes: - description: List of OAuth scopes to assign to `access_token` - secrets generated under this role set (`access_token` role sets - only) + description: List of OAuth scopes to assign to access_token secrets + generated under this role set (access_token role sets only). + List of OAuth scopes to assign to `access_token` secrets generated + under this role set (`access_token` role sets only) items: type: string type: array type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + backend: + description: Path where the GCP Secrets Engine is mounted Path + where the GCP secrets engine is mounted. + type: string + binding: + description: Bindings to create for this roleset. This can be + specified multiple times for multiple bindings. Structure is + documented below. + items: + properties: + resource: + description: Resource or resource path for which IAM policy + information will be bound. The resource path may be specified + in a few different formats. Resource name + type: string + roles: + description: List of GCP IAM roles for the resource. 
List + of roles to apply to the resource + items: + type: string + type: array + type: object + type: array + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + project: + description: Name of the GCP project that this roleset's service + account will belong to. Name of the GCP project that this roleset's + service account will belong to. + type: string + roleset: + description: Name of the Roleset to create Name of the RoleSet + to create + type: string + secretType: + description: 'Type of secret generated for this role set. Accepted + values: access_token, service_account_key. Defaults to access_token. + Type of secret generated for this role set. Defaults to `access_token`. + Accepted values: `access_token`, `service_account_key`' + type: string + tokenScopes: + description: List of OAuth scopes to assign to access_token secrets + generated under this role set (access_token role sets only). + List of OAuth scopes to assign to `access_token` secrets generated + under this role set (`access_token` role sets only) + items: + type: string + type: array + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. 
- See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
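Review bot: The `required: - resource - roles` block under the `forProvider.binding` items is dropped on the new side, and the `initProvider.binding` items never had one, while the new CEL rules in the `@@ -296,29 +387,44 @@` hunk below only check that `forProvider.binding` or `initProvider.binding` exists, not the shape of each entry; a `binding` list containing `{}` now passes admission and only fails later during reconciliation against Vault. If the loosening is deliberate because `initProvider` entries may be partial, it still seems worth re-tightening the `forProvider` side, e.g. restoring `required: [resource, roles]` on the `forProvider.binding` items or adding a per-item rule such as `self.forProvider.binding.all(b, has(b.resource) && has(b.roles))`. This file is presumably generated from Go struct markers, so the change belongs there rather than in the CRD text.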
@@ -296,29 +387,44 @@ spec: type: object x-kubernetes-validations: - message: backend is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) + || has(self.initProvider.backend)' - message: binding is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.binding) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.binding) + || has(self.initProvider.binding)' - message: project is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.project) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.project) + || has(self.initProvider.project)' - message: roleset is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.roleset) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.roleset) + || has(self.initProvider.roleset)' status: description: SecretRolesetStatus defines the observed state of SecretRoleset. properties: atProvider: properties: backend: - description: Path where the GCP secrets engine is mounted. + description: Path where the GCP Secrets Engine is mounted Path + where the GCP secrets engine is mounted. type: string binding: + description: Bindings to create for this roleset. This can be + specified multiple times for multiple bindings. Structure is + documented below. items: properties: resource: - description: Resource name + description: Resource or resource path for which IAM policy + information will be bound. 
The resource path may be specified + in a few different formats. Resource name type: string roles: - description: List of roles to apply to the resource + description: List of GCP IAM roles for the resource. List + of roles to apply to the resource items: type: string type: array 
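Review bot: The rewritten rules test `has(self.initProvider.backend)` without first checking that `initProvider` itself is present, so a manifest that omits `initProvider` and also omits `forProvider.backend` will, as far as I can tell from Kubernetes CEL semantics, fail with a no-such-field evaluation error instead of the intended `backend is a required parameter` message (the error is only absorbed when the `forProvider` operand is already true). Guarding the second operand keeps the reject outcome and the message: `|| (has(self.initProvider) && has(self.initProvider.backend))`, and likewise for `binding`, `project` and `roleset` in this hunk. The same shape recurs in the secretstaticaccounts and endpoints rules later in the diff, so the fix belongs in the marker template that controller-gen consumes rather than in these generated files.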
@@ -327,27 +433,37 @@ spec: id: type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string project: description: Name of the GCP project that this roleset's service - account will belong to. + account will belong to. Name of the GCP project that this roleset's + service account will belong to. type: string roleset: - description: Name of the RoleSet to create + description: Name of the Roleset to create Name of the RoleSet + to create type: string secretType: - description: 'Type of secret generated for this role set. Defaults - to `access_token`. Accepted values: `access_token`, `service_account_key`' + description: 'Type of secret generated for this role set. Accepted + values: access_token, service_account_key. Defaults to access_token. + Type of secret generated for this role set. Defaults to `access_token`. + Accepted values: `access_token`, `service_account_key`' type: string serviceAccountEmail: description: Email of the service account created by Vault for - this Roleset + this Roleset. Email of the service account created by Vault + for this Roleset type: string tokenScopes: - description: List of OAuth scopes to assign to `access_token` - secrets generated under this role set (`access_token` role sets - only) + description: List of OAuth scopes to assign to access_token secrets + generated under this role set (access_token role sets only). + List of OAuth scopes to assign to `access_token` secrets generated + under this role set (`access_token` role sets only) items: type: string type: array 
diff --git a/package/crds/gcp.vault.upbound.io_secretstaticaccounts.yaml b/package/crds/gcp.vault.upbound.io_secretstaticaccounts.yaml index 65408a90..7f3f5923 100644 --- a/package/crds/gcp.vault.upbound.io_secretstaticaccounts.yaml +++ b/package/crds/gcp.vault.upbound.io_secretstaticaccounts.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretstaticaccounts.gcp.vault.upbound.io spec: group: gcp.vault.upbound.io @@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: SecretStaticAccount is the Schema for the SecretStaticAccounts - API. + API. Creates a Static Account for the GCP Secret Backend for Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,61 +68,154 @@ spec: forProvider: properties: backend: - description: Path where the GCP secrets engine is mounted. + description: Path where the GCP Secrets Engine is mounted Path + where the GCP secrets engine is mounted. type: string binding: + description: Bindings to create for this static account. This + can be specified multiple times for multiple bindings. Structure + is documented below. items: properties: resource: - description: Resource name + description: Resource or resource path for which IAM policy + information will be bound. The resource path may be specified + in a few different formats. Resource name type: string roles: - description: List of roles to apply to the resource + description: List of GCP IAM roles for the resource. List + of roles to apply to the resource items: type: string type: array - required: - - resource - - roles type: object type: array namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string secretType: description: 'Type of secret generated for this static account. + Accepted values: access_token, service_account_key. Defaults + to access_token. Type of secret generated for this static account. Defaults to `access_token`. Accepted values: `access_token`, `service_account_key`' type: string serviceAccountEmail: - description: Email of the GCP service account. + description: Email of the GCP service account to manage. Email + of the GCP service account. 
type: string staticAccount: - description: Name of the Static Account to create + description: Name of the Static Account to create Name of the + Static Account to create type: string tokenScopes: - description: List of OAuth scopes to assign to `access_token` - secrets generated under this static account (`access_token` - static accounts only) + description: List of OAuth scopes to assign to access_token secrets + generated under this static account (access_token static accounts + only). List of OAuth scopes to assign to `access_token` secrets + generated under this static account (`access_token` static accounts + only) items: type: string type: array type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + backend: + description: Path where the GCP Secrets Engine is mounted Path + where the GCP secrets engine is mounted. + type: string + binding: + description: Bindings to create for this static account. This + can be specified multiple times for multiple bindings. Structure + is documented below. + items: + properties: + resource: + description: Resource or resource path for which IAM policy + information will be bound. The resource path may be specified + in a few different formats. 
Resource name + type: string + roles: + description: List of GCP IAM roles for the resource. List + of roles to apply to the resource + items: + type: string + type: array + type: object + type: array + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + secretType: + description: 'Type of secret generated for this static account. + Accepted values: access_token, service_account_key. Defaults + to access_token. Type of secret generated for this static account. + Defaults to `access_token`. Accepted values: `access_token`, + `service_account_key`' + type: string + serviceAccountEmail: + description: Email of the GCP service account to manage. Email + of the GCP service account. + type: string + staticAccount: + description: Name of the Static Account to create Name of the + Static Account to create + type: string + tokenScopes: + description: List of OAuth scopes to assign to access_token secrets + generated under this static account (access_token static accounts + only). List of OAuth scopes to assign to `access_token` secrets + generated under this static account (`access_token` static accounts + only) + items: + type: string + type: array + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. 
- See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
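Review bot: Removing `required: - resource - roles` from the `forProvider.binding` items loosens admission for an IAM binding: an entry with a resource but no roles, or roles but no resource, now passes the schema, and the CEL rules added to this file only cover the top-level `backend`, `serviceAccountEmail` and `staticAccount`. If the fields had to become optional so `initProvider` can carry the same structure, the constraint should come back as an item-level rule on `forProvider.binding`, e.g. `x-kubernetes-validations: - message: resource and roles are required on a binding` with `rule: has(self.resource) && has(self.roles)`; otherwise a malformed binding is only caught by Vault or GCP at reconcile time. Separately, every description in this hunk now appends the previous wording after the upstream text (`Email of the GCP service account to manage. Email of the GCP service account.`), which reads as two competing definitions; the generator should emit one of them.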
@@ -297,27 +389,40 @@ spec: type: object x-kubernetes-validations: - message: backend is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) + || has(self.initProvider.backend)' - message: serviceAccountEmail is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.serviceAccountEmail) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.serviceAccountEmail) + || has(self.initProvider.serviceAccountEmail)' - message: staticAccount is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.staticAccount) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.staticAccount) + || has(self.initProvider.staticAccount)' status: description: SecretStaticAccountStatus defines the observed state of SecretStaticAccount. properties: atProvider: properties: backend: - description: Path where the GCP secrets engine is mounted. + description: Path where the GCP Secrets Engine is mounted Path + where the GCP secrets engine is mounted. type: string binding: + description: Bindings to create for this static account. This + can be specified multiple times for multiple bindings. Structure + is documented below. items: properties: resource: - description: Resource name + description: Resource or resource path for which IAM policy + information will be bound. The resource path may be specified + in a few different formats. Resource name type: string roles: - description: List of roles to apply to the resource + description: List of GCP IAM roles for the resource. 
List + of roles to apply to the resource items: type: string type: array @@ -326,27 +431,37 @@ spec: id: type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string secretType: description: 'Type of secret generated for this static account. + Accepted values: access_token, service_account_key. Defaults + to access_token. Type of secret generated for this static account. Defaults to `access_token`. Accepted values: `access_token`, `service_account_key`' type: string serviceAccountEmail: - description: Email of the GCP service account. + description: Email of the GCP service account to manage. Email + of the GCP service account. type: string serviceAccountProject: - description: Project of the GCP Service Account managed by this - static account + description: Project the service account belongs to. Project of + the GCP Service Account managed by this static account type: string staticAccount: - description: Name of the Static Account to create + description: Name of the Static Account to create Name of the + Static Account to create type: string tokenScopes: - description: List of OAuth scopes to assign to `access_token` - secrets generated under this static account (`access_token` - static accounts only) + description: List of OAuth scopes to assign to access_token secrets + generated under this static account (access_token static accounts + only). List of OAuth scopes to assign to `access_token` secrets + generated under this static account (`access_token` static accounts + only) items: type: string type: array 
diff --git a/package/crds/generic.vault.upbound.io_endpoints.yaml b/package/crds/generic.vault.upbound.io_endpoints.yaml index 673559c8..dc52fd3d 100644 --- a/package/crds/generic.vault.upbound.io_endpoints.yaml +++ b/package/crds/generic.vault.upbound.io_endpoints.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: endpoints.generic.vault.upbound.io spec: group: generic.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: Endpoint is the Schema for the Endpoints API. + description: Endpoint is the Schema for the Endpoints API. Writes arbitrary + data to a given path in Vault properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' @@ -68,7 +68,9 @@ spec: forProvider: properties: dataJsonSecretRef: - description: JSON-encoded data to write. + description: String containing a JSON-encoded object that will + be written to the given path as the secret data. JSON-encoded + data to write. properties: key: description: The key to select. 
@@ -85,43 +87,146 @@ spec: - namespace type: object disableDelete: - description: Don't attempt to delete the path from Vault if true + description: True/false. Set this to true if your vault authentication + is not able to delete the data or if the endpoint does not support + the DELETE method. Defaults to false. Don't attempt to delete + the path from Vault if true type: boolean disableRead: - description: Don't attempt to read the path from Vault if true; - drift won't be detected + description: True/false. Set this to true if your vault authentication + is not able to read the data or if the endpoint does not support + the GET method. Setting this to true will break drift detection. + You should set this to true for endpoints that are write-only. + Defaults to false. Don't attempt to read the path from Vault + if true; drift won't be detected type: boolean ignoreAbsentFields: - description: When reading, disregard fields not present in data_json + description: True/false. If set to true, ignore any fields present + when the endpoint is read but that were not in data_json. Also, + if a field that was written is not returned when the endpoint + is read, treat that field as being up to date. You should set + this to true when writing to endpoint that, when read, returns + a different set of fields from the ones you wrote, as is common + with many configuration endpoints. Defaults to false. When reading, + disregard fields not present in data_json type: boolean namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: - description: Full path where to the endpoint that will be written + description: The full logical path at which to write the given + data. 
Consult each backend's documentation to see which endpoints + support the PUT methods and to determine whether they also support + DELETE and GET. Full path where to the endpoint that will be + written type: string writeFields: - description: Top-level fields returned by write to persist in - state + description: . A list of fields that should be returned in write_data_json + and write_data. If omitted, data returned by the write operation + is not available to the resource or included in state. This + helps to avoid accidental storage of sensitive values in state. + Some endpoints, such as many dynamic secrets endpoints, return + data from writing to an endpoint rather than reading it. You + should use write_fields if you need information returned in + this way. Top-level fields returned by write to persist in state items: type: string type: array type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + disableDelete: + description: True/false. Set this to true if your vault authentication + is not able to delete the data or if the endpoint does not support + the DELETE method. Defaults to false. Don't attempt to delete + the path from Vault if true + type: boolean + disableRead: + description: True/false. 
Set this to true if your vault authentication + is not able to read the data or if the endpoint does not support + the GET method. Setting this to true will break drift detection. + You should set this to true for endpoints that are write-only. + Defaults to false. Don't attempt to read the path from Vault + if true; drift won't be detected + type: boolean + ignoreAbsentFields: + description: True/false. If set to true, ignore any fields present + when the endpoint is read but that were not in data_json. Also, + if a field that was written is not returned when the endpoint + is read, treat that field as being up to date. You should set + this to true when writing to endpoint that, when read, returns + a different set of fields from the ones you wrote, as is common + with many configuration endpoints. Defaults to false. When reading, + disregard fields not present in data_json + type: boolean + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + path: + description: The full logical path at which to write the given + data. Consult each backend's documentation to see which endpoints + support the PUT methods and to determine whether they also support + DELETE and GET. Full path where to the endpoint that will be + written + type: string + writeFields: + description: . A list of fields that should be returned in write_data_json + and write_data. If omitted, data returned by the write operation + is not available to the resource or included in state. This + helps to avoid accidental storage of sensitive values in state. + Some endpoints, such as many dynamic secrets endpoints, return + data from writing to an endpoint rather than reading it. 
You + should use write_fields if you need information returned in + this way. Top-level fields returned by write to persist in state + items: + type: string + type: array + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. 
+ enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
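Review bot: The `writeFields` description in both `forProvider` and `initProvider` opens with a stray period, `. A list of fields that should be returned in write_data_json and write_data`, which looks like the upstream attribute name being dropped when the doc text was merged; the generator should strip the leading punctuation so it reads `A list of fields that should be returned ...`. The `disableRead` text already says drift detection breaks, but it is worth stating the consequence for operators in a sentence such as `With this set, out-of-band changes or deletion of the data in Vault are not detected or re-applied.`, since this resource is typically used to write secret material. As in the other files, each description also carries the old wording appended after the new one, which should be collapsed to a single sentence.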
@@ -295,43 +400,81 @@ spec: type: object x-kubernetes-validations: - message: dataJsonSecretRef is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dataJsonSecretRef) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.dataJsonSecretRef)' - message: path is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.path) + || has(self.initProvider.path)' status: description: EndpointStatus defines the observed state of Endpoint. properties: atProvider: properties: disableDelete: - description: Don't attempt to delete the path from Vault if true + description: True/false. Set this to true if your vault authentication + is not able to delete the data or if the endpoint does not support + the DELETE method. Defaults to false. Don't attempt to delete + the path from Vault if true type: boolean disableRead: - description: Don't attempt to read the path from Vault if true; - drift won't be detected + description: True/false. Set this to true if your vault authentication + is not able to read the data or if the endpoint does not support + the GET method. Setting this to true will break drift detection. + You should set this to true for endpoints that are write-only. + Defaults to false. Don't attempt to read the path from Vault + if true; drift won't be detected type: boolean id: type: string ignoreAbsentFields: - description: When reading, disregard fields not present in data_json + description: True/false. If set to true, ignore any fields present + when the endpoint is read but that were not in data_json. Also, + if a field that was written is not returned when the endpoint + is read, treat that field as being up to date. 
You should set + this to true when writing to endpoint that, when read, returns + a different set of fields from the ones you wrote, as is common + with many configuration endpoints. Defaults to false. When reading, + disregard fields not present in data_json type: boolean namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: - description: Full path where to the endpoint that will be written + description: The full logical path at which to write the given + data. Consult each backend's documentation to see which endpoints + support the PUT methods and to determine whether they also support + DELETE and GET. Full path where to the endpoint that will be + written type: string writeData: additionalProperties: type: string - description: Map of strings returned by write operation + description: A map whose keys are the top-level data keys returned + from Vault by the write operation and whose values are the corresponding + values. This map can only represent string data, so any non-string + values returned from Vault are serialized as JSON. Only fields + set in write_fields are present in the JSON data. Map of strings + returned by write operation type: object writeDataJson: - description: JSON data returned by write operation + description: The JSON data returned by the write operation. Only + fields set in write_fields are present in the JSON data. JSON + data returned by write operation type: string writeFields: - description: Top-level fields returned by write to persist in - state + description: . A list of fields that should be returned in write_data_json + and write_data. 
If omitted, data returned by the write operation + is not available to the resource or included in state. This + helps to avoid accidental storage of sensitive values in state. + Some endpoints, such as many dynamic secrets endpoints, return + data from writing to an endpoint rather than reading it. You + should use write_fields if you need information returned in + this way. Top-level fields returned by write to persist in state items: type: string type: array diff --git a/package/crds/generic.vault.upbound.io_secrets.yaml b/package/crds/generic.vault.upbound.io_secrets.yaml index 33c6429e..facc6f46 100644 --- a/package/crds/generic.vault.upbound.io_secrets.yaml +++ b/package/crds/generic.vault.upbound.io_secrets.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secrets.generic.vault.upbound.io spec: group: generic.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: Secret is the Schema for the Secrets API. + description: Secret is the Schema for the Secrets API. Writes arbitrary data + to a given path in Vault properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
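Review bot: `status.atProvider.writeData` and `writeDataJson` hold whatever Vault returns from the write, and the description itself names dynamic-secrets endpoints as the typical source; because status is a plain CRD field, any credential named in `writeFields` is stored in etcd and readable by anyone with `get` on Endpoint objects rather than landing in the connection-details Secret. I cannot tell from the CRD whether the Go types mark these fields sensitive, but if they are not routed to the connection secret the descriptions should carry a warning such as `Values selected by writeFields are stored in plaintext in the resource status; do not list fields that return credentials.` The `dataJsonSecretRef` rule intentionally has no `initProvider` alternative, which is consistent with `initProvider` excluding secret references, so that part of the hunk looks right.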
@@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' @@ -68,7 +68,9 @@ spec: forProvider: properties: dataJsonSecretRef: - description: JSON-encoded secret data to write. + description: String containing a JSON-encoded object that will + be written as the secret data at the given path. JSON-encoded + secret data to write. properties: key: description: The key to select. 
@@ -85,35 +87,104 @@ spec: - namespace type: object deleteAllVersions: - description: Only applicable for kv-v2 stores. If set, permanently + description: true/false. Only applicable for kv-v2 stores. If + set to true, permanently deletes all versions for the specified + key. The default behavior is to only delete the latest version + of the secret. Only applicable for kv-v2 stores. If set, permanently deletes all versions for the specified key. type: boolean disableRead: - description: Don't attempt to read the token from Vault if true; - drift won't be detected. + description: true/false. Set this to true if your vault authentication + is not able to read the data. Setting this to true will break + drift detection. Defaults to false. Don't attempt to read the + token from Vault if true; drift won't be detected. type: boolean namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: - description: Full path where the generic secret will be written. + description: The full logical path at which to write the given + data. To write data into the "generic" secret backend mounted + in Vault by default, this should be prefixed with secret/. Writing + to other backends with this resource is possible; consult each + backend's documentation to see which endpoints support the PUT + and DELETE methods. Full path where the generic secret will + be written. type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. 
InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + deleteAllVersions: + description: true/false. Only applicable for kv-v2 stores. If + set to true, permanently deletes all versions for the specified + key. The default behavior is to only delete the latest version + of the secret. Only applicable for kv-v2 stores. If set, permanently + deletes all versions for the specified key. + type: boolean + disableRead: + description: true/false. Set this to true if your vault authentication + is not able to read the data. Setting this to true will break + drift detection. Defaults to false. Don't attempt to read the + token from Vault if true; drift won't be detected. + type: boolean + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + path: + description: The full logical path at which to write the given + data. To write data into the "generic" secret backend mounted + in Vault by default, this should be prefixed with secret/. Writing + to other backends with this resource is possible; consult each + backend's documentation to see which endpoints support the PUT + and DELETE methods. Full path where the generic secret will + be written. 
+ type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -287,29 +358,47 @@ spec: type: object x-kubernetes-validations: - message: dataJsonSecretRef is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dataJsonSecretRef) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.dataJsonSecretRef)' - message: path is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.path) + || has(self.initProvider.path)' status: description: SecretStatus defines the observed state of Secret. properties: atProvider: properties: deleteAllVersions: - description: Only applicable for kv-v2 stores. If set, permanently + description: true/false. Only applicable for kv-v2 stores. If + set to true, permanently deletes all versions for the specified + key. The default behavior is to only delete the latest version + of the secret. Only applicable for kv-v2 stores. If set, permanently deletes all versions for the specified key. type: boolean disableRead: - description: Don't attempt to read the token from Vault if true; - drift won't be detected. + description: true/false. Set this to true if your vault authentication + is not able to read the data. Setting this to true will break + drift detection. Defaults to false. Don't attempt to read the + token from Vault if true; drift won't be detected. type: boolean id: type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. 
(requires + Enterprise) type: string path: - description: Full path where the generic secret will be written. + description: The full logical path at which to write the given + data. To write data into the "generic" secret backend mounted + in Vault by default, this should be prefixed with secret/. Writing + to other backends with this resource is possible; consult each + backend's documentation to see which endpoints support the PUT + and DELETE methods. Full path where the generic secret will + be written. type: string type: object conditions: diff --git a/package/crds/github.vault.upbound.io_authbackends.yaml b/package/crds/github.vault.upbound.io_authbackends.yaml index 249a2fad..40a856b0 100644 --- a/package/crds/github.vault.upbound.io_authbackends.yaml +++ b/package/crds/github.vault.upbound.io_authbackends.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: authbackends.github.vault.upbound.io spec: group: github.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: AuthBackend is the Schema for the AuthBackends API. + description: AuthBackend is the Schema for the AuthBackends API. Manages GitHub + Auth mounts in Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -70,107 +70,340 @@ spec: baseUrl: description: The API endpoint to use. Useful if you are running GitHub Enterprise or an API-compatible authentication server. + The API endpoint to use. Useful if you are running GitHub Enterprise + or an API-compatible authentication server. type: string description: description: Specifies the description of the mount. This overrides - the current stored value, if any. + the current stored value, if any. Specifies the description + of the mount. This overrides the current stored value, if any. type: string disableRemount: description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. type: boolean namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string organization: - description: The organization users must be part of. + description: The organization configured users must be part of. + The organization users must be part of. type: string organizationId: description: The ID of the organization users must be part of. Vault will attempt to fetch and set this value if it is not - provided (vault-1.10+) + provided. (Vault 1.10+) The ID of the organization users must + be part of. Vault will attempt to fetch and set this value if + it is not provided (vault-1.10+) type: number path: - description: Path where the auth backend is mounted + description: Path where the auth backend is mounted. Defaults + to auth/github if not specified. 
Path where the auth backend + is mounted type: string tokenBoundCidrs: - description: Specifies the blocks of IP addresses which are allowed - to use the generated token + description: List of CIDR blocks; if set, specifies blocks of + IP addresses which can authenticate successfully, and ties the + resulting token to these blocks as well. Specifies the blocks + of IP addresses which are allowed to use the generated token items: type: string type: array tokenExplicitMaxTtl: - description: Generated Token's Explicit Maximum TTL in seconds + description: If set, will encode an explicit max TTL onto the + token in number of seconds. This is a hard cap even if token_ttl + and token_max_ttl would otherwise allow a renewal. Generated + Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime of the generated token + description: The maximum lifetime for generated tokens in number + of seconds. Its current value will be referenced at renewal + time. The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If true, the 'default' policy will not automatically - be added to generated tokens + description: If set, the default policy will not be set on generated + tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added + to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a token may be used, - a value of zero means unlimited + description: The maximum number of times a generated token may + be used (within its lifetime); 0 means unlimited. The maximum + number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: Generated Token's Period + description: If set, indicates that the token generated using + this role should never expire. The token should be renewed within + the duration specified by this value. 
At each renewal, the token's + TTL will be set to the value of this field. Specified in seconds. + Generated Token's Period type: number tokenPolicies: - description: Generated Token's Policies + description: List of policies to encode onto generated tokens. + Depending on the auth method, this list may be supplemented + by user/group/other values. Generated Token's Policies items: type: string type: array tokenTtl: - description: The initial ttl of the token to generate in seconds + description: The incremental lifetime for generated tokens in + number of seconds. Its current value will be referenced at renewal + time. The initial ttl of the token to generate in seconds type: number tokenType: - description: The type of token to generate, service or batch + description: 'The type of token that should be generated. Can + be service, batch, or default to use the mount''s tuned default + (which unless changed will be service tokens). For token store + roles, there are two additional possibilities: default-service + and default-batch which specify the type to return unless the + client requests a different type at generation time. The type + of token to generate, service or batch' type: string tune: + description: Extra configuration block. Structure is documented + below. items: properties: allowedResponseHeaders: + description: List of headers to whitelist and allowing a + plugin to include them in the response. items: type: string type: array auditNonHmacRequestKeys: + description: Specifies the list of keys that will not be + HMAC'd by audit devices in the request data object. items: type: string type: array auditNonHmacResponseKeys: + description: Specifies the list of keys that will not be + HMAC'd by audit devices in the response data object. items: type: string type: array defaultLeaseTtl: + description: Specifies the default time-to-live. If set, + this overrides the global default. 
Must be a valid duration + string type: string listingVisibility: + description: Specifies whether to show this mount in the + UI-specific listing endpoint. Valid values are "unauth" + or "hidden". type: string maxLeaseTtl: + description: Specifies the maximum time-to-live. If set, + this overrides the global default. Must be a valid duration + string type: string passthroughRequestHeaders: + description: List of headers to whitelist and pass from + the request to the backend. items: type: string type: array tokenType: + description: Specifies the type of tokens that should be + returned by the mount. Valid values are "default-service", + "default-batch", "service", "batch". type: string type: object type: array type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + baseUrl: + description: The API endpoint to use. Useful if you are running + GitHub Enterprise or an API-compatible authentication server. + The API endpoint to use. Useful if you are running GitHub Enterprise + or an API-compatible authentication server. + type: string + description: + description: Specifies the description of the mount. This overrides + the current stored value, if any. Specifies the description + of the mount. 
This overrides the current stored value, if any. + type: string + disableRemount: + description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. + type: boolean + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + organization: + description: The organization configured users must be part of. + The organization users must be part of. + type: string + organizationId: + description: The ID of the organization users must be part of. + Vault will attempt to fetch and set this value if it is not + provided. (Vault 1.10+) The ID of the organization users must + be part of. Vault will attempt to fetch and set this value if + it is not provided (vault-1.10+) + type: number + path: + description: Path where the auth backend is mounted. Defaults + to auth/github if not specified. Path where the auth backend + is mounted + type: string + tokenBoundCidrs: + description: List of CIDR blocks; if set, specifies blocks of + IP addresses which can authenticate successfully, and ties the + resulting token to these blocks as well. Specifies the blocks + of IP addresses which are allowed to use the generated token + items: + type: string + type: array + tokenExplicitMaxTtl: + description: If set, will encode an explicit max TTL onto the + token in number of seconds. This is a hard cap even if token_ttl + and token_max_ttl would otherwise allow a renewal. Generated + Token's Explicit Maximum TTL in seconds + type: number + tokenMaxTtl: + description: The maximum lifetime for generated tokens in number + of seconds. Its current value will be referenced at renewal + time. 
The maximum lifetime of the generated token + type: number + tokenNoDefaultPolicy: + description: If set, the default policy will not be set on generated + tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added + to generated tokens + type: boolean + tokenNumUses: + description: The maximum number of times a generated token may + be used (within its lifetime); 0 means unlimited. The maximum + number of times a token may be used, a value of zero means unlimited + type: number + tokenPeriod: + description: If set, indicates that the token generated using + this role should never expire. The token should be renewed within + the duration specified by this value. At each renewal, the token's + TTL will be set to the value of this field. Specified in seconds. + Generated Token's Period + type: number + tokenPolicies: + description: List of policies to encode onto generated tokens. + Depending on the auth method, this list may be supplemented + by user/group/other values. Generated Token's Policies + items: + type: string + type: array + tokenTtl: + description: The incremental lifetime for generated tokens in + number of seconds. Its current value will be referenced at renewal + time. The initial ttl of the token to generate in seconds + type: number + tokenType: + description: 'The type of token that should be generated. Can + be service, batch, or default to use the mount''s tuned default + (which unless changed will be service tokens). For token store + roles, there are two additional possibilities: default-service + and default-batch which specify the type to return unless the + client requests a different type at generation time. The type + of token to generate, service or batch' + type: string + tune: + description: Extra configuration block. Structure is documented + below. 
+ items: + properties: + allowedResponseHeaders: + description: List of headers to whitelist and allowing a + plugin to include them in the response. + items: + type: string + type: array + auditNonHmacRequestKeys: + description: Specifies the list of keys that will not be + HMAC'd by audit devices in the request data object. + items: + type: string + type: array + auditNonHmacResponseKeys: + description: Specifies the list of keys that will not be + HMAC'd by audit devices in the response data object. + items: + type: string + type: array + defaultLeaseTtl: + description: Specifies the default time-to-live. If set, + this overrides the global default. Must be a valid duration + string + type: string + listingVisibility: + description: Specifies whether to show this mount in the + UI-specific listing endpoint. Valid values are "unauth" + or "hidden". + type: string + maxLeaseTtl: + description: Specifies the maximum time-to-live. If set, + this overrides the global default. Must be a valid duration + string + type: string + passthroughRequestHeaders: + description: List of headers to whitelist and pass from + the request to the backend. + items: + type: string + type: array + tokenType: + description: Specifies the type of tokens that should be + returned by the mount. Valid values are "default-service", + "default-batch", "service", "batch". + type: string + type: object + type: array + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. 
- See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -344,102 +577,166 @@ spec: type: object x-kubernetes-validations: - message: organization is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.organization) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.organization) + || has(self.initProvider.organization)' status: description: AuthBackendStatus defines the observed state of AuthBackend. properties: atProvider: properties: accessor: - description: The mount accessor related to the auth mount. + description: The mount accessor related to the auth mount. It + is useful for integration with Identity Secrets Engine. The + mount accessor related to the auth mount. type: string baseUrl: description: The API endpoint to use. Useful if you are running GitHub Enterprise or an API-compatible authentication server. + The API endpoint to use. Useful if you are running GitHub Enterprise + or an API-compatible authentication server. type: string description: description: Specifies the description of the mount. This overrides - the current stored value, if any. + the current stored value, if any. Specifies the description + of the mount. This overrides the current stored value, if any. type: string disableRemount: description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. type: boolean id: type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string organization: - description: The organization users must be part of. 
+ description: The organization configured users must be part of. + The organization users must be part of. type: string organizationId: description: The ID of the organization users must be part of. Vault will attempt to fetch and set this value if it is not - provided (vault-1.10+) + provided. (Vault 1.10+) The ID of the organization users must + be part of. Vault will attempt to fetch and set this value if + it is not provided (vault-1.10+) type: number path: - description: Path where the auth backend is mounted + description: Path where the auth backend is mounted. Defaults + to auth/github if not specified. Path where the auth backend + is mounted type: string tokenBoundCidrs: - description: Specifies the blocks of IP addresses which are allowed - to use the generated token + description: List of CIDR blocks; if set, specifies blocks of + IP addresses which can authenticate successfully, and ties the + resulting token to these blocks as well. Specifies the blocks + of IP addresses which are allowed to use the generated token items: type: string type: array tokenExplicitMaxTtl: - description: Generated Token's Explicit Maximum TTL in seconds + description: If set, will encode an explicit max TTL onto the + token in number of seconds. This is a hard cap even if token_ttl + and token_max_ttl would otherwise allow a renewal. Generated + Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime of the generated token + description: The maximum lifetime for generated tokens in number + of seconds. Its current value will be referenced at renewal + time. The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If true, the 'default' policy will not automatically - be added to generated tokens + description: If set, the default policy will not be set on generated + tokens; otherwise it will be added to the policies set in token_policies. 
+ If true, the 'default' policy will not automatically be added + to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a token may be used, - a value of zero means unlimited + description: The maximum number of times a generated token may + be used (within its lifetime); 0 means unlimited. The maximum + number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: Generated Token's Period + description: If set, indicates that the token generated using + this role should never expire. The token should be renewed within + the duration specified by this value. At each renewal, the token's + TTL will be set to the value of this field. Specified in seconds. + Generated Token's Period type: number tokenPolicies: - description: Generated Token's Policies + description: List of policies to encode onto generated tokens. + Depending on the auth method, this list may be supplemented + by user/group/other values. Generated Token's Policies items: type: string type: array tokenTtl: - description: The initial ttl of the token to generate in seconds + description: The incremental lifetime for generated tokens in + number of seconds. Its current value will be referenced at renewal + time. The initial ttl of the token to generate in seconds type: number tokenType: - description: The type of token to generate, service or batch + description: 'The type of token that should be generated. Can + be service, batch, or default to use the mount''s tuned default + (which unless changed will be service tokens). For token store + roles, there are two additional possibilities: default-service + and default-batch which specify the type to return unless the + client requests a different type at generation time. The type + of token to generate, service or batch' type: string tune: + description: Extra configuration block. Structure is documented + below. 
items: properties: allowedResponseHeaders: + description: List of headers to whitelist and allowing a + plugin to include them in the response. items: type: string type: array auditNonHmacRequestKeys: + description: Specifies the list of keys that will not be + HMAC'd by audit devices in the request data object. items: type: string type: array auditNonHmacResponseKeys: + description: Specifies the list of keys that will not be + HMAC'd by audit devices in the response data object. items: type: string type: array defaultLeaseTtl: + description: Specifies the default time-to-live. If set, + this overrides the global default. Must be a valid duration + string type: string listingVisibility: + description: Specifies whether to show this mount in the + UI-specific listing endpoint. Valid values are "unauth" + or "hidden". type: string maxLeaseTtl: + description: Specifies the maximum time-to-live. If set, + this overrides the global default. Must be a valid duration + string type: string passthroughRequestHeaders: + description: List of headers to whitelist and pass from + the request to the backend. items: type: string type: array tokenType: + description: Specifies the type of tokens that should be + returned by the mount. Valid values are "default-service", + "default-batch", "service", "batch". type: string type: object type: array diff --git a/package/crds/github.vault.upbound.io_teams.yaml b/package/crds/github.vault.upbound.io_teams.yaml index 4ffe7aae..f4d80ae6 100644 --- a/package/crds/github.vault.upbound.io_teams.yaml +++ b/package/crds/github.vault.upbound.io_teams.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: teams.github.vault.upbound.io spec: group: github.vault.upbound.io 
@@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: Team is the Schema for the Teams API. + description: Team is the Schema for the Teams API. Manages Team mappings for + Github Auth backend mounts in Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' @@ -68,13 +68,21 @@ spec: forProvider: properties: backend: - description: Auth backend to which team mapping will be congigured. + description: Path where the github auth backend is mounted. Defaults + to github if not specified. Auth backend to which team mapping + will be congigured. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string policies: - description: Policies to be assigned to this team. + description: An array of strings specifying the policies to be + set on tokens issued using this role. Policies to be assigned + to this team. items: type: string type: array 
@@ -82,21 +90,68 @@ spec: description: GitHub team name in "slugified" format. type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + backend: + description: Path where the github auth backend is mounted. Defaults + to github if not specified. Auth backend to which team mapping + will be congigured. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + policies: + description: An array of strings specifying the policies to be + set on tokens issued using this role. Policies to be assigned + to this team. + items: + type: string + type: array + team: + description: GitHub team name in "slugified" format. + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. 
ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -270,22 +325,32 @@ spec: type: object x-kubernetes-validations: - message: team is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.team) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.team) + || has(self.initProvider.team)' status: description: TeamStatus defines the observed state of Team. properties: atProvider: properties: backend: - description: Auth backend to which team mapping will be congigured. + description: Path where the github auth backend is mounted. Defaults + to github if not specified. Auth backend to which team mapping + will be congigured. type: string id: type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string policies: - description: Policies to be assigned to this team. + description: An array of strings specifying the policies to be + set on tokens issued using this role. Policies to be assigned + to this team. items: type: string type: array diff --git a/package/crds/github.vault.upbound.io_users.yaml b/package/crds/github.vault.upbound.io_users.yaml index 23f50a3d..4a23ae95 100644 --- a/package/crds/github.vault.upbound.io_users.yaml +++ b/package/crds/github.vault.upbound.io_users.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: users.github.vault.upbound.io spec: group: github.vault.upbound.io 
@@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: User is the Schema for the Users API. + description: User is the Schema for the Users API. Manages User mappings for + Github Auth backend mounts in Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -68,35 +68,90 @@ spec: forProvider: properties: backend: - description: Auth backend to which user mapping will be congigured. + description: Path where the github auth backend is mounted. Defaults + to github if not specified. Auth backend to which user mapping + will be congigured. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string policies: - description: Policies to be assigned to this user. + description: An array of strings specifying the policies to be + set on tokens issued using this role. Policies to be assigned + to this user. items: type: string type: array user: - description: GitHub user name. + description: GitHub user name. GitHub user name. type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + backend: + description: Path where the github auth backend is mounted. Defaults + to github if not specified. Auth backend to which user mapping + will be congigured. 
+ type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + policies: + description: An array of strings specifying the policies to be + set on tokens issued using this role. Policies to be assigned + to this user. + items: + type: string + type: array + user: + description: GitHub user name. GitHub user name. + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. 
See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -270,27 +325,37 @@ spec: type: object x-kubernetes-validations: - message: user is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.user) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.user) + || has(self.initProvider.user)' status: description: UserStatus defines the observed state of User. properties: atProvider: properties: backend: - description: Auth backend to which user mapping will be congigured. + description: Path where the github auth backend is mounted. Defaults + to github if not specified. Auth backend to which user mapping + will be congigured. type: string id: type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string policies: - description: Policies to be assigned to this user. + description: An array of strings specifying the policies to be + set on tokens issued using this role. Policies to be assigned + to this user. items: type: string type: array user: - description: GitHub user name. + description: GitHub user name. GitHub user name. type: string type: object conditions: diff --git a/package/crds/identity.vault.upbound.io_entities.yaml b/package/crds/identity.vault.upbound.io_entities.yaml index 4430f11f..24107a80 100644 --- a/package/crds/identity.vault.upbound.io_entities.yaml +++ b/package/crds/identity.vault.upbound.io_entities.yaml 
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: entities.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: Entity is the Schema for the Entitys API. + description: Entity is the Schema for the Entitys API. Creates an Identity + Entity for Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -68,44 +68,116 @@ spec: forProvider: properties: disabled: - description: Whether the entity is disabled. Disabled entities' + description: True/false Is this entity currently disabled. Defaults + to false Whether the entity is disabled. Disabled entities' associated tokens cannot be used, but are not revoked. type: boolean externalPolicies: - description: Manage policies externally through `vault_identity_entity_policies`. + description: false by default. If set to true, this resource will + ignore any policies return from Vault or specified in the resource. + You can use vault_identity_entity_policies to manage policies + for this entity in a decoupled manner. Manage policies externally + through `vault_identity_entity_policies`. type: boolean metadata: additionalProperties: type: string - description: Metadata to be associated with the entity. + description: A Map of additional metadata to associate with the + user. Metadata to be associated with the entity. type: object name: - description: Name of the entity. + description: Name of the identity entity to create. Name of the + entity. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string policies: - description: Policies to be tied to the entity. + description: A list of policies to apply to the entity. Policies + to be tied to the entity. items: type: string type: array type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. 
InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + disabled: + description: True/false Is this entity currently disabled. Defaults + to false Whether the entity is disabled. Disabled entities' + associated tokens cannot be used, but are not revoked. + type: boolean + externalPolicies: + description: false by default. If set to true, this resource will + ignore any policies return from Vault or specified in the resource. + You can use vault_identity_entity_policies to manage policies + for this entity in a decoupled manner. Manage policies externally + through `vault_identity_entity_policies`. + type: boolean + metadata: + additionalProperties: + type: string + description: A Map of additional metadata to associate with the + user. Metadata to be associated with the entity. + type: object + name: + description: Name of the identity entity to create. Name of the + entity. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + policies: + description: A list of policies to apply to the entity. Policies + to be tied to the entity. + items: + type: string + type: array + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. 
It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -283,27 +355,40 @@ spec: atProvider: properties: disabled: - description: Whether the entity is disabled. Disabled entities' + description: True/false Is this entity currently disabled. Defaults + to false Whether the entity is disabled. Disabled entities' associated tokens cannot be used, but are not revoked. type: boolean externalPolicies: - description: Manage policies externally through `vault_identity_entity_policies`. + description: false by default. If set to true, this resource will + ignore any policies return from Vault or specified in the resource. + You can use vault_identity_entity_policies to manage policies + for this entity in a decoupled manner. Manage policies externally + through `vault_identity_entity_policies`. type: boolean id: + description: The id of the created entity. type: string metadata: additionalProperties: type: string - description: Metadata to be associated with the entity. + description: A Map of additional metadata to associate with the + user. Metadata to be associated with the entity. type: object name: - description: Name of the entity. + description: Name of the identity entity to create. Name of the + entity. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string policies: - description: Policies to be tied to the entity. + description: A list of policies to apply to the entity. Policies + to be tied to the entity. items: type: string type: array diff --git a/package/crds/identity.vault.upbound.io_entityaliases.yaml b/package/crds/identity.vault.upbound.io_entityaliases.yaml index 26ce9a60..480a4683 100644 --- a/package/crds/identity.vault.upbound.io_entityaliases.yaml 
+++ b/package/crds/identity.vault.upbound.io_entityaliases.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: entityaliases.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: EntityAlias is the Schema for the EntityAliass API. + description: EntityAlias is the Schema for the EntityAliass API. Creates an + Identity Entity Alias for Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' @@ -68,7 +68,8 @@ spec: forProvider: properties: canonicalId: - description: ID of the entity to which this is an alias. + description: Entity ID to which this alias belongs to. ID of the + entity to which this is an alias. type: string customMetadata: additionalProperties: 
@@ -76,31 +77,95 @@ spec: description: Custom metadata to be associated with this alias. type: object mountAccessor: - description: Mount accessor to which this alias belongs toMount - accessor to which this alias belongs to. + description: Accessor of the mount to which the alias should belong + to. Mount accessor to which this alias belongs toMount accessor + to which this alias belongs to. type: string name: - description: Name of the entity alias. + description: Name of the alias. Name should be the identifier + of the client in the authentication source. For example, if + the alias belongs to userpass backend, the name should be a + valid username within userpass backend. If alias belongs to + GitHub, it should be the GitHub username. Name of the entity + alias. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. 
+ properties: + canonicalId: + description: Entity ID to which this alias belongs to. ID of the + entity to which this is an alias. + type: string + customMetadata: + additionalProperties: + type: string + description: Custom metadata to be associated with this alias. + type: object + mountAccessor: + description: Accessor of the mount to which the alias should belong + to. Mount accessor to which this alias belongs toMount accessor + to which this alias belongs to. + type: string + name: + description: Name of the alias. Name should be the identifier + of the client in the authentication source. For example, if + the alias belongs to userpass backend, the name should be a + valid username within userpass backend. If alias belongs to + GitHub, it should be the GitHub username. Name of the entity + alias. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. 
- See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -274,18 +339,25 @@ spec: type: object x-kubernetes-validations: - message: canonicalId is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.canonicalId) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.canonicalId) + || has(self.initProvider.canonicalId)' - message: mountAccessor is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.mountAccessor) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.mountAccessor) + || has(self.initProvider.mountAccessor)' - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' status: description: EntityAliasStatus defines the observed state of EntityAlias. properties: atProvider: properties: canonicalId: - description: ID of the entity to which this is an alias. + description: Entity ID to which this alias belongs to. ID of the + entity to which this is an alias. type: string customMetadata: additionalProperties: 
@@ -293,16 +365,27 @@ spec: description: Custom metadata to be associated with this alias. type: object id: + description: ID of the entity alias. type: string mountAccessor: - description: Mount accessor to which this alias belongs toMount - accessor to which this alias belongs to. + description: Accessor of the mount to which the alias should belong + to. Mount accessor to which this alias belongs toMount accessor + to which this alias belongs to. type: string name: - description: Name of the entity alias. + description: Name of the alias. Name should be the identifier + of the client in the authentication source. For example, if + the alias belongs to userpass backend, the name should be a + valid username within userpass backend. If alias belongs to + GitHub, it should be the GitHub username. Name of the entity + alias. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string type: object conditions: diff --git a/package/crds/identity.vault.upbound.io_entitypolicies.yaml b/package/crds/identity.vault.upbound.io_entitypolicies.yaml index ea964eb8..d13ba640 100644 --- a/package/crds/identity.vault.upbound.io_entitypolicies.yaml +++ b/package/crds/identity.vault.upbound.io_entitypolicies.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: entitypolicies.identity.vault.upbound.io spec: group: identity.vault.upbound.io 
@@ -35,8 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: EntityPolicies is the Schema for the EntityPoliciess API. + description: EntityPolicies is the Schema for the EntityPoliciess API. Manages + policies for an Identity Entity for Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,35 +68,86 @@ spec: forProvider: properties: entityId: - description: ID of the entity. + description: Entity ID to assign policies to. ID of the entity. type: string exclusive: - description: Should the resource manage policies exclusively + description: Defaults to true. Should the resource manage policies + exclusively type: boolean namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string policies: - description: Policies to be tied to the entity. + description: List of policies to assign to the entity Policies + to be tied to the entity. items: type: string type: array type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + entityId: + description: Entity ID to assign policies to. ID of the entity. + type: string + exclusive: + description: Defaults to true. Should the resource manage policies + exclusively + type: boolean + namespace: + description: The namespace to provision the resource in. 
The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + policies: + description: List of policies to assign to the entity Policies + to be tied to the entity. + items: + type: string + type: array + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. 
See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -271,30 +321,41 @@ spec: type: object x-kubernetes-validations: - message: entityId is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.entityId) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.entityId) + || has(self.initProvider.entityId)' - message: policies is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policies) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.policies) + || has(self.initProvider.policies)' status: description: EntityPoliciesStatus defines the observed state of EntityPolicies. properties: atProvider: properties: entityId: - description: ID of the entity. + description: Entity ID to assign policies to. ID of the entity. type: string entityName: - description: Name of the entity. + description: The name of the entity that are assigned the policies. + Name of the entity. type: string exclusive: - description: Should the resource manage policies exclusively + description: Defaults to true. Should the resource manage policies + exclusively type: boolean id: type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string policies: - description: Policies to be tied to the entity. + description: List of policies to assign to the entity Policies + to be tied to the entity. items: type: string type: array 
diff --git a/package/crds/identity.vault.upbound.io_groupaliases.yaml b/package/crds/identity.vault.upbound.io_groupaliases.yaml index f92b0a7b..30b9c83e 100644 --- a/package/crds/identity.vault.upbound.io_groupaliases.yaml +++ b/package/crds/identity.vault.upbound.io_groupaliases.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: groupaliases.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: GroupAlias is the Schema for the GroupAliass API. + description: GroupAlias is the Schema for the GroupAliass API. Creates an + Identity Group Alias for Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -68,33 +68,86 @@ spec: forProvider: properties: canonicalId: - description: ID of the group to which this is an alias. + description: ID of the group to which this is an alias. ID of + the group to which this is an alias. type: string mountAccessor: - description: Mount accessor to which this alias belongs to. + description: Mount accessor of the authentication backend to which + this alias belongs to. Mount accessor to which this alias belongs + to. type: string name: - description: Name of the group alias. + description: Name of the group alias to create. Name of the group + alias. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + canonicalId: + description: ID of the group to which this is an alias. ID of + the group to which this is an alias. 
+ type: string + mountAccessor: + description: Mount accessor of the authentication backend to which + this alias belongs to. Mount accessor to which this alias belongs + to. + type: string + name: + description: Name of the group alias to create. Name of the group + alias. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. 
See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -268,29 +321,44 @@ spec: type: object x-kubernetes-validations: - message: canonicalId is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.canonicalId) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.canonicalId) + || has(self.initProvider.canonicalId)' - message: mountAccessor is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.mountAccessor) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.mountAccessor) + || has(self.initProvider.mountAccessor)' - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' status: description: GroupAliasStatus defines the observed state of GroupAlias. properties: atProvider: properties: canonicalId: - description: ID of the group to which this is an alias. + description: ID of the group to which this is an alias. ID of + the group to which this is an alias. type: string id: + description: The id of the created group alias. type: string mountAccessor: - description: Mount accessor to which this alias belongs to. + description: Mount accessor of the authentication backend to which + this alias belongs to. Mount accessor to which this alias belongs + to. type: string name: - description: Name of the group alias. + description: Name of the group alias to create. Name of the group + alias. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. 
The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string type: object conditions: diff --git a/package/crds/identity.vault.upbound.io_groupmemberentityids.yaml b/package/crds/identity.vault.upbound.io_groupmemberentityidsidses.yaml similarity index 70% rename from package/crds/identity.vault.upbound.io_groupmemberentityids.yaml rename to package/crds/identity.vault.upbound.io_groupmemberentityidsidses.yaml index e06dd574..7803181e 100644 --- a/package/crds/identity.vault.upbound.io_groupmemberentityids.yaml +++ b/package/crds/identity.vault.upbound.io_groupmemberentityidsidses.yaml @@ -3,9 +3,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null - name: groupmemberentityids.identity.vault.upbound.io + controller-gen.kubebuilder.io/version: v0.12.1 + name: groupmemberentityidsidses.identity.vault.upbound.io spec: group: identity.vault.upbound.io names: @@ -15,7 +14,7 @@ spec: - vault kind: GroupMemberEntityIds listKind: GroupMemberEntityIdsList - plural: groupmemberentityids + plural: groupmemberentityidsidses singular: groupmemberentityids scope: Cluster versions: @@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: GroupMemberEntityIds is the Schema for the GroupMemberEntityIdss - API. + API. Manages member entities for an Identity Group for Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
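Review bot: The renamed CRD in this hunk carries a doubled plural, `name: groupmemberentityidsidses.identity.vault.upbound.io` and `plural: groupmemberentityidsidses`, while `singular: groupmemberentityids` is unchanged; the same doubled form appears for `groupmembergroupidsidses` in the next file section. This looks like the generator's pluralizer being applied to a name that already ends in "Ids", so the fix presumably belongs on the Go type (for example an explicit `+kubebuilder:resource:path=groupmemberentityids` marker) and a regeneration, rather than a hand edit of this YAML. Because the CRD name and plural change, any existing RBAC rule, ClusterRole or kubectl invocation that references the old plural `groupmemberentityids` will no longer match the resource, which is a breaking rename the commit message should call out if it is intended.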
@@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,37 +68,90 @@ spec: forProvider: properties: exclusive: - description: If set to true, allows the resource to manage member - entity ids exclusively. Beware of race conditions when disabling - exclusive management + description: Defaults to true. If set to true, allows the resource + to manage member entity ids exclusively. Beware of race conditions + when disabling exclusive management type: boolean groupId: - description: ID of the group. + description: Group ID to assign member entities to. ID of the + group. type: string memberEntityIds: - description: Entity IDs to be assigned as group members. + description: List of member entities that belong to the group + Entity IDs to be assigned as group members. items: type: string type: array namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + exclusive: + description: Defaults to true. 
If set to true, allows the resource + to manage member entity ids exclusively. Beware of race conditions + when disabling exclusive management + type: boolean + groupId: + description: Group ID to assign member entities to. ID of the + group. + type: string + memberEntityIds: + description: List of member entities that belong to the group + Entity IDs to be assigned as group members. + items: + type: string + type: array + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. 
See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -273,7 +325,9 @@ spec: type: object x-kubernetes-validations: - message: groupId is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.groupId) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.groupId) + || has(self.initProvider.groupId)' status: description: GroupMemberEntityIdsStatus defines the observed state of GroupMemberEntityIds. 
@@ -281,25 +335,34 @@ spec: atProvider: properties: exclusive: - description: If set to true, allows the resource to manage member - entity ids exclusively. Beware of race conditions when disabling - exclusive management + description: Defaults to true. If set to true, allows the resource + to manage member entity ids exclusively. Beware of race conditions + when disabling exclusive management type: boolean groupId: - description: ID of the group. + description: Group ID to assign member entities to. ID of the + group. type: string groupName: - description: Name of the group. + description: 'The name of the group that are assigned the member + entities. Deprecated: The value for group_name may not always + be accurate use data.vault_identity_group.*.group_name, or vault_identity_group.*.group_name + instead. Name of the group.' type: string id: type: string memberEntityIds: - description: Entity IDs to be assigned as group members. + description: List of member entities that belong to the group + Entity IDs to be assigned as group members. items: type: string type: array namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string type: object conditions: diff --git a/package/crds/identity.vault.upbound.io_groupmembergroupids.yaml b/package/crds/identity.vault.upbound.io_groupmembergroupidsidses.yaml similarity index 71% rename from package/crds/identity.vault.upbound.io_groupmembergroupids.yaml rename to package/crds/identity.vault.upbound.io_groupmembergroupidsidses.yaml index 3cb436eb..2569d0c9 100644 --- a/package/crds/identity.vault.upbound.io_groupmembergroupids.yaml +++ b/package/crds/identity.vault.upbound.io_groupmembergroupidsidses.yaml 
@@ -3,9 +3,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null - name: groupmembergroupids.identity.vault.upbound.io + controller-gen.kubebuilder.io/version: v0.12.1 + name: groupmembergroupidsidses.identity.vault.upbound.io spec: group: identity.vault.upbound.io names: @@ -15,7 +14,7 @@ spec: - vault kind: GroupMemberGroupIds listKind: GroupMemberGroupIdsList - plural: groupmembergroupids + plural: groupmembergroupidsidses singular: groupmembergroupids scope: Cluster versions: @@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: GroupMemberGroupIds is the Schema for the GroupMemberGroupIdss - API. + API. Manages member groups for an Identity Group for Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,37 +68,90 @@ spec: forProvider: properties: exclusive: - description: If set to true, allows the resource to manage member - group ids exclusively. Beware of race conditions when disabling - exclusive management + description: Defaults to true. If set to true, allows the resource + to manage member group ids exclusively. Beware of race conditions + when disabling exclusive management type: boolean groupId: - description: ID of the group. + description: Group ID to assign member entities to. ID of the + group. type: string memberGroupIds: - description: Group IDs to be assigned as group members. + description: List of member groups that belong to the group Group + IDs to be assigned as group members. items: type: string type: array namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + exclusive: + description: Defaults to true. 
If set to true, allows the resource + to manage member group ids exclusively. Beware of race conditions + when disabling exclusive management + type: boolean + groupId: + description: Group ID to assign member entities to. ID of the + group. + type: string + memberGroupIds: + description: List of member groups that belong to the group Group + IDs to be assigned as group members. + items: + type: string + type: array + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. 
See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -273,29 +325,37 @@ spec: type: object x-kubernetes-validations: - message: groupId is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.groupId) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.groupId) + || has(self.initProvider.groupId)' status: description: GroupMemberGroupIdsStatus defines the observed state of GroupMemberGroupIds. properties: atProvider: properties: exclusive: - description: If set to true, allows the resource to manage member - group ids exclusively. Beware of race conditions when disabling - exclusive management + description: Defaults to true. If set to true, allows the resource + to manage member group ids exclusively. Beware of race conditions + when disabling exclusive management type: boolean groupId: - description: ID of the group. + description: Group ID to assign member entities to. ID of the + group. type: string id: type: string memberGroupIds: - description: Group IDs to be assigned as group members. + description: List of member groups that belong to the group Group + IDs to be assigned as group members. items: type: string type: array namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string type: object conditions: diff --git a/package/crds/identity.vault.upbound.io_grouppolicies.yaml b/package/crds/identity.vault.upbound.io_grouppolicies.yaml index 275b4853..2acd148d 100644 --- a/package/crds/identity.vault.upbound.io_grouppolicies.yaml +++ b/package/crds/identity.vault.upbound.io_grouppolicies.yaml 
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: grouppolicies.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: GroupPolicies is the Schema for the GroupPoliciess API. + description: GroupPolicies is the Schema for the GroupPoliciess API. Manages + policies for an Identity Group for Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -68,36 +68,88 @@ spec: forProvider: properties: exclusive: - description: Should the resource manage policies exclusively? - Beware of race conditions when disabling exclusive management + description: Defaults to true. Should the resource manage policies + exclusively? Beware of race conditions when disabling exclusive + management type: boolean groupId: - description: ID of the group. + description: Group ID to assign policies to. ID of the group. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string policies: - description: Policies to be tied to the group. + description: List of policies to assign to the group Policies + to be tied to the group. items: type: string type: array type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + exclusive: + description: Defaults to true. Should the resource manage policies + exclusively? 
Beware of race conditions when disabling exclusive + management + type: boolean + groupId: + description: Group ID to assign policies to. ID of the group. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + policies: + description: List of policies to assign to the group Policies + to be tied to the group. + items: + type: string + type: array + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. 
See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -271,31 +323,42 @@ spec: type: object x-kubernetes-validations: - message: groupId is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.groupId) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.groupId) + || has(self.initProvider.groupId)' - message: policies is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policies) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.policies) + || has(self.initProvider.policies)' status: description: GroupPoliciesStatus defines the observed state of GroupPolicies. properties: atProvider: properties: exclusive: - description: Should the resource manage policies exclusively? - Beware of race conditions when disabling exclusive management + description: Defaults to true. Should the resource manage policies + exclusively? Beware of race conditions when disabling exclusive + management type: boolean groupId: - description: ID of the group. + description: Group ID to assign policies to. ID of the group. type: string groupName: - description: Name of the group. + description: The name of the group that are assigned the policies. + Name of the group. type: string id: type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string policies: - description: Policies to be tied to the group. + description: List of policies to assign to the group Policies + to be tied to the group. items: type: string type: array 
diff --git a/package/crds/identity.vault.upbound.io_groups.yaml b/package/crds/identity.vault.upbound.io_groups.yaml index 40c90250..f5a1aec7 100644 --- a/package/crds/identity.vault.upbound.io_groups.yaml +++ b/package/crds/identity.vault.upbound.io_groups.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: groups.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: Group is the Schema for the Groups API. + description: Group is the Schema for the Groups API. Creates an Identity Group + for Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -68,61 +68,174 @@ spec: forProvider: properties: externalMemberEntityIds: - description: Manage member entities externally through `vault_identity_group_member_entity_ids` + description: false by default. If set to true, this resource will + ignore any Entity IDs returned from Vault or specified in the + resource. You can use vault_identity_group_member_entity_ids + to manage Entity IDs for this group in a decoupled manner. Manage + member entities externally through `vault_identity_group_member_entity_ids` type: boolean externalMemberGroupIds: - description: Manage member groups externally through `vault_identity_group_member_group_ids` + description: false by default. If set to true, this resource will + ignore any Group IDs returned from Vault or specified in the + resource. You can use vault_identity_group_member_group_ids + to manage Group IDs for this group in a decoupled manner. Manage + member groups externally through `vault_identity_group_member_group_ids` type: boolean externalPolicies: - description: Manage policies externally through `vault_identity_group_policies`, - allows using group ID in assigned policies. + description: false by default. If set to true, this resource will + ignore any policies returned from Vault or specified in the + resource. You can use vault_identity_group_policies to manage + policies for this group in a decoupled manner. Manage policies + externally through `vault_identity_group_policies`, allows using + group ID in assigned policies. type: boolean memberEntityIds: - description: Entity IDs to be assigned as group members. + description: A list of Entity IDs to be assigned as group members. + Not allowed on external groups. Entity IDs to be assigned as + group members. items: type: string type: array memberGroupIds: - description: Group IDs to be assigned as group members. + description: A list of Group IDs to be assigned as group members. + Not allowed on external groups. Group IDs to be assigned as + group members. 
items: type: string type: array metadata: additionalProperties: type: string - description: Metadata to be associated with the group. + description: A Map of additional metadata to associate with the + group. Metadata to be associated with the group. type: object name: - description: Name of the group. + description: Name of the identity group to create. Name of the + group. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string policies: - description: Policies to be tied to the group. + description: A list of policies to apply to the group. Policies + to be tied to the group. items: type: string type: array type: description: Type of the group, internal or external. Defaults + to internal. Type of the group, internal or external. Defaults to internal. type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + externalMemberEntityIds: + description: false by default. 
If set to true, this resource will + ignore any Entity IDs returned from Vault or specified in the + resource. You can use vault_identity_group_member_entity_ids + to manage Entity IDs for this group in a decoupled manner. Manage + member entities externally through `vault_identity_group_member_entity_ids` + type: boolean + externalMemberGroupIds: + description: false by default. If set to true, this resource will + ignore any Group IDs returned from Vault or specified in the + resource. You can use vault_identity_group_member_group_ids + to manage Group IDs for this group in a decoupled manner. Manage + member groups externally through `vault_identity_group_member_group_ids` + type: boolean + externalPolicies: + description: false by default. If set to true, this resource will + ignore any policies returned from Vault or specified in the + resource. You can use vault_identity_group_policies to manage + policies for this group in a decoupled manner. Manage policies + externally through `vault_identity_group_policies`, allows using + group ID in assigned policies. + type: boolean + memberEntityIds: + description: A list of Entity IDs to be assigned as group members. + Not allowed on external groups. Entity IDs to be assigned as + group members. + items: + type: string + type: array + memberGroupIds: + description: A list of Group IDs to be assigned as group members. + Not allowed on external groups. Group IDs to be assigned as + group members. + items: + type: string + type: array + metadata: + additionalProperties: + type: string + description: A Map of additional metadata to associate with the + group. Metadata to be associated with the group. + type: object + name: + description: Name of the identity group to create. Name of the + group. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. 
+ Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + policies: + description: A list of policies to apply to the group. Policies + to be tied to the group. + items: + type: string + type: array + type: + description: Type of the group, internal or external. Defaults + to internal. Type of the group, internal or external. Defaults + to internal. + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. 
See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -300,45 +413,70 @@ spec: atProvider: properties: externalMemberEntityIds: - description: Manage member entities externally through `vault_identity_group_member_entity_ids` + description: false by default. If set to true, this resource will + ignore any Entity IDs returned from Vault or specified in the + resource. You can use vault_identity_group_member_entity_ids + to manage Entity IDs for this group in a decoupled manner. Manage + member entities externally through `vault_identity_group_member_entity_ids` type: boolean externalMemberGroupIds: - description: Manage member groups externally through `vault_identity_group_member_group_ids` + description: false by default. If set to true, this resource will + ignore any Group IDs returned from Vault or specified in the + resource. You can use vault_identity_group_member_group_ids + to manage Group IDs for this group in a decoupled manner. Manage + member groups externally through `vault_identity_group_member_group_ids` type: boolean externalPolicies: - description: Manage policies externally through `vault_identity_group_policies`, - allows using group ID in assigned policies. + description: false by default. If set to true, this resource will + ignore any policies returned from Vault or specified in the + resource. You can use vault_identity_group_policies to manage + policies for this group in a decoupled manner. Manage policies + externally through `vault_identity_group_policies`, allows using + group ID in assigned policies. type: boolean id: + description: The id of the created group. type: string memberEntityIds: - description: Entity IDs to be assigned as group members. + description: A list of Entity IDs to be assigned as group members. + Not allowed on external groups. Entity IDs to be assigned as + group members. items: type: string type: array memberGroupIds: - description: Group IDs to be assigned as group members. + description: A list of Group IDs to be assigned as group members. 
+ Not allowed on external groups. Group IDs to be assigned as + group members. items: type: string type: array metadata: additionalProperties: type: string - description: Metadata to be associated with the group. + description: A Map of additional metadata to associate with the + group. Metadata to be associated with the group. type: object name: - description: Name of the group. + description: Name of the identity group to create. Name of the + group. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string policies: - description: Policies to be tied to the group. + description: A list of policies to apply to the group. Policies + to be tied to the group. items: type: string type: array type: description: Type of the group, internal or external. Defaults + to internal. Type of the group, internal or external. Defaults to internal. type: string type: object diff --git a/package/crds/identity.vault.upbound.io_mfaduoes.yaml b/package/crds/identity.vault.upbound.io_mfaduoes.yaml index 64348cec..c5cad0ea 100644 --- a/package/crds/identity.vault.upbound.io_mfaduoes.yaml +++ b/package/crds/identity.vault.upbound.io_mfaduoes.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: mfaduoes.identity.vault.upbound.io spec: group: identity.vault.upbound.io 
@@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: MfaDuo is the Schema for the MfaDuos API. + description: MfaDuo is the Schema for the MfaDuos API. Resource for configuring + the duo MFA method. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' @@ -68,10 +68,10 @@ spec: forProvider: properties: apiHostname: - description: API hostname for Duo + description: API hostname for Duo API hostname for Duo type: string integrationKeySecretRef: - description: Integration key for Duo + description: Integration key for Duo Integration key for Duo properties: key: description: The key to select. @@ -88,13 +88,14 @@ spec: - namespace type: object namespace: - description: Target namespace. (requires Enterprise) + description: Target namespace. (requires Enterprise) Target namespace. + (requires Enterprise) type: string pushInfo: - description: Push information for Duo. + description: Push information for Duo. Push information for Duo. type: string secretKeySecretRef: - description: Secret key for Duo + description: Secret key for Duo Secret key for Duo properties: key: description: The key to select. 
@@ -111,28 +112,74 @@ spec: - namespace type: object usePasscode: - description: Require passcode upon MFA validation. + description: Require passcode upon MFA validation. Require passcode + upon MFA validation. type: boolean usernameFormat: description: A template string for mapping Identity names to MFA + methods. A template string for mapping Identity names to MFA methods. type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + apiHostname: + description: API hostname for Duo API hostname for Duo + type: string + namespace: + description: Target namespace. (requires Enterprise) Target namespace. + (requires Enterprise) + type: string + pushInfo: + description: Push information for Duo. Push information for Duo. + type: string + usePasscode: + description: Require passcode upon MFA validation. Require passcode + upon MFA validation. + type: boolean + usernameFormat: + description: A template string for mapping Identity names to MFA + methods. A template string for mapping Identity names to MFA + methods. + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. 
It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -306,54 +353,61 @@ spec: type: object x-kubernetes-validations: - message: apiHostname is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.apiHostname) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.apiHostname) + || has(self.initProvider.apiHostname)' - message: integrationKeySecretRef is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.integrationKeySecretRef) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.integrationKeySecretRef)' - message: secretKeySecretRef is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.secretKeySecretRef) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.secretKeySecretRef)' status: description: MfaDuoStatus defines the observed state of MfaDuo. properties: atProvider: properties: apiHostname: - description: API hostname for Duo + description: API hostname for Duo API hostname for Duo type: string id: type: string methodId: - description: Method ID. + description: Method ID. Method ID. type: string mountAccessor: - description: Mount accessor. + description: Mount accessor. Mount accessor. type: string name: description: Method name. type: string namespace: - description: Target namespace. (requires Enterprise) + description: Target namespace. (requires Enterprise) Target namespace. + (requires Enterprise) type: string namespaceId: - description: Method's namespace ID. + description: Method's namespace ID. Method's namespace ID. type: string namespacePath: - description: Method's namespace path. + description: Method's namespace path. Method's namespace path. 
type: string pushInfo: - description: Push information for Duo. + description: Push information for Duo. Push information for Duo. type: string type: - description: MFA type. + description: MFA type. MFA type. type: string usePasscode: - description: Require passcode upon MFA validation. + description: Require passcode upon MFA validation. Require passcode + upon MFA validation. type: boolean usernameFormat: description: A template string for mapping Identity names to MFA + methods. A template string for mapping Identity names to MFA methods. type: string uuid: - description: Resource UUID. + description: Resource UUID. Resource UUID. type: string type: object conditions: diff --git a/package/crds/identity.vault.upbound.io_mfaloginenforcements.yaml b/package/crds/identity.vault.upbound.io_mfaloginenforcements.yaml index cc44055c..a1e956d5 100644 --- a/package/crds/identity.vault.upbound.io_mfaloginenforcements.yaml +++ b/package/crds/identity.vault.upbound.io_mfaloginenforcements.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: mfaloginenforcements.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: MfaLoginEnforcement is the Schema for the MfaLoginEnforcements - API. + API. Resource for configuring MFA login-enforcement properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,52 +68,116 @@ spec: forProvider: properties: authMethodAccessors: - description: Set of auth method accessor IDs. + description: Set of auth method accessor IDs. Set of auth method + accessor IDs. items: type: string type: array authMethodTypes: - description: Set of auth method types. + description: Set of auth method types. Set of auth method types. items: type: string type: array identityEntityIds: - description: Set of identity entity IDs. + description: Set of identity entity IDs. Set of identity entity + IDs. items: type: string type: array identityGroupIds: - description: Set of identity group IDs. + description: Set of identity group IDs. Set of identity group + IDs. items: type: string type: array mfaMethodIds: - description: Set of MFA method UUIDs. + description: Set of MFA method UUIDs. Set of MFA method UUIDs. items: type: string type: array name: - description: Login enforcement name. + description: Login enforcement name. Login enforcement name. type: string namespace: - description: Target namespace. (requires Enterprise) + description: Target namespace. (requires Enterprise) Target namespace. + (requires Enterprise) type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. 
+ properties: + authMethodAccessors: + description: Set of auth method accessor IDs. Set of auth method + accessor IDs. + items: + type: string + type: array + authMethodTypes: + description: Set of auth method types. Set of auth method types. + items: + type: string + type: array + identityEntityIds: + description: Set of identity entity IDs. Set of identity entity + IDs. + items: + type: string + type: array + identityGroupIds: + description: Set of identity group IDs. Set of identity group + IDs. + items: + type: string + type: array + mfaMethodIds: + description: Set of MFA method UUIDs. Set of MFA method UUIDs. + items: + type: string + type: array + name: + description: Login enforcement name. Login enforcement name. + type: string + namespace: + description: Target namespace. (requires Enterprise) Target namespace. + (requires Enterprise) + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. 
Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -288,55 +351,63 @@ spec: type: object x-kubernetes-validations: - message: mfaMethodIds is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.mfaMethodIds) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.mfaMethodIds) + || has(self.initProvider.mfaMethodIds)' - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' status: description: MfaLoginEnforcementStatus defines the observed state of MfaLoginEnforcement. properties: atProvider: properties: authMethodAccessors: - description: Set of auth method accessor IDs. + description: Set of auth method accessor IDs. Set of auth method + accessor IDs. items: type: string type: array authMethodTypes: - description: Set of auth method types. + description: Set of auth method types. Set of auth method types. items: type: string type: array id: type: string identityEntityIds: - description: Set of identity entity IDs. + description: Set of identity entity IDs. Set of identity entity + IDs. items: type: string type: array identityGroupIds: - description: Set of identity group IDs. + description: Set of identity group IDs. Set of identity group + IDs. items: type: string type: array mfaMethodIds: - description: Set of MFA method UUIDs. + description: Set of MFA method UUIDs. Set of MFA method UUIDs. items: type: string type: array name: - description: Login enforcement name. + description: Login enforcement name. Login enforcement name. type: string namespace: - description: Target namespace. (requires Enterprise) + description: Target namespace. (requires Enterprise) Target namespace. 
+ (requires Enterprise) type: string namespaceId: - description: Method's namespace ID. + description: Method's namespace ID. Method's namespace ID. type: string namespacePath: - description: Method's namespace path. + description: Method's namespace path. Method's namespace path. type: string uuid: - description: Resource UUID. + description: Resource UUID. Resource UUID. type: string type: object conditions: diff --git a/package/crds/identity.vault.upbound.io_mfaokta.yaml b/package/crds/identity.vault.upbound.io_mfaoktas.yaml similarity index 75% rename from package/crds/identity.vault.upbound.io_mfaokta.yaml rename to package/crds/identity.vault.upbound.io_mfaoktas.yaml index dab6ddd8..05483f6a 100644 --- a/package/crds/identity.vault.upbound.io_mfaokta.yaml +++ b/package/crds/identity.vault.upbound.io_mfaoktas.yaml @@ -3,9 +3,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null - name: mfaokta.identity.vault.upbound.io + controller-gen.kubebuilder.io/version: v0.12.1 + name: mfaoktas.identity.vault.upbound.io spec: group: identity.vault.upbound.io names: @@ -15,7 +14,7 @@ spec: - vault kind: MfaOkta listKind: MfaOktaList - plural: mfaokta + plural: mfaoktas singular: mfaokta scope: Cluster versions: @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: MfaOkta is the Schema for the MfaOktas API. + description: MfaOkta is the Schema for the MfaOktas API. Resource for configuring + the okta MFA method. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' @@ -68,7 +68,7 @@ spec: forProvider: properties: apiTokenSecretRef: - description: Okta API token. + description: Okta API token. Okta API token. properties: key: description: The key to select. 
@@ -85,37 +85,88 @@ spec: - namespace type: object baseUrl: - description: The base domain to use for API requests. + description: The base domain to use for API requests. The base + domain to use for API requests. type: string namespace: - description: Target namespace. (requires Enterprise) + description: Target namespace. (requires Enterprise) Target namespace. + (requires Enterprise) type: string orgName: description: Name of the organization to be used in the Okta API. + Name of the organization to be used in the Okta API. type: string primaryEmail: - description: Only match the primary email for the account. + description: Only match the primary email for the account. Only + match the primary email for the account. type: boolean usernameFormat: description: A template string for mapping Identity names to MFA + methods. A template string for mapping Identity names to MFA methods. type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + baseUrl: + description: The base domain to use for API requests. The base + domain to use for API requests. + type: string + namespace: + description: Target namespace. (requires Enterprise) Target namespace. 
+ (requires Enterprise) + type: string + orgName: + description: Name of the organization to be used in the Okta API. + Name of the organization to be used in the Okta API. + type: string + primaryEmail: + description: Only match the primary email for the account. Only + match the primary email for the account. + type: boolean + usernameFormat: + description: A template string for mapping Identity names to MFA + methods. A template string for mapping Identity names to MFA + methods. + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. 
See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -289,52 +340,60 @@ spec: type: object x-kubernetes-validations: - message: apiTokenSecretRef is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.apiTokenSecretRef) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.apiTokenSecretRef)' - message: orgName is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.orgName) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.orgName) + || has(self.initProvider.orgName)' status: description: MfaOktaStatus defines the observed state of MfaOkta. properties: atProvider: properties: baseUrl: - description: The base domain to use for API requests. + description: The base domain to use for API requests. The base + domain to use for API requests. type: string id: type: string methodId: - description: Method ID. + description: Method ID. Method ID. type: string mountAccessor: - description: Mount accessor. + description: Mount accessor. Mount accessor. type: string name: description: Method name. type: string namespace: - description: Target namespace. (requires Enterprise) + description: Target namespace. (requires Enterprise) Target namespace. + (requires Enterprise) type: string namespaceId: - description: Method's namespace ID. + description: Method's namespace ID. Method's namespace ID. type: string namespacePath: - description: Method's namespace path. + description: Method's namespace path. Method's namespace path. type: string orgName: description: Name of the organization to be used in the Okta API. + Name of the organization to be used in the Okta API. type: string primaryEmail: - description: Only match the primary email for the account. + description: Only match the primary email for the account. 
Only + match the primary email for the account. type: boolean type: - description: MFA type. + description: MFA type. MFA type. type: string usernameFormat: description: A template string for mapping Identity names to MFA + methods. A template string for mapping Identity names to MFA methods. type: string uuid: - description: Resource UUID. + description: Resource UUID. Resource UUID. type: string type: object conditions: diff --git a/package/crds/identity.vault.upbound.io_mfapingids.yaml b/package/crds/identity.vault.upbound.io_mfapingids.yaml index 7b0474a3..fb622938 100644 --- a/package/crds/identity.vault.upbound.io_mfapingids.yaml +++ b/package/crds/identity.vault.upbound.io_mfapingids.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: mfapingids.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -57,7 +56,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -79,21 +78,57 @@ spec: methods. type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + namespace: + description: Target namespace. (requires Enterprise) + type: string + settingsFileBase64: + description: A base64-encoded third-party settings contents as + retrieved from PingID's configuration page. + type: string + usernameFormat: + description: A template string for mapping Identity names to MFA + methods. + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. 
- See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -267,7 +302,9 @@ spec: type: object x-kubernetes-validations: - message: settingsFileBase64 is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.settingsFileBase64) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.settingsFileBase64) + || has(self.initProvider.settingsFileBase64)' status: description: MfaPingidStatus defines the observed state of MfaPingid. properties: diff --git a/package/crds/identity.vault.upbound.io_mfatotps.yaml b/package/crds/identity.vault.upbound.io_mfatotps.yaml index 2e171804..27a90434 100644 
--- a/package/crds/identity.vault.upbound.io_mfatotps.yaml +++ b/package/crds/identity.vault.upbound.io_mfatotps.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: mfatotps.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: MfaTotp is the Schema for the MfaTotps API. + description: MfaTotp is the Schema for the MfaTotps API. Resource for configuring + the totp MFA method. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,52 +69,131 @@ spec: properties: algorithm: description: Specifies the hashing algorithm used to generate - the TOTP code. Options include SHA1, SHA256, SHA512. + the TOTP code. Options include SHA1, SHA256, SHA512. Specifies + the hashing algorithm used to generate the TOTP code. Options + include SHA1, SHA256, SHA512. type: string digits: description: The number of digits in the generated TOTP token. - This value can either be 6 or 8 + This value can either be 6 or 8 The number of digits in the + generated TOTP token. This value can either be 6 or 8 type: number issuer: - description: The name of the key's issuing organization. + description: The name of the key's issuing organization. The name + of the key's issuing organization. type: string keySize: description: Specifies the size in bytes of the generated key. + Specifies the size in bytes of the generated key. type: number maxValidationAttempts: description: The maximum number of consecutive failed validation + attempts allowed. The maximum number of consecutive failed validation attempts allowed. type: number namespace: - description: Target namespace. (requires Enterprise) + description: Target namespace. (requires Enterprise) Target namespace. + (requires Enterprise) type: string period: description: The length of time in seconds used to generate a - counter for the TOTP token calculation. + counter for the TOTP token calculation. The length of time in + seconds used to generate a counter for the TOTP token calculation. type: number qrSize: - description: The pixel size of the generated square QR code. + description: The pixel size of the generated square QR code. The + pixel size of the generated square QR code. type: number skew: description: The number of delay periods that are allowed when - validating a TOTP token. This value can either be 0 or 1. + validating a TOTP token. This value can either be 0 or 1. The + number of delay periods that are allowed when validating a TOTP + token. 
This value can either be 0 or 1. type: number type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + algorithm: + description: Specifies the hashing algorithm used to generate + the TOTP code. Options include SHA1, SHA256, SHA512. Specifies + the hashing algorithm used to generate the TOTP code. Options + include SHA1, SHA256, SHA512. + type: string + digits: + description: The number of digits in the generated TOTP token. + This value can either be 6 or 8 The number of digits in the + generated TOTP token. This value can either be 6 or 8 + type: number + issuer: + description: The name of the key's issuing organization. The name + of the key's issuing organization. + type: string + keySize: + description: Specifies the size in bytes of the generated key. + Specifies the size in bytes of the generated key. + type: number + maxValidationAttempts: + description: The maximum number of consecutive failed validation + attempts allowed. The maximum number of consecutive failed validation + attempts allowed. + type: number + namespace: + description: Target namespace. (requires Enterprise) Target namespace. 
+ (requires Enterprise) + type: string + period: + description: The length of time in seconds used to generate a + counter for the TOTP token calculation. The length of time in + seconds used to generate a counter for the TOTP token calculation. + type: number + qrSize: + description: The pixel size of the generated square QR code. The + pixel size of the generated square QR code. + type: number + skew: + description: The number of delay periods that are allowed when + validating a TOTP token. This value can either be 0 or 1. The + number of delay periods that are allowed when validating a TOTP + token. This value can either be 0 or 1. + type: number + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. 
See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -288,7 +367,9 @@ spec: type: object x-kubernetes-validations: - message: issuer is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.issuer) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.issuer) + || has(self.initProvider.issuer)' status: description: MfaTotpStatus defines the observed state of MfaTotp. properties: 
@@ -296,58 +377,69 @@ spec: properties: algorithm: description: Specifies the hashing algorithm used to generate - the TOTP code. Options include SHA1, SHA256, SHA512. + the TOTP code. Options include SHA1, SHA256, SHA512. Specifies + the hashing algorithm used to generate the TOTP code. Options + include SHA1, SHA256, SHA512. type: string digits: description: The number of digits in the generated TOTP token. - This value can either be 6 or 8 + This value can either be 6 or 8 The number of digits in the + generated TOTP token. This value can either be 6 or 8 type: number id: type: string issuer: - description: The name of the key's issuing organization. + description: The name of the key's issuing organization. The name + of the key's issuing organization. type: string keySize: description: Specifies the size in bytes of the generated key. + Specifies the size in bytes of the generated key. type: number maxValidationAttempts: description: The maximum number of consecutive failed validation + attempts allowed. The maximum number of consecutive failed validation attempts allowed. type: number methodId: - description: Method ID. + description: Method ID. Method ID. type: string mountAccessor: - description: Mount accessor. + description: Mount accessor. Mount accessor. type: string name: description: Method name. type: string namespace: - description: Target namespace. (requires Enterprise) + description: Target namespace. (requires Enterprise) Target namespace. + (requires Enterprise) type: string namespaceId: - description: Method's namespace ID. + description: Method's namespace ID. Method's namespace ID. type: string namespacePath: - description: Method's namespace path. + description: Method's namespace path. Method's namespace path. type: string period: description: The length of time in seconds used to generate a - counter for the TOTP token calculation. + counter for the TOTP token calculation. 
The length of time in + seconds used to generate a counter for the TOTP token calculation. type: number qrSize: - description: The pixel size of the generated square QR code. + description: The pixel size of the generated square QR code. The + pixel size of the generated square QR code. type: number skew: description: The number of delay periods that are allowed when - validating a TOTP token. This value can either be 0 or 1. + validating a TOTP token. This value can either be 0 or 1. The + number of delay periods that are allowed when validating a TOTP + token. This value can either be 0 or 1. type: number type: - description: MFA type. + description: MFA type. MFA type. type: string uuid: - description: Resource UUID. + description: Resource UUID. Resource UUID. type: string type: object conditions: diff --git a/package/crds/identity.vault.upbound.io_oidcassignments.yaml b/package/crds/identity.vault.upbound.io_oidcassignments.yaml index 1dc5bba2..924cd048 100644 --- a/package/crds/identity.vault.upbound.io_oidcassignments.yaml +++ b/package/crds/identity.vault.upbound.io_oidcassignments.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: oidcassignments.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -35,8 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: OidcAssignment is the Schema for the OidcAssignments API. + description: OidcAssignment is the Schema for the OidcAssignments API. Provision + OIDC Assignments in Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,37 +68,88 @@ spec: forProvider: properties: entityIds: - description: A list of Vault entity IDs. + description: A set of Vault entity IDs. A list of Vault entity + IDs. items: type: string type: array groupIds: - description: A list of Vault group IDs. + description: A set of Vault group IDs. A list of Vault group IDs. items: type: string type: array name: - description: The name of the assignment. + description: The name of the assignment. The name of the assignment. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + entityIds: + description: A set of Vault entity IDs. A list of Vault entity + IDs. + items: + type: string + type: array + groupIds: + description: A set of Vault group IDs. A list of Vault group IDs. + items: + type: string + type: array + name: + description: The name of the assignment. The name of the assignment. 
+ type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. 
See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -273,29 +323,36 @@ spec: type: object x-kubernetes-validations: - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' status: description: OidcAssignmentStatus defines the observed state of OidcAssignment. properties: atProvider: properties: entityIds: - description: A list of Vault entity IDs. + description: A set of Vault entity IDs. A list of Vault entity + IDs. items: type: string type: array groupIds: - description: A list of Vault group IDs. + description: A set of Vault group IDs. A list of Vault group IDs. items: type: string type: array id: type: string name: - description: The name of the assignment. + description: The name of the assignment. The name of the assignment. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string type: object conditions: 
diff --git a/package/crds/identity.vault.upbound.io_oidcclients.yaml b/package/crds/identity.vault.upbound.io_oidcclients.yaml index 24ac2a3c..c51d1003 100644 --- a/package/crds/identity.vault.upbound.io_oidcclients.yaml +++ b/package/crds/identity.vault.upbound.io_oidcclients.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: oidcclients.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: OidcClient is the Schema for the OidcClients API. + description: OidcClient is the Schema for the OidcClients API. Provision OIDC + Clients in Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,55 +69,141 @@ spec: properties: accessTokenTtl: description: The time-to-live for access tokens obtained by the - client. + client. The time-to-live for access tokens obtained by the client. type: number assignments: description: A list of assignment resources associated with the - client. + client. A list of assignment resources associated with the client. items: type: string type: array clientType: - description: The client type based on its ability to maintain - confidentiality of credentials.Defaults to 'confidential'. + description: 'The client type based on its ability to maintain + confidentiality of credentials. The following client types are + supported: confidential, public. Defaults to confidential. The + client type based on its ability to maintain confidentiality + of credentials.Defaults to ''confidential''.' type: string idTokenTtl: description: The time-to-live for ID tokens obtained by the client. The value should be less than the verification_ttl on the key. + The time-to-live for ID tokens obtained by the client. The value + should be less than the verification_ttl on the key. type: number key: description: A reference to a named key resource in Vault. This + cannot be modified after creation. If not provided, the default + key is used. A reference to a named key resource in Vault. This cannot be modified after creation. type: string name: - description: The name of the client. + description: The name of the client. The name of the client. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string redirectUris: description: Redirection URI values used by the client. 
One of these values must exactly match the redirect_uri parameter value - used in each authentication request. + used in each authentication request. Redirection URI values + used by the client. One of these values must exactly match the + redirect_uri parameter value used in each authentication request. items: type: string type: array type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + accessTokenTtl: + description: The time-to-live for access tokens obtained by the + client. The time-to-live for access tokens obtained by the client. + type: number + assignments: + description: A list of assignment resources associated with the + client. A list of assignment resources associated with the client. + items: + type: string + type: array + clientType: + description: 'The client type based on its ability to maintain + confidentiality of credentials. The following client types are + supported: confidential, public. Defaults to confidential. The + client type based on its ability to maintain confidentiality + of credentials.Defaults to ''confidential''.' + type: string + idTokenTtl: + description: The time-to-live for ID tokens obtained by the client. + The value should be less than the verification_ttl on the key. 
+ The time-to-live for ID tokens obtained by the client. The value + should be less than the verification_ttl on the key. + type: number + key: + description: A reference to a named key resource in Vault. This + cannot be modified after creation. If not provided, the default + key is used. A reference to a named key resource in Vault. This + cannot be modified after creation. + type: string + name: + description: The name of the client. The name of the client. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + redirectUris: + description: Redirection URI values used by the client. One of + these values must exactly match the redirect_uri parameter value + used in each authentication request. Redirection URI values + used by the client. One of these values must exactly match the + redirect_uri parameter value used in each authentication request. + items: + type: string + type: array + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. 
- See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -291,7 +377,9 @@ spec: type: object x-kubernetes-validations: - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' status: description: OidcClientStatus defines the observed state of OidcClient. properties: 
@@ -299,11 +387,11 @@ spec: properties: accessTokenTtl: description: The time-to-live for access tokens obtained by the - client. + client. The time-to-live for access tokens obtained by the client. type: number assignments: description: A list of assignment resources associated with the - client. + client. A list of assignment resources associated with the client. items: type: string type: array 
@@ -311,29 +399,42 @@ spec: description: The Client ID from Vault. type: string clientType: - description: The client type based on its ability to maintain - confidentiality of credentials.Defaults to 'confidential'. + description: 'The client type based on its ability to maintain + confidentiality of credentials. The following client types are + supported: confidential, public. Defaults to confidential. The + client type based on its ability to maintain confidentiality + of credentials.Defaults to ''confidential''.' type: string id: type: string idTokenTtl: description: The time-to-live for ID tokens obtained by the client. The value should be less than the verification_ttl on the key. + The time-to-live for ID tokens obtained by the client. The value + should be less than the verification_ttl on the key. type: number key: description: A reference to a named key resource in Vault. This + cannot be modified after creation. If not provided, the default + key is used. A reference to a named key resource in Vault. This cannot be modified after creation. type: string name: - description: The name of the client. + description: The name of the client. The name of the client. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string redirectUris: description: Redirection URI values used by the client. One of these values must exactly match the redirect_uri parameter value - used in each authentication request. + used in each authentication request. Redirection URI values + used by the client. One of these values must exactly match the + redirect_uri parameter value used in each authentication request. items: type: string type: array 
diff --git a/package/crds/identity.vault.upbound.io_oidckeyallowedclientids.yaml b/package/crds/identity.vault.upbound.io_oidckeyallowedclientids.yaml index b950d567..12ba82e4 100644 --- a/package/crds/identity.vault.upbound.io_oidckeyallowedclientids.yaml +++ b/package/crds/identity.vault.upbound.io_oidckeyallowedclientids.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: oidckeyallowedclientids.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: OidcKeyAllowedClientID is the Schema for the OidcKeyAllowedClientIDs - API. + API. Allows an Identity OIDC Role to use an OIDC Named key. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,30 +68,76 @@ spec: forProvider: properties: allowedClientId: - description: Role Client ID allowed to use the key for signing. + description: Client ID to allow usage with the OIDC named key + Role Client ID allowed to use the key for signing. type: string keyName: - description: Name of the key. + description: Name of the OIDC Key allow the Client ID. Name of + the key. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + allowedClientId: + description: Client ID to allow usage with the OIDC named key + Role Client ID allowed to use the key for signing. + type: string + keyName: + description: Name of the OIDC Key allow the Client ID. Name of + the key. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. 
The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. 
+ enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -266,9 +311,13 @@ spec: type: object x-kubernetes-validations: - message: allowedClientId is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.allowedClientId) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.allowedClientId) + || has(self.initProvider.allowedClientId)' - message: keyName is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.keyName) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.keyName) + || has(self.initProvider.keyName)' status: description: OidcKeyAllowedClientIDStatus defines the observed state of OidcKeyAllowedClientID. @@ -276,15 +325,21 @@ spec: atProvider: properties: allowedClientId: - description: Role Client ID allowed to use the key for signing. + description: Client ID to allow usage with the OIDC named key + Role Client ID allowed to use the key for signing. type: string id: type: string keyName: - description: Name of the key. + description: Name of the OIDC Key allow the Client ID. Name of + the key. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string type: object conditions: diff --git a/package/crds/identity.vault.upbound.io_oidckeys.yaml b/package/crds/identity.vault.upbound.io_oidckeys.yaml index c0029900..d425439f 100644 
--- a/package/crds/identity.vault.upbound.io_oidckeys.yaml +++ b/package/crds/identity.vault.upbound.io_oidckeys.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: oidckeys.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: OidcKey is the Schema for the OidcKeys API. + description: OidcKey is the Schema for the OidcKeys API. Creates an Identity + OIDC Named Key for Vault properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -70,46 +70,118 @@ spec: algorithm: description: 'Signing algorithm to use. Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, - ES512, EdDSA.' + ES512, EdDSA. Signing algorithm to use. Signing algorithm to + use. Allowed values are: RS256 (default), RS384, RS512, ES256, + ES384, ES512, EdDSA.' type: string allowedClientIds: - description: Array of role client ids allowed to use this key + description: ': Array of role client ID allowed to use this key + for signing. If empty, no roles are allowed. If ["*"], all roles + are allowed. Array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If "*", all roles - are allowed. + are allowed.' items: type: string type: array name: - description: Name of the key. + description: Name of the OIDC Key to create. Name of the key. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string rotationPeriod: description: How often to generate a new signing key in number + of seconds How often to generate a new signing key in number of seconds type: number verificationTtl: - description: Controls how long the public portion of a signing + description: '"Controls how long the public portion of a signing key will be available for verification after being rotated in - seconds. + seconds. Controls how long the public portion of a signing key + will be available for verification after being rotated in seconds.' type: number type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. 
+ It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + algorithm: + description: 'Signing algorithm to use. Signing algorithm to use. + Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, + ES512, EdDSA. Signing algorithm to use. Signing algorithm to + use. Allowed values are: RS256 (default), RS384, RS512, ES256, + ES384, ES512, EdDSA.' + type: string + allowedClientIds: + description: ': Array of role client ID allowed to use this key + for signing. If empty, no roles are allowed. If ["*"], all roles + are allowed. Array of role client ids allowed to use this key + for signing. If empty, no roles are allowed. If "*", all roles + are allowed.' + items: + type: string + type: array + name: + description: Name of the OIDC Key to create. Name of the key. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. 
(requires + Enterprise) + type: string + rotationPeriod: + description: How often to generate a new signing key in number + of seconds How often to generate a new signing key in number + of seconds + type: number + verificationTtl: + description: '"Controls how long the public portion of a signing + key will be available for verification after being rotated in + seconds. Controls how long the public portion of a signing key + will be available for verification after being rotated in seconds.' + type: number + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. 
See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -283,7 +355,9 @@ spec: type: object x-kubernetes-validations: - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' status: description: OidcKeyStatus defines the observed state of OidcKey. properties: 
@@ -292,31 +366,42 @@ spec: algorithm: description: 'Signing algorithm to use. Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, - ES512, EdDSA.' + ES512, EdDSA. Signing algorithm to use. Signing algorithm to + use. Allowed values are: RS256 (default), RS384, RS512, ES256, + ES384, ES512, EdDSA.' type: string allowedClientIds: - description: Array of role client ids allowed to use this key + description: ': Array of role client ID allowed to use this key + for signing. If empty, no roles are allowed. If ["*"], all roles + are allowed. Array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If "*", all roles - are allowed. + are allowed.' items: type: string type: array id: + description: The name of the created key. type: string name: - description: Name of the key. + description: Name of the OIDC Key to create. Name of the key. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string rotationPeriod: description: How often to generate a new signing key in number + of seconds How often to generate a new signing key in number of seconds type: number verificationTtl: - description: Controls how long the public portion of a signing + description: '"Controls how long the public portion of a signing key will be available for verification after being rotated in - seconds. + seconds. Controls how long the public portion of a signing key + will be available for verification after being rotated in seconds.' type: number type: object conditions: 
diff --git a/package/crds/identity.vault.upbound.io_oidcproviders.yaml b/package/crds/identity.vault.upbound.io_oidcproviders.yaml index f47df80e..7f6d2a00 100644 --- a/package/crds/identity.vault.upbound.io_oidcproviders.yaml +++ b/package/crds/identity.vault.upbound.io_oidcproviders.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: oidcproviders.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: OidcProvider is the Schema for the OidcProviders API. + description: OidcProvider is the Schema for the OidcProviders API. Provision + OIDC Providers in Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,43 +69,109 @@ spec: properties: allowedClientIds: description: The client IDs that are permitted to use the provider. - If empty, no clients are allowed. If "*", all clients are allowed. + If empty, no clients are allowed. If *, all clients are allowed. + The client IDs that are permitted to use the provider. If empty, + no clients are allowed. If "*", all clients are allowed. items: type: string type: array httpsEnabled: - description: Set to true if the issuer endpoint uses HTTPS. + description: Set to true if the issuer endpoint uses HTTPS. Set + to true if the issuer endpoint uses HTTPS. type: boolean issuerHost: description: The host for the issuer. Can be either host or host:port. + The host for the issuer. Can be either host or host:port. type: string name: - description: The name of the provider. + description: The name of the provider. The name of the provider. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string scopesSupported: description: The scopes available for requesting on the provider. + The scopes available for requesting on the provider. items: type: string type: array type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. 
The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + allowedClientIds: + description: The client IDs that are permitted to use the provider. + If empty, no clients are allowed. If *, all clients are allowed. + The client IDs that are permitted to use the provider. If empty, + no clients are allowed. If "*", all clients are allowed. + items: + type: string + type: array + httpsEnabled: + description: Set to true if the issuer endpoint uses HTTPS. Set + to true if the issuer endpoint uses HTTPS. + type: boolean + issuerHost: + description: The host for the issuer. Can be either host or host:port. + The host for the issuer. Can be either host or host:port. + type: string + name: + description: The name of the provider. The name of the provider. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + scopesSupported: + description: The scopes available for requesting on the provider. + The scopes available for requesting on the provider. + items: + type: string + type: array + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. 
Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -279,7 +345,9 @@ spec: type: object x-kubernetes-validations: - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' status: description: OidcProviderStatus defines the observed state of OidcProvider. properties: 
@@ -287,31 +355,43 @@ spec: properties: allowedClientIds: description: The client IDs that are permitted to use the provider. - If empty, no clients are allowed. If "*", all clients are allowed. + If empty, no clients are allowed. If *, all clients are allowed. + The client IDs that are permitted to use the provider. If empty, + no clients are allowed. If "*", all clients are allowed. items: type: string type: array httpsEnabled: - description: Set to true if the issuer endpoint uses HTTPS. + description: Set to true if the issuer endpoint uses HTTPS. Set + to true if the issuer endpoint uses HTTPS. type: boolean id: type: string issuer: - description: Specifies what will be used as the 'scheme://host:port' - component for the 'iss' claim of ID tokens.This value is computed - using the issuer_host and https_enabled fields. + description: Specifies what will be used as the scheme://host:port + component for the iss claim of ID tokens. This value is computed + using the issuer_host and https_enabled fields. Specifies what + will be used as the 'scheme://host:port' component for the 'iss' + claim of ID tokens.This value is computed using the issuer_host + and https_enabled fields. type: string issuerHost: description: The host for the issuer. Can be either host or host:port. + The host for the issuer. Can be either host or host:port. type: string name: - description: The name of the provider. + description: The name of the provider. The name of the provider. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string scopesSupported: description: The scopes available for requesting on the provider. + The scopes available for requesting on the provider. 
items: type: string type: array diff --git a/package/crds/identity.vault.upbound.io_oidcroles.yaml b/package/crds/identity.vault.upbound.io_oidcroles.yaml index 221c4eae..ba643f34 100644 --- a/package/crds/identity.vault.upbound.io_oidcroles.yaml +++ b/package/crds/identity.vault.upbound.io_oidcroles.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: oidcroles.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: OidcRole is the Schema for the OidcRoles API. + description: OidcRole is the Schema for the OidcRoles API. Creates an Identity + OIDC Role for Vault properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -68,42 +68,110 @@ spec: forProvider: properties: clientId: - description: The value that will be included in the `aud` field - of all the OIDC identity tokens issued by this role + description: The value that will be included in the aud field + of all the OIDC identity tokens issued by this role The value + that will be included in the `aud` field of all the OIDC identity + tokens issued by this role type: string key: - description: A configured named key, the key must already exist. + description: A configured named key, the key must already exist + before tokens can be issued. A configured named key, the key + must already exist. type: string name: - description: Name of the role. + description: Name of the OIDC Role to create. Name of the role. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string template: description: The template string to use for generating tokens. - This may be in string-ified JSON or base64 format. + This may be in string-ified JSON or base64 format. See the documentation + for the template format. The template string to use for generating + tokens. This may be in string-ified JSON or base64 format. type: string ttl: description: TTL of the tokens generated against the role in number - of seconds. + of seconds. TTL of the tokens generated against the role in + number of seconds. type: number type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. 
InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + clientId: + description: The value that will be included in the aud field + of all the OIDC identity tokens issued by this role The value + that will be included in the `aud` field of all the OIDC identity + tokens issued by this role + type: string + key: + description: A configured named key, the key must already exist + before tokens can be issued. A configured named key, the key + must already exist. + type: string + name: + description: Name of the OIDC Role to create. Name of the role. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + template: + description: The template string to use for generating tokens. + This may be in string-ified JSON or base64 format. See the documentation + for the template format. The template string to use for generating + tokens. This may be in string-ified JSON or base64 format. + type: string + ttl: + description: TTL of the tokens generated against the role in number + of seconds. TTL of the tokens generated against the role in + number of seconds. + type: number + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. 
It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -277,36 +345,52 @@ spec: type: object x-kubernetes-validations: - message: key is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.key) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.key) + || has(self.initProvider.key)' - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' status: description: OidcRoleStatus defines the observed state of OidcRole. properties: atProvider: properties: clientId: - description: The value that will be included in the `aud` field - of all the OIDC identity tokens issued by this role + description: The value that will be included in the aud field + of all the OIDC identity tokens issued by this role The value + that will be included in the `aud` field of all the OIDC identity + tokens issued by this role type: string id: + description: The name of the created role. type: string key: - description: A configured named key, the key must already exist. + description: A configured named key, the key must already exist + before tokens can be issued. A configured named key, the key + must already exist. type: string name: - description: Name of the role. + description: Name of the OIDC Role to create. Name of the role. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. 
(requires + Enterprise) type: string template: description: The template string to use for generating tokens. - This may be in string-ified JSON or base64 format. + This may be in string-ified JSON or base64 format. See the documentation + for the template format. The template string to use for generating + tokens. This may be in string-ified JSON or base64 format. type: string ttl: description: TTL of the tokens generated against the role in number - of seconds. + of seconds. TTL of the tokens generated against the role in + number of seconds. type: number type: object conditions: diff --git a/package/crds/identity.vault.upbound.io_oidcs.yaml b/package/crds/identity.vault.upbound.io_oidcs.yaml index 2a76bc0c..5f04d9b3 100644 --- a/package/crds/identity.vault.upbound.io_oidcs.yaml +++ b/package/crds/identity.vault.upbound.io_oidcs.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: oidcs.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: Oidc is the Schema for the Oidcs API. + description: Oidc is the Schema for the Oidcs API. Configure the Identity + Tokens Backend for Vault properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -72,27 +72,78 @@ spec: If not set, Vault's api_addr will be used. The issuer is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components, but no query - or fragment components. + or fragment components. Issuer URL to be used in the iss claim + of the token. If not set, Vault's api_addr will be used. The + issuer is a case sensitive URL using the https scheme that contains + scheme, host, and optionally, port number and path components, + but no query or fragment components. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + issuer: + description: Issuer URL to be used in the iss claim of the token. + If not set, Vault's api_addr will be used. 
The issuer is a case + sensitive URL using the https scheme that contains scheme, host, + and optionally, port number and path components, but no query + or fragment components. Issuer URL to be used in the iss claim + of the token. If not set, Vault's api_addr will be used. The + issuer is a case sensitive URL using the https scheme that contains + scheme, host, and optionally, port number and path components, + but no query or fragment components. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. 
If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -276,10 +327,18 @@ spec: If not set, Vault's api_addr will be used. The issuer is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components, but no query - or fragment components. + or fragment components. Issuer URL to be used in the iss claim + of the token. If not set, Vault's api_addr will be used. The + issuer is a case sensitive URL using the https scheme that contains + scheme, host, and optionally, port number and path components, + but no query or fragment components. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string type: object conditions: diff --git a/package/crds/identity.vault.upbound.io_oidcscopes.yaml b/package/crds/identity.vault.upbound.io_oidcscopes.yaml index e72ba076..9e4e9b57 100644 --- a/package/crds/identity.vault.upbound.io_oidcscopes.yaml +++ b/package/crds/identity.vault.upbound.io_oidcscopes.yaml 
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: oidcscopes.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: OidcScope is the Schema for the OidcScopes API. + description: OidcScope is the Schema for the OidcScopes API. Provision OIDC + Scopes in Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -68,34 +68,86 @@ spec: forProvider: properties: description: - description: The scope's description. + description: A description of the scope. The scope's description. type: string name: description: The name of the scope. The openid scope name is reserved. + The name of the scope. The openid scope name is reserved. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string template: description: The template string for the scope. This may be provided - as escaped JSON or base64 encoded JSON. + as escaped JSON or base64 encoded JSON. The template string + for the scope. This may be provided as escaped JSON or base64 + encoded JSON. type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + description: + description: A description of the scope. The scope's description. + type: string + name: + description: The name of the scope. The openid scope name is reserved. + The name of the scope. 
The openid scope name is reserved. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + template: + description: The template string for the scope. This may be provided + as escaped JSON or base64 encoded JSON. The template string + for the scope. This may be provided as escaped JSON or base64 + encoded JSON. + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. 
See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -269,26 +321,35 @@ spec: type: object x-kubernetes-validations: - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' status: description: OidcScopeStatus defines the observed state of OidcScope. properties: atProvider: properties: description: - description: The scope's description. + description: A description of the scope. The scope's description. type: string id: type: string name: description: The name of the scope. The openid scope name is reserved. + The name of the scope. The openid scope name is reserved. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string template: description: The template string for the scope. This may be provided - as escaped JSON or base64 encoded JSON. + as escaped JSON or base64 encoded JSON. The template string + for the scope. This may be provided as escaped JSON or base64 + encoded JSON. type: string type: object conditions: diff --git a/package/crds/jwt.vault.upbound.io_authbackendroles.yaml b/package/crds/jwt.vault.upbound.io_authbackendroles.yaml index 7540ce0f..9b74d214 100644 --- a/package/crds/jwt.vault.upbound.io_authbackendroles.yaml +++ b/package/crds/jwt.vault.upbound.io_authbackendroles.yaml 
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: authbackendroles.jwt.vault.upbound.io spec: group: jwt.vault.upbound.io @@ -35,8 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: AuthBackendRole is the Schema for the AuthBackendRoles API. + description: AuthBackendRole is the Schema for the AuthBackendRoles API. Manages + JWT/OIDC auth backend roles in Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -70,41 +69,267 @@ spec: properties: allowedRedirectUris: description: The list of allowed values for redirect_uri during - OIDC logins. + OIDC logins. Required for OIDC roles The list of allowed values + for redirect_uri during OIDC logins. items: type: string type: array backend: - description: Unique name of the auth backend to configure. + description: The unique name of the auth backend to configure. + Defaults to jwt. Unique name of the auth backend to configure. type: string boundAudiences: - description: List of aud claims to match against. Any match is - sufficient. + description: (For "jwt" roles, at least one of bound_audiences, + bound_subject, bound_claims or token_bound_cidrs is required. + Optional for "oidc" roles.) List of aud claims to match against. + Any match is sufficient. List of aud claims to match against. + Any match is sufficient. items: type: string type: array boundClaims: additionalProperties: type: string - description: Map of claims/values to match against. The expected - value may be a single string or a comma-separated string list. + description: If set, a map of claims to values to match against. + A claim's value must be a string, which may contain one value + or multiple comma-separated values, e.g. "red" or "red,green,blue". + Map of claims/values to match against. The expected value may + be a single string or a comma-separated string list. type: object boundClaimsType: - description: 'How to interpret values in the claims/values map: - can be either "string" (exact match) or "glob" (wildcard match).' + description: 'How to interpret values in the claims/values map + (bound_claims): can be either string (exact match) or glob (wildcard + match). Requires Vault 1.4.0 or above. How to interpret values + in the claims/values map: can be either "string" (exact match) + or "glob" (wildcard match).' type: string boundSubject: description: If set, requires that the sub claim matches this - value. + value. 
If set, requires that the sub claim matches this value. type: string claimMappings: additionalProperties: type: string - description: Map of claims (keys) to be copied to specified metadata - fields (values). + description: If set, a map of claims (keys) to be copied to specified + metadata fields (values). Map of claims (keys) to be copied + to specified metadata fields (values). type: object clockSkewLeeway: description: The amount of leeway to add to all claims to account + for clock skew, in seconds. Defaults to 60 seconds if set to + 0 and can be disabled if set to -1. Only applicable with "jwt" + roles. The amount of leeway to add to all claims to account + for clock skew, in seconds. Defaults to 60 seconds if set to + 0 and can be disabled if set to -1. Only applicable with 'jwt' + roles. + type: number + disableBoundClaimsParsing: + description: Disable bound claim value parsing. Useful when values + contain commas. + type: boolean + expirationLeeway: + description: The amount of leeway to add to expiration (exp) claims + to account for clock skew, in seconds. Defaults to 60 seconds + if set to 0 and can be disabled if set to -1. Only applicable + with "jwt" roles. The amount of leeway to add to expiration + (exp) claims to account for clock skew, in seconds. Defaults + to 60 seconds if set to 0 and can be disabled if set to -1. + Only applicable with 'jwt' roles. + type: number + groupsClaim: + description: The claim to use to uniquely identify the set of + groups to which the user belongs; this will be used as the names + for the Identity group aliases created due to a successful login. + The claim value must be a list of strings. The claim to use + to uniquely identify the set of groups to which the user belongs; + this will be used as the names for the Identity group aliases + created due to a successful login. The claim value must be a + list of strings. 
+ type: string + maxAge: + description: Specifies the allowable elapsed time in seconds since + the last time the user was actively authenticated with the OIDC + provider. Specifies the allowable elapsed time in seconds since + the last time the user was actively authenticated. + type: number + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + notBeforeLeeway: + description: The amount of leeway to add to not before (nbf) claims + to account for clock skew, in seconds. Defaults to 60 seconds + if set to 0 and can be disabled if set to -1. Only applicable + with "jwt" roles. The amount of leeway to add to not before + (nbf) claims to account for clock skew, in seconds. Defaults + to 150 seconds if set to 0 and can be disabled if set to -1. + Only applicable with 'jwt' roles. + type: number + oidcScopes: + description: If set, a list of OIDC scopes to be used with an + OIDC role. The standard scope "openid" is automatically included + and need not be specified. List of OIDC scopes to be used with + an OIDC role. The standard scope "openid" is automatically included + and need not be specified. + items: + type: string + type: array + roleName: + description: The name of the role. Name of the role. + type: string + roleType: + description: Type of role, either "oidc" (default) or "jwt". Type + of role, either "oidc" (default) or "jwt" + type: string + tokenBoundCidrs: + description: List of CIDR blocks; if set, specifies blocks of + IP addresses which can authenticate successfully, and ties the + resulting token to these blocks as well. 
Specifies the blocks + of IP addresses which are allowed to use the generated token + items: + type: string + type: array + tokenExplicitMaxTtl: + description: If set, will encode an explicit max TTL onto the + token in number of seconds. This is a hard cap even if token_ttl + and token_max_ttl would otherwise allow a renewal. Generated + Token's Explicit Maximum TTL in seconds + type: number + tokenMaxTtl: + description: The maximum lifetime for generated tokens in number + of seconds. Its current value will be referenced at renewal + time. The maximum lifetime of the generated token + type: number + tokenNoDefaultPolicy: + description: If set, the default policy will not be set on generated + tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added + to generated tokens + type: boolean + tokenNumUses: + description: The maximum number of times a generated token may + be used (within its lifetime); 0 means unlimited. The maximum + number of times a token may be used, a value of zero means unlimited + type: number + tokenPeriod: + description: If set, indicates that the token generated using + this role should never expire. The token should be renewed within + the duration specified by this value. At each renewal, the token's + TTL will be set to the value of this field. Specified in seconds. + Generated Token's Period + type: number + tokenPolicies: + description: List of policies to encode onto generated tokens. + Depending on the auth method, this list may be supplemented + by user/group/other values. Generated Token's Policies + items: + type: string + type: array + tokenTtl: + description: The incremental lifetime for generated tokens in + number of seconds. Its current value will be referenced at renewal + time. The initial ttl of the token to generate in seconds + type: number + tokenType: + description: 'The type of token that should be generated. 
Can + be service, batch, or default to use the mount''s tuned default + (which unless changed will be service tokens). For token store + roles, there are two additional possibilities: default-service + and default-batch which specify the type to return unless the + client requests a different type at generation time. The type + of token to generate, service or batch' + type: string + userClaim: + description: The claim to use to uniquely identify the user; this + will be used as the name for the Identity entity alias created + due to a successful login. The claim to use to uniquely identify + the user; this will be used as the name for the Identity entity + alias created due to a successful login. + type: string + userClaimJsonPointer: + description: Specifies if the user_claim value uses JSON pointer + syntax for referencing claims. By default, the user_claim value + will not use JSON pointer. Requires Vault 1.11+. Specifies if + the user_claim value uses JSON pointer syntax for referencing + claims. By default, the user_claim value will not use JSON pointer. + type: boolean + verboseOidcLogging: + description: Log received OIDC tokens and claims when debug-level + logging is active. Not recommended in production since sensitive + information may be present in OIDC responses. Log received OIDC + tokens and claims when debug-level logging is active. Not recommended + in production since sensitive information may be present in + OIDC responses. + type: boolean + type: object + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. 
The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + allowedRedirectUris: + description: The list of allowed values for redirect_uri during + OIDC logins. Required for OIDC roles The list of allowed values + for redirect_uri during OIDC logins. + items: + type: string + type: array + backend: + description: The unique name of the auth backend to configure. + Defaults to jwt. Unique name of the auth backend to configure. + type: string + boundAudiences: + description: (For "jwt" roles, at least one of bound_audiences, + bound_subject, bound_claims or token_bound_cidrs is required. + Optional for "oidc" roles.) List of aud claims to match against. + Any match is sufficient. List of aud claims to match against. + Any match is sufficient. + items: + type: string + type: array + boundClaims: + additionalProperties: + type: string + description: If set, a map of claims to values to match against. + A claim's value must be a string, which may contain one value + or multiple comma-separated values, e.g. "red" or "red,green,blue". + Map of claims/values to match against. The expected value may + be a single string or a comma-separated string list. + type: object + boundClaimsType: + description: 'How to interpret values in the claims/values map + (bound_claims): can be either string (exact match) or glob (wildcard + match). Requires Vault 1.4.0 or above. How to interpret values + in the claims/values map: can be either "string" (exact match) + or "glob" (wildcard match).' + type: string + boundSubject: + description: If set, requires that the sub claim matches this + value. If set, requires that the sub claim matches this value. 
+ type: string + claimMappings: + additionalProperties: + type: string + description: If set, a map of claims (keys) to be copied to specified + metadata fields (values). Map of claims (keys) to be copied + to specified metadata fields (values). + type: object + clockSkewLeeway: + description: The amount of leeway to add to all claims to account + for clock skew, in seconds. Defaults to 60 seconds if set to + 0 and can be disabled if set to -1. Only applicable with "jwt" + roles. The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. 
@@ -117,105 +342,166 @@ spec: description: The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable - with 'jwt' roles. + with "jwt" roles. The amount of leeway to add to expiration + (exp) claims to account for clock skew, in seconds. Defaults + to 60 seconds if set to 0 and can be disabled if set to -1. + Only applicable with 'jwt' roles. type: number groupsClaim: description: The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. - The claim value must be a list of strings. + The claim value must be a list of strings. The claim to use + to uniquely identify the set of groups to which the user belongs; + this will be used as the names for the Identity group aliases + created due to a successful login. The claim value must be a + list of strings. type: string maxAge: description: Specifies the allowable elapsed time in seconds since + the last time the user was actively authenticated with the OIDC + provider. Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated. type: number namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string notBeforeLeeway: description: The amount of leeway to add to not before (nbf) claims - to account for clock skew, in seconds. Defaults to 150 seconds + to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable - with 'jwt' roles. + with "jwt" roles. 
The amount of leeway to add to not before + (nbf) claims to account for clock skew, in seconds. Defaults + to 150 seconds if set to 0 and can be disabled if set to -1. + Only applicable with 'jwt' roles. type: number oidcScopes: - description: List of OIDC scopes to be used with an OIDC role. - The standard scope "openid" is automatically included and need - not be specified. + description: If set, a list of OIDC scopes to be used with an + OIDC role. The standard scope "openid" is automatically included + and need not be specified. List of OIDC scopes to be used with + an OIDC role. The standard scope "openid" is automatically included + and need not be specified. items: type: string type: array roleName: - description: Name of the role. + description: The name of the role. Name of the role. type: string roleType: - description: Type of role, either "oidc" (default) or "jwt" + description: Type of role, either "oidc" (default) or "jwt". Type + of role, either "oidc" (default) or "jwt" type: string tokenBoundCidrs: - description: Specifies the blocks of IP addresses which are allowed - to use the generated token + description: List of CIDR blocks; if set, specifies blocks of + IP addresses which can authenticate successfully, and ties the + resulting token to these blocks as well. Specifies the blocks + of IP addresses which are allowed to use the generated token items: type: string type: array tokenExplicitMaxTtl: - description: Generated Token's Explicit Maximum TTL in seconds + description: If set, will encode an explicit max TTL onto the + token in number of seconds. This is a hard cap even if token_ttl + and token_max_ttl would otherwise allow a renewal. Generated + Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime of the generated token + description: The maximum lifetime for generated tokens in number + of seconds. Its current value will be referenced at renewal + time. 
The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If true, the 'default' policy will not automatically - be added to generated tokens + description: If set, the default policy will not be set on generated + tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added + to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a token may be used, - a value of zero means unlimited + description: The maximum number of times a generated token may + be used (within its lifetime); 0 means unlimited. The maximum + number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: Generated Token's Period + description: If set, indicates that the token generated using + this role should never expire. The token should be renewed within + the duration specified by this value. At each renewal, the token's + TTL will be set to the value of this field. Specified in seconds. + Generated Token's Period type: number tokenPolicies: - description: Generated Token's Policies + description: List of policies to encode onto generated tokens. + Depending on the auth method, this list may be supplemented + by user/group/other values. Generated Token's Policies items: type: string type: array tokenTtl: - description: The initial ttl of the token to generate in seconds + description: The incremental lifetime for generated tokens in + number of seconds. Its current value will be referenced at renewal + time. The initial ttl of the token to generate in seconds type: number tokenType: - description: The type of token to generate, service or batch + description: 'The type of token that should be generated. Can + be service, batch, or default to use the mount''s tuned default + (which unless changed will be service tokens). 
For token store + roles, there are two additional possibilities: default-service + and default-batch which specify the type to return unless the + client requests a different type at generation time. The type + of token to generate, service or batch' type: string userClaim: description: The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created - due to a successful login. + due to a successful login. The claim to use to uniquely identify + the user; this will be used as the name for the Identity entity + alias created due to a successful login. type: string userClaimJsonPointer: description: Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value - will not use JSON pointer. + will not use JSON pointer. Requires Vault 1.11+. Specifies if + the user_claim value uses JSON pointer syntax for referencing + claims. By default, the user_claim value will not use JSON pointer. type: boolean verboseOidcLogging: description: Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive - information may be present in OIDC responses. + information may be present in OIDC responses. Log received OIDC + tokens and claims when debug-level logging is active. Not recommended + in production since sensitive information may be present in + OIDC responses. type: boolean type: object - managementPolicy: - default: FullControl + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. 
Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -389,9 +675,13 @@ spec: type: object x-kubernetes-validations: - message: roleName is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.roleName) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.roleName) + || has(self.initProvider.roleName)' - message: userClaim is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.userClaim) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.userClaim) + || has(self.initProvider.userClaim)' status: description: AuthBackendRoleStatus defines the observed state of AuthBackendRole. properties: 
@@ -399,41 +689,56 @@ spec: properties: allowedRedirectUris: description: The list of allowed values for redirect_uri during - OIDC logins. + OIDC logins. Required for OIDC roles The list of allowed values + for redirect_uri during OIDC logins. items: type: string type: array backend: - description: Unique name of the auth backend to configure. + description: The unique name of the auth backend to configure. + Defaults to jwt. Unique name of the auth backend to configure. type: string boundAudiences: - description: List of aud claims to match against. Any match is - sufficient. + description: (For "jwt" roles, at least one of bound_audiences, + bound_subject, bound_claims or token_bound_cidrs is required. + Optional for "oidc" roles.) List of aud claims to match against. + Any match is sufficient. List of aud claims to match against. + Any match is sufficient. items: type: string type: array boundClaims: additionalProperties: type: string - description: Map of claims/values to match against. The expected - value may be a single string or a comma-separated string list. + description: If set, a map of claims to values to match against. + A claim's value must be a string, which may contain one value + or multiple comma-separated values, e.g. "red" or "red,green,blue". + Map of claims/values to match against. The expected value may + be a single string or a comma-separated string list. type: object boundClaimsType: - description: 'How to interpret values in the claims/values map: - can be either "string" (exact match) or "glob" (wildcard match).' + description: 'How to interpret values in the claims/values map + (bound_claims): can be either string (exact match) or glob (wildcard + match). Requires Vault 1.4.0 or above. How to interpret values + in the claims/values map: can be either "string" (exact match) + or "glob" (wildcard match).' type: string boundSubject: description: If set, requires that the sub claim matches this - value. + value. 
If set, requires that the sub claim matches this value. type: string claimMappings: additionalProperties: type: string - description: Map of claims (keys) to be copied to specified metadata - fields (values). + description: If set, a map of claims (keys) to be copied to specified + metadata fields (values). Map of claims (keys) to be copied + to specified metadata fields (values). type: object clockSkewLeeway: description: The amount of leeway to add to all claims to account + for clock skew, in seconds. Defaults to 60 seconds if set to + 0 and can be disabled if set to -1. Only applicable with "jwt" + roles. The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. 
@@ -446,90 +751,140 @@ spec: description: The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable - with 'jwt' roles. + with "jwt" roles. The amount of leeway to add to expiration + (exp) claims to account for clock skew, in seconds. Defaults + to 60 seconds if set to 0 and can be disabled if set to -1. + Only applicable with 'jwt' roles. type: number groupsClaim: description: The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. - The claim value must be a list of strings. + The claim value must be a list of strings. The claim to use + to uniquely identify the set of groups to which the user belongs; + this will be used as the names for the Identity group aliases + created due to a successful login. The claim value must be a + list of strings. type: string id: type: string maxAge: description: Specifies the allowable elapsed time in seconds since + the last time the user was actively authenticated with the OIDC + provider. Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated. type: number namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string notBeforeLeeway: description: The amount of leeway to add to not before (nbf) claims - to account for clock skew, in seconds. Defaults to 150 seconds + to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable - with 'jwt' roles. + with "jwt" roles. 
The amount of leeway to add to not before + (nbf) claims to account for clock skew, in seconds. Defaults + to 150 seconds if set to 0 and can be disabled if set to -1. + Only applicable with 'jwt' roles. type: number oidcScopes: - description: List of OIDC scopes to be used with an OIDC role. - The standard scope "openid" is automatically included and need - not be specified. + description: If set, a list of OIDC scopes to be used with an + OIDC role. The standard scope "openid" is automatically included + and need not be specified. List of OIDC scopes to be used with + an OIDC role. The standard scope "openid" is automatically included + and need not be specified. items: type: string type: array roleName: - description: Name of the role. + description: The name of the role. Name of the role. type: string roleType: - description: Type of role, either "oidc" (default) or "jwt" + description: Type of role, either "oidc" (default) or "jwt". Type + of role, either "oidc" (default) or "jwt" type: string tokenBoundCidrs: - description: Specifies the blocks of IP addresses which are allowed - to use the generated token + description: List of CIDR blocks; if set, specifies blocks of + IP addresses which can authenticate successfully, and ties the + resulting token to these blocks as well. Specifies the blocks + of IP addresses which are allowed to use the generated token items: type: string type: array tokenExplicitMaxTtl: - description: Generated Token's Explicit Maximum TTL in seconds + description: If set, will encode an explicit max TTL onto the + token in number of seconds. This is a hard cap even if token_ttl + and token_max_ttl would otherwise allow a renewal. Generated + Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime of the generated token + description: The maximum lifetime for generated tokens in number + of seconds. Its current value will be referenced at renewal + time. 
The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If true, the 'default' policy will not automatically - be added to generated tokens + description: If set, the default policy will not be set on generated + tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added + to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a token may be used, - a value of zero means unlimited + description: The maximum number of times a generated token may + be used (within its lifetime); 0 means unlimited. The maximum + number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: Generated Token's Period + description: If set, indicates that the token generated using + this role should never expire. The token should be renewed within + the duration specified by this value. At each renewal, the token's + TTL will be set to the value of this field. Specified in seconds. + Generated Token's Period type: number tokenPolicies: - description: Generated Token's Policies + description: List of policies to encode onto generated tokens. + Depending on the auth method, this list may be supplemented + by user/group/other values. Generated Token's Policies items: type: string type: array tokenTtl: - description: The initial ttl of the token to generate in seconds + description: The incremental lifetime for generated tokens in + number of seconds. Its current value will be referenced at renewal + time. The initial ttl of the token to generate in seconds type: number tokenType: - description: The type of token to generate, service or batch + description: 'The type of token that should be generated. Can + be service, batch, or default to use the mount''s tuned default + (which unless changed will be service tokens). 
For token store + roles, there are two additional possibilities: default-service + and default-batch which specify the type to return unless the + client requests a different type at generation time. The type + of token to generate, service or batch' type: string userClaim: description: The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created - due to a successful login. + due to a successful login. The claim to use to uniquely identify + the user; this will be used as the name for the Identity entity + alias created due to a successful login. type: string userClaimJsonPointer: description: Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value - will not use JSON pointer. + will not use JSON pointer. Requires Vault 1.11+. Specifies if + the user_claim value uses JSON pointer syntax for referencing + claims. By default, the user_claim value will not use JSON pointer. type: boolean verboseOidcLogging: description: Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive - information may be present in OIDC responses. + information may be present in OIDC responses. Log received OIDC + tokens and claims when debug-level logging is active. Not recommended + in production since sensitive information may be present in + OIDC responses. type: boolean type: object conditions: diff --git a/package/crds/jwt.vault.upbound.io_authbackends.yaml b/package/crds/jwt.vault.upbound.io_authbackends.yaml index 55ddf92e..79e0be53 100644 --- a/package/crds/jwt.vault.upbound.io_authbackends.yaml +++ b/package/crds/jwt.vault.upbound.io_authbackends.yaml 
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: authbackends.jwt.vault.upbound.io spec: group: jwt.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: AuthBackend is the Schema for the AuthBackends API. + description: AuthBackend is the Schema for the AuthBackends API. Managing + JWT/OIDC auth backends in Vault properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,44 +69,59 @@ spec: properties: boundIssuer: description: The value against which to match the iss claim in - a JWT + a JWT The value against which to match the iss claim in a JWT type: string defaultRole: description: The default role to use if none is provided during - login + login The default role to use if none is provided during login type: string description: - description: The description of the auth backend + description: The description of the auth backend The description + of the auth backend type: string disableRemount: description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. type: boolean jwksCaPem: description: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not - set, system certificates are used. + set, system certificates are used. The CA certificate or chain + of certificates, in PEM format, to use to validate connections + to the JWKS URL. If not set, system certificates are used. type: string jwksUrl: description: JWKS URL to use to authenticate signatures. Cannot - be used with 'oidc_discovery_url' or 'jwt_validation_pubkeys'. + be used with "oidc_discovery_url" or "jwt_validation_pubkeys". + JWKS URL to use to authenticate signatures. Cannot be used with + 'oidc_discovery_url' or 'jwt_validation_pubkeys'. type: string jwtSupportedAlgs: - description: A list of supported signing algorithms. Defaults - to [RS256] + description: A list of supported signing algorithms. Vault 1.1.0 + defaults to [RS256] but future or past versions of Vault may + differ A list of supported signing algorithms. Defaults to [RS256] items: type: string type: array jwtValidationPubkeys: description: A list of PEM-encoded public keys to use to authenticate - signatures locally. Cannot be used with 'jwks_url' or 'oidc_discovery_url'. + signatures locally. 
Cannot be used in combination with oidc_discovery_url + A list of PEM-encoded public keys to use to authenticate signatures + locally. Cannot be used with 'jwks_url' or 'oidc_discovery_url'. items: type: string type: array local: - description: Specifies if the auth method is local only + description: Specifies if the auth method is local only. Specifies + if the auth method is local only type: boolean namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string namespaceInState: description: Pass namespace in the OIDC state parameter instead @@ -115,13 +130,21 @@ spec: contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. - Defaults to true for new configs. + Defaults to true for new configs Pass namespace in the OIDC + state parameter instead of as a separate query parameter. With + this setting, the allowed redirect URL(s) in Vault and on the + provider side should not contain a namespace query parameter. + This means only one redirect URL entry needs to be maintained + on the OIDC provider side for all vault namespaces that will + be authenticating against it. Defaults to true for new configs. type: boolean oidcClientId: - description: Client ID used for OIDC + description: Client ID used for OIDC backends Client ID used for + OIDC type: string oidcClientSecretSecretRef: - description: Client Secret used for OIDC + description: Client Secret used for OIDC backends Client Secret + used for OIDC properties: key: description: The key to select. 
@@ -140,81 +163,315 @@ spec: oidcDiscoveryCaPem: description: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery - URL. If not set, system certificates are used + URL. If not set, system certificates are used The CA certificate + or chain of certificates, in PEM format, to use to validate + connections to the OIDC Discovery URL. If not set, system certificates + are used type: string oidcDiscoveryUrl: description: The OIDC Discovery URL, without any .well-known component - (base path). Cannot be used with 'jwks_url' or 'jwt_validation_pubkeys'. + (base path). Cannot be used in combination with jwt_validation_pubkeys + The OIDC Discovery URL, without any .well-known component (base + path). Cannot be used with 'jwks_url' or 'jwt_validation_pubkeys'. type: string oidcResponseMode: description: The response mode to be used in the OAuth2 request. - Allowed values are 'query' and 'form_post'. Defaults to 'query'. - If using Vault namespaces, and oidc_response_mode is 'form_post', - then 'namespace_in_state' should be set to false. + Allowed values are query and form_post. Defaults to query. If + using Vault namespaces, and oidc_response_mode is form_post, + then namespace_in_state should be set to false. The response + mode to be used in the OAuth2 request. Allowed values are 'query' + and 'form_post'. Defaults to 'query'. If using Vault namespaces, + and oidc_response_mode is 'form_post', then 'namespace_in_state' + should be set to false. type: string oidcResponseTypes: - description: 'The response types to request. Allowed values are - ''code'' and ''id_token''. Defaults to ''code''. Note: ''id_token'' - may only be used if ''oidc_response_mode'' is set to ''form_post''.' + description: 'List of response types to request. Allowed values + are ''code'' and ''id_token''. Defaults to ["code"]. Note: id_token + may only be used if oidc_response_mode is set to form_post. + The response types to request. 
Allowed values are ''code'' and + ''id_token''. Defaults to ''code''. Note: ''id_token'' may only + be used if ''oidc_response_mode'' is set to ''form_post''.' items: type: string type: array path: - description: path to mount the backend + description: Path to mount the JWT/OIDC auth backend path to mount + the backend type: string providerConfig: additionalProperties: type: string - description: Provider specific handling configuration + description: Provider specific handling configuration. All values + may be strings, and the provider will convert to the appropriate + type when configuring Vault. Provider specific handling configuration type: object tune: items: properties: allowedResponseHeaders: + description: List of headers to whitelist and allowing a + plugin to include them in the response. items: type: string type: array auditNonHmacRequestKeys: + description: Specifies the list of keys that will not be + HMAC'd by audit devices in the request data object. items: type: string type: array auditNonHmacResponseKeys: + description: Specifies the list of keys that will not be + HMAC'd by audit devices in the response data object. items: type: string type: array defaultLeaseTtl: + description: Specifies the default time-to-live. If set, + this overrides the global default. Must be a valid duration + string type: string listingVisibility: + description: Specifies whether to show this mount in the + UI-specific listing endpoint. Valid values are "unauth" + or "hidden". type: string maxLeaseTtl: + description: Specifies the maximum time-to-live. If set, + this overrides the global default. Must be a valid duration + string type: string passthroughRequestHeaders: + description: List of headers to whitelist and pass from + the request to the backend. items: type: string type: array tokenType: + description: Specifies the type of tokens that should be + returned by the mount. Valid values are "default-service", + "default-batch", "service", "batch". 
type: string type: object type: array type: - description: Type of backend. Can be either 'jwt' or 'oidc' + description: Type of auth backend. Should be one of jwt or oidc. + Default - jwt Type of backend. Can be either 'jwt' or 'oidc' type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + boundIssuer: + description: The value against which to match the iss claim in + a JWT The value against which to match the iss claim in a JWT + type: string + defaultRole: + description: The default role to use if none is provided during + login The default role to use if none is provided during login + type: string + description: + description: The description of the auth backend The description + of the auth backend + type: string + disableRemount: + description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. + type: boolean + jwksCaPem: + description: The CA certificate or chain of certificates, in PEM + format, to use to validate connections to the JWKS URL. If not + set, system certificates are used. The CA certificate or chain + of certificates, in PEM format, to use to validate connections + to the JWKS URL. 
If not set, system certificates are used. + type: string + jwksUrl: + description: JWKS URL to use to authenticate signatures. Cannot + be used with "oidc_discovery_url" or "jwt_validation_pubkeys". + JWKS URL to use to authenticate signatures. Cannot be used with + 'oidc_discovery_url' or 'jwt_validation_pubkeys'. + type: string + jwtSupportedAlgs: + description: A list of supported signing algorithms. Vault 1.1.0 + defaults to [RS256] but future or past versions of Vault may + differ A list of supported signing algorithms. Defaults to [RS256] + items: + type: string + type: array + jwtValidationPubkeys: + description: A list of PEM-encoded public keys to use to authenticate + signatures locally. Cannot be used in combination with oidc_discovery_url + A list of PEM-encoded public keys to use to authenticate signatures + locally. Cannot be used with 'jwks_url' or 'oidc_discovery_url'. + items: + type: string + type: array + local: + description: Specifies if the auth method is local only. Specifies + if the auth method is local only + type: boolean + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + namespaceInState: + description: Pass namespace in the OIDC state parameter instead + of as a separate query parameter. With this setting, the allowed + redirect URL(s) in Vault and on the provider side should not + contain a namespace query parameter. This means only one redirect + URL entry needs to be maintained on the OIDC provider side for + all vault namespaces that will be authenticating against it. + Defaults to true for new configs Pass namespace in the OIDC + state parameter instead of as a separate query parameter. 
With + this setting, the allowed redirect URL(s) in Vault and on the + provider side should not contain a namespace query parameter. + This means only one redirect URL entry needs to be maintained + on the OIDC provider side for all vault namespaces that will + be authenticating against it. Defaults to true for new configs. + type: boolean + oidcClientId: + description: Client ID used for OIDC backends Client ID used for + OIDC + type: string + oidcDiscoveryCaPem: + description: The CA certificate or chain of certificates, in PEM + format, to use to validate connections to the OIDC Discovery + URL. If not set, system certificates are used The CA certificate + or chain of certificates, in PEM format, to use to validate + connections to the OIDC Discovery URL. If not set, system certificates + are used + type: string + oidcDiscoveryUrl: + description: The OIDC Discovery URL, without any .well-known component + (base path). Cannot be used in combination with jwt_validation_pubkeys + The OIDC Discovery URL, without any .well-known component (base + path). Cannot be used with 'jwks_url' or 'jwt_validation_pubkeys'. + type: string + oidcResponseMode: + description: The response mode to be used in the OAuth2 request. + Allowed values are query and form_post. Defaults to query. If + using Vault namespaces, and oidc_response_mode is form_post, + then namespace_in_state should be set to false. The response + mode to be used in the OAuth2 request. Allowed values are 'query' + and 'form_post'. Defaults to 'query'. If using Vault namespaces, + and oidc_response_mode is 'form_post', then 'namespace_in_state' + should be set to false. + type: string + oidcResponseTypes: + description: 'List of response types to request. Allowed values + are ''code'' and ''id_token''. Defaults to ["code"]. Note: id_token + may only be used if oidc_response_mode is set to form_post. + The response types to request. Allowed values are ''code'' and + ''id_token''. Defaults to ''code''. 
Note: ''id_token'' may only + be used if ''oidc_response_mode'' is set to ''form_post''.' + items: + type: string + type: array + path: + description: Path to mount the JWT/OIDC auth backend path to mount + the backend + type: string + providerConfig: + additionalProperties: + type: string + description: Provider specific handling configuration. All values + may be strings, and the provider will convert to the appropriate + type when configuring Vault. Provider specific handling configuration + type: object + tune: + items: + properties: + allowedResponseHeaders: + description: List of headers to whitelist and allowing a + plugin to include them in the response. + items: + type: string + type: array + auditNonHmacRequestKeys: + description: Specifies the list of keys that will not be + HMAC'd by audit devices in the request data object. + items: + type: string + type: array + auditNonHmacResponseKeys: + description: Specifies the list of keys that will not be + HMAC'd by audit devices in the response data object. + items: + type: string + type: array + defaultLeaseTtl: + description: Specifies the default time-to-live. If set, + this overrides the global default. Must be a valid duration + string + type: string + listingVisibility: + description: Specifies whether to show this mount in the + UI-specific listing endpoint. Valid values are "unauth" + or "hidden". + type: string + maxLeaseTtl: + description: Specifies the maximum time-to-live. If set, + this overrides the global default. Must be a valid duration + string + type: string + passthroughRequestHeaders: + description: List of headers to whitelist and pass from + the request to the backend. + items: + type: string + type: array + tokenType: + description: Specifies the type of tokens that should be + returned by the mount. Valid values are "default-service", + "default-batch", "service", "batch". + type: string + type: object + type: array + type: + description: Type of auth backend. 
Should be one of jwt or oidc. + Default - jwt Type of backend. Can be either 'jwt' or 'oidc' + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -392,50 +649,66 @@ spec: atProvider: properties: accessor: - description: The accessor of the JWT auth backend + description: The accessor for this auth method The accessor of + the JWT auth backend type: string boundIssuer: description: The value against which to match the iss claim in - a JWT + a JWT The value against which to match the iss claim in a JWT type: string defaultRole: description: The default role to use if none is provided during - login + login The default role to use if none is provided during login type: string description: - description: The description of the auth backend + description: The description of the auth backend The description + of the auth backend type: string disableRemount: description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. type: boolean id: type: string jwksCaPem: description: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not - set, system certificates are used. + set, system certificates are used. The CA certificate or chain + of certificates, in PEM format, to use to validate connections + to the JWKS URL. If not set, system certificates are used. type: string jwksUrl: description: JWKS URL to use to authenticate signatures. Cannot - be used with 'oidc_discovery_url' or 'jwt_validation_pubkeys'. + be used with "oidc_discovery_url" or "jwt_validation_pubkeys". + JWKS URL to use to authenticate signatures. Cannot be used with + 'oidc_discovery_url' or 'jwt_validation_pubkeys'. type: string jwtSupportedAlgs: - description: A list of supported signing algorithms. Defaults - to [RS256] + description: A list of supported signing algorithms. Vault 1.1.0 + defaults to [RS256] but future or past versions of Vault may + differ A list of supported signing algorithms. 
Defaults to [RS256] items: type: string type: array jwtValidationPubkeys: description: A list of PEM-encoded public keys to use to authenticate - signatures locally. Cannot be used with 'jwks_url' or 'oidc_discovery_url'. + signatures locally. Cannot be used in combination with oidc_discovery_url + A list of PEM-encoded public keys to use to authenticate signatures + locally. Cannot be used with 'jwks_url' or 'oidc_discovery_url'. items: type: string type: array local: - description: Specifies if the auth method is local only + description: Specifies if the auth method is local only. Specifies + if the auth method is local only type: boolean namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string namespaceInState: description: Pass namespace in the OIDC state parameter instead 
@@ -444,72 +717,115 @@ spec: contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. - Defaults to true for new configs. + Defaults to true for new configs Pass namespace in the OIDC + state parameter instead of as a separate query parameter. With + this setting, the allowed redirect URL(s) in Vault and on the + provider side should not contain a namespace query parameter. + This means only one redirect URL entry needs to be maintained + on the OIDC provider side for all vault namespaces that will + be authenticating against it. Defaults to true for new configs. type: boolean oidcClientId: - description: Client ID used for OIDC + description: Client ID used for OIDC backends Client ID used for + OIDC type: string oidcDiscoveryCaPem: description: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery - URL. If not set, system certificates are used + URL. If not set, system certificates are used The CA certificate + or chain of certificates, in PEM format, to use to validate + connections to the OIDC Discovery URL. If not set, system certificates + are used type: string oidcDiscoveryUrl: description: The OIDC Discovery URL, without any .well-known component - (base path). Cannot be used with 'jwks_url' or 'jwt_validation_pubkeys'. + (base path). Cannot be used in combination with jwt_validation_pubkeys + The OIDC Discovery URL, without any .well-known component (base + path). Cannot be used with 'jwks_url' or 'jwt_validation_pubkeys'. type: string oidcResponseMode: description: The response mode to be used in the OAuth2 request. - Allowed values are 'query' and 'form_post'. Defaults to 'query'. - If using Vault namespaces, and oidc_response_mode is 'form_post', - then 'namespace_in_state' should be set to false. + Allowed values are query and form_post. Defaults to query. 
If + using Vault namespaces, and oidc_response_mode is form_post, + then namespace_in_state should be set to false. The response + mode to be used in the OAuth2 request. Allowed values are 'query' + and 'form_post'. Defaults to 'query'. If using Vault namespaces, + and oidc_response_mode is 'form_post', then 'namespace_in_state' + should be set to false. type: string oidcResponseTypes: - description: 'The response types to request. Allowed values are - ''code'' and ''id_token''. Defaults to ''code''. Note: ''id_token'' - may only be used if ''oidc_response_mode'' is set to ''form_post''.' + description: 'List of response types to request. Allowed values + are ''code'' and ''id_token''. Defaults to ["code"]. Note: id_token + may only be used if oidc_response_mode is set to form_post. + The response types to request. Allowed values are ''code'' and + ''id_token''. Defaults to ''code''. Note: ''id_token'' may only + be used if ''oidc_response_mode'' is set to ''form_post''.' items: type: string type: array path: - description: path to mount the backend + description: Path to mount the JWT/OIDC auth backend path to mount + the backend type: string providerConfig: additionalProperties: type: string - description: Provider specific handling configuration + description: Provider specific handling configuration. All values + may be strings, and the provider will convert to the appropriate + type when configuring Vault. Provider specific handling configuration type: object tune: items: properties: allowedResponseHeaders: + description: List of headers to whitelist and allowing a + plugin to include them in the response. items: type: string type: array auditNonHmacRequestKeys: + description: Specifies the list of keys that will not be + HMAC'd by audit devices in the request data object. items: type: string type: array auditNonHmacResponseKeys: + description: Specifies the list of keys that will not be + HMAC'd by audit devices in the response data object. 
items: type: string type: array defaultLeaseTtl: + description: Specifies the default time-to-live. If set, + this overrides the global default. Must be a valid duration + string type: string listingVisibility: + description: Specifies whether to show this mount in the + UI-specific listing endpoint. Valid values are "unauth" + or "hidden". type: string maxLeaseTtl: + description: Specifies the maximum time-to-live. If set, + this overrides the global default. Must be a valid duration + string type: string passthroughRequestHeaders: + description: List of headers to whitelist and pass from + the request to the backend. items: type: string type: array tokenType: + description: Specifies the type of tokens that should be + returned by the mount. Valid values are "default-service", + "default-batch", "service", "batch". type: string type: object type: array type: - description: Type of backend. Can be either 'jwt' or 'oidc' + description: Type of auth backend. Should be one of jwt or oidc. + Default - jwt Type of backend. Can be either 'jwt' or 'oidc' type: string type: object conditions: diff --git a/package/crds/kmip.vault.upbound.io_secretbackends.yaml b/package/crds/kmip.vault.upbound.io_secretbackends.yaml index 344fab6e..70019e7b 100644 --- a/package/crds/kmip.vault.upbound.io_secretbackends.yaml +++ b/package/crds/kmip.vault.upbound.io_secretbackends.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackends.kmip.vault.upbound.io spec: group: kmip.vault.upbound.io 
@@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: SecretBackend is the Schema for the SecretBackends API. + description: SecretBackend is the Schema for the SecretBackends API. Provision + KMIP Secret backends in Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,69 +69,175 @@ spec: properties: defaultTlsClientKeyBits: description: Client certificate key bits, valid values depend + on key type. Client certificate key bits, valid values depend on key type type: number defaultTlsClientKeyType: - description: Client certificate key type, rsa or ec + description: Client certificate key type, rsa or ec. Client certificate + key type, rsa or ec type: string defaultTlsClientTtl: description: Client certificate TTL in seconds type: number description: - description: Human-friendly description of the mount for the backend + description: A human-friendly description for this backend. Human-friendly + description of the mount for the backend type: string disableRemount: description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. type: boolean listenAddrs: - description: Addresses the KMIP server should listen on (host:port) + description: Addresses the KMIP server should listen on (host:port). + Addresses the KMIP server should listen on (host:port) items: type: string type: array namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: - description: Path where KMIP secret backend will be mounted + description: The unique path this backend should be mounted at. + Must not begin or end with a /. Defaults to kmip. Path where + KMIP secret backend will be mounted type: string serverHostnames: description: Hostnames to include in the server's TLS certificate as SAN DNS names. The first will be used as the common name - (CN) + (CN). Hostnames to include in the server's TLS certificate as + SAN DNS names. 
The first will be used as the common name (CN) items: type: string type: array serverIps: description: IPs to include in the server's TLS certificate as - SAN IP addresses + SAN IP addresses. IPs to include in the server's TLS certificate + as SAN IP addresses items: type: string type: array tlsCaKeyBits: - description: CA key bits, valid values depend on key type + description: CA key bits, valid values depend on key type. CA + key bits, valid values depend on key type type: number tlsCaKeyType: - description: CA key type, rsa or ec + description: CA key type, rsa or ec. CA key type, rsa or ec type: string tlsMinVersion: - description: Minimum TLS version to accept + description: Minimum TLS version to accept. Minimum TLS version + to accept type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + defaultTlsClientKeyBits: + description: Client certificate key bits, valid values depend + on key type. Client certificate key bits, valid values depend + on key type + type: number + defaultTlsClientKeyType: + description: Client certificate key type, rsa or ec. 
Client certificate + key type, rsa or ec + type: string + defaultTlsClientTtl: + description: Client certificate TTL in seconds + type: number + description: + description: A human-friendly description for this backend. Human-friendly + description of the mount for the backend + type: string + disableRemount: + description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. + type: boolean + listenAddrs: + description: Addresses the KMIP server should listen on (host:port). + Addresses the KMIP server should listen on (host:port) + items: + type: string + type: array + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + path: + description: The unique path this backend should be mounted at. + Must not begin or end with a /. Defaults to kmip. Path where + KMIP secret backend will be mounted + type: string + serverHostnames: + description: Hostnames to include in the server's TLS certificate + as SAN DNS names. The first will be used as the common name + (CN). Hostnames to include in the server's TLS certificate as + SAN DNS names. The first will be used as the common name (CN) + items: + type: string + type: array + serverIps: + description: IPs to include in the server's TLS certificate as + SAN IP addresses. IPs to include in the server's TLS certificate + as SAN IP addresses + items: + type: string + type: array + tlsCaKeyBits: + description: CA key bits, valid values depend on key type. CA + key bits, valid values depend on key type + type: number + tlsCaKeyType: + description: CA key type, rsa or ec. CA key type, rsa or ec + type: string + tlsMinVersion: + description: Minimum TLS version to accept. 
Minimum TLS version + to accept + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -305,7 +411,9 @@ spec: type: object x-kubernetes-validations: - message: path is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.path) + || has(self.initProvider.path)' status: description: SecretBackendStatus defines the observed state of SecretBackend. properties: 
@@ -313,54 +421,70 @@ spec: properties: defaultTlsClientKeyBits: description: Client certificate key bits, valid values depend + on key type. Client certificate key bits, valid values depend on key type type: number defaultTlsClientKeyType: - description: Client certificate key type, rsa or ec + description: Client certificate key type, rsa or ec. Client certificate + key type, rsa or ec type: string defaultTlsClientTtl: description: Client certificate TTL in seconds type: number description: - description: Human-friendly description of the mount for the backend + description: A human-friendly description for this backend. Human-friendly + description of the mount for the backend type: string disableRemount: description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. type: boolean id: type: string listenAddrs: - description: Addresses the KMIP server should listen on (host:port) + description: Addresses the KMIP server should listen on (host:port). + Addresses the KMIP server should listen on (host:port) items: type: string type: array namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: - description: Path where KMIP secret backend will be mounted + description: The unique path this backend should be mounted at. + Must not begin or end with a /. Defaults to kmip. Path where + KMIP secret backend will be mounted type: string serverHostnames: description: Hostnames to include in the server's TLS certificate as SAN DNS names. The first will be used as the common name - (CN) + (CN). Hostnames to include in the server's TLS certificate as + SAN DNS names. 
The first will be used as the common name (CN) items: type: string type: array serverIps: description: IPs to include in the server's TLS certificate as - SAN IP addresses + SAN IP addresses. IPs to include in the server's TLS certificate + as SAN IP addresses items: type: string type: array tlsCaKeyBits: - description: CA key bits, valid values depend on key type + description: CA key bits, valid values depend on key type. CA + key bits, valid values depend on key type type: number tlsCaKeyType: - description: CA key type, rsa or ec + description: CA key type, rsa or ec. CA key type, rsa or ec type: string tlsMinVersion: - description: Minimum TLS version to accept + description: Minimum TLS version to accept. Minimum TLS version + to accept type: string type: object conditions: diff --git a/package/crds/kmip.vault.upbound.io_secretroles.yaml b/package/crds/kmip.vault.upbound.io_secretroles.yaml index 8bef4c35..ac268e96 100644 --- a/package/crds/kmip.vault.upbound.io_secretroles.yaml +++ b/package/crds/kmip.vault.upbound.io_secretroles.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretroles.kmip.vault.upbound.io spec: group: kmip.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: SecretRole is the Schema for the SecretRoles API. + description: SecretRole is the Schema for the SecretRoles API. Provision KMIP + Secret roles in Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -68,89 +68,230 @@ spec: forProvider: properties: namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string operationActivate: - description: Grant permission to use the KMIP Activate operation + description: Grant permission to use the KMIP Activate operation. + Grant permission to use the KMIP Activate operation type: boolean operationAddAttribute: - description: Grant permission to use the KMIP Add Attribute operation + description: Grant permission to use the KMIP Add Attribute operation. + Grant permission to use the KMIP Add Attribute operation type: boolean operationAll: description: Grant all permissions to this role. May not be specified - with any other operation_* params + with any other operation_* params. Grant all permissions to + this role. May not be specified with any other operation_* params type: boolean operationCreate: - description: Grant permission to use the KMIP Create operation + description: Grant permission to use the KMIP Create operation. + Grant permission to use the KMIP Create operation type: boolean operationDestroy: - description: Grant permission to use the KMIP Destroy operation + description: Grant permission to use the KMIP Destroy operation. + Grant permission to use the KMIP Destroy operation type: boolean operationDiscoverVersions: description: Grant permission to use the KMIP Discover Version + operation. Grant permission to use the KMIP Discover Version operation type: boolean operationGet: - description: Grant permission to use the KMIP Get operation + description: Grant permission to use the KMIP Get operation. 
Grant + permission to use the KMIP Get operation type: boolean operationGetAttributeList: - description: Grant permission to use the KMIP Get Attribute List + description: Grant permission to use the KMIP Get Atrribute List + operation. Grant permission to use the KMIP Get Attribute List operation type: boolean operationGetAttributes: - description: Grant permission to use the KMIP Get Attributes operation + description: Grant permission to use the KMIP Get Atrributes operation. + Grant permission to use the KMIP Get Attributes operation type: boolean operationLocate: - description: Grant permission to use the KMIP Locate operation + description: Grant permission to use the KMIP Get Locate operation. + Grant permission to use the KMIP Locate operation type: boolean operationNone: description: Remove all permissions from this role. May not be - specified with any other operation_* params + specified with any other operation_* params. Remove all permissions + from this role. May not be specified with any other operation_* + params type: boolean operationRegister: - description: Grant permission to use the KMIP Register operation + description: Grant permission to use the KMIP Register operation. + Grant permission to use the KMIP Register operation type: boolean operationRekey: - description: Grant permission to use the KMIP Rekey operation + description: Grant permission to use the KMIP Rekey operation. + Grant permission to use the KMIP Rekey operation type: boolean operationRevoke: - description: Grant permission to use the KMIP Revoke operation + description: Grant permission to use the KMIP Revoke operation. + Grant permission to use the KMIP Revoke operation type: boolean path: - description: Path where KMIP backend is mounted + description: The unique path this backend should be mounted at. + Must not begin or end with a /. Defaults to kmip. Path where + KMIP backend is mounted type: string role: - description: Name of the role + description: Name of the role. 
Name of the role type: string scope: - description: Name of the scope + description: Name of the scope. Name of the scope type: string tlsClientKeyBits: description: Client certificate key bits, valid values depend + on key type. Client certificate key bits, valid values depend on key type type: number tlsClientKeyType: - description: Client certificate key type, rsa or ec + description: Client certificate key type, rsa or ec. Client certificate + key type, rsa or ec type: string tlsClientTtl: - description: Client certificate TTL in seconds + description: Client certificate TTL in seconds. Client certificate + TTL in seconds type: number type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + operationActivate: + description: Grant permission to use the KMIP Activate operation. 
+ Grant permission to use the KMIP Activate operation + type: boolean + operationAddAttribute: + description: Grant permission to use the KMIP Add Attribute operation. + Grant permission to use the KMIP Add Attribute operation + type: boolean + operationAll: + description: Grant all permissions to this role. May not be specified + with any other operation_* params. Grant all permissions to + this role. May not be specified with any other operation_* params + type: boolean + operationCreate: + description: Grant permission to use the KMIP Create operation. + Grant permission to use the KMIP Create operation + type: boolean + operationDestroy: + description: Grant permission to use the KMIP Destroy operation. + Grant permission to use the KMIP Destroy operation + type: boolean + operationDiscoverVersions: + description: Grant permission to use the KMIP Discover Version + operation. Grant permission to use the KMIP Discover Version + operation + type: boolean + operationGet: + description: Grant permission to use the KMIP Get operation. Grant + permission to use the KMIP Get operation + type: boolean + operationGetAttributeList: + description: Grant permission to use the KMIP Get Atrribute List + operation. Grant permission to use the KMIP Get Attribute List + operation + type: boolean + operationGetAttributes: + description: Grant permission to use the KMIP Get Atrributes operation. + Grant permission to use the KMIP Get Attributes operation + type: boolean + operationLocate: + description: Grant permission to use the KMIP Get Locate operation. + Grant permission to use the KMIP Locate operation + type: boolean + operationNone: + description: Remove all permissions from this role. May not be + specified with any other operation_* params. Remove all permissions + from this role. May not be specified with any other operation_* + params + type: boolean + operationRegister: + description: Grant permission to use the KMIP Register operation. 
+ Grant permission to use the KMIP Register operation + type: boolean + operationRekey: + description: Grant permission to use the KMIP Rekey operation. + Grant permission to use the KMIP Rekey operation + type: boolean + operationRevoke: + description: Grant permission to use the KMIP Revoke operation. + Grant permission to use the KMIP Revoke operation + type: boolean + path: + description: The unique path this backend should be mounted at. + Must not begin or end with a /. Defaults to kmip. Path where + KMIP backend is mounted + type: string + role: + description: Name of the role. Name of the role + type: string + scope: + description: Name of the scope. Name of the scope + type: string + tlsClientKeyBits: + description: Client certificate key bits, valid values depend + on key type. Client certificate key bits, valid values depend + on key type + type: number + tlsClientKeyType: + description: Client certificate key type, rsa or ec. Client certificate + key type, rsa or ec + type: string + tlsClientTtl: + description: Client certificate TTL in seconds. Client certificate + TTL in seconds + type: number + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. 
ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -324,11 +465,17 @@ spec: type: object x-kubernetes-validations: - message: path is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.path) + || has(self.initProvider.path)' - message: role is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.role) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.role) + || has(self.initProvider.role)' - message: scope is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.scope) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.scope) + || has(self.initProvider.scope)' status: description: SecretRoleStatus defines the observed state of SecretRole. properties: 
@@ -337,72 +484,96 @@ spec: id: type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string operationActivate: - description: Grant permission to use the KMIP Activate operation + description: Grant permission to use the KMIP Activate operation. + Grant permission to use the KMIP Activate operation type: boolean operationAddAttribute: - description: Grant permission to use the KMIP Add Attribute operation + description: Grant permission to use the KMIP Add Attribute operation. + Grant permission to use the KMIP Add Attribute operation type: boolean operationAll: description: Grant all permissions to this role. May not be specified - with any other operation_* params + with any other operation_* params. Grant all permissions to + this role. May not be specified with any other operation_* params type: boolean operationCreate: - description: Grant permission to use the KMIP Create operation + description: Grant permission to use the KMIP Create operation. + Grant permission to use the KMIP Create operation type: boolean operationDestroy: - description: Grant permission to use the KMIP Destroy operation + description: Grant permission to use the KMIP Destroy operation. + Grant permission to use the KMIP Destroy operation type: boolean operationDiscoverVersions: description: Grant permission to use the KMIP Discover Version + operation. Grant permission to use the KMIP Discover Version operation type: boolean operationGet: - description: Grant permission to use the KMIP Get operation + description: Grant permission to use the KMIP Get operation. 
Grant + permission to use the KMIP Get operation type: boolean operationGetAttributeList: - description: Grant permission to use the KMIP Get Attribute List + description: Grant permission to use the KMIP Get Atrribute List + operation. Grant permission to use the KMIP Get Attribute List operation type: boolean operationGetAttributes: - description: Grant permission to use the KMIP Get Attributes operation + description: Grant permission to use the KMIP Get Atrributes operation. + Grant permission to use the KMIP Get Attributes operation type: boolean operationLocate: - description: Grant permission to use the KMIP Locate operation + description: Grant permission to use the KMIP Get Locate operation. + Grant permission to use the KMIP Locate operation type: boolean operationNone: description: Remove all permissions from this role. May not be - specified with any other operation_* params + specified with any other operation_* params. Remove all permissions + from this role. May not be specified with any other operation_* + params type: boolean operationRegister: - description: Grant permission to use the KMIP Register operation + description: Grant permission to use the KMIP Register operation. + Grant permission to use the KMIP Register operation type: boolean operationRekey: - description: Grant permission to use the KMIP Rekey operation + description: Grant permission to use the KMIP Rekey operation. + Grant permission to use the KMIP Rekey operation type: boolean operationRevoke: - description: Grant permission to use the KMIP Revoke operation + description: Grant permission to use the KMIP Revoke operation. + Grant permission to use the KMIP Revoke operation type: boolean path: - description: Path where KMIP backend is mounted + description: The unique path this backend should be mounted at. + Must not begin or end with a /. Defaults to kmip. Path where + KMIP backend is mounted type: string role: - description: Name of the role + description: Name of the role. 
Name of the role type: string scope: - description: Name of the scope + description: Name of the scope. Name of the scope type: string tlsClientKeyBits: description: Client certificate key bits, valid values depend + on key type. Client certificate key bits, valid values depend on key type type: number tlsClientKeyType: - description: Client certificate key type, rsa or ec + description: Client certificate key type, rsa or ec. Client certificate + key type, rsa or ec type: string tlsClientTtl: - description: Client certificate TTL in seconds + description: Client certificate TTL in seconds. Client certificate + TTL in seconds type: number type: object conditions: diff --git a/package/crds/kmip.vault.upbound.io_secretscopes.yaml b/package/crds/kmip.vault.upbound.io_secretscopes.yaml index 026ca634..b991161c 100644 --- a/package/crds/kmip.vault.upbound.io_secretscopes.yaml +++ b/package/crds/kmip.vault.upbound.io_secretscopes.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretscopes.kmip.vault.upbound.io spec: group: kmip.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: SecretScope is the Schema for the SecretScopes API. + description: SecretScope is the Schema for the SecretScopes API. Provision + KMIP Secret scopes in Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -68,34 +68,86 @@ spec: forProvider: properties: force: - description: Force deletion even if there are managed objects - in the scope + description: Boolean field to force deletion even if there are + managed objects in the scope. Force deletion even if there are + managed objects in the scope type: boolean namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: - description: Path where KMIP backend is mounted + description: The unique path this backend should be mounted at. + Must not begin or end with a /. Defaults to kmip. Path where + KMIP backend is mounted type: string scope: - description: Name of the scope + description: Name of the scope. Name of the scope type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + force: + description: Boolean field to force deletion even if there are + managed objects in the scope. 
Force deletion even if there are + managed objects in the scope + type: boolean + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + path: + description: The unique path this backend should be mounted at. + Must not begin or end with a /. Defaults to kmip. Path where + KMIP backend is mounted + type: string + scope: + description: Name of the scope. Name of the scope + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. 
See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -269,28 +321,39 @@ spec: type: object x-kubernetes-validations: - message: path is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.path) + || has(self.initProvider.path)' - message: scope is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.scope) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.scope) + || has(self.initProvider.scope)' status: description: SecretScopeStatus defines the observed state of SecretScope. properties: atProvider: properties: force: - description: Force deletion even if there are managed objects - in the scope + description: Boolean field to force deletion even if there are + managed objects in the scope. Force deletion even if there are + managed objects in the scope type: boolean id: type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: - description: Path where KMIP backend is mounted + description: The unique path this backend should be mounted at. + Must not begin or end with a /. Defaults to kmip. Path where + KMIP backend is mounted type: string scope: - description: Name of the scope + description: Name of the scope. Name of the scope type: string type: object conditions: diff --git a/package/crds/kubernetes.vault.upbound.io_authbackendconfigs.yaml b/package/crds/kubernetes.vault.upbound.io_authbackendconfigs.yaml index dab421a3..6b4363fe 100644 
--- a/package/crds/kubernetes.vault.upbound.io_authbackendconfigs.yaml +++ b/package/crds/kubernetes.vault.upbound.io_authbackendconfigs.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: authbackendconfigs.kubernetes.vault.upbound.io spec: group: kubernetes.vault.upbound.io @@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: AuthBackendConfig is the Schema for the AuthBackendConfigs API. - + Manages Kubernetes auth backend configs in Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -72,40 +71,61 @@ spec: description: Unique name of the kubernetes backend to configure. type: string disableIssValidation: - description: Optional disable JWT issuer validation. Allows to - skip ISS validation. + description: Disable JWT issuer validation. Allows to skip ISS + validation. Requires Vault v1.5.4+ or Vault auth kubernetes + plugin v0.7.1+ Optional disable JWT issuer validation. Allows + to skip ISS validation. type: boolean disableLocalCaJwt: - description: Optional disable defaulting to the local CA cert - and service account JWT when running in a Kubernetes pod. + description: Disable defaulting to the local CA cert and service + account JWT when running in a Kubernetes pod. Requires Vault + v1.5.4+ or Vault auth kubernetes plugin v0.7.1+ Optional disable + defaulting to the local CA cert and service account JWT when + running in a Kubernetes pod. type: boolean issuer: - description: Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount - will be used as the default issuer. + description: JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount + will be used as the default issuer. Optional JWT issuer. If + no issuer is specified, kubernetes.io/serviceaccount will be + used as the default issuer. type: string kubernetesCaCert: description: PEM encoded CA cert for use by the TLS client used - to talk with the Kubernetes API. + to talk with the Kubernetes API. PEM encoded CA cert for use + by the TLS client used to talk with the Kubernetes API. type: string kubernetesHost: description: Host must be a host string, a host:port pair, or - a URL to the base of the Kubernetes API server. + a URL to the base of the Kubernetes API server. Host must be + a host string, a host:port pair, or a URL to the base of the + Kubernetes API server. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. 
The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string pemKeys: - description: Optional list of PEM-formatted public keys or certificates + description: List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. - Not every installation of Kubernetes exposes these keys. + Not every installation of Kubernetes exposes these keys. Optional + list of PEM-formatted public keys or certificates used to verify + the signatures of Kubernetes service account JWTs. If a certificate + is given, its public key will be extracted. Not every installation + of Kubernetes exposes these keys. items: type: string type: array tokenReviewerJwtSecretRef: description: A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT - used for login will be used to access the API. + used for login will be used to access the API. A service account + JWT used to access the TokenReview API to validate other JWTs + during login. If not set the JWT used for login will be used + to access the API. properties: key: description: The key to select. 
@@ -122,21 +142,98 @@ spec: - namespace type: object type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + backend: + description: Unique name of the kubernetes backend to configure. + type: string + disableIssValidation: + description: Disable JWT issuer validation. Allows to skip ISS + validation. Requires Vault v1.5.4+ or Vault auth kubernetes + plugin v0.7.1+ Optional disable JWT issuer validation. Allows + to skip ISS validation. + type: boolean + disableLocalCaJwt: + description: Disable defaulting to the local CA cert and service + account JWT when running in a Kubernetes pod. Requires Vault + v1.5.4+ or Vault auth kubernetes plugin v0.7.1+ Optional disable + defaulting to the local CA cert and service account JWT when + running in a Kubernetes pod. + type: boolean + issuer: + description: JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount + will be used as the default issuer. Optional JWT issuer. If + no issuer is specified, kubernetes.io/serviceaccount will be + used as the default issuer. + type: string + kubernetesCaCert: + description: PEM encoded CA cert for use by the TLS client used + to talk with the Kubernetes API. 
PEM encoded CA cert for use + by the TLS client used to talk with the Kubernetes API. + type: string + kubernetesHost: + description: Host must be a host string, a host:port pair, or + a URL to the base of the Kubernetes API server. Host must be + a host string, a host:port pair, or a URL to the base of the + Kubernetes API server. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + pemKeys: + description: List of PEM-formatted public keys or certificates + used to verify the signatures of Kubernetes service account + JWTs. If a certificate is given, its public key will be extracted. + Not every installation of Kubernetes exposes these keys. Optional + list of PEM-formatted public keys or certificates used to verify + the signatures of Kubernetes service account JWTs. If a certificate + is given, its public key will be extracted. Not every installation + of Kubernetes exposes these keys. + items: + type: string + type: array + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. 
- See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -310,7 +407,9 @@ spec: type: object x-kubernetes-validations: - message: kubernetesHost is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.kubernetesHost) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.kubernetesHost) + || has(self.initProvider.kubernetesHost)' status: description: AuthBackendConfigStatus defines the observed state of AuthBackendConfig. properties: 
@@ -320,35 +419,53 @@ spec: description: Unique name of the kubernetes backend to configure. type: string disableIssValidation: - description: Optional disable JWT issuer validation. Allows to - skip ISS validation. + description: Disable JWT issuer validation. Allows to skip ISS + validation. Requires Vault v1.5.4+ or Vault auth kubernetes + plugin v0.7.1+ Optional disable JWT issuer validation. Allows + to skip ISS validation. type: boolean disableLocalCaJwt: - description: Optional disable defaulting to the local CA cert - and service account JWT when running in a Kubernetes pod. + description: Disable defaulting to the local CA cert and service + account JWT when running in a Kubernetes pod. Requires Vault + v1.5.4+ or Vault auth kubernetes plugin v0.7.1+ Optional disable + defaulting to the local CA cert and service account JWT when + running in a Kubernetes pod. type: boolean id: type: string issuer: - description: Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount - will be used as the default issuer. + description: JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount + will be used as the default issuer. Optional JWT issuer. If + no issuer is specified, kubernetes.io/serviceaccount will be + used as the default issuer. type: string kubernetesCaCert: description: PEM encoded CA cert for use by the TLS client used - to talk with the Kubernetes API. + to talk with the Kubernetes API. PEM encoded CA cert for use + by the TLS client used to talk with the Kubernetes API. type: string kubernetesHost: description: Host must be a host string, a host:port pair, or - a URL to the base of the Kubernetes API server. + a URL to the base of the Kubernetes API server. Host must be + a host string, a host:port pair, or a URL to the base of the + Kubernetes API server. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. 
The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string pemKeys: - description: Optional list of PEM-formatted public keys or certificates + description: List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. - Not every installation of Kubernetes exposes these keys. + Not every installation of Kubernetes exposes these keys. Optional + list of PEM-formatted public keys or certificates used to verify + the signatures of Kubernetes service account JWTs. If a certificate + is given, its public key will be extracted. Not every installation + of Kubernetes exposes these keys. items: type: string type: array diff --git a/package/crds/kubernetes.vault.upbound.io_authbackendroles.yaml b/package/crds/kubernetes.vault.upbound.io_authbackendroles.yaml index 2f22510e..10ef7f29 100644 --- a/package/crds/kubernetes.vault.upbound.io_authbackendroles.yaml +++ b/package/crds/kubernetes.vault.upbound.io_authbackendroles.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: authbackendroles.kubernetes.vault.upbound.io spec: group: kubernetes.vault.upbound.io @@ -35,8 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: AuthBackendRole is the Schema for the AuthBackendRoles API. + description: AuthBackendRole is the Schema for the AuthBackendRoles API. Manages + Kubernetes auth backend roles in Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -70,59 +69,87 @@ spec: properties: aliasNameSource: description: 'Configures how identity aliases are generated. Valid - choices are: serviceaccount_uid, serviceaccount_name' + choices are: serviceaccount_uid, serviceaccount_name. (vault-1.9+) + Configures how identity aliases are generated. Valid choices + are: serviceaccount_uid, serviceaccount_name' type: string audience: - description: Optional Audience claim to verify in the JWT. + description: Audience claim to verify in the JWT. Optional Audience + claim to verify in the JWT. type: string backend: description: Unique name of the kubernetes backend to configure. + Unique name of the kubernetes backend to configure. type: string boundServiceAccountNames: description: List of service account names able to access this - role. If set to `["*"]` all names are allowed, both this and - bound_service_account_namespaces can not be "*". + role. If set to ["*"] all names are allowed, both this and bound_service_account_namespaces + can not be "*". List of service account names able to access + this role. If set to `["*"]` all names are allowed, both this + and bound_service_account_namespaces can not be "*". items: type: string type: array boundServiceAccountNamespaces: description: List of namespaces allowed to access this role. If - set to `["*"]` all namespaces are allowed, both this and bound_service_account_names - can not be set to "*". + set to ["*"] all namespaces are allowed, both this and bound_service_account_names + can not be set to "*". List of namespaces allowed to access + this role. If set to `["*"]` all namespaces are allowed, both + this and bound_service_account_names can not be set to "*". items: type: string type: array namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. 
+ Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string roleName: - description: Name of the role. + description: Name of the role. Name of the role. type: string tokenBoundCidrs: - description: Specifies the blocks of IP addresses which are allowed - to use the generated token + description: List of CIDR blocks; if set, specifies blocks of + IP addresses which can authenticate successfully, and ties the + resulting token to these blocks as well. Specifies the blocks + of IP addresses which are allowed to use the generated token items: type: string type: array tokenExplicitMaxTtl: - description: Generated Token's Explicit Maximum TTL in seconds + description: If set, will encode an explicit max TTL onto the + token in number of seconds. This is a hard cap even if token_ttl + and token_max_ttl would otherwise allow a renewal. Generated + Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime of the generated token + description: The maximum lifetime for generated tokens in number + of seconds. Its current value will be referenced at renewal + time. The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If true, the 'default' policy will not automatically - be added to generated tokens + description: If set, the default policy will not be set on generated + tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added + to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a token may be used, - a value of zero means unlimited + description: The maximum number of times a generated token may + be used (within its lifetime); 0 means unlimited. 
The maximum + number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: Generated Token's Period + description: If set, indicates that the token generated using + this role should never expire. The token should be renewed within + the duration specified by this value. At each renewal, the token's + TTL will be set to the value of this field. Specified in seconds. + Generated Token's Period type: number tokenPolicies: - description: Generated Token's Policies + description: List of policies to encode onto generated tokens. + Depending on the auth method, this list may be supplemented + by user/group/other values. Generated Token's Policies items: type: string type: array 
@@ -130,24 +157,153 @@ spec: description: The initial ttl of the token to generate in seconds type: number tokenType: - description: The type of token to generate, service or batch + description: 'The type of token that should be generated. Can + be service, batch, or default to use the mount''s tuned default + (which unless changed will be service tokens). For token store + roles, there are two additional possibilities: default-service + and default-batch which specify the type to return unless the + client requests a different type at generation time. The type + of token to generate, service or batch' type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + aliasNameSource: + description: 'Configures how identity aliases are generated. Valid + choices are: serviceaccount_uid, serviceaccount_name. (vault-1.9+) + Configures how identity aliases are generated. Valid choices + are: serviceaccount_uid, serviceaccount_name' + type: string + audience: + description: Audience claim to verify in the JWT. Optional Audience + claim to verify in the JWT. + type: string + backend: + description: Unique name of the kubernetes backend to configure. + Unique name of the kubernetes backend to configure. 
+ type: string + boundServiceAccountNames: + description: List of service account names able to access this + role. If set to ["*"] all names are allowed, both this and bound_service_account_namespaces + can not be "*". List of service account names able to access + this role. If set to `["*"]` all names are allowed, both this + and bound_service_account_namespaces can not be "*". + items: + type: string + type: array + boundServiceAccountNamespaces: + description: List of namespaces allowed to access this role. If + set to ["*"] all namespaces are allowed, both this and bound_service_account_names + can not be set to "*". List of namespaces allowed to access + this role. If set to `["*"]` all namespaces are allowed, both + this and bound_service_account_names can not be set to "*". + items: + type: string + type: array + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + roleName: + description: Name of the role. Name of the role. + type: string + tokenBoundCidrs: + description: List of CIDR blocks; if set, specifies blocks of + IP addresses which can authenticate successfully, and ties the + resulting token to these blocks as well. Specifies the blocks + of IP addresses which are allowed to use the generated token + items: + type: string + type: array + tokenExplicitMaxTtl: + description: If set, will encode an explicit max TTL onto the + token in number of seconds. This is a hard cap even if token_ttl + and token_max_ttl would otherwise allow a renewal. Generated + Token's Explicit Maximum TTL in seconds + type: number + tokenMaxTtl: + description: The maximum lifetime for generated tokens in number + of seconds. Its current value will be referenced at renewal + time. 
The maximum lifetime of the generated token + type: number + tokenNoDefaultPolicy: + description: If set, the default policy will not be set on generated + tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added + to generated tokens + type: boolean + tokenNumUses: + description: The maximum number of times a generated token may + be used (within its lifetime); 0 means unlimited. The maximum + number of times a token may be used, a value of zero means unlimited + type: number + tokenPeriod: + description: If set, indicates that the token generated using + this role should never expire. The token should be renewed within + the duration specified by this value. At each renewal, the token's + TTL will be set to the value of this field. Specified in seconds. + Generated Token's Period + type: number + tokenPolicies: + description: List of policies to encode onto generated tokens. + Depending on the auth method, this list may be supplemented + by user/group/other values. Generated Token's Policies + items: + type: string + type: array + tokenTtl: + description: The initial ttl of the token to generate in seconds + type: number + tokenType: + description: 'The type of token that should be generated. Can + be service, batch, or default to use the mount''s tuned default + (which unless changed will be service tokens). For token store + roles, there are two additional possibilities: default-service + and default-batch which specify the type to return unless the + client requests a different type at generation time. The type + of token to generate, service or batch' + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. 
ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -321,11 +477,17 @@ spec: type: object x-kubernetes-validations: - message: boundServiceAccountNames is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.boundServiceAccountNames) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.boundServiceAccountNames) + || has(self.initProvider.boundServiceAccountNames)' - message: boundServiceAccountNamespaces is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.boundServiceAccountNamespaces) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.boundServiceAccountNamespaces) + || has(self.initProvider.boundServiceAccountNamespaces)' - message: roleName is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.roleName) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.roleName) + || has(self.initProvider.roleName)' status: description: AuthBackendRoleStatus defines the observed state of AuthBackendRole. properties: 
@@ -333,61 +495,89 @@ spec: properties: aliasNameSource: description: 'Configures how identity aliases are generated. Valid - choices are: serviceaccount_uid, serviceaccount_name' + choices are: serviceaccount_uid, serviceaccount_name. (vault-1.9+) + Configures how identity aliases are generated. Valid choices + are: serviceaccount_uid, serviceaccount_name' type: string audience: - description: Optional Audience claim to verify in the JWT. + description: Audience claim to verify in the JWT. Optional Audience + claim to verify in the JWT. type: string backend: description: Unique name of the kubernetes backend to configure. + Unique name of the kubernetes backend to configure. type: string boundServiceAccountNames: description: List of service account names able to access this - role. If set to `["*"]` all names are allowed, both this and - bound_service_account_namespaces can not be "*". + role. If set to ["*"] all names are allowed, both this and bound_service_account_namespaces + can not be "*". List of service account names able to access + this role. If set to `["*"]` all names are allowed, both this + and bound_service_account_namespaces can not be "*". items: type: string type: array boundServiceAccountNamespaces: description: List of namespaces allowed to access this role. If - set to `["*"]` all namespaces are allowed, both this and bound_service_account_names - can not be set to "*". + set to ["*"] all namespaces are allowed, both this and bound_service_account_names + can not be set to "*". List of namespaces allowed to access + this role. If set to `["*"]` all namespaces are allowed, both + this and bound_service_account_names can not be set to "*". items: type: string type: array id: type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. 
The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string roleName: - description: Name of the role. + description: Name of the role. Name of the role. type: string tokenBoundCidrs: - description: Specifies the blocks of IP addresses which are allowed - to use the generated token + description: List of CIDR blocks; if set, specifies blocks of + IP addresses which can authenticate successfully, and ties the + resulting token to these blocks as well. Specifies the blocks + of IP addresses which are allowed to use the generated token items: type: string type: array tokenExplicitMaxTtl: - description: Generated Token's Explicit Maximum TTL in seconds + description: If set, will encode an explicit max TTL onto the + token in number of seconds. This is a hard cap even if token_ttl + and token_max_ttl would otherwise allow a renewal. Generated + Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime of the generated token + description: The maximum lifetime for generated tokens in number + of seconds. Its current value will be referenced at renewal + time. The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If true, the 'default' policy will not automatically - be added to generated tokens + description: If set, the default policy will not be set on generated + tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added + to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a token may be used, - a value of zero means unlimited + description: The maximum number of times a generated token may + be used (within its lifetime); 0 means unlimited. 
The maximum + number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: Generated Token's Period + description: If set, indicates that the token generated using + this role should never expire. The token should be renewed within + the duration specified by this value. At each renewal, the token's + TTL will be set to the value of this field. Specified in seconds. + Generated Token's Period type: number tokenPolicies: - description: Generated Token's Policies + description: List of policies to encode onto generated tokens. + Depending on the auth method, this list may be supplemented + by user/group/other values. Generated Token's Policies items: type: string type: array @@ -395,7 +585,13 @@ spec: description: The initial ttl of the token to generate in seconds type: number tokenType: - description: The type of token to generate, service or batch + description: 'The type of token that should be generated. Can + be service, batch, or default to use the mount''s tuned default + (which unless changed will be service tokens). For token store + roles, there are two additional possibilities: default-service + and default-batch which specify the type to return unless the + client requests a different type at generation time. The type + of token to generate, service or batch' type: string type: object conditions: diff --git a/package/crds/kubernetes.vault.upbound.io_secretbackendroles.yaml b/package/crds/kubernetes.vault.upbound.io_secretbackendroles.yaml index 731773ec..51e1605a 100644 --- a/package/crds/kubernetes.vault.upbound.io_secretbackendroles.yaml +++ b/package/crds/kubernetes.vault.upbound.io_secretbackendroles.yaml 
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackendroles.kubernetes.vault.upbound.io spec: group: kubernetes.vault.upbound.io @@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: SecretBackendRole is the Schema for the SecretBackendRoles API. - + Creates a role for the Kubernetes Secrets Engine in Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -70,84 +69,223 @@ spec: properties: allowedKubernetesNamespaces: description: The list of Kubernetes namespaces this role can generate - credentials for. If set to '*' all namespaces are allowed. + credentials for. If set to * all namespaces are allowed. The + list of Kubernetes namespaces this role can generate credentials + for. If set to '*' all namespaces are allowed. items: type: string type: array backend: - description: The mount path for the Kubernetes secrets engine. + description: The path of the Kubernetes Secrets Engine backend + mount to create the role in. The mount path for the Kubernetes + secrets engine. type: string extraAnnotations: additionalProperties: type: string description: Additional annotations to apply to all generated + Kubernetes objects. Additional annotations to apply to all generated Kubernetes objects. type: object extraLabels: additionalProperties: type: string description: Additional labels to apply to all generated Kubernetes + objects. Additional labels to apply to all generated Kubernetes objects. type: object generatedRoleRules: description: The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually - exclusive with 'service_account_name' and 'kubernetes_role_name'. + exclusive with service_account_name and kubernetes_role_name. + If set, the entire chain of Kubernetes objects will be generated + when credentials are requested. The Role or ClusterRole rules + to use when generating a role. Accepts either JSON or YAML formatted + rules. Mutually exclusive with 'service_account_name' and 'kubernetes_role_name'. If set, the entire chain of Kubernetes objects will be generated when credentials are requested. type: string kubernetesRoleName: description: The pre-existing Role or ClusterRole to bind a generated - service account to. Mutually exclusive with 'service_account_name' + service account to. Mutually exclusive with service_account_name + and generated_role_rules. 
If set, Kubernetes token, service + account, and role binding objects will be created when credentials + are requested. The pre-existing Role or ClusterRole to bind + a generated service account to. Mutually exclusive with 'service_account_name' and 'generated_role_rules'. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested. type: string kubernetesRoleType: description: Specifies whether the Kubernetes role is a Role or - ClusterRole. + ClusterRole. Specifies whether the Kubernetes role is a Role + or ClusterRole. type: string name: - description: The name of the role. + description: The name of the role. The name of the role. type: string nameTemplate: description: The name template to use when generating service accounts, roles and role bindings. If unset, a default template - is used. + is used. The name template to use when generating service accounts, + roles and role bindings. If unset, a default template is used. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string serviceAccountName: description: The pre-existing service account to generate tokens - for. Mutually exclusive with 'kubernetes_role_name' and 'generated_role_rules'. + for. Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a Kubernetes token will be created when credentials + are requested. The pre-existing service account to generate + tokens for. Mutually exclusive with 'kubernetes_role_name' and + 'generated_role_rules'. If set, only a Kubernetes token will + be created when credentials are requested. 
+ type: string + tokenDefaultTtl: + description: The default TTL for generated Kubernetes tokens in + seconds. The default TTL for generated Kubernetes tokens in + seconds. + type: number + tokenMaxTtl: + description: The maximum TTL for generated Kubernetes tokens in + seconds. The maximum TTL for generated Kubernetes tokens in + seconds. + type: number + type: object + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + allowedKubernetesNamespaces: + description: The list of Kubernetes namespaces this role can generate + credentials for. If set to * all namespaces are allowed. The + list of Kubernetes namespaces this role can generate credentials + for. If set to '*' all namespaces are allowed. + items: + type: string + type: array + backend: + description: The path of the Kubernetes Secrets Engine backend + mount to create the role in. The mount path for the Kubernetes + secrets engine. + type: string + extraAnnotations: + additionalProperties: + type: string + description: Additional annotations to apply to all generated + Kubernetes objects. Additional annotations to apply to all generated + Kubernetes objects. + type: object + extraLabels: + additionalProperties: + type: string + description: Additional labels to apply to all generated Kubernetes + objects. 
Additional labels to apply to all generated Kubernetes + objects. + type: object + generatedRoleRules: + description: The Role or ClusterRole rules to use when generating + a role. Accepts either JSON or YAML formatted rules. Mutually + exclusive with service_account_name and kubernetes_role_name. + If set, the entire chain of Kubernetes objects will be generated + when credentials are requested. The Role or ClusterRole rules + to use when generating a role. Accepts either JSON or YAML formatted + rules. Mutually exclusive with 'service_account_name' and 'kubernetes_role_name'. + If set, the entire chain of Kubernetes objects will be generated + when credentials are requested. + type: string + kubernetesRoleName: + description: The pre-existing Role or ClusterRole to bind a generated + service account to. Mutually exclusive with service_account_name + and generated_role_rules. If set, Kubernetes token, service + account, and role binding objects will be created when credentials + are requested. The pre-existing Role or ClusterRole to bind + a generated service account to. Mutually exclusive with 'service_account_name' + and 'generated_role_rules'. If set, Kubernetes token, service + account, and role binding objects will be created when credentials are requested. type: string + kubernetesRoleType: + description: Specifies whether the Kubernetes role is a Role or + ClusterRole. Specifies whether the Kubernetes role is a Role + or ClusterRole. + type: string + name: + description: The name of the role. The name of the role. + type: string + nameTemplate: + description: The name template to use when generating service + accounts, roles and role bindings. If unset, a default template + is used. The name template to use when generating service accounts, + roles and role bindings. If unset, a default template is used. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. 
The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + serviceAccountName: + description: The pre-existing service account to generate tokens + for. Mutually exclusive with kubernetes_role_name and generated_role_rules. + If set, only a Kubernetes token will be created when credentials + are requested. The pre-existing service account to generate + tokens for. Mutually exclusive with 'kubernetes_role_name' and + 'generated_role_rules'. If set, only a Kubernetes token will + be created when credentials are requested. + type: string tokenDefaultTtl: description: The default TTL for generated Kubernetes tokens in + seconds. The default TTL for generated Kubernetes tokens in seconds. type: number tokenMaxTtl: description: The maximum TTL for generated Kubernetes tokens in + seconds. The maximum TTL for generated Kubernetes tokens in seconds. type: number type: object - managementPolicy: - default: FullControl + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. 
ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -321,11 +459,17 @@ spec: type: object x-kubernetes-validations: - message: allowedKubernetesNamespaces is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.allowedKubernetesNamespaces) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.allowedKubernetesNamespaces) + || has(self.initProvider.allowedKubernetesNamespaces)' - message: backend is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) + || has(self.initProvider.backend)' - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' status: description: SecretBackendRoleStatus defines the observed state of SecretBackendRole. properties: 
@@ -333,29 +477,39 @@ spec: properties: allowedKubernetesNamespaces: description: The list of Kubernetes namespaces this role can generate - credentials for. If set to '*' all namespaces are allowed. + credentials for. If set to * all namespaces are allowed. The + list of Kubernetes namespaces this role can generate credentials + for. If set to '*' all namespaces are allowed. items: type: string type: array backend: - description: The mount path for the Kubernetes secrets engine. + description: The path of the Kubernetes Secrets Engine backend + mount to create the role in. The mount path for the Kubernetes + secrets engine. type: string extraAnnotations: additionalProperties: type: string description: Additional annotations to apply to all generated + Kubernetes objects. Additional annotations to apply to all generated Kubernetes objects. type: object extraLabels: additionalProperties: type: string description: Additional labels to apply to all generated Kubernetes + objects. Additional labels to apply to all generated Kubernetes objects. type: object generatedRoleRules: description: The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually - exclusive with 'service_account_name' and 'kubernetes_role_name'. + exclusive with service_account_name and kubernetes_role_name. + If set, the entire chain of Kubernetes objects will be generated + when credentials are requested. The Role or ClusterRole rules + to use when generating a role. Accepts either JSON or YAML formatted + rules. Mutually exclusive with 'service_account_name' and 'kubernetes_role_name'. If set, the entire chain of Kubernetes objects will be generated when credentials are requested. type: string 
@@ -363,38 +517,53 @@ spec: type: string kubernetesRoleName: description: The pre-existing Role or ClusterRole to bind a generated - service account to. Mutually exclusive with 'service_account_name' + service account to. Mutually exclusive with service_account_name + and generated_role_rules. If set, Kubernetes token, service + account, and role binding objects will be created when credentials + are requested. The pre-existing Role or ClusterRole to bind + a generated service account to. Mutually exclusive with 'service_account_name' and 'generated_role_rules'. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested. type: string kubernetesRoleType: description: Specifies whether the Kubernetes role is a Role or - ClusterRole. + ClusterRole. Specifies whether the Kubernetes role is a Role + or ClusterRole. type: string name: - description: The name of the role. + description: The name of the role. The name of the role. type: string nameTemplate: description: The name template to use when generating service accounts, roles and role bindings. If unset, a default template - is used. + is used. The name template to use when generating service accounts, + roles and role bindings. If unset, a default template is used. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string serviceAccountName: description: The pre-existing service account to generate tokens - for. Mutually exclusive with 'kubernetes_role_name' and 'generated_role_rules'. + for. Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a Kubernetes token will be created when credentials - are requested. 
+ are requested. The pre-existing service account to generate + tokens for. Mutually exclusive with 'kubernetes_role_name' and + 'generated_role_rules'. If set, only a Kubernetes token will + be created when credentials are requested. type: string tokenDefaultTtl: description: The default TTL for generated Kubernetes tokens in + seconds. The default TTL for generated Kubernetes tokens in seconds. type: number tokenMaxTtl: description: The maximum TTL for generated Kubernetes tokens in + seconds. The maximum TTL for generated Kubernetes tokens in seconds. type: number type: object diff --git a/package/crds/kubernetes.vault.upbound.io_secretbackends.yaml b/package/crds/kubernetes.vault.upbound.io_secretbackends.yaml index e7a6f979..51d3e4f6 100644 --- a/package/crds/kubernetes.vault.upbound.io_secretbackends.yaml +++ b/package/crds/kubernetes.vault.upbound.io_secretbackends.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackends.kubernetes.vault.upbound.io spec: group: kubernetes.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: SecretBackend is the Schema for the SecretBackends API. + description: SecretBackend is the Schema for the SecretBackends API. Creates + a Kubernetes Secrets Engine in Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -94,20 +94,28 @@ spec: type: string disableLocalCaJwt: description: Disable defaulting to the local CA certificate and - service account JWT when running in a Kubernetes pod. + service account JWT when Vault is running in a Kubernetes pod. + Disable defaulting to the local CA certificate and service account + JWT when running in a Kubernetes pod. type: boolean externalEntropyAccess: description: Enable the secrets engine to access Vault's external entropy source type: boolean kubernetesCaCert: - description: A PEM-encoded CA certificate used by the secret engine - to verify the Kubernetes API server certificate. Defaults to - the local pod’s CA if found, or otherwise the host's root CA - set. + description: A PEM-encoded CA certificate used by the secrets + engine to verify the Kubernetes API server certificate. Defaults + to the local pod’s CA if Vault is running in Kubernetes. Otherwise, + defaults to the root CA set where Vault is running. A PEM-encoded + CA certificate used by the secret engine to verify the Kubernetes + API server certificate. Defaults to the local pod’s CA if found, + or otherwise the host's root CA set. type: string kubernetesHost: - description: The Kubernetes API URL to connect to. + description: The Kubernetes API URL to connect to. Required if + the standard pod environment variables KUBERNETES_SERVICE_HOST + or KUBERNETES_SERVICE_PORT are not set on the host that Vault + is running on. The Kubernetes API URL to connect to. type: string local: description: Local mount flag that can be explicitly set to true 
@@ -118,7 +126,11 @@ spec: in seconds type: number namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string options: additionalProperties: @@ -136,7 +148,10 @@ spec: serviceAccountJwtSecretRef: description: The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults - to the local pod’s JWT if found. + to the local pod’s JWT if Vault is running in Kubernetes. The + JSON web token of the service account used by the secrets engine + to manage Kubernetes credentials. Defaults to the local pod’s + JWT if found. properties: key: description: The key to select. 
@@ -153,21 +168,124 @@ spec: - namespace type: object type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + allowedManagedKeys: + description: List of managed key registry entry names that the + mount in question is allowed to access + items: + type: string + type: array + auditNonHmacRequestKeys: + description: Specifies the list of keys that will not be HMAC'd + by audit devices in the request data object. + items: + type: string + type: array + auditNonHmacResponseKeys: + description: Specifies the list of keys that will not be HMAC'd + by audit devices in the response data object. + items: + type: string + type: array + defaultLeaseTtlSeconds: + description: Default lease duration for tokens and secrets in + seconds + type: number + description: + description: Human-friendly description of the mount + type: string + disableLocalCaJwt: + description: Disable defaulting to the local CA certificate and + service account JWT when Vault is running in a Kubernetes pod. + Disable defaulting to the local CA certificate and service account + JWT when running in a Kubernetes pod. 
+ type: boolean + externalEntropyAccess: + description: Enable the secrets engine to access Vault's external + entropy source + type: boolean + kubernetesCaCert: + description: A PEM-encoded CA certificate used by the secrets + engine to verify the Kubernetes API server certificate. Defaults + to the local pod’s CA if Vault is running in Kubernetes. Otherwise, + defaults to the root CA set where Vault is running. A PEM-encoded + CA certificate used by the secret engine to verify the Kubernetes + API server certificate. Defaults to the local pod’s CA if found, + or otherwise the host's root CA set. + type: string + kubernetesHost: + description: The Kubernetes API URL to connect to. Required if + the standard pod environment variables KUBERNETES_SERVICE_HOST + or KUBERNETES_SERVICE_PORT are not set on the host that Vault + is running on. The Kubernetes API URL to connect to. + type: string + local: + description: Local mount flag that can be explicitly set to true + to enforce local mount in HA environment + type: boolean + maxLeaseTtlSeconds: + description: Maximum possible lease duration for tokens and secrets + in seconds + type: number + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + options: + additionalProperties: + type: string + description: Specifies mount type specific options that are passed + to the backend + type: object + path: + description: Where the secret backend will be mounted + type: string + sealWrap: + description: Enable seal wrapping for the mount, causing values + stored by the mount to be wrapped by the seal's encryption capability + type: boolean + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. 
It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -341,7 +459,9 @@ spec: type: object x-kubernetes-validations: - message: path is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.path) + || has(self.initProvider.path)' status: description: SecretBackendStatus defines the observed state of SecretBackend. properties: @@ -377,7 +497,9 @@ spec: type: string disableLocalCaJwt: description: Disable defaulting to the local CA certificate and - service account JWT when running in a Kubernetes pod. + service account JWT when Vault is running in a Kubernetes pod. + Disable defaulting to the local CA certificate and service account + JWT when running in a Kubernetes pod. type: boolean externalEntropyAccess: description: Enable the secrets engine to access Vault's external 
@@ -386,13 +508,19 @@ spec: id: type: string kubernetesCaCert: - description: A PEM-encoded CA certificate used by the secret engine - to verify the Kubernetes API server certificate. Defaults to - the local pod’s CA if found, or otherwise the host's root CA - set. + description: A PEM-encoded CA certificate used by the secrets + engine to verify the Kubernetes API server certificate. Defaults + to the local pod’s CA if Vault is running in Kubernetes. Otherwise, + defaults to the root CA set where Vault is running. A PEM-encoded + CA certificate used by the secret engine to verify the Kubernetes + API server certificate. Defaults to the local pod’s CA if found, + or otherwise the host's root CA set. type: string kubernetesHost: - description: The Kubernetes API URL to connect to. + description: The Kubernetes API URL to connect to. Required if + the standard pod environment variables KUBERNETES_SERVICE_HOST + or KUBERNETES_SERVICE_PORT are not set on the host that Vault + is running on. The Kubernetes API URL to connect to. type: string local: description: Local mount flag that can be explicitly set to true @@ -403,7 +531,11 @@ spec: in seconds type: number namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string options: additionalProperties: diff --git a/package/crds/kv.vault.upbound.io_secretbackendv2s.yaml b/package/crds/kv.vault.upbound.io_secretbackendv2s.yaml index 581b2030..b0cfa6b4 100644 --- a/package/crds/kv.vault.upbound.io_secretbackendv2s.yaml +++ b/package/crds/kv.vault.upbound.io_secretbackendv2s.yaml 
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackendv2s.kv.vault.upbound.io spec: group: kv.vault.upbound.io @@ -35,8 +34,9 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: SecretBackendV2 is the Schema for the SecretBackendV2s API. + description: SecretBackendV2 is the Schema for the SecretBackendV2s API. Configures + KV-V2 backend level settings that are applied to every key in the key-value + store. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -58,7 +58,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -70,37 +70,95 @@ spec: properties: casRequired: description: If true, all keys will require the cas parameter - to be set on all write requests. + to be set on all write requests. If true, all keys will require + the cas parameter to be set on all write requests. type: boolean deleteVersionAfter: description: If set, specifies the length of time before a version - is deleted + is deleted. Accepts duration in integer seconds. If set, specifies + the length of time before a version is deleted type: number maxVersions: - description: The number of versions to keep per key. + description: The number of versions to keep per key. The number + of versions to keep per key. type: number mount: - description: Path where KV-V2 engine is mounted. + description: Path where KV-V2 engine is mounted. Path where KV-V2 + engine is mounted. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. 
This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + casRequired: + description: If true, all keys will require the cas parameter + to be set on all write requests. If true, all keys will require + the cas parameter to be set on all write requests. + type: boolean + deleteVersionAfter: + description: If set, specifies the length of time before a version + is deleted. Accepts duration in integer seconds. If set, specifies + the length of time before a version is deleted + type: number + maxVersions: + description: The number of versions to keep per key. The number + of versions to keep per key. + type: number + mount: + description: Path where KV-V2 engine is mounted. Path where KV-V2 + engine is mounted. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. 
- See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -274,7 +332,9 @@ spec: type: object x-kubernetes-validations: - message: mount is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.mount) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.mount) + || has(self.initProvider.mount)' status: description: SecretBackendV2Status defines the observed state of SecretBackendV2. properties: 
@@ -282,22 +342,30 @@ spec: properties: casRequired: description: If true, all keys will require the cas parameter - to be set on all write requests. + to be set on all write requests. If true, all keys will require + the cas parameter to be set on all write requests. type: boolean deleteVersionAfter: description: If set, specifies the length of time before a version - is deleted + is deleted. Accepts duration in integer seconds. If set, specifies + the length of time before a version is deleted type: number id: type: string maxVersions: - description: The number of versions to keep per key. + description: The number of versions to keep per key. The number + of versions to keep per key. type: number mount: - description: Path where KV-V2 engine is mounted. + description: Path where KV-V2 engine is mounted. Path where KV-V2 + engine is mounted. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string type: object conditions: diff --git a/package/crds/kv.vault.upbound.io_secrets.yaml b/package/crds/kv.vault.upbound.io_secrets.yaml index 7c1a429f..8dd786c2 100644 --- a/package/crds/kv.vault.upbound.io_secrets.yaml +++ b/package/crds/kv.vault.upbound.io_secrets.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secrets.kv.vault.upbound.io spec: group: kv.vault.upbound.io 
@@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: Secret is the Schema for the Secrets API. + description: Secret is the Schema for the Secrets API. Writes a KV-V1 secret + to a given path in Vault properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' @@ -68,7 +68,8 @@ spec: forProvider: properties: dataJsonSecretRef: - description: JSON-encoded secret data to write. + description: JSON-encoded string that will be written as the secret + data at the given path. JSON-encoded secret data to write. properties: key: description: The key to select. 
@@ -85,27 +86,68 @@ spec: - namespace type: object namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: - description: Full path of the KV-V1 secret. + description: Full path of the KV-V1 secret. Full path of the KV-V1 + secret. type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + path: + description: Full path of the KV-V1 secret. Full path of the KV-V1 + secret. + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. 
It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -279,9 +321,12 @@ spec: type: object x-kubernetes-validations: - message: dataJsonSecretRef is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dataJsonSecretRef) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.dataJsonSecretRef)' - message: path is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.path) + || has(self.initProvider.path)' status: description: SecretStatus defines the observed state of Secret. properties: @@ -290,10 +335,15 @@ spec: id: type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: - description: Full path of the KV-V1 secret. + description: Full path of the KV-V1 secret. Full path of the KV-V1 + secret. type: string type: object conditions: diff --git a/package/crds/kv.vault.upbound.io_secretv2s.yaml b/package/crds/kv.vault.upbound.io_secretv2s.yaml index b39eab85..338f4345 100644 --- a/package/crds/kv.vault.upbound.io_secretv2s.yaml +++ b/package/crds/kv.vault.upbound.io_secretv2s.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretv2s.kv.vault.upbound.io spec: group: kv.vault.upbound.io 
@@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: SecretV2 is the Schema for the SecretV2s API. + description: SecretV2 is the Schema for the SecretV2s API. Writes a KV-V2 + secret to a given path in Vault properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -70,34 +70,45 @@ spec: cas: description: This flag is required if cas_required is set to true on either the secret or the engine's config. In order for a - write to be successful, cas must be set to the current version - of the secret. + write operation to be successful, cas must be set to the current + version of the secret. This flag is required if cas_required + is set to true on either the secret or the engine's config. + In order for a write to be successful, cas must be set to the + current version of the secret. type: number customMetadata: - description: Custom metadata to be set for the secret. + description: A nested block that allows configuring metadata for + the KV secret. Refer to the Configuration Options for more info. + Custom metadata to be set for the secret. items: properties: casRequired: description: If true, all keys will require the cas parameter - to be set on all write requests. + to be set on all write requests. If true, all keys will + require the cas parameter to be set on all write requests. type: boolean data: additionalProperties: type: string - description: A map of arbitrary string to string valued - user-provided metadata meant to describe the secret. + description: A string to string map describing the secret. + A map of arbitrary string to string valued user-provided + metadata meant to describe the secret. type: object deleteVersionAfter: description: If set, specifies the length of time before - a version is deleted. + a version is deleted. Accepts duration in integer seconds. + If set, specifies the length of time before a version + is deleted. type: number maxVersions: - description: The number of versions to keep per key. + description: The number of versions to keep per key. The + number of versions to keep per key. type: number type: object type: array dataJsonSecretRef: - description: JSON-encoded secret data to write. + description: JSON-encoded string that will be written as the secret + data at the given path. 
JSON-encoded secret data to write. properties: key: description: The key to select. 
@@ -115,45 +126,156 @@ spec: type: object deleteAllVersions: description: If set to true, permanently deletes all versions - for the specified key. + for the specified key. If set to true, permanently deletes all + versions for the specified key. type: boolean disableRead: description: 'If set to true, disables reading secret from Vault; - note: drift won''t be detected.' + note: drift won''t be detected. If set to true, disables reading + secret from Vault; note: drift won''t be detected.' type: boolean mount: - description: Path where KV-V2 engine is mounted. + description: Path where KV-V2 engine is mounted. Path where KV-V2 + engine is mounted. type: string name: - description: Full name of the secret. For a nested secret, the + description: Full name of the secret. For a nested secret the name is the nested path excluding the mount and data prefix. + For example, for a secret at kvv2/data/foo/bar/baz the name + is foo/bar/baz. Full name of the secret. For a nested secret, + the name is the nested path excluding the mount and data prefix. For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz' type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string options: additionalProperties: type: string - description: An object that holds option settings. + description: An object that holds option settings. An object that + holds option settings. type: object type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. 
InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + cas: + description: This flag is required if cas_required is set to true + on either the secret or the engine's config. In order for a + write operation to be successful, cas must be set to the current + version of the secret. This flag is required if cas_required + is set to true on either the secret or the engine's config. + In order for a write to be successful, cas must be set to the + current version of the secret. + type: number + customMetadata: + description: A nested block that allows configuring metadata for + the KV secret. Refer to the Configuration Options for more info. + Custom metadata to be set for the secret. + items: + properties: + casRequired: + description: If true, all keys will require the cas parameter + to be set on all write requests. If true, all keys will + require the cas parameter to be set on all write requests. + type: boolean + data: + additionalProperties: + type: string + description: A string to string map describing the secret. + A map of arbitrary string to string valued user-provided + metadata meant to describe the secret. + type: object + deleteVersionAfter: + description: If set, specifies the length of time before + a version is deleted. Accepts duration in integer seconds. + If set, specifies the length of time before a version + is deleted. + type: number + maxVersions: + description: The number of versions to keep per key. The + number of versions to keep per key. 
+ type: number + type: object + type: array + deleteAllVersions: + description: If set to true, permanently deletes all versions + for the specified key. If set to true, permanently deletes all + versions for the specified key. + type: boolean + disableRead: + description: 'If set to true, disables reading secret from Vault; + note: drift won''t be detected. If set to true, disables reading + secret from Vault; note: drift won''t be detected.' + type: boolean + mount: + description: Path where KV-V2 engine is mounted. Path where KV-V2 + engine is mounted. + type: string + name: + description: Full name of the secret. For a nested secret the + name is the nested path excluding the mount and data prefix. + For example, for a secret at kvv2/data/foo/bar/baz the name + is foo/bar/baz. Full name of the secret. For a nested secret, + the name is the nested path excluding the mount and data prefix. + For example, for a secret at 'kvv2/data/foo/bar/baz', the name + is 'foo/bar/baz' + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + options: + additionalProperties: + type: string + description: An object that holds option settings. An object that + holds option settings. + type: object + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. 
Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -327,11 +449,16 @@ spec: type: object x-kubernetes-validations: - message: dataJsonSecretRef is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dataJsonSecretRef) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.dataJsonSecretRef)' - message: mount is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.mount) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.mount) + || has(self.initProvider.mount)' - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' status: description: SecretV2Status defines the observed state of SecretV2. properties: 
@@ -340,39 +467,51 @@ spec: cas: description: This flag is required if cas_required is set to true on either the secret or the engine's config. In order for a - write to be successful, cas must be set to the current version - of the secret. + write operation to be successful, cas must be set to the current + version of the secret. This flag is required if cas_required + is set to true on either the secret or the engine's config. + In order for a write to be successful, cas must be set to the + current version of the secret. type: number customMetadata: - description: Custom metadata to be set for the secret. + description: A nested block that allows configuring metadata for + the KV secret. Refer to the Configuration Options for more info. + Custom metadata to be set for the secret. items: properties: casRequired: description: If true, all keys will require the cas parameter - to be set on all write requests. + to be set on all write requests. If true, all keys will + require the cas parameter to be set on all write requests. type: boolean data: additionalProperties: type: string - description: A map of arbitrary string to string valued - user-provided metadata meant to describe the secret. + description: A string to string map describing the secret. + A map of arbitrary string to string valued user-provided + metadata meant to describe the secret. type: object deleteVersionAfter: description: If set, specifies the length of time before - a version is deleted. + a version is deleted. Accepts duration in integer seconds. + If set, specifies the length of time before a version + is deleted. type: number maxVersions: - description: The number of versions to keep per key. + description: The number of versions to keep per key. The + number of versions to keep per key. type: number type: object type: array deleteAllVersions: description: If set to true, permanently deletes all versions - for the specified key. + for the specified key. 
If set to true, permanently deletes all + versions for the specified key. type: boolean disableRead: description: 'If set to true, disables reading secret from Vault; - note: drift won''t be detected.' + note: drift won''t be detected. If set to true, disables reading + secret from Vault; note: drift won''t be detected.' type: boolean id: type: string @@ -380,26 +519,37 @@ spec: additionalProperties: type: string description: Metadata associated with this secret read from Vault. + Metadata associated with this secret read from Vault. type: object mount: - description: Path where KV-V2 engine is mounted. + description: Path where KV-V2 engine is mounted. Path where KV-V2 + engine is mounted. type: string name: - description: Full name of the secret. For a nested secret, the + description: Full name of the secret. For a nested secret the name is the nested path excluding the mount and data prefix. + For example, for a secret at kvv2/data/foo/bar/baz the name + is foo/bar/baz. Full name of the secret. For a nested secret, + the name is the nested path excluding the mount and data prefix. For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz' type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string options: additionalProperties: type: string - description: An object that holds option settings. + description: An object that holds option settings. An object that + holds option settings. type: object path: description: Full path where the KV-V2 secret will be written. + Full path where the KV-V2 secret will be written. type: string type: object conditions: 
diff --git a/package/crds/ldap.vault.upbound.io_authbackendgroups.yaml b/package/crds/ldap.vault.upbound.io_authbackendgroups.yaml index 40126e1b..1b859b43 100644 --- a/package/crds/ldap.vault.upbound.io_authbackendgroups.yaml +++ b/package/crds/ldap.vault.upbound.io_authbackendgroups.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: authbackendgroups.ldap.vault.upbound.io spec: group: ldap.vault.upbound.io @@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -80,21 +79,57 @@ spec: type: string type: array type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + backend: + type: string + groupname: + type: string + namespace: + description: Target namespace. (requires Enterprise) + type: string + policies: + items: + type: string + type: array + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. 
ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -268,7 +303,9 @@ spec: type: object x-kubernetes-validations: - message: groupname is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.groupname) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.groupname) + || has(self.initProvider.groupname)' status: description: AuthBackendGroupStatus defines the observed state of AuthBackendGroup. properties: diff --git a/package/crds/ldap.vault.upbound.io_authbackends.yaml b/package/crds/ldap.vault.upbound.io_authbackends.yaml index e8d9d07e..8868af9f 100644 --- a/package/crds/ldap.vault.upbound.io_authbackends.yaml +++ b/package/crds/ldap.vault.upbound.io_authbackends.yaml 
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: authbackends.ldap.vault.upbound.io spec: group: ldap.vault.upbound.io @@ -57,7 +56,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -193,21 +192,135 @@ spec: by the user as the alias name. type: boolean type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + binddn: + type: string + caseSensitiveNames: + type: boolean + certificate: + type: string + clientTlsCert: + type: string + denyNullBind: + type: boolean + description: + type: string + disableRemount: + description: If set, opts out of mount migration on path updates. + type: boolean + discoverdn: + type: boolean + groupattr: + type: string + groupdn: + type: string + groupfilter: + type: string + insecureTls: + type: boolean + local: + description: Specifies if the auth method is local only + type: boolean + namespace: + description: Target namespace. 
(requires Enterprise) + type: string + path: + type: string + starttls: + type: boolean + tlsMaxVersion: + type: string + tlsMinVersion: + type: string + tokenBoundCidrs: + description: Specifies the blocks of IP addresses which are allowed + to use the generated token + items: + type: string + type: array + tokenExplicitMaxTtl: + description: Generated Token's Explicit Maximum TTL in seconds + type: number + tokenMaxTtl: + description: The maximum lifetime of the generated token + type: number + tokenNoDefaultPolicy: + description: If true, the 'default' policy will not automatically + be added to generated tokens + type: boolean + tokenNumUses: + description: The maximum number of times a token may be used, + a value of zero means unlimited + type: number + tokenPeriod: + description: Generated Token's Period + type: number + tokenPolicies: + description: Generated Token's Policies + items: + type: string + type: array + tokenTtl: + description: The initial ttl of the token to generate in seconds + type: number + tokenType: + description: The type of token to generate, service or batch + type: string + upndomain: + type: string + url: + type: string + useTokenGroups: + type: boolean + userattr: + type: string + userdn: + type: string + userfilter: + type: string + usernameAsAlias: + description: Force the auth method to use the username passed + by the user as the alias name. + type: boolean + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. 
- See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -381,7 +494,9 @@ spec: type: object x-kubernetes-validations: - message: url is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.url) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.url) + || has(self.initProvider.url)' status: description: AuthBackendStatus defines the observed state of AuthBackend. properties: diff --git a/package/crds/ldap.vault.upbound.io_authbackendusers.yaml b/package/crds/ldap.vault.upbound.io_authbackendusers.yaml index d8df5323..20f5e97b 100644 
--- a/package/crds/ldap.vault.upbound.io_authbackendusers.yaml +++ b/package/crds/ldap.vault.upbound.io_authbackendusers.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: authbackendusers.ldap.vault.upbound.io spec: group: ldap.vault.upbound.io @@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -84,21 +83,61 @@ spec: username: type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + backend: + type: string + groups: + items: + type: string + type: array + namespace: + description: Target namespace. (requires Enterprise) + type: string + policies: + items: + type: string + type: array + username: + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. 
ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -272,7 +311,9 @@ spec: type: object x-kubernetes-validations: - message: username is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.username) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.username) + || has(self.initProvider.username)' status: description: AuthBackendUserStatus defines the observed state of AuthBackendUser. properties: diff --git a/package/crds/managed.vault.upbound.io_keys.yaml b/package/crds/managed.vault.upbound.io_keys.yaml index b740861a..5d8aed2e 100644 --- a/package/crds/managed.vault.upbound.io_keys.yaml +++ b/package/crds/managed.vault.upbound.io_keys.yaml 
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: keys.managed.vault.upbound.io spec: group: managed.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: Keys is the Schema for the Keyss API. + description: Keys is the Schema for the Keyss API. Configures Managed Keys + in Vault properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' @@ -72,10 +72,13 @@ spec: items: properties: accessKey: - description: The AWS access key to use + description: The AWS access key to use. The AWS access key + to use type: string allowGenerateKey: description: If no existing key can be found in the referenced + backend, instructs Vault to generate a key within the + backend. If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend type: boolean 
@@ -83,53 +86,61 @@ spec: description: Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations - are forbidden if a key exists. + are forbidden if a key exists. Controls the ability for + Vault to replace through generation or importing a key + into the configured backend even if a key is present, + if set to false those operations are forbidden if a key + exists. type: boolean allowStoreKey: description: Controls the ability for Vault to import a - key to the configured backend, if 'false', those operations + key to the configured backend, if false, those operations + will be forbidden. Controls the ability for Vault to import + a key to the configured backend, if 'false', those operations will be forbidden type: boolean anyMount: - description: Allow usage from any mount point within the - namespace if 'true' + description: If true, allows usage from any mount point + within the namespace. Allow usage from any mount point + within the namespace if 'true' type: boolean curve: description: The curve to use for an ECDSA key. Used when - key_type is 'ECDSA'. Required if 'allow_generate_key' - is true + key_type is ECDSA. Required if allow_generate_key is true. + The curve to use for an ECDSA key. Used when key_type + is 'ECDSA'. Required if 'allow_generate_key' is true type: string endpoint: - description: Used to specify a custom AWS endpoint + description: Used to specify a custom AWS endpoint. Used + to specify a custom AWS endpoint type: string keyBits: - description: The size in bits for an RSA key. This field - is required when 'key_type' is 'RSA' + description: The size in bits for an RSA key. The size in + bits for an RSA key. This field is required when 'key_type' + is 'RSA' type: string keyType: - description: The type of key to use + description: The type of key to use. 
The type of key to + use type: string kmsKey: - description: An identifier for the key + description: An identifier for the key. An identifier for + the key type: string name: description: A unique lowercase name that serves as identifying + the key. A unique lowercase name that serves as identifying the key type: string region: description: The AWS region where the keys are stored (or - will be stored) + will be stored). The AWS region where the keys are stored + (or will be stored) type: string secretKey: - description: The AWS secret key to use - type: string - required: - - accessKey - - keyBits - - keyType - - kmsKey - - name - - secretKey + description: The AWS access key to use. The AWS secret key + to use + type: string type: object type: array azure: @@ -138,6 +149,8 @@ spec: properties: allowGenerateKey: description: If no existing key can be found in the referenced + backend, instructs Vault to generate a key within the + backend. If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend type: boolean 
@@ -145,69 +158,350 @@ spec: description: Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations - are forbidden if a key exists. + are forbidden if a key exists. Controls the ability for + Vault to replace through generation or importing a key + into the configured backend even if a key is present, + if set to false those operations are forbidden if a key + exists. type: boolean allowStoreKey: description: Controls the ability for Vault to import a - key to the configured backend, if 'false', those operations + key to the configured backend, if false, those operations + will be forbidden. Controls the ability for Vault to import + a key to the configured backend, if 'false', those operations will be forbidden type: boolean anyMount: - description: Allow usage from any mount point within the - namespace if 'true' + description: If true, allows usage from any mount point + within the namespace. Allow usage from any mount point + within the namespace if 'true' type: boolean clientId: description: The client id for credentials to query the + Azure APIs. The client id for credentials to query the Azure APIs type: string clientSecret: description: The client secret for credentials to query + the Azure APIs. The client secret for credentials to query the Azure APIs type: string environment: description: The Azure Cloud environment API endpoints to + use. The Azure Cloud environment API endpoints to use + type: string + keyBits: + description: The size in bits for an RSA key. The size in + bits for an RSA key. This field is required when 'key_type' + is 'RSA' or when 'allow_generate_key' is true + type: string + keyName: + description: The Key Vault key to use for encryption and + decryption. The Key Vault key to use for encryption and + decryption + type: string + keyType: + description: The type of key to use. 
The type of key to + use + type: string + name: + description: A unique lowercase name that serves as identifying + the key. A unique lowercase name that serves as identifying + the key + type: string + resource: + description: The Azure Key Vault resource's DNS Suffix to + connect to. The Azure Key Vault resource's DNS Suffix + to connect to + type: string + tenantId: + description: The tenant id for the Azure Active Directory + organization. The tenant id for the Azure Active Directory + organization + type: string + vaultName: + description: The Key Vault vault to use for encryption and + decryption. The Key Vault vault to use the encryption + keys for encryption and decryption + type: string + type: object + type: array + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + pkcs: + description: Configuration block for PKCS Managed Keys + items: + properties: + allowGenerateKey: + description: If no existing key can be found in the referenced + backend, instructs Vault to generate a key within the + backend. If no existing key can be found in the referenced + backend, instructs Vault to generate a key within the + backend + type: boolean + allowReplaceKey: + description: Controls the ability for Vault to replace through + generation or importing a key into the configured backend + even if a key is present, if set to false those operations + are forbidden if a key exists. Controls the ability for + Vault to replace through generation or importing a key + into the configured backend even if a key is present, + if set to false those operations are forbidden if a key + exists. 
+ type: boolean + allowStoreKey: + description: Controls the ability for Vault to import a + key to the configured backend, if false, those operations + will be forbidden. Controls the ability for Vault to import + a key to the configured backend, if 'false', those operations + will be forbidden + type: boolean + anyMount: + description: If true, allows usage from any mount point + within the namespace. Allow usage from any mount point + within the namespace if 'true' + type: boolean + curve: + description: The curve to use for an ECDSA key. Used when + key_type is ECDSA. Required if allow_generate_key is true. + Supplies the curve value when using the 'CKM_ECDSA' mechanism. + Required if 'allow_generate_key' is true + type: string + forceRwSession: + description: Force all operations to open up a read-write + session to the HSM. Force all operations to open up a + read-write session to the HSM + type: string + keyBits: + description: The size in bits for an RSA key. Supplies the + size in bits of the key when using 'CKM_RSA_PKCS_PSS', + 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. + Required if 'allow_generate_key' is true + type: string + keyId: + description: The id of a PKCS#11 key to use. The id of a + PKCS#11 key to use + type: string + keyLabel: + description: The label of the key to use. The label of the + key to use + type: string + library: + description: The name of the kms_library stanza to use from + Vault's config to lookup the local library path. The name + of the kms_library stanza to use from Vault's config to + lookup the local library path + type: string + mechanism: + description: The encryption/decryption mechanism to use, + specified as a hexadecimal (prefixed by 0x) string. The + encryption/decryption mechanism to use, specified as a + hexadecimal (prefixed by 0x) string. + type: string + name: + description: A unique lowercase name that serves as identifying + the key. 
A unique lowercase name that serves as identifying + the key + type: string + pin: + description: The PIN for login. The PIN for login + type: string + slot: + description: The slot number to use, specified as a string + in a decimal format (e.g. 2305843009213693953). The slot + number to use, specified as a string in a decimal format + (e.g. '2305843009213693953') + type: string + tokenLabel: + description: The slot token label to use. The slot token + label to use + type: string + type: object + type: array + type: object + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + aws: + description: Configuration block for AWS Managed Keys + items: + properties: + accessKey: + description: The AWS access key to use. The AWS access key + to use + type: string + allowGenerateKey: + description: If no existing key can be found in the referenced + backend, instructs Vault to generate a key within the + backend. If no existing key can be found in the referenced + backend, instructs Vault to generate a key within the + backend + type: boolean + allowReplaceKey: + description: Controls the ability for Vault to replace through + generation or importing a key into the configured backend + even if a key is present, if set to false those operations + are forbidden if a key exists. 
Controls the ability for + Vault to replace through generation or importing a key + into the configured backend even if a key is present, + if set to false those operations are forbidden if a key + exists. + type: boolean + allowStoreKey: + description: Controls the ability for Vault to import a + key to the configured backend, if false, those operations + will be forbidden. Controls the ability for Vault to import + a key to the configured backend, if 'false', those operations + will be forbidden + type: boolean + anyMount: + description: If true, allows usage from any mount point + within the namespace. Allow usage from any mount point + within the namespace if 'true' + type: boolean + curve: + description: The curve to use for an ECDSA key. Used when + key_type is ECDSA. Required if allow_generate_key is true. + The curve to use for an ECDSA key. Used when key_type + is 'ECDSA'. Required if 'allow_generate_key' is true + type: string + endpoint: + description: Used to specify a custom AWS endpoint. Used + to specify a custom AWS endpoint + type: string + keyBits: + description: The size in bits for an RSA key. The size in + bits for an RSA key. This field is required when 'key_type' + is 'RSA' + type: string + keyType: + description: The type of key to use. The type of key to use type: string + kmsKey: + description: An identifier for the key. An identifier for + the key + type: string + name: + description: A unique lowercase name that serves as identifying + the key. A unique lowercase name that serves as identifying + the key + type: string + region: + description: The AWS region where the keys are stored (or + will be stored). The AWS region where the keys are stored + (or will be stored) + type: string + secretKey: + description: The AWS access key to use. 
The AWS secret key + to use + type: string + type: object + type: array + azure: + description: Configuration block for Azure Managed Keys + items: + properties: + allowGenerateKey: + description: If no existing key can be found in the referenced + backend, instructs Vault to generate a key within the + backend. If no existing key can be found in the referenced + backend, instructs Vault to generate a key within the + backend + type: boolean + allowReplaceKey: + description: Controls the ability for Vault to replace through + generation or importing a key into the configured backend + even if a key is present, if set to false those operations + are forbidden if a key exists. Controls the ability for + Vault to replace through generation or importing a key + into the configured backend even if a key is present, + if set to false those operations are forbidden if a key + exists. + type: boolean + allowStoreKey: + description: Controls the ability for Vault to import a + key to the configured backend, if false, those operations + will be forbidden. Controls the ability for Vault to import + a key to the configured backend, if 'false', those operations + will be forbidden + type: boolean + anyMount: + description: If true, allows usage from any mount point + within the namespace. Allow usage from any mount point + within the namespace if 'true' + type: boolean + clientId: + description: The client id for credentials to query the + Azure APIs. The client id for credentials to query the + Azure APIs + type: string + clientSecret: + description: The client secret for credentials to query + the Azure APIs. The client secret for credentials to query + the Azure APIs + type: string + environment: + description: The Azure Cloud environment API endpoints to + use. The Azure Cloud environment API endpoints to use + type: string keyBits: - description: The size in bits for an RSA key. 
This field - is required when 'key_type' is 'RSA' or when 'allow_generate_key' - is true + description: The size in bits for an RSA key. The size in + bits for an RSA key. This field is required when 'key_type' + is 'RSA' or when 'allow_generate_key' is true type: string keyName: description: The Key Vault key to use for encryption and + decryption. The Key Vault key to use for encryption and decryption type: string keyType: - description: The type of key to use + description: The type of key to use. The type of key to + use type: string name: description: A unique lowercase name that serves as identifying + the key. A unique lowercase name that serves as identifying the key type: string resource: description: The Azure Key Vault resource's DNS Suffix to - connect to + connect to. The Azure Key Vault resource's DNS Suffix + to connect to type: string tenantId: description: The tenant id for the Azure Active Directory + organization. The tenant id for the Azure Active Directory organization type: string vaultName: - description: The Key Vault vault to use the encryption keys - for encryption and decryption - type: string - required: - - clientId - - clientSecret - - keyName - - keyType - - name - - tenantId - - vaultName + description: The Key Vault vault to use for encryption and + decryption. The Key Vault vault to use the encryption + keys for encryption and decryption + type: string type: object type: array namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string pkcs: description: Configuration block for PKCS Managed Keys 
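Review bot: The `secretKey` (initProvider.aws), `clientSecret` (forProvider.azure and initProvider.azure) and `pin` (forProvider.pkcs) entries in this hunk are plain `type: string` schema fields, so an AWS secret key, an Azure client secret and an HSM login PIN end up verbatim in the Keys resource's spec — readable by anyone with `get` on the CR, persisted in etcd and typically committed to GitOps repositories — whereas the LDAP AuthBackend hunk in this same diff lists no `bindpass` under `initProvider`, which looks like the correct treatment of a credential. Because this CRD is generated, the fix belongs in the provider's resource configuration / Go type markers rather than here: mark those three attributes as sensitive so they render as `secretKeySecretRef`, `clientSecretSecretRef` and `pinSecretRef` pointing at a Kubernetes Secret, and are dropped from `initProvider` like other reference fields. Separately, the `secretKey` description reads `The AWS access key to use. The AWS secret key to use` — the first sentence is a copy of the access-key text and the source comment should say `The AWS secret key to use.` so the generated schema does not mislabel the credential. The upstream Go types and upjet config that produce this file are outside the diff, so the exact marker to change is inferred.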
@@ -215,6 +509,8 @@ spec: properties: allowGenerateKey: description: If no existing key can be found in the referenced + backend, instructs Vault to generate a key within the + backend. If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend type: boolean 
@@ -222,84 +518,108 @@ spec: description: Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations - are forbidden if a key exists. + are forbidden if a key exists. Controls the ability for + Vault to replace through generation or importing a key + into the configured backend even if a key is present, + if set to false those operations are forbidden if a key + exists. type: boolean allowStoreKey: description: Controls the ability for Vault to import a - key to the configured backend, if 'false', those operations + key to the configured backend, if false, those operations + will be forbidden. Controls the ability for Vault to import + a key to the configured backend, if 'false', those operations will be forbidden type: boolean anyMount: - description: Allow usage from any mount point within the - namespace if 'true' + description: If true, allows usage from any mount point + within the namespace. Allow usage from any mount point + within the namespace if 'true' type: boolean curve: - description: Supplies the curve value when using the 'CKM_ECDSA' - mechanism. Required if 'allow_generate_key' is true + description: The curve to use for an ECDSA key. Used when + key_type is ECDSA. Required if allow_generate_key is true. + Supplies the curve value when using the 'CKM_ECDSA' mechanism. + Required if 'allow_generate_key' is true type: string forceRwSession: description: Force all operations to open up a read-write - session to the HSM + session to the HSM. Force all operations to open up a + read-write session to the HSM type: string keyBits: - description: Supplies the size in bits of the key when using - 'CKM_RSA_PKCS_PSS', 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' - as a value for 'mechanism'. Required if 'allow_generate_key' - is true + description: The size in bits for an RSA key. 
Supplies the + size in bits of the key when using 'CKM_RSA_PKCS_PSS', + 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. + Required if 'allow_generate_key' is true type: string keyId: - description: The id of a PKCS#11 key to use + description: The id of a PKCS#11 key to use. The id of a + PKCS#11 key to use type: string keyLabel: - description: The label of the key to use + description: The label of the key to use. The label of the + key to use type: string library: description: The name of the kms_library stanza to use from - Vault's config to lookup the local library path + Vault's config to lookup the local library path. The name + of the kms_library stanza to use from Vault's config to + lookup the local library path type: string mechanism: description: The encryption/decryption mechanism to use, - specified as a hexadecimal (prefixed by 0x) string. + specified as a hexadecimal (prefixed by 0x) string. The + encryption/decryption mechanism to use, specified as a + hexadecimal (prefixed by 0x) string. type: string name: description: A unique lowercase name that serves as identifying + the key. A unique lowercase name that serves as identifying the key type: string pin: - description: The PIN for login + description: The PIN for login. The PIN for login type: string slot: description: The slot number to use, specified as a string - in a decimal format (e.g. '2305843009213693953') + in a decimal format (e.g. 2305843009213693953). The slot + number to use, specified as a string in a decimal format + (e.g. '2305843009213693953') type: string tokenLabel: - description: The slot token label to use - type: string - required: - - keyId - - keyLabel - - library - - mechanism - - name - - pin + description: The slot token label to use. The slot token + label to use + type: string type: object type: array type: object - managementPolicy: - default: FullControl + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. 
Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -481,10 +801,13 @@ spec: items: properties: accessKey: - description: The AWS access key to use + description: The AWS access key to use. The AWS access key + to use type: string allowGenerateKey: description: If no existing key can be found in the referenced + backend, instructs Vault to generate a key within the + backend. If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend type: boolean 
@@ -492,45 +815,60 @@ spec: description: Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations - are forbidden if a key exists. + are forbidden if a key exists. Controls the ability for + Vault to replace through generation or importing a key + into the configured backend even if a key is present, + if set to false those operations are forbidden if a key + exists. type: boolean allowStoreKey: description: Controls the ability for Vault to import a - key to the configured backend, if 'false', those operations + key to the configured backend, if false, those operations + will be forbidden. Controls the ability for Vault to import + a key to the configured backend, if 'false', those operations will be forbidden type: boolean anyMount: - description: Allow usage from any mount point within the - namespace if 'true' + description: If true, allows usage from any mount point + within the namespace. Allow usage from any mount point + within the namespace if 'true' type: boolean curve: description: The curve to use for an ECDSA key. Used when - key_type is 'ECDSA'. Required if 'allow_generate_key' - is true + key_type is ECDSA. Required if allow_generate_key is true. + The curve to use for an ECDSA key. Used when key_type + is 'ECDSA'. Required if 'allow_generate_key' is true type: string endpoint: - description: Used to specify a custom AWS endpoint + description: Used to specify a custom AWS endpoint. Used + to specify a custom AWS endpoint type: string keyBits: - description: The size in bits for an RSA key. This field - is required when 'key_type' is 'RSA' + description: The size in bits for an RSA key. The size in + bits for an RSA key. This field is required when 'key_type' + is 'RSA' type: string keyType: - description: The type of key to use + description: The type of key to use. 
The type of key to + use type: string kmsKey: - description: An identifier for the key + description: An identifier for the key. An identifier for + the key type: string name: description: A unique lowercase name that serves as identifying + the key. A unique lowercase name that serves as identifying the key type: string region: description: The AWS region where the keys are stored (or - will be stored) + will be stored). The AWS region where the keys are stored + (or will be stored) type: string secretKey: - description: The AWS secret key to use + description: The AWS access key to use. The AWS secret key + to use type: string uuid: description: ID of the managed key read from Vault @@ -543,6 +881,8 @@ spec: properties: allowGenerateKey: description: If no existing key can be found in the referenced + backend, instructs Vault to generate a key within the + backend. If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend type: boolean 
@@ -550,66 +890,85 @@ spec: description: Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations - are forbidden if a key exists. + are forbidden if a key exists. Controls the ability for + Vault to replace through generation or importing a key + into the configured backend even if a key is present, + if set to false those operations are forbidden if a key + exists. type: boolean allowStoreKey: description: Controls the ability for Vault to import a - key to the configured backend, if 'false', those operations + key to the configured backend, if false, those operations + will be forbidden. Controls the ability for Vault to import + a key to the configured backend, if 'false', those operations will be forbidden type: boolean anyMount: - description: Allow usage from any mount point within the - namespace if 'true' + description: If true, allows usage from any mount point + within the namespace. Allow usage from any mount point + within the namespace if 'true' type: boolean clientId: description: The client id for credentials to query the + Azure APIs. The client id for credentials to query the Azure APIs type: string clientSecret: description: The client secret for credentials to query + the Azure APIs. The client secret for credentials to query the Azure APIs type: string environment: description: The Azure Cloud environment API endpoints to - use + use. The Azure Cloud environment API endpoints to use type: string keyBits: - description: The size in bits for an RSA key. This field - is required when 'key_type' is 'RSA' or when 'allow_generate_key' - is true + description: The size in bits for an RSA key. The size in + bits for an RSA key. This field is required when 'key_type' + is 'RSA' or when 'allow_generate_key' is true type: string keyName: description: The Key Vault key to use for encryption and + decryption. 
The Key Vault key to use for encryption and decryption type: string keyType: - description: The type of key to use + description: The type of key to use. The type of key to + use type: string name: description: A unique lowercase name that serves as identifying + the key. A unique lowercase name that serves as identifying the key type: string resource: description: The Azure Key Vault resource's DNS Suffix to - connect to + connect to. The Azure Key Vault resource's DNS Suffix + to connect to type: string tenantId: description: The tenant id for the Azure Active Directory + organization. The tenant id for the Azure Active Directory organization type: string uuid: description: ID of the managed key read from Vault type: string vaultName: - description: The Key Vault vault to use the encryption keys - for encryption and decryption + description: The Key Vault vault to use for encryption and + decryption. The Key Vault vault to use the encryption + keys for encryption and decryption type: string type: object type: array id: type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string pkcs: description: Configuration block for PKCS Managed Keys @@ -617,6 +976,8 @@ spec: properties: allowGenerateKey: description: If no existing key can be found in the referenced + backend, instructs Vault to generate a key within the + backend. If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend type: boolean 
@@ -624,58 +985,78 @@ spec: description: Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations - are forbidden if a key exists. + are forbidden if a key exists. Controls the ability for + Vault to replace through generation or importing a key + into the configured backend even if a key is present, + if set to false those operations are forbidden if a key + exists. type: boolean allowStoreKey: description: Controls the ability for Vault to import a - key to the configured backend, if 'false', those operations + key to the configured backend, if false, those operations + will be forbidden. Controls the ability for Vault to import + a key to the configured backend, if 'false', those operations will be forbidden type: boolean anyMount: - description: Allow usage from any mount point within the - namespace if 'true' + description: If true, allows usage from any mount point + within the namespace. Allow usage from any mount point + within the namespace if 'true' type: boolean curve: - description: Supplies the curve value when using the 'CKM_ECDSA' - mechanism. Required if 'allow_generate_key' is true + description: The curve to use for an ECDSA key. Used when + key_type is ECDSA. Required if allow_generate_key is true. + Supplies the curve value when using the 'CKM_ECDSA' mechanism. + Required if 'allow_generate_key' is true type: string forceRwSession: description: Force all operations to open up a read-write - session to the HSM + session to the HSM. Force all operations to open up a + read-write session to the HSM type: string keyBits: - description: Supplies the size in bits of the key when using - 'CKM_RSA_PKCS_PSS', 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' - as a value for 'mechanism'. Required if 'allow_generate_key' - is true + description: The size in bits for an RSA key. 
Supplies the + size in bits of the key when using 'CKM_RSA_PKCS_PSS', + 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. + Required if 'allow_generate_key' is true type: string keyId: - description: The id of a PKCS#11 key to use + description: The id of a PKCS#11 key to use. The id of a + PKCS#11 key to use type: string keyLabel: - description: The label of the key to use + description: The label of the key to use. The label of the + key to use type: string library: description: The name of the kms_library stanza to use from - Vault's config to lookup the local library path + Vault's config to lookup the local library path. The name + of the kms_library stanza to use from Vault's config to + lookup the local library path type: string mechanism: description: The encryption/decryption mechanism to use, - specified as a hexadecimal (prefixed by 0x) string. + specified as a hexadecimal (prefixed by 0x) string. The + encryption/decryption mechanism to use, specified as a + hexadecimal (prefixed by 0x) string. type: string name: description: A unique lowercase name that serves as identifying + the key. A unique lowercase name that serves as identifying the key type: string pin: - description: The PIN for login + description: The PIN for login. The PIN for login type: string slot: description: The slot number to use, specified as a string - in a decimal format (e.g. '2305843009213693953') + in a decimal format (e.g. 2305843009213693953). The slot + number to use, specified as a string in a decimal format + (e.g. '2305843009213693953') type: string tokenLabel: - description: The slot token label to use + description: The slot token label to use. The slot token + label to use type: string uuid: description: ID of the managed key read from Vault diff --git a/package/crds/mfa.vault.upbound.io_duoes.yaml b/package/crds/mfa.vault.upbound.io_duoes.yaml index 67d4f554..033fc9e1 100644 --- a/package/crds/mfa.vault.upbound.io_duoes.yaml 
+++ b/package/crds/mfa.vault.upbound.io_duoes.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: duoes.mfa.vault.upbound.io spec: group: mfa.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: Duo is the Schema for the Duos API. + description: Duo is the Schema for the Duos API. Managing the MFA Duo method + configuration properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' @@ -68,10 +68,10 @@ spec: forProvider: properties: apiHostname: - description: API hostname for Duo. + description: API hostname for Duo. API hostname for Duo. type: string integrationKeySecretRef: - description: Integration key for Duo. + description: Integration key for Duo. Integration key for Duo. properties: key: description: The key to select. 
@@ -90,19 +90,27 @@ spec: mountAccessor: description: The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated - with this mount as the username in the mapping. + with this mount as the username in the mapping. The mount to + tie this method to for use in automatic mappings. The mapping + will use the Name field of Aliases associated with this mount + as the username in the mapping. type: string name: - description: Name of the MFA method. + description: '(string: ) – Name of the MFA method. Name + of the MFA method.' type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string pushInfo: - description: Push information for Duo. + description: Push information for Duo. Push information for Duo. type: string secretKeySecretRef: - description: Secret key for Duo. + description: Secret key for Duo. Secret key for Duo. properties: key: description: The key to select. 
@@ -119,25 +127,87 @@ spec: - namespace type: object usernameFormat: - description: A format string for mapping Identity names to MFA - method names. Values to substitute should be placed in `{{}}`. + description: 'A format string for mapping Identity names to MFA + method names. Values to substitute should be placed in {{}}. + For example, "{{alias.name}}@example.com". If blank, the Alias''s + Name field will be used as-is. Currently-supported mappings: + A format string for mapping Identity names to MFA method names. + Values to substitute should be placed in `{{}}`.' type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + apiHostname: + description: API hostname for Duo. API hostname for Duo. + type: string + mountAccessor: + description: The mount to tie this method to for use in automatic + mappings. The mapping will use the Name field of Aliases associated + with this mount as the username in the mapping. The mount to + tie this method to for use in automatic mappings. The mapping + will use the Name field of Aliases associated with this mount + as the username in the mapping. + type: string + name: + description: '(string: ) – Name of the MFA method. Name + of the MFA method.' 
+ type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + pushInfo: + description: Push information for Duo. Push information for Duo. + type: string + usernameFormat: + description: 'A format string for mapping Identity names to MFA + method names. Values to substitute should be placed in {{}}. + For example, "{{alias.name}}@example.com". If blank, the Alias''s + Name field will be used as-is. Currently-supported mappings: + A format string for mapping Identity names to MFA method names. + Values to substitute should be placed in `{{}}`.' + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. 
Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -311,42 +381,62 @@ spec: type: object x-kubernetes-validations: - message: apiHostname is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.apiHostname) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.apiHostname) + || has(self.initProvider.apiHostname)' - message: integrationKeySecretRef is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.integrationKeySecretRef) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.integrationKeySecretRef)' - message: mountAccessor is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.mountAccessor) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.mountAccessor) + || has(self.initProvider.mountAccessor)' - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' - message: secretKeySecretRef is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.secretKeySecretRef) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.secretKeySecretRef)' status: description: DuoStatus defines the observed state of Duo. properties: atProvider: properties: apiHostname: - description: API hostname for Duo. + description: API hostname for Duo. API hostname for Duo. 
type: string id: type: string mountAccessor: description: The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated - with this mount as the username in the mapping. + with this mount as the username in the mapping. The mount to + tie this method to for use in automatic mappings. The mapping + will use the Name field of Aliases associated with this mount + as the username in the mapping. type: string name: - description: Name of the MFA method. + description: '(string: ) – Name of the MFA method. Name + of the MFA method.' type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string pushInfo: - description: Push information for Duo. + description: Push information for Duo. Push information for Duo. type: string usernameFormat: - description: A format string for mapping Identity names to MFA - method names. Values to substitute should be placed in `{{}}`. + description: 'A format string for mapping Identity names to MFA + method names. Values to substitute should be placed in {{}}. + For example, "{{alias.name}}@example.com". If blank, the Alias''s + Name field will be used as-is. Currently-supported mappings: + A format string for mapping Identity names to MFA method names. + Values to substitute should be placed in `{{}}`.' type: string type: object conditions: diff --git a/package/crds/mfa.vault.upbound.io_okta.yaml b/package/crds/mfa.vault.upbound.io_oktas.yaml similarity index 63% rename from package/crds/mfa.vault.upbound.io_okta.yaml rename to package/crds/mfa.vault.upbound.io_oktas.yaml index 0c078dd9..a02ac9c2 100644 --- a/package/crds/mfa.vault.upbound.io_okta.yaml 
+++ b/package/crds/mfa.vault.upbound.io_oktas.yaml @@ -3,9 +3,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null - name: okta.mfa.vault.upbound.io + controller-gen.kubebuilder.io/version: v0.12.1 + name: oktas.mfa.vault.upbound.io spec: group: mfa.vault.upbound.io names: @@ -15,7 +14,7 @@ spec: - vault kind: Okta listKind: OktaList - plural: okta + plural: oktas singular: okta scope: Cluster versions: @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: Okta is the Schema for the Oktas API. + description: Okta is the Schema for the Oktas API. Managing the MFA Okta method + configuration properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' @@ -68,7 +68,7 @@ spec: forProvider: properties: apiTokenSecretRef: - description: Okta API key. + description: Okta API key. Okta API key. properties: key: description: The key to select. 
@@ -86,45 +86,127 @@ spec: type: object baseUrl: description: If set, will be used as the base domain for API requests. + Examples are okta.com, oktapreview.com, and okta-emea.com. If + set, will be used as the base domain for API requests. type: string mountAccessor: description: The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated - with this mount as the username in the mapping. + with this mount as the username in the mapping. The mount to + tie this method to for use in automatic mappings. The mapping + will use the Name field of Aliases associated with this mount + as the username in the mapping. type: string name: - description: Name of the MFA method. + description: '(string: ) – Name of the MFA method. Name + of the MFA method.' type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string orgName: description: Name of the organization to be used in the Okta API. + Name of the organization to be used in the Okta API. type: string primaryEmail: description: If set to true, the username will only match the - primary email for the account. + primary email for the account. If set to true, the username + will only match the primary email for the account. type: boolean usernameFormat: - description: A format string for mapping Identity names to MFA - method names. Values to substitute should be placed in `{{}}`. + description: 'A format string for mapping Identity names to MFA + method names. Values to substitute should be placed in {{}}. + For example, "{{alias.name}}@example.com". If blank, the Alias''s + Name field will be used as-is. 
Currently-supported mappings: + A format string for mapping Identity names to MFA method names. + Values to substitute should be placed in `{{}}`.' type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + baseUrl: + description: If set, will be used as the base domain for API requests. + Examples are okta.com, oktapreview.com, and okta-emea.com. If + set, will be used as the base domain for API requests. + type: string + mountAccessor: + description: The mount to tie this method to for use in automatic + mappings. The mapping will use the Name field of Aliases associated + with this mount as the username in the mapping. The mount to + tie this method to for use in automatic mappings. The mapping + will use the Name field of Aliases associated with this mount + as the username in the mapping. + type: string + name: + description: '(string: ) – Name of the MFA method. Name + of the MFA method.' + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. 
(requires + Enterprise) + type: string + orgName: + description: Name of the organization to be used in the Okta API. + Name of the organization to be used in the Okta API. + type: string + primaryEmail: + description: If set to true, the username will only match the + primary email for the account. If set to true, the username + will only match the primary email for the account. + type: boolean + usernameFormat: + description: 'A format string for mapping Identity names to MFA + method names. Values to substitute should be placed in {{}}. + For example, "{{alias.name}}@example.com". If blank, the Alias''s + Name field will be used as-is. Currently-supported mappings: + A format string for mapping Identity names to MFA method names. + Values to substitute should be placed in `{{}}`.' + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. 
If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -298,13 +380,20 @@ spec: type: object x-kubernetes-validations: - message: apiTokenSecretRef is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.apiTokenSecretRef) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.apiTokenSecretRef)' - message: mountAccessor is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.mountAccessor) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.mountAccessor) + || has(self.initProvider.mountAccessor)' - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' - message: orgName is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.orgName) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.orgName) + || has(self.initProvider.orgName)' status: description: OktaStatus defines the observed state of Okta. properties: 
@@ -312,30 +401,46 @@ spec: properties: baseUrl: description: If set, will be used as the base domain for API requests. + Examples are okta.com, oktapreview.com, and okta-emea.com. If + set, will be used as the base domain for API requests. type: string id: type: string mountAccessor: description: The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated - with this mount as the username in the mapping. + with this mount as the username in the mapping. The mount to + tie this method to for use in automatic mappings. The mapping + will use the Name field of Aliases associated with this mount + as the username in the mapping. type: string name: - description: Name of the MFA method. + description: '(string: ) – Name of the MFA method. Name + of the MFA method.' type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string orgName: description: Name of the organization to be used in the Okta API. + Name of the organization to be used in the Okta API. type: string primaryEmail: description: If set to true, the username will only match the - primary email for the account. + primary email for the account. If set to true, the username + will only match the primary email for the account. type: boolean usernameFormat: - description: A format string for mapping Identity names to MFA - method names. Values to substitute should be placed in `{{}}`. + description: 'A format string for mapping Identity names to MFA + method names. Values to substitute should be placed in {{}}. + For example, "{{alias.name}}@example.com". If blank, the Alias''s + Name field will be used as-is. 
Currently-supported mappings: + A format string for mapping Identity names to MFA method names. + Values to substitute should be placed in `{{}}`.' type: string type: object conditions: diff --git a/package/crds/mfa.vault.upbound.io_pingids.yaml b/package/crds/mfa.vault.upbound.io_pingids.yaml index e03d1b01..e34f3731 100644 --- a/package/crds/mfa.vault.upbound.io_pingids.yaml +++ b/package/crds/mfa.vault.upbound.io_pingids.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: pingids.mfa.vault.upbound.io spec: group: mfa.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: Pingid is the Schema for the Pingids API. + description: Pingid is the Schema for the Pingids API. Managing the MFA PingID + method configuration properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -70,38 +70,108 @@ spec: mountAccessor: description: The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated - with this mount as the username in the mapping. + with this mount as the username in the mapping. The mount to + tie this method to for use in automatic mappings. The mapping + will use the Name field of Aliases associated with this mount + as the username in the mapping. type: string name: - description: Name of the MFA method. + description: '(string: ) – Name of the MFA method. Name + of the MFA method.' type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string settingsFileBase64: description: A base64-encoded third-party settings file retrieved - from PingID's configuration page. + from PingID's configuration page. A base64-encoded third-party + settings file retrieved from PingID's configuration page. type: string usernameFormat: - description: A format string for mapping Identity names to MFA - method names. Values to substitute should be placed in `{{}}`. + description: 'A format string for mapping Identity names to MFA + method names. Values to substitute should be placed in {{}}. + For example, "{{alias.name}}@example.com". If blank, the Alias''s + Name field will be used as-is. Currently-supported mappings: + A format string for mapping Identity names to MFA method names. + Values to substitute should be placed in `{{}}`.' type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. 
+ It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + mountAccessor: + description: The mount to tie this method to for use in automatic + mappings. The mapping will use the Name field of Aliases associated + with this mount as the username in the mapping. The mount to + tie this method to for use in automatic mappings. The mapping + will use the Name field of Aliases associated with this mount + as the username in the mapping. + type: string + name: + description: '(string: ) – Name of the MFA method. Name + of the MFA method.' + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + settingsFileBase64: + description: A base64-encoded third-party settings file retrieved + from PingID's configuration page. A base64-encoded third-party + settings file retrieved from PingID's configuration page. + type: string + usernameFormat: + description: 'A format string for mapping Identity names to MFA + method names. Values to substitute should be placed in {{}}. + For example, "{{alias.name}}@example.com". If blank, the Alias''s + Name field will be used as-is. 
Currently-supported mappings: + A format string for mapping Identity names to MFA method names. + Values to substitute should be placed in `{{}}`.' + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. 
+ enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -275,58 +345,85 @@ spec: type: object x-kubernetes-validations: - message: mountAccessor is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.mountAccessor) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.mountAccessor) + || has(self.initProvider.mountAccessor)' - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' - message: settingsFileBase64 is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.settingsFileBase64) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.settingsFileBase64) + || has(self.initProvider.settingsFileBase64)' status: description: PingidStatus defines the observed state of Pingid. properties: atProvider: properties: adminUrl: - description: Admin URL computed by Vault. + description: (string) – Admin URL computed by Vault Admin URL + computed by Vault. type: string authenticatorUrl: - description: Authenticator URL computed by Vault. + description: (string) – Authenticator URL computed by Vault Authenticator + URL computed by Vault. type: string id: + description: (string) – ID computed by Vault type: string idpUrl: - description: IDP URL computed by Vault. + description: (string) – IDP URL computed by Vault IDP URL computed + by Vault. type: string mountAccessor: description: The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated - with this mount as the username in the mapping. + with this mount as the username in the mapping. 
The mount to + tie this method to for use in automatic mappings. The mapping + will use the Name field of Aliases associated with this mount + as the username in the mapping. type: string name: - description: Name of the MFA method. + description: '(string: ) – Name of the MFA method. Name + of the MFA method.' type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string namespaceId: - description: Namespace ID computed by Vault. + description: (string) – Namespace ID computed by Vault Namespace + ID computed by Vault. type: string orgAlias: - description: Org Alias computed by Vault. + description: (string) – Org Alias computed by Vault Org Alias + computed by Vault. type: string settingsFileBase64: description: A base64-encoded third-party settings file retrieved - from PingID's configuration page. + from PingID's configuration page. A base64-encoded third-party + settings file retrieved from PingID's configuration page. type: string type: - description: Type of configuration computed by Vault. + description: (string) – Type of configuration computed by Vault + Type of configuration computed by Vault. type: string useSignature: - description: If set, enables use of PingID signature. Computed - by Vault + description: (string) – If set to true, enables use of PingID + signature. Computed by Vault If set, enables use of PingID signature. + Computed by Vault type: boolean usernameFormat: - description: A format string for mapping Identity names to MFA - method names. Values to substitute should be placed in `{{}}`. + description: 'A format string for mapping Identity names to MFA + method names. Values to substitute should be placed in {{}}. 
+ For example, "{{alias.name}}@example.com". If blank, the Alias''s + Name field will be used as-is. Currently-supported mappings: + A format string for mapping Identity names to MFA method names. + Values to substitute should be placed in `{{}}`.' type: string type: object conditions: diff --git a/package/crds/mfa.vault.upbound.io_totps.yaml b/package/crds/mfa.vault.upbound.io_totps.yaml index c3ca1643..f71c442e 100644 --- a/package/crds/mfa.vault.upbound.io_totps.yaml +++ b/package/crds/mfa.vault.upbound.io_totps.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: totps.mfa.vault.upbound.io spec: group: mfa.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: Totp is the Schema for the Totps API. + description: Totp is the Schema for the Totps API. Managing the MFA TOTP method + configuration properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,51 +69,135 @@ spec: properties: algorithm: description: Specifies the hashing algorithm used to generate - the TOTP code. Options include 'SHA1', 'SHA256' and 'SHA512'. + the TOTP code. Options include SHA1, SHA256 and SHA512 Specifies + the hashing algorithm used to generate the TOTP code. Options + include 'SHA1', 'SHA256' and 'SHA512'. type: string digits: description: The number of digits in the generated TOTP token. - This value can either be 6 or 8. + This value can either be 6 or 8. The number of digits in the + generated TOTP token. This value can either be 6 or 8. type: number issuer: - description: The name of the key's issuing organization. + description: The name of the key's issuing organization. The name + of the key's issuing organization. type: string keySize: description: Specifies the size in bytes of the generated key. + Specifies the size in bytes of the generated key. type: number name: - description: Name of the MFA method. + description: '(string: ) – Name of the MFA method. Name + of the MFA method.' type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string period: description: The length of time used to generate a counter for - the TOTP token calculation. + the TOTP token calculation. The length of time used to generate + a counter for the TOTP token calculation. type: number qrSize: - description: The pixel size of the generated square QR code. + description: The pixel size of the generated square QR code. The + pixel size of the generated square QR code. type: number skew: description: The number of delay periods that are allowed when - validating a TOTP token. This value can either be 0 or 1. + validating a TOTP token. 
This value can either be 0 or 1. The + number of delay periods that are allowed when validating a TOTP + token. This value can either be 0 or 1. type: number type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + algorithm: + description: Specifies the hashing algorithm used to generate + the TOTP code. Options include SHA1, SHA256 and SHA512 Specifies + the hashing algorithm used to generate the TOTP code. Options + include 'SHA1', 'SHA256' and 'SHA512'. + type: string + digits: + description: The number of digits in the generated TOTP token. + This value can either be 6 or 8. The number of digits in the + generated TOTP token. This value can either be 6 or 8. + type: number + issuer: + description: The name of the key's issuing organization. The name + of the key's issuing organization. + type: string + keySize: + description: Specifies the size in bytes of the generated key. + Specifies the size in bytes of the generated key. + type: number + name: + description: '(string: ) – Name of the MFA method. Name + of the MFA method.' + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. 
The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + period: + description: The length of time used to generate a counter for + the TOTP token calculation. The length of time used to generate + a counter for the TOTP token calculation. + type: number + qrSize: + description: The pixel size of the generated square QR code. The + pixel size of the generated square QR code. + type: number + skew: + description: The number of delay periods that are allowed when + validating a TOTP token. This value can either be 0 or 1. The + number of delay periods that are allowed when validating a TOTP + token. This value can either be 0 or 1. + type: number + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. 
If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -287,9 +371,13 @@ spec: type: object x-kubernetes-validations: - message: issuer is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.issuer) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.issuer) + || has(self.initProvider.issuer)' - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' status: description: TotpStatus defines the observed state of Totp. properties: 
@@ -297,36 +385,50 @@ spec: properties: algorithm: description: Specifies the hashing algorithm used to generate - the TOTP code. Options include 'SHA1', 'SHA256' and 'SHA512'. + the TOTP code. Options include SHA1, SHA256 and SHA512 Specifies + the hashing algorithm used to generate the TOTP code. Options + include 'SHA1', 'SHA256' and 'SHA512'. type: string digits: description: The number of digits in the generated TOTP token. - This value can either be 6 or 8. + This value can either be 6 or 8. The number of digits in the + generated TOTP token. This value can either be 6 or 8. type: number id: type: string issuer: - description: The name of the key's issuing organization. + description: The name of the key's issuing organization. The name + of the key's issuing organization. type: string keySize: description: Specifies the size in bytes of the generated key. + Specifies the size in bytes of the generated key. type: number name: - description: Name of the MFA method. + description: '(string: ) – Name of the MFA method. Name + of the MFA method.' type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string period: description: The length of time used to generate a counter for - the TOTP token calculation. + the TOTP token calculation. The length of time used to generate + a counter for the TOTP token calculation. type: number qrSize: - description: The pixel size of the generated square QR code. + description: The pixel size of the generated square QR code. The + pixel size of the generated square QR code. type: number skew: description: The number of delay periods that are allowed when - validating a TOTP token. This value can either be 0 or 1. 
+ validating a TOTP token. This value can either be 0 or 1. The + number of delay periods that are allowed when validating a TOTP + token. This value can either be 0 or 1. type: number type: object conditions: diff --git a/package/crds/mongodbatlas.vault.upbound.io_secretbackends.yaml b/package/crds/mongodbatlas.vault.upbound.io_secretbackends.yaml index 98db4eee..396e4c54 100644 --- a/package/crds/mongodbatlas.vault.upbound.io_secretbackends.yaml +++ b/package/crds/mongodbatlas.vault.upbound.io_secretbackends.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackends.mongodbatlas.vault.upbound.io spec: group: mongodbatlas.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: SecretBackend is the Schema for the SecretBackends API. + description: SecretBackend is the Schema for the SecretBackends API. Creates + a MongoDB Atlas secret backend for Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -68,35 +68,88 @@ spec: forProvider: properties: mount: - description: Path where MongoDB Atlas secret backend is mounted + description: Path where the MongoDB Atlas Secrets Engine is mounted. + Path where MongoDB Atlas secret backend is mounted type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string privateKey: - description: The Private Programmatic API Key used to connect - with MongoDB Atlas API + description: Specifies the Private API Key used to authenticate + with the MongoDB Atlas API. The Private Programmatic API Key + used to connect with MongoDB Atlas API type: string publicKey: - description: The Public Programmatic API Key used to authenticate - with the MongoDB Atlas API + description: Specifies the Public API Key used to authenticate + with the MongoDB Atlas API. The Public Programmatic API Key + used to authenticate with the MongoDB Atlas API type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. 
This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + mount: + description: Path where the MongoDB Atlas Secrets Engine is mounted. + Path where MongoDB Atlas secret backend is mounted + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + privateKey: + description: Specifies the Private API Key used to authenticate + with the MongoDB Atlas API. The Private Programmatic API Key + used to connect with MongoDB Atlas API + type: string + publicKey: + description: Specifies the Public API Key used to authenticate + with the MongoDB Atlas API. The Public Programmatic API Key + used to authenticate with the MongoDB Atlas API + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. 
ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -270,11 +323,17 @@ spec: type: object x-kubernetes-validations: - message: mount is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.mount) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.mount) + || has(self.initProvider.mount)' - message: privateKey is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.privateKey) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.privateKey) + || has(self.initProvider.privateKey)' - message: publicKey is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.publicKey) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.publicKey) + || has(self.initProvider.publicKey)' status: description: SecretBackendStatus defines the observed state of SecretBackend. properties: 
@@ -283,21 +342,28 @@ spec: id: type: string mount: - description: Path where MongoDB Atlas secret backend is mounted + description: Path where the MongoDB Atlas Secrets Engine is mounted. + Path where MongoDB Atlas secret backend is mounted type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: description: Path where MongoDB Atlas configuration is located type: string privateKey: - description: The Private Programmatic API Key used to connect - with MongoDB Atlas API + description: Specifies the Private API Key used to authenticate + with the MongoDB Atlas API. The Private Programmatic API Key + used to connect with MongoDB Atlas API type: string publicKey: - description: The Public Programmatic API Key used to authenticate - with the MongoDB Atlas API + description: Specifies the Public API Key used to authenticate + with the MongoDB Atlas API. The Public Programmatic API Key + used to authenticate with the MongoDB Atlas API type: string type: object conditions: diff --git a/package/crds/mongodbatlas.vault.upbound.io_secretroles.yaml b/package/crds/mongodbatlas.vault.upbound.io_secretroles.yaml index 18e0ea18..38711200 100644 --- a/package/crds/mongodbatlas.vault.upbound.io_secretroles.yaml +++ b/package/crds/mongodbatlas.vault.upbound.io_secretroles.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretroles.mongodbatlas.vault.upbound.io spec: group: mongodbatlas.vault.upbound.io 
@@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: SecretRole is the Schema for the SecretRoles API. + description: SecretRole is the Schema for the SecretRoles API. Creates a role + for the MongoDB Atlas Secret Engine in Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,67 +69,165 @@ spec: properties: cidrBlocks: description: Whitelist entry in CIDR notation to be added for + the API key. Whitelist entry in CIDR notation to be added for the API key items: type: string type: array ipAddresses: description: IP address to be added to the whitelist for the API - key + key. IP address to be added to the whitelist for the API key items: type: string type: array maxTtl: description: The maximum allowed lifetime of credentials issued - using this role + using this role. The maximum allowed lifetime of credentials + issued using this role type: string mount: - description: Path where MongoDB Atlas secret backend is mounted + description: Path where the MongoDB Atlas Secrets Engine is mounted. + Path where MongoDB Atlas secret backend is mounted type: string name: - description: Name of the role + description: The name of the role. Name of the role type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string organizationId: - description: ID for the organization to which the target API Key - belongs + description: Unique identifier for the organization to which the + target API Key belongs. Required if project_id is not set. ID + for the organization to which the target API Key belongs type: string projectId: - description: ID for the project to which the target API Key belongs + description: Unique identifier for the project to which the target + API Key belongs. Required if organization_id is not set. ID + for the project to which the target API Key belongs type: string projectRoles: description: Roles assigned when an org API key is assigned to - a project API key + a project API key. 
Roles assigned when an org API key is assigned + to a project API key items: type: string type: array roles: - description: List of roles that the API Key needs to have + description: List of roles that the API Key needs to have. List + of roles that the API Key needs to have items: type: string type: array ttl: description: Duration in seconds after which the issued credential + should expire. Duration in seconds after which the issued credential should expire type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + cidrBlocks: + description: Whitelist entry in CIDR notation to be added for + the API key. Whitelist entry in CIDR notation to be added for + the API key + items: + type: string + type: array + ipAddresses: + description: IP address to be added to the whitelist for the API + key. IP address to be added to the whitelist for the API key + items: + type: string + type: array + maxTtl: + description: The maximum allowed lifetime of credentials issued + using this role. The maximum allowed lifetime of credentials + issued using this role + type: string + mount: + description: Path where the MongoDB Atlas Secrets Engine is mounted. 
+ Path where MongoDB Atlas secret backend is mounted + type: string + name: + description: The name of the role. Name of the role + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + organizationId: + description: Unique identifier for the organization to which the + target API Key belongs. Required if project_id is not set. ID + for the organization to which the target API Key belongs + type: string + projectId: + description: Unique identifier for the project to which the target + API Key belongs. Required if organization_id is not set. ID + for the project to which the target API Key belongs + type: string + projectRoles: + description: Roles assigned when an org API key is assigned to + a project API key. Roles assigned when an org API key is assigned + to a project API key + items: + type: string + type: array + roles: + description: List of roles that the API Key needs to have. List + of roles that the API Key needs to have + items: + type: string + type: array + ttl: + description: Duration in seconds after which the issued credential + should expire. Duration in seconds after which the issued credential + should expire + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. 
- See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -303,11 +401,17 @@ spec: type: object x-kubernetes-validations: - message: mount is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.mount) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.mount) + || has(self.initProvider.mount)' - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' - message: roles is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.roles) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.roles) + || has(self.initProvider.roles)' status: description: SecretRoleStatus defines the observed state of SecretRole. properties: @@ -315,6 +419,7 @@ spec: properties: cidrBlocks: description: Whitelist entry in CIDR notation to be added for + the API key. Whitelist entry in CIDR notation to be added for the API key items: type: string 
@@ -323,43 +428,55 @@ spec: type: string ipAddresses: description: IP address to be added to the whitelist for the API - key + key. IP address to be added to the whitelist for the API key items: type: string type: array maxTtl: description: The maximum allowed lifetime of credentials issued - using this role + using this role. The maximum allowed lifetime of credentials + issued using this role type: string mount: - description: Path where MongoDB Atlas secret backend is mounted + description: Path where the MongoDB Atlas Secrets Engine is mounted. + Path where MongoDB Atlas secret backend is mounted type: string name: - description: Name of the role + description: The name of the role. Name of the role type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string organizationId: - description: ID for the organization to which the target API Key - belongs + description: Unique identifier for the organization to which the + target API Key belongs. Required if project_id is not set. ID + for the organization to which the target API Key belongs type: string projectId: - description: ID for the project to which the target API Key belongs + description: Unique identifier for the project to which the target + API Key belongs. Required if organization_id is not set. ID + for the project to which the target API Key belongs type: string projectRoles: description: Roles assigned when an org API key is assigned to - a project API key + a project API key. 
Roles assigned when an org API key is assigned + to a project API key items: type: string type: array roles: - description: List of roles that the API Key needs to have + description: List of roles that the API Key needs to have. List + of roles that the API Key needs to have items: type: string type: array ttl: description: Duration in seconds after which the issued credential + should expire. Duration in seconds after which the issued credential should expire type: string type: object diff --git a/package/crds/nomad.vault.upbound.io_secretbackends.yaml b/package/crds/nomad.vault.upbound.io_secretbackends.yaml index 80512c5c..65373628 100644 --- a/package/crds/nomad.vault.upbound.io_secretbackends.yaml +++ b/package/crds/nomad.vault.upbound.io_secretbackends.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackends.nomad.vault.upbound.io spec: group: nomad.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: SecretBackend is the Schema for the SecretBackends API. + description: SecretBackend is the Schema for the SecretBackends API. Creates + a Nomad secret backend for Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,19 +69,25 @@ spec: properties: address: description: Specifies the address of the Nomad instance, provided - as "protocol://host:port" like "http://127.0.0.1:4646". + as "protocol://host:port" like "http://127.0.0.1:4646". Specifies + the address of the Nomad instance, provided as "protocol://host:port" + like "http://127.0.0.1:4646". type: string backend: - description: The mount path for the Nomad backend. + description: The unique path this backend should be mounted at. + Must not begin or end with a /. Defaults to nomad. The mount + path for the Nomad backend. type: string caCert: - description: CA certificate to use when verifying Nomad server - certificate, must be x509 PEM encoded. + description: CA certificate to use when verifying the Nomad server + certificate, must be x509 PEM encoded. CA certificate to use + when verifying Nomad server certificate, must be x509 PEM encoded. type: string clientCertSecretRef: - description: Client certificate used for Nomad's TLS communication, - must be x509 PEM encoded and if this is set you need to also - set client_key. + description: Client certificate to provide to the Nomad server, + must be x509 PEM encoded. Client certificate used for Nomad's + TLS communication, must be x509 PEM encoded and if this is set + you need to also set client_key. properties: key: description: The key to select. @@ -98,9 +104,10 @@ spec: - namespace type: object clientKeySecretRef: - description: Client key used for Nomad's TLS communication, must - be x509 PEM encoded and if this is set you need to also set - client_cert. + description: Client certificate key to provide to the Nomad server, + must be x509 PEM encoded. Client key used for Nomad's TLS communication, + must be x509 PEM encoded and if this is set you need to also + set client_cert. properties: key: description: The key to select. 
@@ -117,18 +124,26 @@ spec: - namespace type: object defaultLeaseTtlSeconds: - description: Default lease duration for secrets in seconds. + description: Default lease duration for secrets in seconds. Default + lease duration for secrets in seconds. type: number description: - description: Human-friendly description of the mount for the backend. + description: Human-friendly description of the mount for the Active + Directory backend. Human-friendly description of the mount for + the backend. type: string disableRemount: description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. type: boolean local: description: Mark the secrets engine as local-only. Local engines - are not replicated or removed by replication. Tolerance duration - to use when checking the last rotation time. + are not replicated or removed by replication.Tolerance duration + to use when checking the last rotation time. Mark the secrets + engine as local-only. Local engines are not replicated or removed + by replication. Tolerance duration to use when checking the + last rotation time. type: boolean maxLeaseTtlSeconds: description: Maximum possible lease duration for secrets in seconds. 
@@ -137,16 +152,25 @@ spec: description: Specifies the maximum length to use for the name of the Nomad token generated with Generate Credential. If omitted, 0 is used and ignored, defaulting to the max value allowed by - the Nomad version. + the Nomad version. Specifies the maximum length to use for the + name of the Nomad token generated with Generate Credential. + If omitted, 0 is used and ignored, defaulting to the max value + allowed by the Nomad version. type: number maxTtl: description: Maximum possible lease duration for secrets in seconds. + Maximum possible lease duration for secrets in seconds. type: number namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string tokenSecretRef: - description: Specifies the Nomad Management token to use. + description: Specifies the Nomad Management token to use. Specifies + the Nomad Management token to use. properties: key: description: The key to select. 
@@ -163,24 +187,115 @@ spec: - namespace type: object ttl: + description: Specifies the ttl of the lease for the generated + token. Maximum possible lease duration for secrets in seconds. + type: number + type: object + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + address: + description: Specifies the address of the Nomad instance, provided + as "protocol://host:port" like "http://127.0.0.1:4646". Specifies + the address of the Nomad instance, provided as "protocol://host:port" + like "http://127.0.0.1:4646". + type: string + backend: + description: The unique path this backend should be mounted at. + Must not begin or end with a /. Defaults to nomad. The mount + path for the Nomad backend. + type: string + caCert: + description: CA certificate to use when verifying the Nomad server + certificate, must be x509 PEM encoded. CA certificate to use + when verifying Nomad server certificate, must be x509 PEM encoded. + type: string + defaultLeaseTtlSeconds: + description: Default lease duration for secrets in seconds. Default + lease duration for secrets in seconds. + type: number + description: + description: Human-friendly description of the mount for the Active + Directory backend. Human-friendly description of the mount for + the backend. 
+ type: string + disableRemount: + description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. + type: boolean + local: + description: Mark the secrets engine as local-only. Local engines + are not replicated or removed by replication.Tolerance duration + to use when checking the last rotation time. Mark the secrets + engine as local-only. Local engines are not replicated or removed + by replication. Tolerance duration to use when checking the + last rotation time. + type: boolean + maxLeaseTtlSeconds: + description: Maximum possible lease duration for secrets in seconds. + type: number + maxTokenNameLength: + description: Specifies the maximum length to use for the name + of the Nomad token generated with Generate Credential. If omitted, + 0 is used and ignored, defaulting to the max value allowed by + the Nomad version. Specifies the maximum length to use for the + name of the Nomad token generated with Generate Credential. + If omitted, 0 is used and ignored, defaulting to the max value + allowed by the Nomad version. + type: number + maxTtl: description: Maximum possible lease duration for secrets in seconds. + Maximum possible lease duration for secrets in seconds. + type: number + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + ttl: + description: Specifies the ttl of the lease for the generated + token. Maximum possible lease duration for secrets in seconds. type: number type: object - managementPolicy: - default: FullControl + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. 
It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -359,30 +474,43 @@ spec: properties: address: description: Specifies the address of the Nomad instance, provided - as "protocol://host:port" like "http://127.0.0.1:4646". + as "protocol://host:port" like "http://127.0.0.1:4646". Specifies + the address of the Nomad instance, provided as "protocol://host:port" + like "http://127.0.0.1:4646". type: string backend: - description: The mount path for the Nomad backend. + description: The unique path this backend should be mounted at. + Must not begin or end with a /. Defaults to nomad. The mount + path for the Nomad backend. type: string caCert: - description: CA certificate to use when verifying Nomad server - certificate, must be x509 PEM encoded. + description: CA certificate to use when verifying the Nomad server + certificate, must be x509 PEM encoded. CA certificate to use + when verifying Nomad server certificate, must be x509 PEM encoded. type: string defaultLeaseTtlSeconds: - description: Default lease duration for secrets in seconds. + description: Default lease duration for secrets in seconds. Default + lease duration for secrets in seconds. type: number description: - description: Human-friendly description of the mount for the backend. + description: Human-friendly description of the mount for the Active + Directory backend. Human-friendly description of the mount for + the backend. type: string disableRemount: description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. type: boolean id: type: string local: description: Mark the secrets engine as local-only. Local engines - are not replicated or removed by replication. Tolerance duration - to use when checking the last rotation time. + are not replicated or removed by replication.Tolerance duration + to use when checking the last rotation time. Mark the secrets + engine as local-only. Local engines are not replicated or removed + by replication. 
Tolerance duration to use when checking the + last rotation time. type: boolean maxLeaseTtlSeconds: description: Maximum possible lease duration for secrets in seconds. @@ -391,16 +519,25 @@ spec: description: Specifies the maximum length to use for the name of the Nomad token generated with Generate Credential. If omitted, 0 is used and ignored, defaulting to the max value allowed by - the Nomad version. + the Nomad version. Specifies the maximum length to use for the + name of the Nomad token generated with Generate Credential. + If omitted, 0 is used and ignored, defaulting to the max value + allowed by the Nomad version. type: number maxTtl: description: Maximum possible lease duration for secrets in seconds. + Maximum possible lease duration for secrets in seconds. type: number namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string ttl: - description: Maximum possible lease duration for secrets in seconds. + description: Specifies the ttl of the lease for the generated + token. Maximum possible lease duration for secrets in seconds. type: number type: object conditions: diff --git a/package/crds/nomad.vault.upbound.io_secretroles.yaml b/package/crds/nomad.vault.upbound.io_secretroles.yaml index 83646acc..294dc296 100644 --- a/package/crds/nomad.vault.upbound.io_secretroles.yaml +++ b/package/crds/nomad.vault.upbound.io_secretroles.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretroles.nomad.vault.upbound.io spec: group: nomad.vault.upbound.io 
@@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: SecretRole is the Schema for the SecretRoles API. + description: SecretRole is the Schema for the SecretRoles API. Creates a Nomad + role. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -68,44 +68,114 @@ spec: forProvider: properties: backend: - description: The mount path for the Nomad backend. + description: The unique path this backend should be mounted at. + Must not begin or end with a /. Defaults to nomad. The mount + path for the Nomad backend. type: string global: - description: Specifies if the token should be global. + description: Specifies if the generated token should be global. + Defaults to false. Specifies if the token should be global. type: boolean namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string policies: - description: Comma separated list of Nomad policies the token - is going to be created against. These need to be created beforehand - in Nomad. + description: List of policies attached to the generated token. + This setting is only used when type is 'client'. Comma separated + list of Nomad policies the token is going to be created against. + These need to be created beforehand in Nomad. items: type: string type: array role: - description: Name of the role. + description: The name to identify this role within the backend. + Must be unique within the backend. Name of the role. type: string type: description: Specifies the type of token to create when using + this role. Valid settings are 'client' and 'management'. Defaults + to 'client'. Specifies the type of token to create when using this role. Valid values are "client" or "management". type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. 
InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + backend: + description: The unique path this backend should be mounted at. + Must not begin or end with a /. Defaults to nomad. The mount + path for the Nomad backend. + type: string + global: + description: Specifies if the generated token should be global. + Defaults to false. Specifies if the token should be global. + type: boolean + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + policies: + description: List of policies attached to the generated token. + This setting is only used when type is 'client'. Comma separated + list of Nomad policies the token is going to be created against. + These need to be created beforehand in Nomad. + items: + type: string + type: array + role: + description: The name to identify this role within the backend. + Must be unique within the backend. Name of the role. + type: string + type: + description: Specifies the type of token to create when using + this role. Valid settings are 'client' and 'management'. Defaults + to 'client'. Specifies the type of token to create when using + this role. Valid values are "client" or "management". 
+ type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -279,37 +349,52 @@ spec: type: object x-kubernetes-validations: - message: backend is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) + || has(self.initProvider.backend)' - message: role is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.role) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.role) + || has(self.initProvider.role)' status: description: SecretRoleStatus defines the observed state of SecretRole. properties: atProvider: properties: backend: - description: The mount path for the Nomad backend. + description: The unique path this backend should be mounted at. + Must not begin or end with a /. Defaults to nomad. The mount + path for the Nomad backend. type: string global: - description: Specifies if the token should be global. + description: Specifies if the generated token should be global. + Defaults to false. Specifies if the token should be global. type: boolean id: type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string policies: - description: Comma separated list of Nomad policies the token - is going to be created against. These need to be created beforehand - in Nomad. + description: List of policies attached to the generated token. + This setting is only used when type is 'client'. Comma separated + list of Nomad policies the token is going to be created against. 
+ These need to be created beforehand in Nomad. items: type: string type: array role: - description: Name of the role. + description: The name to identify this role within the backend. + Must be unique within the backend. Name of the role. type: string type: description: Specifies the type of token to create when using + this role. Valid settings are 'client' and 'management'. Defaults + to 'client'. Specifies the type of token to create when using this role. Valid values are "client" or "management". type: string type: object diff --git a/package/crds/okta.vault.upbound.io_authbackendgroups.yaml b/package/crds/okta.vault.upbound.io_authbackendgroups.yaml index 051372e2..e89bf55a 100644 --- a/package/crds/okta.vault.upbound.io_authbackendgroups.yaml +++ b/package/crds/okta.vault.upbound.io_authbackendgroups.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: authbackendgroups.okta.vault.upbound.io spec: group: okta.vault.upbound.io @@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -83,21 +82,60 @@ spec: type: string type: array type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + groupName: + description: Name of the Okta group + type: string + namespace: + description: Target namespace. (requires Enterprise) + type: string + path: + description: Path to the Okta auth backend + type: string + policies: + description: Policies to associate with this group + items: + type: string + type: array + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. 
- See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -271,9 +309,13 @@ spec: type: object x-kubernetes-validations: - message: groupName is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.groupName) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.groupName) + || has(self.initProvider.groupName)' - message: path is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.path) + || has(self.initProvider.path)' status: description: AuthBackendGroupStatus defines the observed state of AuthBackendGroup. properties: diff --git a/package/crds/okta.vault.upbound.io_authbackends.yaml b/package/crds/okta.vault.upbound.io_authbackends.yaml index 26652f78..4fdc1224 100644 --- a/package/crds/okta.vault.upbound.io_authbackends.yaml +++ b/package/crds/okta.vault.upbound.io_authbackends.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: authbackends.okta.vault.upbound.io spec: group: okta.vault.upbound.io 
@@ -57,7 +56,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -145,21 +144,104 @@ spec: type: object type: array type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + baseUrl: + description: 'The Okta url. Examples: oktapreview.com, okta.com + (default)' + type: string + bypassOktaMfa: + description: When true, requests by Okta for a MFA check will + be bypassed. This also disallows certain status checks on the + account, such as whether the password is expired. + type: boolean + description: + description: The description of the auth backend + type: string + disableRemount: + description: If set, opts out of mount migration on path updates. + type: boolean + group: + items: + properties: + groupName: + type: string + policies: + items: + type: string + type: array + type: object + type: array + maxTtl: + description: Maximum duration after which authentication will + be expired + type: string + namespace: + description: Target namespace. (requires Enterprise) + type: string + organization: + description: The Okta organization. This will be the first part + of the url https://XXX.okta.com. 
+ type: string + path: + description: path to mount the backend + type: string + ttl: + description: Duration after which authentication will be expired + type: string + user: + items: + properties: + groups: + items: + type: string + type: array + policies: + items: + type: string + type: array + username: + type: string + type: object + type: array + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. 
See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -333,7 +415,9 @@ spec: type: object x-kubernetes-validations: - message: organization is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.organization) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.organization) + || has(self.initProvider.organization)' status: description: AuthBackendStatus defines the observed state of AuthBackend. properties: diff --git a/package/crds/okta.vault.upbound.io_authbackendusers.yaml b/package/crds/okta.vault.upbound.io_authbackendusers.yaml index e2e46fea..cde69c8d 100644 --- a/package/crds/okta.vault.upbound.io_authbackendusers.yaml +++ b/package/crds/okta.vault.upbound.io_authbackendusers.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: authbackendusers.okta.vault.upbound.io spec: group: okta.vault.upbound.io 
@@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -89,21 +88,66 @@ spec: description: Name of the user within Okta type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + groups: + description: Groups within the Okta auth backend to associate + with this user + items: + type: string + type: array + namespace: + description: Target namespace. (requires Enterprise) + type: string + path: + description: Path to the Okta auth backend + type: string + policies: + description: Policies to associate with this user + items: + type: string + type: array + username: + description: Name of the user within Okta + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. 
- See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -277,9 +321,13 @@ spec: type: object x-kubernetes-validations: - message: path is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.path) + || has(self.initProvider.path)' - message: username is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.username) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.username) + || has(self.initProvider.username)' status: description: AuthBackendUserStatus defines the observed state of AuthBackendUser. properties: diff --git a/package/crds/password.vault.upbound.io_policies.yaml b/package/crds/password.vault.upbound.io_policies.yaml index 1c562da7..0b600eeb 100644 --- a/package/crds/password.vault.upbound.io_policies.yaml +++ b/package/crds/password.vault.upbound.io_policies.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: policies.password.vault.upbound.io spec: group: password.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: Policy is the Schema for the Policys API. + description: Policy is the Schema for the Policys API. Writes Password policies + for Vault properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -68,30 +68,76 @@ spec: forProvider: properties: name: - description: Name of the password policy. + description: The name of the password policy. Name of the password + policy. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string policy: - description: The password policy document + description: String containing a password policy. The password + policy document type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + name: + description: The name of the password policy. Name of the password + policy. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + policy: + description: String containing a password policy. 
The password + policy document + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -265,9 +311,13 @@ spec: type: object x-kubernetes-validations: - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' - message: policy is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.policy) + || has(self.initProvider.policy)' status: description: PolicyStatus defines the observed state of Policy. properties: @@ -276,13 +326,19 @@ spec: id: type: string name: - description: Name of the password policy. + description: The name of the password policy. Name of the password + policy. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string policy: - description: The password policy document + description: String containing a password policy. The password + policy document type: string type: object conditions: diff --git a/package/crds/pki.vault.upbound.io_secretbackendcerts.yaml b/package/crds/pki.vault.upbound.io_secretbackendcerts.yaml index 6b5e8f39..2d386a9a 100644 --- a/package/crds/pki.vault.upbound.io_secretbackendcerts.yaml +++ b/package/crds/pki.vault.upbound.io_secretbackendcerts.yaml 
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackendcerts.pki.vault.upbound.io spec: group: pki.vault.upbound.io @@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: SecretBackendCert is the Schema for the SecretBackendCerts API. - + Generate an PKI certificate. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,76 +68,182 @@ spec: forProvider: properties: altNames: - description: List of alternative names. + description: List of alternative names List of alternative names. items: type: string type: array autoRenew: - description: If enabled, a new certificate will be generated if - the expiration is within min_seconds_remaining + description: If set to true, certs will be renewed if the expiration + is within min_seconds_remaining. Default false If enabled, a + new certificate will be generated if the expiration is within + min_seconds_remaining type: boolean backend: - description: The PKI secret backend the resource belongs to. + description: The PKI secret backend the resource belongs to. The + PKI secret backend the resource belongs to. type: string commonName: - description: CN of the certificate to create. + description: CN of certificate to create CN of the certificate + to create. type: string excludeCnFromSans: - description: Flag to exclude CN from SANs. + description: Flag to exclude CN from SANs Flag to exclude CN from + SANs. type: boolean format: - description: The format of data. + description: The format of data The format of data. type: string ipSans: - description: List of alternative IPs. + description: List of alternative IPs List of alternative IPs. items: type: string type: array minSecondsRemaining: description: Generate a new certificate when the expiration is - within this number of seconds + within this number of seconds, default is 604800 (7 days) Generate + a new certificate when the expiration is within this number + of seconds type: number name: - description: Name of the role to create the certificate against. + description: Name of the role to create the certificate against + Name of the role to create the certificate against. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. 
The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string otherSans: - description: List of other SANs. + description: List of other SANs List of other SANs. items: type: string type: array privateKeyFormat: - description: The private key format. + description: The private key format The private key format. type: string revoke: - description: Revoke the certificate upon resource destruction. + description: If set to true, the certificate will be revoked on + resource destruction. Revoke the certificate upon resource destruction. type: boolean ttl: - description: Time to live. + description: Time to live Time to live. type: string uriSans: - description: List of alternative URIs. + description: List of alternative URIs List of alternative URIs. items: type: string type: array type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + altNames: + description: List of alternative names List of alternative names. + items: + type: string + type: array + autoRenew: + description: If set to true, certs will be renewed if the expiration + is within min_seconds_remaining. 
Default false If enabled, a + new certificate will be generated if the expiration is within + min_seconds_remaining + type: boolean + backend: + description: The PKI secret backend the resource belongs to. The + PKI secret backend the resource belongs to. + type: string + commonName: + description: CN of certificate to create CN of the certificate + to create. + type: string + excludeCnFromSans: + description: Flag to exclude CN from SANs Flag to exclude CN from + SANs. + type: boolean + format: + description: The format of data The format of data. + type: string + ipSans: + description: List of alternative IPs List of alternative IPs. + items: + type: string + type: array + minSecondsRemaining: + description: Generate a new certificate when the expiration is + within this number of seconds, default is 604800 (7 days) Generate + a new certificate when the expiration is within this number + of seconds + type: number + name: + description: Name of the role to create the certificate against + Name of the role to create the certificate against. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + otherSans: + description: List of other SANs List of other SANs. + items: + type: string + type: array + privateKeyFormat: + description: The private key format The private key format. + type: string + revoke: + description: If set to true, the certificate will be revoked on + resource destruction. Revoke the certificate upon resource destruction. + type: boolean + ttl: + description: Time to live Time to live. + type: string + uriSans: + description: List of alternative URIs List of alternative URIs. 
+ items: + type: string + type: array + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -312,93 +417,116 @@ spec: type: object x-kubernetes-validations: - message: backend is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) + || has(self.initProvider.backend)' - message: commonName is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.commonName) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.commonName) + || has(self.initProvider.commonName)' - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' status: description: SecretBackendCertStatus defines the observed state of SecretBackendCert. properties: atProvider: properties: altNames: - description: List of alternative names. + description: List of alternative names List of alternative names. items: type: string type: array autoRenew: - description: If enabled, a new certificate will be generated if - the expiration is within min_seconds_remaining + description: If set to true, certs will be renewed if the expiration + is within min_seconds_remaining. Default false If enabled, a + new certificate will be generated if the expiration is within + min_seconds_remaining type: boolean backend: - description: The PKI secret backend the resource belongs to. + description: The PKI secret backend the resource belongs to. The + PKI secret backend the resource belongs to. type: string caChain: - description: The CA chain. + description: The CA chain The CA chain. 
type: string certificate: - description: The certicate. + description: The certificate The certicate. type: string commonName: - description: CN of the certificate to create. + description: CN of certificate to create CN of the certificate + to create. type: string excludeCnFromSans: - description: Flag to exclude CN from SANs. + description: Flag to exclude CN from SANs Flag to exclude CN from + SANs. type: boolean expiration: - description: The certificate expiration as a Unix-style timestamp. + description: The expiration date of the certificate in unix epoch + format The certificate expiration as a Unix-style timestamp. type: number format: - description: The format of data. + description: The format of data The format of data. type: string id: type: string ipSans: - description: List of alternative IPs. + description: List of alternative IPs List of alternative IPs. items: type: string type: array issuingCa: - description: The issuing CA. + description: The issuing CA The issuing CA. type: string minSecondsRemaining: description: Generate a new certificate when the expiration is - within this number of seconds + within this number of seconds, default is 604800 (7 days) Generate + a new certificate when the expiration is within this number + of seconds type: number name: - description: Name of the role to create the certificate against. + description: Name of the role to create the certificate against + Name of the role to create the certificate against. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string otherSans: - description: List of other SANs. + description: List of other SANs List of other SANs. 
items: type: string type: array privateKeyFormat: - description: The private key format. + description: The private key format The private key format. type: string privateKeyType: - description: The private key type. + description: The private key type The private key type. type: string renewPending: - description: Initially false, and then set to true during refresh - once the expiration is less than min_seconds_remaining in the - future. + description: true if the current time (during refresh) is after + the start of the early renewal window declared by min_seconds_remaining, + and false otherwise; if auto_renew is set to true then the provider + will plan to replace the certificate once renewal is pending. + Initially false, and then set to true during refresh once the + expiration is less than min_seconds_remaining in the future. type: boolean revoke: - description: Revoke the certificate upon resource destruction. + description: If set to true, the certificate will be revoked on + resource destruction. Revoke the certificate upon resource destruction. type: boolean serialNumber: - description: The serial number. + description: The serial number The serial number. type: string ttl: - description: Time to live. + description: Time to live Time to live. type: string uriSans: - description: List of alternative URIs. + description: List of alternative URIs List of alternative URIs. items: type: string type: array diff --git a/package/crds/pki.vault.upbound.io_secretbackendconfigcas.yaml b/package/crds/pki.vault.upbound.io_secretbackendconfigcas.yaml index 69579916..5d7b9aaa 100644 --- a/package/crds/pki.vault.upbound.io_secretbackendconfigcas.yaml +++ b/package/crds/pki.vault.upbound.io_secretbackendconfigcas.yaml 
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackendconfigcas.pki.vault.upbound.io spec: group: pki.vault.upbound.io @@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: SecretBackendConfigCA is the Schema for the SecretBackendConfigCAs - API. + API. Submit the CA information to PKI. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,13 +68,19 @@ spec: forProvider: properties: backend: - description: The PKI secret backend the resource belongs to. + description: The PKI secret backend the resource belongs to. The + PKI secret backend the resource belongs to. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string pemBundleSecretRef: - description: The key and certificate PEM bundle. + description: The key and certificate PEM bundle The key and certificate + PEM bundle. properties: key: description: The key to select. 
@@ -92,21 +97,57 @@ spec: - namespace type: object type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + backend: + description: The PKI secret backend the resource belongs to. The + PKI secret backend the resource belongs to. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. 
- See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -280,9 +321,12 @@ spec: type: object x-kubernetes-validations: - message: backend is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) + || has(self.initProvider.backend)' - message: pemBundleSecretRef is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.pemBundleSecretRef) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.pemBundleSecretRef)' status: description: SecretBackendConfigCAStatus defines the observed state of SecretBackendConfigCA. @@ -290,12 +334,17 @@ spec: atProvider: properties: backend: - description: The PKI secret backend the resource belongs to. + description: The PKI secret backend the resource belongs to. The + PKI secret backend the resource belongs to. type: string id: type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string type: object conditions: diff --git a/package/crds/pki.vault.upbound.io_secretbackendconfigurls.yaml b/package/crds/pki.vault.upbound.io_secretbackendconfigurls.yaml index fdeaa804..a910d047 100644 --- a/package/crds/pki.vault.upbound.io_secretbackendconfigurls.yaml +++ b/package/crds/pki.vault.upbound.io_secretbackendconfigurls.yaml 
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackendconfigurls.pki.vault.upbound.io spec: group: pki.vault.upbound.io @@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: SecretBackendConfigUrls is the Schema for the SecretBackendConfigUrlss - API. + API. Sets the config URL's on an PKI Secret Backend for Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -59,7 +58,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -70,45 +69,110 @@ spec: forProvider: properties: backend: - description: The path of the PKI secret backend the resource belongs - to. + description: The path the PKI secret backend is mounted at, with + no leading or trailing /s. The path of the PKI secret backend + the resource belongs to. type: string crlDistributionPoints: description: Specifies the URL values for the CRL Distribution + Points field. Specifies the URL values for the CRL Distribution Points field. items: type: string type: array issuingCertificates: description: Specifies the URL values for the Issuing Certificate + field. Specifies the URL values for the Issuing Certificate field. items: type: string type: array namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string ocspServers: description: Specifies the URL values for the OCSP Servers field. + Specifies the URL values for the OCSP Servers field. items: type: string type: array type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. 
This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + backend: + description: The path the PKI secret backend is mounted at, with + no leading or trailing /s. The path of the PKI secret backend + the resource belongs to. + type: string + crlDistributionPoints: + description: Specifies the URL values for the CRL Distribution + Points field. Specifies the URL values for the CRL Distribution + Points field. + items: + type: string + type: array + issuingCertificates: + description: Specifies the URL values for the Issuing Certificate + field. Specifies the URL values for the Issuing Certificate + field. + items: + type: string + type: array + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + ocspServers: + description: Specifies the URL values for the OCSP Servers field. + Specifies the URL values for the OCSP Servers field. + items: + type: string + type: array + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. 
- See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -282,7 +346,9 @@ spec: type: object x-kubernetes-validations: - message: backend is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) + || has(self.initProvider.backend)' status: description: SecretBackendConfigUrlsStatus defines the observed state of SecretBackendConfigUrls. 
@@ -290,11 +356,13 @@ spec: atProvider: properties: backend: - description: The path of the PKI secret backend the resource belongs - to. + description: The path the PKI secret backend is mounted at, with + no leading or trailing /s. The path of the PKI secret backend + the resource belongs to. type: string crlDistributionPoints: description: Specifies the URL values for the CRL Distribution + Points field. Specifies the URL values for the CRL Distribution Points field. items: type: string @@ -303,15 +371,21 @@ spec: type: string issuingCertificates: description: Specifies the URL values for the Issuing Certificate + field. Specifies the URL values for the Issuing Certificate field. items: type: string type: array namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string ocspServers: description: Specifies the URL values for the OCSP Servers field. + Specifies the URL values for the OCSP Servers field. items: type: string type: array diff --git a/package/crds/pki.vault.upbound.io_secretbackendcrlconfigs.yaml b/package/crds/pki.vault.upbound.io_secretbackendcrlconfigs.yaml index a320573e..6bd7142b 100644 --- a/package/crds/pki.vault.upbound.io_secretbackendcrlconfigs.yaml +++ b/package/crds/pki.vault.upbound.io_secretbackendcrlconfigs.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackendcrlconfigs.pki.vault.upbound.io spec: group: pki.vault.upbound.io 
@@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: SecretBackendCrlConfig is the Schema for the SecretBackendCrlConfigs - API. + API. Sets the CRL config on an PKI Secret Backend for Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,67 +68,176 @@ spec: forProvider: properties: autoRebuild: - description: Enables or disables periodic rebuilding of the CRL + description: Enables periodic rebuilding of the CRL upon expiry. + Vault 1.12+ Enables or disables periodic rebuilding of the CRL upon expiry. type: boolean autoRebuildGracePeriod: description: Grace period before CRL expiry to attempt rebuild - of CRL. + of CRL. Vault 1.12+ Grace period before CRL expiry to attempt + rebuild of CRL. type: string backend: - description: The path of the PKI secret backend the resource belongs - to. + description: The path the PKI secret backend is mounted at, with + no leading or trailing /s. The path of the PKI secret backend + the resource belongs to. type: string crossClusterRevocation: - description: Enable cross-cluster revocation request queues. + description: Enable cross-cluster revocation request queues. Vault + 1.13+ Enable cross-cluster revocation request queues. type: boolean deltaRebuildInterval: description: Interval to check for new revocations on, to regenerate - the delta CRL. + the delta CRL. Interval to check for new revocations on, to + regenerate the delta CRL. type: string disable: - description: Disables or enables CRL building + description: Disables or enables CRL building. Disables or enables + CRL building type: boolean enableDelta: - description: Enables or disables building of delta CRLs with up-to-date - revocation information, augmenting the last complete CRL. + description: Enables building of delta CRLs with up-to-date revocation + information, augmenting the last complete CRL. Vault 1.12+ + Enables or disables building of delta CRLs with up-to-date revocation + information, augmenting the last complete CRL. type: boolean expiry: - description: Specifies the time until expiration. + description: Specifies the time until expiration. Specifies the + time until expiration. type: string namespace: - description: Target namespace. 
(requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string ocspDisable: - description: Disables or enables the OCSP responder in Vault. + description: Disables the OCSP responder in Vault. Vault 1.12+ + Disables or enables the OCSP responder in Vault. type: boolean ocspExpiry: description: The amount of time an OCSP response can be cached - for, useful for OCSP stapling refresh durations. + for, useful for OCSP stapling refresh durations. Vault 1.12+ + The amount of time an OCSP response can be cached for, useful + for OCSP stapling refresh durations. type: string unifiedCrl: - description: Enables unified CRL and OCSP building. + description: Enables unified CRL and OCSP building. Vault 1.13+ + Enables unified CRL and OCSP building. type: boolean unifiedCrlOnExistingPaths: description: Enables serving the unified CRL and OCSP on the existing, - previously cluster-local paths. + previously cluster-local paths. Vault 1.13+ Enables serving + the unified CRL and OCSP on the existing, previously cluster-local + paths. type: boolean type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. 
This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + autoRebuild: + description: Enables periodic rebuilding of the CRL upon expiry. + Vault 1.12+ Enables or disables periodic rebuilding of the CRL + upon expiry. + type: boolean + autoRebuildGracePeriod: + description: Grace period before CRL expiry to attempt rebuild + of CRL. Vault 1.12+ Grace period before CRL expiry to attempt + rebuild of CRL. + type: string + backend: + description: The path the PKI secret backend is mounted at, with + no leading or trailing /s. The path of the PKI secret backend + the resource belongs to. + type: string + crossClusterRevocation: + description: Enable cross-cluster revocation request queues. Vault + 1.13+ Enable cross-cluster revocation request queues. + type: boolean + deltaRebuildInterval: + description: Interval to check for new revocations on, to regenerate + the delta CRL. Interval to check for new revocations on, to + regenerate the delta CRL. + type: string + disable: + description: Disables or enables CRL building. Disables or enables + CRL building + type: boolean + enableDelta: + description: Enables building of delta CRLs with up-to-date revocation + information, augmenting the last complete CRL. Vault 1.12+ + Enables or disables building of delta CRLs with up-to-date revocation + information, augmenting the last complete CRL. + type: boolean + expiry: + description: Specifies the time until expiration. Specifies the + time until expiration. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. 
(requires + Enterprise) + type: string + ocspDisable: + description: Disables the OCSP responder in Vault. Vault 1.12+ + Disables or enables the OCSP responder in Vault. + type: boolean + ocspExpiry: + description: The amount of time an OCSP response can be cached + for, useful for OCSP stapling refresh durations. Vault 1.12+ + The amount of time an OCSP response can be cached for, useful + for OCSP stapling refresh durations. + type: string + unifiedCrl: + description: Enables unified CRL and OCSP building. Vault 1.13+ + Enables unified CRL and OCSP building. + type: boolean + unifiedCrlOnExistingPaths: + description: Enables serving the unified CRL and OCSP on the existing, + previously cluster-local paths. Vault 1.13+ Enables serving + the unified CRL and OCSP on the existing, previously cluster-local + paths. + type: boolean + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. 
Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -303,7 +411,9 @@ spec: type: object x-kubernetes-validations: - message: backend is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) + || has(self.initProvider.backend)' status: description: SecretBackendCrlConfigStatus defines the observed state of SecretBackendCrlConfig. 
@@ -311,52 +421,71 @@ spec: atProvider: properties: autoRebuild: - description: Enables or disables periodic rebuilding of the CRL + description: Enables periodic rebuilding of the CRL upon expiry. + Vault 1.12+ Enables or disables periodic rebuilding of the CRL upon expiry. type: boolean autoRebuildGracePeriod: description: Grace period before CRL expiry to attempt rebuild - of CRL. + of CRL. Vault 1.12+ Grace period before CRL expiry to attempt + rebuild of CRL. type: string backend: - description: The path of the PKI secret backend the resource belongs - to. + description: The path the PKI secret backend is mounted at, with + no leading or trailing /s. The path of the PKI secret backend + the resource belongs to. type: string crossClusterRevocation: - description: Enable cross-cluster revocation request queues. + description: Enable cross-cluster revocation request queues. Vault + 1.13+ Enable cross-cluster revocation request queues. type: boolean deltaRebuildInterval: description: Interval to check for new revocations on, to regenerate - the delta CRL. + the delta CRL. Interval to check for new revocations on, to + regenerate the delta CRL. type: string disable: - description: Disables or enables CRL building + description: Disables or enables CRL building. Disables or enables + CRL building type: boolean enableDelta: - description: Enables or disables building of delta CRLs with up-to-date - revocation information, augmenting the last complete CRL. + description: Enables building of delta CRLs with up-to-date revocation + information, augmenting the last complete CRL. Vault 1.12+ + Enables or disables building of delta CRLs with up-to-date revocation + information, augmenting the last complete CRL. type: boolean expiry: - description: Specifies the time until expiration. + description: Specifies the time until expiration. Specifies the + time until expiration. type: string id: type: string namespace: - description: Target namespace. 
(requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string ocspDisable: - description: Disables or enables the OCSP responder in Vault. + description: Disables the OCSP responder in Vault. Vault 1.12+ + Disables or enables the OCSP responder in Vault. type: boolean ocspExpiry: description: The amount of time an OCSP response can be cached - for, useful for OCSP stapling refresh durations. + for, useful for OCSP stapling refresh durations. Vault 1.12+ + The amount of time an OCSP response can be cached for, useful + for OCSP stapling refresh durations. type: string unifiedCrl: - description: Enables unified CRL and OCSP building. + description: Enables unified CRL and OCSP building. Vault 1.13+ + Enables unified CRL and OCSP building. type: boolean unifiedCrlOnExistingPaths: description: Enables serving the unified CRL and OCSP on the existing, - previously cluster-local paths. + previously cluster-local paths. Vault 1.13+ Enables serving + the unified CRL and OCSP on the existing, previously cluster-local + paths. type: boolean type: object conditions: diff --git a/package/crds/pki.vault.upbound.io_secretbackendintermediatecertrequests.yaml b/package/crds/pki.vault.upbound.io_secretbackendintermediatecertrequests.yaml index 84d2185b..c9bd0119 100644 --- a/package/crds/pki.vault.upbound.io_secretbackendintermediatecertrequests.yaml +++ b/package/crds/pki.vault.upbound.io_secretbackendintermediatecertrequests.yaml 
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackendintermediatecertrequests.pki.vault.upbound.io spec: group: pki.vault.upbound.io @@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: SecretBackendIntermediateCertRequest is the Schema for the SecretBackendIntermediateCertRequests - API. + API. Generate a new private key and a CSR for signing the PKI. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -59,7 +58,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -70,101 +69,240 @@ spec: forProvider: properties: addBasicConstraints: - description: 'Set ''CA: true'' in a Basic Constraints extension. + description: 'Adds a Basic Constraints extension with ''CA: true''. Only needed as a workaround in some compatibility scenarios - with Active Directory Certificate Services.' + with Active Directory Certificate Services Set ''CA: true'' + in a Basic Constraints extension. Only needed as a workaround + in some compatibility scenarios with Active Directory Certificate + Services.' type: boolean altNames: - description: List of alternative names. + description: List of alternative names List of alternative names. items: type: string type: array backend: - description: The PKI secret backend the resource belongs to. + description: The PKI secret backend the resource belongs to. The + PKI secret backend the resource belongs to. type: string commonName: - description: CN of intermediate to create. + description: CN of intermediate to create CN of intermediate to + create. type: string country: - description: The country. + description: The country The country. type: string excludeCnFromSans: - description: Flag to exclude CN from SANs. + description: Flag to exclude CN from SANs Flag to exclude CN from + SANs. type: boolean format: - description: The format of data. + description: The format of data The format of data. type: string ipSans: - description: List of alternative IPs. + description: List of alternative IPs List of alternative IPs. items: type: string type: array keyBits: - description: The number of bits to use. + description: The number of bits to use The number of bits to use. type: number keyType: - description: The desired key type. + description: The desired key type The desired key type. type: string locality: - description: The locality. + description: The locality The locality. type: string managedKeyId: description: The ID of the previously configured managed key. 
+ This field is required if type is kms and it conflicts with + managed_key_name The ID of the previously configured managed + key. type: string managedKeyName: description: The name of the previously configured managed key. + This field is required if type is kms and it conflicts with + managed_key_id The name of the previously configured managed + key. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string organization: - description: The organization. + description: The organization The organization. type: string otherSans: - description: List of other SANs. + description: List of other SANs List of other SANs. items: type: string type: array ou: - description: The organization unit. + description: The organization unit The organization unit. type: string postalCode: - description: The postal code. + description: The postal code The postal code. type: string privateKeyFormat: - description: The private key format. + description: The private key format The private key format. type: string province: - description: The province. + description: The province The province. type: string streetAddress: - description: The street address. + description: The street address The street address. type: string type: description: Type of intermediate to create. Must be either "exported" - or "internal". + or "internal" or "kms" Type of intermediate to create. Must + be either "exported" or "internal". type: string uriSans: - description: List of alternative URIs. + description: List of alternative URIs List of alternative URIs. 
items: type: string type: array type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + addBasicConstraints: + description: 'Adds a Basic Constraints extension with ''CA: true''. + Only needed as a workaround in some compatibility scenarios + with Active Directory Certificate Services Set ''CA: true'' + in a Basic Constraints extension. Only needed as a workaround + in some compatibility scenarios with Active Directory Certificate + Services.' + type: boolean + altNames: + description: List of alternative names List of alternative names. + items: + type: string + type: array + backend: + description: The PKI secret backend the resource belongs to. The + PKI secret backend the resource belongs to. + type: string + commonName: + description: CN of intermediate to create CN of intermediate to + create. + type: string + country: + description: The country The country. + type: string + excludeCnFromSans: + description: Flag to exclude CN from SANs Flag to exclude CN from + SANs. + type: boolean + format: + description: The format of data The format of data. + type: string + ipSans: + description: List of alternative IPs List of alternative IPs. 
+ items: + type: string + type: array + keyBits: + description: The number of bits to use The number of bits to use. + type: number + keyType: + description: The desired key type The desired key type. + type: string + locality: + description: The locality The locality. + type: string + managedKeyId: + description: The ID of the previously configured managed key. + This field is required if type is kms and it conflicts with + managed_key_name The ID of the previously configured managed + key. + type: string + managedKeyName: + description: The name of the previously configured managed key. + This field is required if type is kms and it conflicts with + managed_key_id The name of the previously configured managed + key. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + organization: + description: The organization The organization. + type: string + otherSans: + description: List of other SANs List of other SANs. + items: + type: string + type: array + ou: + description: The organization unit The organization unit. + type: string + postalCode: + description: The postal code The postal code. + type: string + privateKeyFormat: + description: The private key format The private key format. + type: string + province: + description: The province The province. + type: string + streetAddress: + description: The street address The street address. + type: string + type: + description: Type of intermediate to create. Must be either "exported" + or "internal" or "kms" Type of intermediate to create. Must + be either "exported" or "internal". + type: string + uriSans: + description: List of alternative URIs List of alternative URIs. 
+ items: + type: string + type: array + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -338,11 +476,17 @@ spec: type: object x-kubernetes-validations: - message: backend is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) + || has(self.initProvider.backend)' - message: commonName is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.commonName) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.commonName) + || has(self.initProvider.commonName)' - message: type is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.type) + || has(self.initProvider.type)' status: description: SecretBackendIntermediateCertRequestStatus defines the observed state of SecretBackendIntermediateCertRequest. 
@@ -350,90 +494,107 @@ spec: atProvider: properties: addBasicConstraints: - description: 'Set ''CA: true'' in a Basic Constraints extension. + description: 'Adds a Basic Constraints extension with ''CA: true''. Only needed as a workaround in some compatibility scenarios - with Active Directory Certificate Services.' + with Active Directory Certificate Services Set ''CA: true'' + in a Basic Constraints extension. Only needed as a workaround + in some compatibility scenarios with Active Directory Certificate + Services.' type: boolean altNames: - description: List of alternative names. + description: List of alternative names List of alternative names. items: type: string type: array backend: - description: The PKI secret backend the resource belongs to. + description: The PKI secret backend the resource belongs to. The + PKI secret backend the resource belongs to. type: string commonName: - description: CN of intermediate to create. + description: CN of intermediate to create CN of intermediate to + create. type: string country: - description: The country. + description: The country The country. type: string csr: - description: The CSR. + description: The CSR The CSR. type: string excludeCnFromSans: - description: Flag to exclude CN from SANs. + description: Flag to exclude CN from SANs Flag to exclude CN from + SANs. type: boolean format: - description: The format of data. + description: The format of data The format of data. type: string id: type: string ipSans: - description: List of alternative IPs. + description: List of alternative IPs List of alternative IPs. items: type: string type: array keyBits: - description: The number of bits to use. + description: The number of bits to use The number of bits to use. type: number keyType: - description: The desired key type. + description: The desired key type The desired key type. type: string locality: - description: The locality. + description: The locality The locality. 
type: string managedKeyId: description: The ID of the previously configured managed key. + This field is required if type is kms and it conflicts with + managed_key_name The ID of the previously configured managed + key. type: string managedKeyName: description: The name of the previously configured managed key. + This field is required if type is kms and it conflicts with + managed_key_id The name of the previously configured managed + key. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string organization: - description: The organization. + description: The organization The organization. type: string otherSans: - description: List of other SANs. + description: List of other SANs List of other SANs. items: type: string type: array ou: - description: The organization unit. + description: The organization unit The organization unit. type: string postalCode: - description: The postal code. + description: The postal code The postal code. type: string privateKeyFormat: - description: The private key format. + description: The private key format The private key format. type: string privateKeyType: - description: The private key type. + description: The private key type The private key type. type: string province: - description: The province. + description: The province The province. type: string streetAddress: - description: The street address. + description: The street address The street address. type: string type: description: Type of intermediate to create. Must be either "exported" - or "internal". + or "internal" or "kms" Type of intermediate to create. Must + be either "exported" or "internal". 
type: string uriSans: - description: List of alternative URIs. + description: List of alternative URIs List of alternative URIs. items: type: string type: array diff --git a/package/crds/pki.vault.upbound.io_secretbackendintermediatesetsigneds.yaml b/package/crds/pki.vault.upbound.io_secretbackendintermediatesetsigneds.yaml index d3382da4..e3710db6 100644 --- a/package/crds/pki.vault.upbound.io_secretbackendintermediatesetsigneds.yaml +++ b/package/crds/pki.vault.upbound.io_secretbackendintermediatesetsigneds.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackendintermediatesetsigneds.pki.vault.upbound.io spec: group: pki.vault.upbound.io @@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: SecretBackendIntermediateSetSigned is the Schema for the SecretBackendIntermediateSetSigneds - API. + API. Submit the PKI CA certificate. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -59,7 +58,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -70,30 +69,80 @@ spec: forProvider: properties: backend: - description: The PKI secret backend the resource belongs to. + description: The PKI secret backend the resource belongs to. The + PKI secret backend the resource belongs to. type: string certificate: - description: The certificate. + description: Specifies the PEM encoded certificate. May optionally + append additional CA certificates to populate the whole chain, + which will then enable returning the full chain from issue and + sign operations. The certificate. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + backend: + description: The PKI secret backend the resource belongs to. The + PKI secret backend the resource belongs to. + type: string + certificate: + description: Specifies the PEM encoded certificate. 
May optionally + append additional CA certificates to populate the whole chain, + which will then enable returning the full chain from issue and + sign operations. The certificate. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. 
See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -267,9 +316,13 @@ spec: type: object x-kubernetes-validations: - message: backend is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) + || has(self.initProvider.backend)' - message: certificate is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.certificate) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.certificate) + || has(self.initProvider.certificate)' status: description: SecretBackendIntermediateSetSignedStatus defines the observed state of SecretBackendIntermediateSetSigned. 
@@ -277,15 +330,23 @@ spec: atProvider: properties: backend: - description: The PKI secret backend the resource belongs to. + description: The PKI secret backend the resource belongs to. The + PKI secret backend the resource belongs to. type: string certificate: - description: The certificate. + description: Specifies the PEM encoded certificate. May optionally + append additional CA certificates to populate the whole chain, + which will then enable returning the full chain from issue and + sign operations. The certificate. type: string id: type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string type: object conditions: diff --git a/package/crds/pki.vault.upbound.io_secretbackendroles.yaml b/package/crds/pki.vault.upbound.io_secretbackendroles.yaml index 44621762..43e72deb 100644 --- a/package/crds/pki.vault.upbound.io_secretbackendroles.yaml +++ b/package/crds/pki.vault.upbound.io_secretbackendroles.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackendroles.pki.vault.upbound.io spec: group: pki.vault.upbound.io @@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: SecretBackendRole is the Schema for the SecretBackendRoles API. - + Create a role on an PKI Secret Backend for Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,195 +68,478 @@ spec: forProvider: properties: allowAnyName: - description: Flag to allow any name + description: Flag to allow any name Flag to allow any name type: boolean allowBareDomains: - description: Flag to allow certificates matching the actual domain. + description: Flag to allow certificates matching the actual domain + Flag to allow certificates matching the actual domain. type: boolean allowGlobDomains: - description: Flag to allow names containing glob patterns. + description: Flag to allow names containing glob patterns. Flag + to allow names containing glob patterns. type: boolean allowIpSans: - description: Flag to allow IP SANs + description: Flag to allow IP SANs Flag to allow IP SANs type: boolean allowLocalhost: - description: Flag to allow certificates for localhost. + description: Flag to allow certificates for localhost Flag to + allow certificates for localhost. type: boolean allowSubdomains: - description: Flag to allow certificates matching subdomains. + description: Flag to allow certificates matching subdomains Flag + to allow certificates matching subdomains. type: boolean allowedDomains: - description: The domains of the role. + description: List of allowed domains for certificates The domains + of the role. items: type: string type: array allowedDomainsTemplate: - description: Flag to indicate that `allowed_domains` specifies + description: Flag, if set, allowed_domains can be specified using + identity template expressions such as {{identity.entity.aliases..name}}. Flag to indicate that `allowed_domains` specifies a template expression (e.g. {{identity.entity.aliases..name}}) type: boolean allowedOtherSans: - description: Defines allowed custom SANs + description: Defines allowed custom SANs Defines allowed custom + SANs items: type: string type: array allowedSerialNumbers: - description: Defines allowed Subject serial numbers. 
+ description: An array of allowed serial numbers to put in Subject + Defines allowed Subject serial numbers. items: type: string type: array allowedUriSans: - description: Defines allowed URI SANs + description: Defines allowed URI SANs Defines allowed URI SANs items: type: string type: array backend: - description: The path of the PKI secret backend the resource belongs - to. + description: The path the PKI secret backend is mounted at, with + no leading or trailing /s. The path of the PKI secret backend + the resource belongs to. type: string basicConstraintsValidForNonCa: description: Flag to mark basic constraints valid when issuing - non-CA certificates. + non-CA certificates Flag to mark basic constraints valid when + issuing non-CA certificates. type: boolean clientFlag: - description: Flag to specify certificates for client use. + description: Flag to specify certificates for client use Flag + to specify certificates for client use. type: boolean codeSigningFlag: - description: Flag to specify certificates for code signing use. + description: Flag to specify certificates for code signing use + Flag to specify certificates for code signing use. type: boolean country: - description: The country of generated certificates. + description: The country of generated certificates The country + of generated certificates. items: type: string type: array emailProtectionFlag: description: Flag to specify certificates for email protection - use. + use Flag to specify certificates for email protection use. type: boolean enforceHostnames: - description: Flag to allow only valid host names + description: Flag to allow only valid host names Flag to allow + only valid host names type: boolean extKeyUsage: description: Specify the allowed extended key usage constraint - on issued certificates. + on issued certificates Specify the allowed extended key usage + constraint on issued certificates. 
items: type: string type: array generateLease: - description: Flag to generate leases with certificates. + description: Flag to generate leases with certificates Flag to + generate leases with certificates. type: boolean keyBits: - description: The number of bits of generated keys. + description: The number of bits of generated keys The number of + bits of generated keys. type: number keyType: - description: The generated key type. + description: 'The generated key type, choices: rsa, ec, ed25519, + any Defaults to rsa The generated key type.' type: string keyUsage: description: Specify the allowed key usage constraint on issued + certificates Specify the allowed key usage constraint on issued certificates. items: type: string type: array locality: - description: The locality of generated certificates. + description: The locality of generated certificates The locality + of generated certificates. items: type: string type: array maxTtl: - description: The maximum TTL. + description: The maximum lease TTL, in seconds, for the role. + The maximum TTL. type: string name: - description: Unique name for the role. + description: The name to identify this role within the backend. + Must be unique within the backend. Unique name for the role. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string noStore: - description: Flag to not store certificates in the storage backend. + description: Flag to not store certificates in the storage backend + Flag to not store certificates in the storage backend. type: boolean notBeforeDuration: description: Specifies the duration by which to backdate the NotBefore + property. 
Specifies the duration by which to backdate the NotBefore property. type: string organization: - description: The organization of generated certificates. + description: The organization of generated certificates The organization + of generated certificates. items: type: string type: array ou: - description: The organization unit of generated certificates. + description: The organization unit of generated certificates The + organization unit of generated certificates. items: type: string type: array policyIdentifier: - description: Policy identifier block; can only be used with Vault - 1.11+ + description: '(Vault 1.11+ only) A block for specifying policy + identifers. The policy_identifier block can be repeated, and + supports the following arguments: Policy identifier block; can + only be used with Vault 1.11+' items: properties: cps: - description: Optional CPS URL + description: The URL of the CPS for the policy identifier + Optional CPS URL type: string notice: - description: Optional notice + description: A notice for the policy identifier Optional + notice type: string oid: - description: OID + description: The OID for the policy identifier OID type: string - required: - - oid type: object type: array policyIdentifiers: - description: Specify the list of allowed policies OIDs. + description: Specify the list of allowed policies OIDs. Use with + Vault 1.10 or before. For Vault 1.11+, use policy_identifier + blocks instead Specify the list of allowed policies OIDs. items: type: string type: array postalCode: - description: The postal code of generated certificates. + description: The postal code of generated certificates The postal + code of generated certificates. items: type: string type: array province: - description: The province of generated certificates. + description: The province of generated certificates The province + of generated certificates. items: type: string type: array requireCn: - description: Flag to force CN usage. 
+ description: Flag to force CN usage Flag to force CN usage. type: boolean serverFlag: - description: Flag to specify certificates for server use. + description: Flag to specify certificates for server use Flag + to specify certificates for server use. type: boolean streetAddress: - description: The street address of generated certificates. + description: The street address of generated certificates The + street address of generated certificates. items: type: string type: array ttl: - description: The TTL. + description: The TTL, in seconds, for any certificate issued against + this role. The TTL. type: string useCsrCommonName: - description: Flag to use the CN in the CSR. + description: Flag to use the CN in the CSR Flag to use the CN + in the CSR. type: boolean useCsrSans: - description: Flag to use the SANs in the CSR. + description: Flag to use the SANs in the CSR Flag to use the SANs + in the CSR. type: boolean type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + allowAnyName: + description: Flag to allow any name Flag to allow any name + type: boolean + allowBareDomains: + description: Flag to allow certificates matching the actual domain + Flag to allow certificates matching the actual domain. 
+ type: boolean + allowGlobDomains: + description: Flag to allow names containing glob patterns. Flag + to allow names containing glob patterns. + type: boolean + allowIpSans: + description: Flag to allow IP SANs Flag to allow IP SANs + type: boolean + allowLocalhost: + description: Flag to allow certificates for localhost Flag to + allow certificates for localhost. + type: boolean + allowSubdomains: + description: Flag to allow certificates matching subdomains Flag + to allow certificates matching subdomains. + type: boolean + allowedDomains: + description: List of allowed domains for certificates The domains + of the role. + items: + type: string + type: array + allowedDomainsTemplate: + description: Flag, if set, allowed_domains can be specified using + identity template expressions such as {{identity.entity.aliases..name}}. Flag to indicate that `allowed_domains` specifies + a template expression (e.g. {{identity.entity.aliases..name}}) + type: boolean + allowedOtherSans: + description: Defines allowed custom SANs Defines allowed custom + SANs + items: + type: string + type: array + allowedSerialNumbers: + description: An array of allowed serial numbers to put in Subject + Defines allowed Subject serial numbers. + items: + type: string + type: array + allowedUriSans: + description: Defines allowed URI SANs Defines allowed URI SANs + items: + type: string + type: array + backend: + description: The path the PKI secret backend is mounted at, with + no leading or trailing /s. The path of the PKI secret backend + the resource belongs to. + type: string + basicConstraintsValidForNonCa: + description: Flag to mark basic constraints valid when issuing + non-CA certificates Flag to mark basic constraints valid when + issuing non-CA certificates. + type: boolean + clientFlag: + description: Flag to specify certificates for client use Flag + to specify certificates for client use. 
+ type: boolean + codeSigningFlag: + description: Flag to specify certificates for code signing use + Flag to specify certificates for code signing use. + type: boolean + country: + description: The country of generated certificates The country + of generated certificates. + items: + type: string + type: array + emailProtectionFlag: + description: Flag to specify certificates for email protection + use Flag to specify certificates for email protection use. + type: boolean + enforceHostnames: + description: Flag to allow only valid host names Flag to allow + only valid host names + type: boolean + extKeyUsage: + description: Specify the allowed extended key usage constraint + on issued certificates Specify the allowed extended key usage + constraint on issued certificates. + items: + type: string + type: array + generateLease: + description: Flag to generate leases with certificates Flag to + generate leases with certificates. + type: boolean + keyBits: + description: The number of bits of generated keys The number of + bits of generated keys. + type: number + keyType: + description: 'The generated key type, choices: rsa, ec, ed25519, + any Defaults to rsa The generated key type.' + type: string + keyUsage: + description: Specify the allowed key usage constraint on issued + certificates Specify the allowed key usage constraint on issued + certificates. + items: + type: string + type: array + locality: + description: The locality of generated certificates The locality + of generated certificates. + items: + type: string + type: array + maxTtl: + description: The maximum lease TTL, in seconds, for the role. + The maximum TTL. + type: string + name: + description: The name to identify this role within the backend. + Must be unique within the backend. Unique name for the role. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. 
The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + noStore: + description: Flag to not store certificates in the storage backend + Flag to not store certificates in the storage backend. + type: boolean + notBeforeDuration: + description: Specifies the duration by which to backdate the NotBefore + property. Specifies the duration by which to backdate the NotBefore + property. + type: string + organization: + description: The organization of generated certificates The organization + of generated certificates. + items: + type: string + type: array + ou: + description: The organization unit of generated certificates The + organization unit of generated certificates. + items: + type: string + type: array + policyIdentifier: + description: '(Vault 1.11+ only) A block for specifying policy + identifers. The policy_identifier block can be repeated, and + supports the following arguments: Policy identifier block; can + only be used with Vault 1.11+' + items: + properties: + cps: + description: The URL of the CPS for the policy identifier + Optional CPS URL + type: string + notice: + description: A notice for the policy identifier Optional + notice + type: string + oid: + description: The OID for the policy identifier OID + type: string + type: object + type: array + policyIdentifiers: + description: Specify the list of allowed policies OIDs. Use with + Vault 1.10 or before. For Vault 1.11+, use policy_identifier + blocks instead Specify the list of allowed policies OIDs. + items: + type: string + type: array + postalCode: + description: The postal code of generated certificates The postal + code of generated certificates. + items: + type: string + type: array + province: + description: The province of generated certificates The province + of generated certificates. 
+ items: + type: string + type: array + requireCn: + description: Flag to force CN usage Flag to force CN usage. + type: boolean + serverFlag: + description: Flag to specify certificates for server use Flag + to specify certificates for server use. + type: boolean + streetAddress: + description: The street address of generated certificates The + street address of generated certificates. + items: + type: string + type: array + ttl: + description: The TTL, in seconds, for any certificate issued against + this role. The TTL. + type: string + useCsrCommonName: + description: Flag to use the CN in the CSR Flag to use the CN + in the CSR. + type: boolean + useCsrSans: + description: Flag to use the SANs in the CSR Flag to use the SANs + in the CSR. + type: boolean + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. 
If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -431,187 +713,235 @@ spec: type: object x-kubernetes-validations: - message: backend is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) + || has(self.initProvider.backend)' - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' status: description: SecretBackendRoleStatus defines the observed state of SecretBackendRole. properties: atProvider: properties: allowAnyName: - description: Flag to allow any name + description: Flag to allow any name Flag to allow any name type: boolean allowBareDomains: - description: Flag to allow certificates matching the actual domain. + description: Flag to allow certificates matching the actual domain + Flag to allow certificates matching the actual domain. type: boolean allowGlobDomains: - description: Flag to allow names containing glob patterns. + description: Flag to allow names containing glob patterns. Flag + to allow names containing glob patterns. type: boolean allowIpSans: - description: Flag to allow IP SANs + description: Flag to allow IP SANs Flag to allow IP SANs type: boolean allowLocalhost: - description: Flag to allow certificates for localhost. + description: Flag to allow certificates for localhost Flag to + allow certificates for localhost. type: boolean allowSubdomains: - description: Flag to allow certificates matching subdomains. + description: Flag to allow certificates matching subdomains Flag + to allow certificates matching subdomains. type: boolean allowedDomains: - description: The domains of the role. 
+ description: List of allowed domains for certificates The domains + of the role. items: type: string type: array allowedDomainsTemplate: - description: Flag to indicate that `allowed_domains` specifies + description: Flag, if set, allowed_domains can be specified using + identity template expressions such as {{identity.entity.aliases..name}}. Flag to indicate that `allowed_domains` specifies a template expression (e.g. {{identity.entity.aliases..name}}) type: boolean allowedOtherSans: - description: Defines allowed custom SANs + description: Defines allowed custom SANs Defines allowed custom + SANs items: type: string type: array allowedSerialNumbers: - description: Defines allowed Subject serial numbers. + description: An array of allowed serial numbers to put in Subject + Defines allowed Subject serial numbers. items: type: string type: array allowedUriSans: - description: Defines allowed URI SANs + description: Defines allowed URI SANs Defines allowed URI SANs items: type: string type: array backend: - description: The path of the PKI secret backend the resource belongs - to. + description: The path the PKI secret backend is mounted at, with + no leading or trailing /s. The path of the PKI secret backend + the resource belongs to. type: string basicConstraintsValidForNonCa: description: Flag to mark basic constraints valid when issuing - non-CA certificates. + non-CA certificates Flag to mark basic constraints valid when + issuing non-CA certificates. type: boolean clientFlag: - description: Flag to specify certificates for client use. + description: Flag to specify certificates for client use Flag + to specify certificates for client use. type: boolean codeSigningFlag: - description: Flag to specify certificates for code signing use. + description: Flag to specify certificates for code signing use + Flag to specify certificates for code signing use. type: boolean country: - description: The country of generated certificates. 
+ description: The country of generated certificates The country + of generated certificates. items: type: string type: array emailProtectionFlag: description: Flag to specify certificates for email protection - use. + use Flag to specify certificates for email protection use. type: boolean enforceHostnames: - description: Flag to allow only valid host names + description: Flag to allow only valid host names Flag to allow + only valid host names type: boolean extKeyUsage: description: Specify the allowed extended key usage constraint - on issued certificates. + on issued certificates Specify the allowed extended key usage + constraint on issued certificates. items: type: string type: array generateLease: - description: Flag to generate leases with certificates. + description: Flag to generate leases with certificates Flag to + generate leases with certificates. type: boolean id: type: string keyBits: - description: The number of bits of generated keys. + description: The number of bits of generated keys The number of + bits of generated keys. type: number keyType: - description: The generated key type. + description: 'The generated key type, choices: rsa, ec, ed25519, + any Defaults to rsa The generated key type.' type: string keyUsage: description: Specify the allowed key usage constraint on issued + certificates Specify the allowed key usage constraint on issued certificates. items: type: string type: array locality: - description: The locality of generated certificates. + description: The locality of generated certificates The locality + of generated certificates. items: type: string type: array maxTtl: - description: The maximum TTL. + description: The maximum lease TTL, in seconds, for the role. + The maximum TTL. type: string name: - description: Unique name for the role. + description: The name to identify this role within the backend. + Must be unique within the backend. Unique name for the role. type: string namespace: - description: Target namespace. 
(requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string noStore: - description: Flag to not store certificates in the storage backend. + description: Flag to not store certificates in the storage backend + Flag to not store certificates in the storage backend. type: boolean notBeforeDuration: description: Specifies the duration by which to backdate the NotBefore + property. Specifies the duration by which to backdate the NotBefore property. type: string organization: - description: The organization of generated certificates. + description: The organization of generated certificates The organization + of generated certificates. items: type: string type: array ou: - description: The organization unit of generated certificates. + description: The organization unit of generated certificates The + organization unit of generated certificates. items: type: string type: array policyIdentifier: - description: Policy identifier block; can only be used with Vault - 1.11+ + description: '(Vault 1.11+ only) A block for specifying policy + identifers. The policy_identifier block can be repeated, and + supports the following arguments: Policy identifier block; can + only be used with Vault 1.11+' items: properties: cps: - description: Optional CPS URL + description: The URL of the CPS for the policy identifier + Optional CPS URL type: string notice: - description: Optional notice + description: A notice for the policy identifier Optional + notice type: string oid: - description: OID + description: The OID for the policy identifier OID type: string type: object type: array policyIdentifiers: - description: Specify the list of allowed policies OIDs. + description: Specify the list of allowed policies OIDs. 
Use with + Vault 1.10 or before. For Vault 1.11+, use policy_identifier + blocks instead Specify the list of allowed policies OIDs. items: type: string type: array postalCode: - description: The postal code of generated certificates. + description: The postal code of generated certificates The postal + code of generated certificates. items: type: string type: array province: - description: The province of generated certificates. + description: The province of generated certificates The province + of generated certificates. items: type: string type: array requireCn: - description: Flag to force CN usage. + description: Flag to force CN usage Flag to force CN usage. type: boolean serverFlag: - description: Flag to specify certificates for server use. + description: Flag to specify certificates for server use Flag + to specify certificates for server use. type: boolean streetAddress: - description: The street address of generated certificates. + description: The street address of generated certificates The + street address of generated certificates. items: type: string type: array ttl: - description: The TTL. + description: The TTL, in seconds, for any certificate issued against + this role. The TTL. type: string useCsrCommonName: - description: Flag to use the CN in the CSR. + description: Flag to use the CN in the CSR Flag to use the CN + in the CSR. type: boolean useCsrSans: - description: Flag to use the SANs in the CSR. + description: Flag to use the SANs in the CSR Flag to use the SANs + in the CSR. type: boolean type: object conditions: diff --git a/package/crds/pki.vault.upbound.io_secretbackendrootcerts.yaml b/package/crds/pki.vault.upbound.io_secretbackendrootcerts.yaml index ad4509e9..977a84b3 100644 --- a/package/crds/pki.vault.upbound.io_secretbackendrootcerts.yaml +++ b/package/crds/pki.vault.upbound.io_secretbackendrootcerts.yaml 
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackendrootcerts.pki.vault.upbound.io spec: group: pki.vault.upbound.io @@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: SecretBackendRootCert is the Schema for the SecretBackendRootCerts - API. + API. Generate root. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,109 +68,252 @@ spec: forProvider: properties: altNames: - description: List of alternative names. + description: List of alternative names List of alternative names. items: type: string type: array backend: - description: The PKI secret backend the resource belongs to. + description: The PKI secret backend the resource belongs to. The + PKI secret backend the resource belongs to. type: string commonName: - description: CN of root to create. + description: CN of intermediate to create CN of root to create. type: string country: - description: The country. + description: The country The country. type: string excludeCnFromSans: - description: Flag to exclude CN from SANs. + description: Flag to exclude CN from SANs Flag to exclude CN from + SANs. type: boolean format: - description: The format of data. + description: The format of data The format of data. type: string ipSans: - description: List of alternative IPs. + description: List of alternative IPs List of alternative IPs. items: type: string type: array keyBits: - description: The number of bits to use. + description: The number of bits to use The number of bits to use. type: number keyType: - description: The desired key type. + description: The desired key type The desired key type. type: string locality: - description: The locality. + description: The locality The locality. type: string managedKeyId: description: The ID of the previously configured managed key. + This field is required if type is kms and it conflicts with + managed_key_name The ID of the previously configured managed + key. type: string managedKeyName: description: The name of the previously configured managed key. + This field is required if type is kms and it conflicts with + managed_key_id The name of the previously configured managed + key. type: string maxPathLength: description: The maximum path length to encode in the generated + certificate The maximum path length to encode in the generated certificate. 
type: number namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string organization: - description: The organization. + description: The organization The organization. type: string otherSans: - description: List of other SANs. + description: List of other SANs List of other SANs. items: type: string type: array ou: - description: The organization unit. + description: The organization unit The organization unit. type: string permittedDnsDomains: description: List of domains for which certificates are allowed + to be issued List of domains for which certificates are allowed to be issued. items: type: string type: array postalCode: - description: The postal code. + description: The postal code The postal code. type: string privateKeyFormat: - description: The private key format. + description: The private key format The private key format. type: string province: - description: The province. + description: The province The province. type: string streetAddress: - description: The street address. + description: The street address The street address. type: string ttl: - description: Time to live. + description: Time to live Time to live. type: string type: - description: Type of root to create. Must be either "exported" + description: Type of intermediate to create. Must be either "exported", + "internal" or "kms" Type of root to create. Must be either "exported" or "internal". type: string uriSans: - description: List of alternative URIs. + description: List of alternative URIs List of alternative URIs. items: type: string type: array type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. 
+ It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + altNames: + description: List of alternative names List of alternative names. + items: + type: string + type: array + backend: + description: The PKI secret backend the resource belongs to. The + PKI secret backend the resource belongs to. + type: string + commonName: + description: CN of intermediate to create CN of root to create. + type: string + country: + description: The country The country. + type: string + excludeCnFromSans: + description: Flag to exclude CN from SANs Flag to exclude CN from + SANs. + type: boolean + format: + description: The format of data The format of data. + type: string + ipSans: + description: List of alternative IPs List of alternative IPs. + items: + type: string + type: array + keyBits: + description: The number of bits to use The number of bits to use. + type: number + keyType: + description: The desired key type The desired key type. + type: string + locality: + description: The locality The locality. + type: string + managedKeyId: + description: The ID of the previously configured managed key. + This field is required if type is kms and it conflicts with + managed_key_name The ID of the previously configured managed + key. + type: string + managedKeyName: + description: The name of the previously configured managed key. 
+ This field is required if type is kms and it conflicts with + managed_key_id The name of the previously configured managed + key. + type: string + maxPathLength: + description: The maximum path length to encode in the generated + certificate The maximum path length to encode in the generated + certificate. + type: number + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + organization: + description: The organization The organization. + type: string + otherSans: + description: List of other SANs List of other SANs. + items: + type: string + type: array + ou: + description: The organization unit The organization unit. + type: string + permittedDnsDomains: + description: List of domains for which certificates are allowed + to be issued List of domains for which certificates are allowed + to be issued. + items: + type: string + type: array + postalCode: + description: The postal code The postal code. + type: string + privateKeyFormat: + description: The private key format The private key format. + type: string + province: + description: The province The province. + type: string + streetAddress: + description: The street address The street address. + type: string + ttl: + description: Time to live Time to live. + type: string + type: + description: Type of intermediate to create. Must be either "exported", + "internal" or "kms" Type of root to create. Must be either "exported" + or "internal". + type: string + uriSans: + description: List of alternative URIs List of alternative URIs. + items: + type: string + type: array + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. 
It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -345,11 +487,17 @@ spec: type: object x-kubernetes-validations: - message: backend is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) + || has(self.initProvider.backend)' - message: commonName is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.commonName) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.commonName) + || has(self.initProvider.commonName)' - message: type is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.type) + || has(self.initProvider.type)' status: description: SecretBackendRootCertStatus defines the observed state of SecretBackendRootCert. 
@@ -357,104 +505,121 @@ spec: atProvider: properties: altNames: - description: List of alternative names. + description: List of alternative names List of alternative names. items: type: string type: array backend: - description: The PKI secret backend the resource belongs to. + description: The PKI secret backend the resource belongs to. The + PKI secret backend the resource belongs to. type: string certificate: - description: The certificate. + description: The certificate. The certificate. type: string commonName: - description: CN of root to create. + description: CN of intermediate to create CN of root to create. type: string country: - description: The country. + description: The country The country. type: string excludeCnFromSans: - description: Flag to exclude CN from SANs. + description: Flag to exclude CN from SANs Flag to exclude CN from + SANs. type: boolean format: - description: The format of data. + description: The format of data The format of data. type: string id: type: string ipSans: - description: List of alternative IPs. + description: List of alternative IPs List of alternative IPs. items: type: string type: array issuingCa: - description: The issuing CA. + description: The issuing CA certificate. The issuing CA. type: string keyBits: - description: The number of bits to use. + description: The number of bits to use The number of bits to use. type: number keyType: - description: The desired key type. + description: The desired key type The desired key type. type: string locality: - description: The locality. + description: The locality The locality. type: string managedKeyId: description: The ID of the previously configured managed key. + This field is required if type is kms and it conflicts with + managed_key_name The ID of the previously configured managed + key. type: string managedKeyName: description: The name of the previously configured managed key. 
+ This field is required if type is kms and it conflicts with + managed_key_id The name of the previously configured managed + key. type: string maxPathLength: description: The maximum path length to encode in the generated + certificate The maximum path length to encode in the generated certificate. type: number namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string organization: - description: The organization. + description: The organization The organization. type: string otherSans: - description: List of other SANs. + description: List of other SANs List of other SANs. items: type: string type: array ou: - description: The organization unit. + description: The organization unit The organization unit. type: string permittedDnsDomains: description: List of domains for which certificates are allowed + to be issued List of domains for which certificates are allowed to be issued. items: type: string type: array postalCode: - description: The postal code. + description: The postal code The postal code. type: string privateKeyFormat: - description: The private key format. + description: The private key format The private key format. type: string province: - description: The province. + description: The province The province. type: string serial: - description: The serial number. + description: Deprecated, use serial_number instead. The serial + number. type: string serialNumber: - description: The certificate's serial number, hex formatted. + description: The certificate's serial number, hex formatted. The + certificate's serial number, hex formatted. type: string streetAddress: - description: The street address. + description: The street address The street address. 
type: string ttl: - description: Time to live. + description: Time to live Time to live. type: string type: - description: Type of root to create. Must be either "exported" + description: Type of intermediate to create. Must be either "exported", + "internal" or "kms" Type of root to create. Must be either "exported" or "internal". type: string uriSans: - description: List of alternative URIs. + description: List of alternative URIs List of alternative URIs. items: type: string type: array diff --git a/package/crds/pki.vault.upbound.io_secretbackendrootsignintermediates.yaml b/package/crds/pki.vault.upbound.io_secretbackendrootsignintermediates.yaml index a55ddf5f..52851654 100644 --- a/package/crds/pki.vault.upbound.io_secretbackendrootsignintermediates.yaml +++ b/package/crds/pki.vault.upbound.io_secretbackendrootsignintermediates.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackendrootsignintermediates.pki.vault.upbound.io spec: group: pki.vault.upbound.io @@ -59,7 +58,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -148,21 +147,124 @@ spec: description: Preserve CSR values. type: boolean type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + altNames: + description: List of alternative names. + items: + type: string + type: array + backend: + description: The PKI secret backend the resource belongs to. + type: string + commonName: + description: CN of intermediate to create. + type: string + country: + description: The country. + type: string + csr: + description: The CSR. + type: string + excludeCnFromSans: + description: Flag to exclude CN from SANs. + type: boolean + format: + description: The format of data. + type: string + ipSans: + description: List of alternative IPs. + items: + type: string + type: array + locality: + description: The locality. + type: string + maxPathLength: + description: The maximum path length to encode in the generated + certificate. + type: number + namespace: + description: Target namespace. (requires Enterprise) + type: string + organization: + description: The organization. + type: string + otherSans: + description: List of other SANs. + items: + type: string + type: array + ou: + description: The organization unit. 
+ type: string + permittedDnsDomains: + description: List of domains for which certificates are allowed + to be issued. + items: + type: string + type: array + postalCode: + description: The postal code. + type: string + province: + description: The province. + type: string + revoke: + description: Revoke the certificate upon resource destruction. + type: boolean + streetAddress: + description: The street address. + type: string + ttl: + description: Time to live. + type: string + uriSans: + description: List of alternative URIs. + items: + type: string + type: array + useCsrValues: + description: Preserve CSR values. + type: boolean + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. 
See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -336,11 +438,17 @@ spec: type: object x-kubernetes-validations: - message: backend is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) + || has(self.initProvider.backend)' - message: commonName is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.commonName) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.commonName) + || has(self.initProvider.commonName)' - message: csr is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.csr) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.csr) + || has(self.initProvider.csr)' status: description: SecretBackendRootSignIntermediateStatus defines the observed state of SecretBackendRootSignIntermediate. diff --git a/package/crds/pki.vault.upbound.io_secretbackendsigns.yaml b/package/crds/pki.vault.upbound.io_secretbackendsigns.yaml index a21e1946..1990e53f 100644 --- a/package/crds/pki.vault.upbound.io_secretbackendsigns.yaml 
+++ b/package/crds/pki.vault.upbound.io_secretbackendsigns.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackendsigns.pki.vault.upbound.io spec: group: pki.vault.upbound.io @@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: SecretBackendSign is the Schema for the SecretBackendSigns API. - + Sign a new certificate based on the CSR by the PKI. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,73 +68,174 @@ spec: forProvider: properties: altNames: - description: List of alternative names. + description: List of alternative names List of alternative names. items: type: string type: array autoRenew: - description: If enabled, a new certificate will be generated if - the expiration is within min_seconds_remaining + description: If set to true, certs will be renewed if the expiration + is within min_seconds_remaining. Default false If enabled, a + new certificate will be generated if the expiration is within + min_seconds_remaining type: boolean backend: - description: The PKI secret backend the resource belongs to. + description: The PKI secret backend the resource belongs to. The + PKI secret backend the resource belongs to. type: string commonName: - description: CN of intermediate to create. + description: CN of certificate to create CN of intermediate to + create. type: string csr: - description: The CSR. + description: The CSR The CSR. type: string excludeCnFromSans: - description: Flag to exclude CN from SANs. + description: Flag to exclude CN from SANs Flag to exclude CN from + SANs. type: boolean format: - description: The format of data. + description: The format of data The format of data. type: string ipSans: - description: List of alternative IPs. + description: List of alternative IPs List of alternative IPs. items: type: string type: array minSecondsRemaining: description: Generate a new certificate when the expiration is - within this number of seconds + within this number of seconds, default is 604800 (7 days) Generate + a new certificate when the expiration is within this number + of seconds type: number name: - description: Name of the role to create the certificate against. + description: Name of the role to create the certificate against + Name of the role to create the certificate against. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. 
The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string otherSans: - description: List of other SANs. + description: List of other SANs List of other SANs. items: type: string type: array ttl: - description: Time to live. + description: Time to live Time to live. type: string uriSans: - description: List of alternative URIs. + description: List of alternative URIs List of alternative URIs. items: type: string type: array type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + altNames: + description: List of alternative names List of alternative names. + items: + type: string + type: array + autoRenew: + description: If set to true, certs will be renewed if the expiration + is within min_seconds_remaining. Default false If enabled, a + new certificate will be generated if the expiration is within + min_seconds_remaining + type: boolean + backend: + description: The PKI secret backend the resource belongs to. The + PKI secret backend the resource belongs to. 
+ type: string + commonName: + description: CN of certificate to create CN of intermediate to + create. + type: string + csr: + description: The CSR The CSR. + type: string + excludeCnFromSans: + description: Flag to exclude CN from SANs Flag to exclude CN from + SANs. + type: boolean + format: + description: The format of data The format of data. + type: string + ipSans: + description: List of alternative IPs List of alternative IPs. + items: + type: string + type: array + minSecondsRemaining: + description: Generate a new certificate when the expiration is + within this number of seconds, default is 604800 (7 days) Generate + a new certificate when the expiration is within this number + of seconds + type: number + name: + description: Name of the role to create the certificate against + Name of the role to create the certificate against. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + otherSans: + description: List of other SANs List of other SANs. + items: + type: string + type: array + ttl: + description: Time to live Time to live. + type: string + uriSans: + description: List of alternative URIs List of alternative URIs. + items: + type: string + type: array + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. 
Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -309,94 +409,119 @@ spec: type: object x-kubernetes-validations: - message: backend is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) + || has(self.initProvider.backend)' - message: commonName is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.commonName) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.commonName) + || has(self.initProvider.commonName)' - message: csr is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.csr) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.csr) + || has(self.initProvider.csr)' - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' status: description: SecretBackendSignStatus defines the observed state of SecretBackendSign. properties: atProvider: properties: altNames: - description: List of alternative names. + description: List of alternative names List of alternative names. items: type: string type: array autoRenew: - description: If enabled, a new certificate will be generated if - the expiration is within min_seconds_remaining + description: If set to true, certs will be renewed if the expiration + is within min_seconds_remaining. 
Default false If enabled, a + new certificate will be generated if the expiration is within + min_seconds_remaining type: boolean backend: - description: The PKI secret backend the resource belongs to. + description: The PKI secret backend the resource belongs to. The + PKI secret backend the resource belongs to. type: string caChain: - description: The CA chain. + description: The CA chain The CA chain. items: type: string type: array certificate: - description: The certicate. + description: The certificate The certicate. type: string commonName: - description: CN of intermediate to create. + description: CN of certificate to create CN of intermediate to + create. type: string csr: - description: The CSR. + description: The CSR The CSR. type: string excludeCnFromSans: - description: Flag to exclude CN from SANs. + description: Flag to exclude CN from SANs Flag to exclude CN from + SANs. type: boolean expiration: - description: The certificate expiration as a Unix-style timestamp. + description: The expiration date of the certificate in unix epoch + format The certificate expiration as a Unix-style timestamp. type: number format: - description: The format of data. + description: The format of data The format of data. type: string id: type: string ipSans: - description: List of alternative IPs. + description: List of alternative IPs List of alternative IPs. items: type: string type: array issuingCa: - description: The issuing CA. + description: The issuing CA The issuing CA. type: string minSecondsRemaining: description: Generate a new certificate when the expiration is - within this number of seconds + within this number of seconds, default is 604800 (7 days) Generate + a new certificate when the expiration is within this number + of seconds type: number name: - description: Name of the role to create the certificate against. + description: Name of the role to create the certificate against + Name of the role to create the certificate against. 
type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string otherSans: - description: List of other SANs. + description: List of other SANs List of other SANs. items: type: string type: array renewPending: - description: Initially false, and then set to true during refresh - once the expiration is less than min_seconds_remaining in the - future. + description: true if the current time (during refresh) is after + the start of the early renewal window declared by min_seconds_remaining, + and false otherwise; if auto_renew is set to true then the provider + will plan to replace the certificate once renewal is pending. + Initially false, and then set to true during refresh once the + expiration is less than min_seconds_remaining in the future. type: boolean serial: - description: The serial number. + description: Use serial_number instead. The serial number. type: string serialNumber: - description: The certificate's serial number, hex formatted. + description: The certificate's serial number, hex formatted. The + certificate's serial number, hex formatted. type: string ttl: - description: Time to live. + description: Time to live Time to live. type: string uriSans: - description: List of alternative URIs. + description: List of alternative URIs List of alternative URIs. items: type: string type: array diff --git a/package/crds/quota.vault.upbound.io_leasecounts.yaml b/package/crds/quota.vault.upbound.io_leasecounts.yaml index 78629b86..d37d6ad8 100644 --- a/package/crds/quota.vault.upbound.io_leasecounts.yaml +++ b/package/crds/quota.vault.upbound.io_leasecounts.yaml 
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: leasecounts.quota.vault.upbound.io spec: group: quota.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: LeaseCount is the Schema for the LeaseCounts API. + description: LeaseCount is the Schema for the LeaseCounts API. Manage Lease + Count Quota properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,34 +69,101 @@ spec: properties: maxLeases: description: The maximum number of leases to be allowed by the - quota rule. The max_leases must be positive. + quota rule. The max_leases must be positive. The maximum number + of leases to be allowed by the quota rule. The max_leases must + be positive. type: number name: - description: The name of the quota. + description: Name of the rate limit quota The name of the quota. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: description: Path of the mount or namespace to apply the quota. - A blank path configures a global lease count quota. + A blank path configures a global rate limit quota. For example + namespace1/ adds a quota to a full namespace, namespace1/auth/userpass + adds a quota to userpass in namespace1. Updating this field + on an existing quota can have "moving" effects. For example, + updating auth/userpass to namespace1/auth/userpass moves this + quota from being a global mount quota to a namespace specific + mount quota. Note, namespaces are supported in Enterprise only. + Path of the mount or namespace to apply the quota. A blank path + configures a global lease count quota. type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. 
The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + maxLeases: + description: The maximum number of leases to be allowed by the + quota rule. The max_leases must be positive. The maximum number + of leases to be allowed by the quota rule. The max_leases must + be positive. + type: number + name: + description: Name of the rate limit quota The name of the quota. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + path: + description: Path of the mount or namespace to apply the quota. + A blank path configures a global rate limit quota. For example + namespace1/ adds a quota to a full namespace, namespace1/auth/userpass + adds a quota to userpass in namespace1. Updating this field + on an existing quota can have "moving" effects. For example, + updating auth/userpass to namespace1/auth/userpass moves this + quota from being a global mount quota to a namespace specific + mount quota. Note, namespaces are supported in Enterprise only. + Path of the mount or namespace to apply the quota. A blank path + configures a global lease count quota. + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. 
This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -270,9 +337,13 @@ spec: type: object x-kubernetes-validations: - message: maxLeases is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.maxLeases) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.maxLeases) + || has(self.initProvider.maxLeases)' - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' status: description: LeaseCountStatus defines the observed state of LeaseCount. properties: 
@@ -282,17 +353,31 @@ spec: type: string maxLeases: description: The maximum number of leases to be allowed by the - quota rule. The max_leases must be positive. + quota rule. The max_leases must be positive. The maximum number + of leases to be allowed by the quota rule. The max_leases must + be positive. type: number name: - description: The name of the quota. + description: Name of the rate limit quota The name of the quota. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: description: Path of the mount or namespace to apply the quota. - A blank path configures a global lease count quota. + A blank path configures a global rate limit quota. For example + namespace1/ adds a quota to a full namespace, namespace1/auth/userpass + adds a quota to userpass in namespace1. Updating this field + on an existing quota can have "moving" effects. For example, + updating auth/userpass to namespace1/auth/userpass moves this + quota from being a global mount quota to a namespace specific + mount quota. Note, namespaces are supported in Enterprise only. + Path of the mount or namespace to apply the quota. A blank path + configures a global lease count quota. type: string type: object conditions: diff --git a/package/crds/quota.vault.upbound.io_ratelimits.yaml b/package/crds/quota.vault.upbound.io_ratelimits.yaml index b1686c12..f80c6b4f 100644 --- a/package/crds/quota.vault.upbound.io_ratelimits.yaml +++ b/package/crds/quota.vault.upbound.io_ratelimits.yaml 
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: ratelimits.quota.vault.upbound.io spec: group: quota.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: RateLimit is the Schema for the RateLimits API. + description: RateLimit is the Schema for the RateLimits API. Manage Rate Limit + Quota properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -70,42 +70,124 @@ spec: blockInterval: description: If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until - after the 'block_interval' in seconds has elapsed. + after the 'block_interval' in seconds has elapsed. If set, when + a client reaches a rate limit threshold, the client will be + prohibited from any further requests until after the 'block_interval' + in seconds has elapsed. type: number interval: description: The duration in seconds to enforce rate limiting - for. + for. The duration in seconds to enforce rate limiting for. type: number name: - description: The name of the quota. + description: Name of the rate limit quota The name of the quota. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: description: Path of the mount or namespace to apply the quota. - A blank path configures a global rate limit quota. + A blank path configures a global rate limit quota. For example + namespace1/ adds a quota to a full namespace, namespace1/auth/userpass + adds a quota to userpass in namespace1. Updating this field + on an existing quota can have "moving" effects. For example, + updating auth/userpass to namespace1/auth/userpass moves this + quota from being a global mount quota to a namespace specific + mount quota. Note, namespaces are supported in Enterprise only. + Path of the mount or namespace to apply the quota. A blank path + configures a global rate limit quota. type: string rate: description: The maximum number of requests at any given second to be allowed by the quota rule. The rate must be positive. 
+ The maximum number of requests at any given second to be allowed + by the quota rule. The rate must be positive. type: number type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + blockInterval: + description: If set, when a client reaches a rate limit threshold, + the client will be prohibited from any further requests until + after the 'block_interval' in seconds has elapsed. If set, when + a client reaches a rate limit threshold, the client will be + prohibited from any further requests until after the 'block_interval' + in seconds has elapsed. + type: number + interval: + description: The duration in seconds to enforce rate limiting + for. The duration in seconds to enforce rate limiting for. + type: number + name: + description: Name of the rate limit quota The name of the quota. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + path: + description: Path of the mount or namespace to apply the quota. 
+ A blank path configures a global rate limit quota. For example + namespace1/ adds a quota to a full namespace, namespace1/auth/userpass + adds a quota to userpass in namespace1. Updating this field + on an existing quota can have "moving" effects. For example, + updating auth/userpass to namespace1/auth/userpass moves this + quota from being a global mount quota to a namespace specific + mount quota. Note, namespaces are supported in Enterprise only. + Path of the mount or namespace to apply the quota. A blank path + configures a global rate limit quota. + type: string + rate: + description: The maximum number of requests at any given second + to be allowed by the quota rule. The rate must be positive. + The maximum number of requests at any given second to be allowed + by the quota rule. The rate must be positive. + type: number + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. 
Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -279,9 +361,13 @@ spec: type: object x-kubernetes-validations: - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' - message: rate is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.rate) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.rate) + || has(self.initProvider.rate)' status: description: RateLimitStatus defines the observed state of RateLimit. properties: 
@@ -290,27 +376,44 @@ spec: blockInterval: description: If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until - after the 'block_interval' in seconds has elapsed. + after the 'block_interval' in seconds has elapsed. If set, when + a client reaches a rate limit threshold, the client will be + prohibited from any further requests until after the 'block_interval' + in seconds has elapsed. type: number id: type: string interval: description: The duration in seconds to enforce rate limiting - for. + for. The duration in seconds to enforce rate limiting for. type: number name: - description: The name of the quota. + description: Name of the rate limit quota The name of the quota. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: description: Path of the mount or namespace to apply the quota. - A blank path configures a global rate limit quota. + A blank path configures a global rate limit quota. For example + namespace1/ adds a quota to a full namespace, namespace1/auth/userpass + adds a quota to userpass in namespace1. Updating this field + on an existing quota can have "moving" effects. For example, + updating auth/userpass to namespace1/auth/userpass moves this + quota from being a global mount quota to a namespace specific + mount quota. Note, namespaces are supported in Enterprise only. + Path of the mount or namespace to apply the quota. A blank path + configures a global rate limit quota. type: string rate: description: The maximum number of requests at any given second to be allowed by the quota rule. The rate must be positive. 
+ The maximum number of requests at any given second to be allowed + by the quota rule. The rate must be positive. type: number type: object conditions: diff --git a/package/crds/rabbitmq.vault.upbound.io_secretbackendroles.yaml b/package/crds/rabbitmq.vault.upbound.io_secretbackendroles.yaml index 91aa745d..0e52eec5 100644 --- a/package/crds/rabbitmq.vault.upbound.io_secretbackendroles.yaml +++ b/package/crds/rabbitmq.vault.upbound.io_secretbackendroles.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackendroles.rabbitmq.vault.upbound.io spec: group: rabbitmq.vault.upbound.io @@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: SecretBackendRole is the Schema for the SecretBackendRoles API. - + Creates a role on an RabbitMQ Secret Backend for Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,20 +68,28 @@ spec: forProvider: properties: backend: - description: The path of the Rabbitmq Secret Backend the role - belongs to. + description: The path the RabbitMQ secret backend is mounted at, + with no leading or trailing /s. The path of the Rabbitmq Secret + Backend the role belongs to. type: string name: - description: Unique name for the role. + description: The name to identify this role within the backend. + Must be unique within the backend. Unique name for the role. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string tags: description: Specifies a comma-separated RabbitMQ management tags. + Specifies a comma-separated RabbitMQ management tags. type: string vhost: description: Specifies a map of virtual hosts to permissions. + Specifies a map of virtual hosts to permissions. items: properties: configure: @@ -97,16 +104,13 @@ spec: write: description: The write permissions for this vhost. type: string - required: - - configure - - host - - read - - write type: object type: array vhostTopic: description: Specifies a map of virtual hosts and exchanges to topic permissions. This option requires RabbitMQ 3.7.0 or later. + Specifies a map of virtual hosts and exchanges to topic permissions. + This option requires RabbitMQ 3.7.0 or later. items: properties: host: @@ -114,6 +118,7 @@ spec: type: string vhost: description: Specifies a map of virtual hosts to permissions. + Specifies a map of virtual hosts to permissions. items: properties: read: 
@@ -125,32 +130,118 @@ spec: write: description: The write permissions for this vhost. type: string - required: - - read - - topic - - write type: object type: array - required: - - host type: object type: array type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + backend: + description: The path the RabbitMQ secret backend is mounted at, + with no leading or trailing /s. The path of the Rabbitmq Secret + Backend the role belongs to. + type: string + name: + description: The name to identify this role within the backend. + Must be unique within the backend. Unique name for the role. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + tags: + description: Specifies a comma-separated RabbitMQ management tags. + Specifies a comma-separated RabbitMQ management tags. + type: string + vhost: + description: Specifies a map of virtual hosts to permissions. + Specifies a map of virtual hosts to permissions. 
+ items: + properties: + configure: + description: The configure permissions for this vhost. + type: string + host: + description: The vhost to set permissions for. + type: string + read: + description: The read permissions for this vhost. + type: string + write: + description: The write permissions for this vhost. + type: string + type: object + type: array + vhostTopic: + description: Specifies a map of virtual hosts and exchanges to + topic permissions. This option requires RabbitMQ 3.7.0 or later. + Specifies a map of virtual hosts and exchanges to topic permissions. + This option requires RabbitMQ 3.7.0 or later. + items: + properties: + host: + description: The vhost to set permissions for. + type: string + vhost: + description: Specifies a map of virtual hosts to permissions. + Specifies a map of virtual hosts to permissions. + items: + properties: + read: + description: The read permissions for this vhost. + type: string + topic: + description: The vhost to set permissions for. + type: string + write: + description: The write permissions for this vhost. + type: string + type: object + type: array + type: object + type: array + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. 
- See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -324,31 +415,43 @@ spec: type: object x-kubernetes-validations: - message: backend is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) + || has(self.initProvider.backend)' - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' status: description: SecretBackendRoleStatus defines the observed state of SecretBackendRole. properties: atProvider: properties: backend: - description: The path of the Rabbitmq Secret Backend the role - belongs to. + description: The path the RabbitMQ secret backend is mounted at, + with no leading or trailing /s. The path of the Rabbitmq Secret + Backend the role belongs to. type: string id: type: string name: - description: Unique name for the role. + description: The name to identify this role within the backend. + Must be unique within the backend. Unique name for the role. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string tags: description: Specifies a comma-separated RabbitMQ management tags. + Specifies a comma-separated RabbitMQ management tags. type: string vhost: description: Specifies a map of virtual hosts to permissions. + Specifies a map of virtual hosts to permissions. items: properties: configure: 
@@ -368,6 +471,8 @@ spec: vhostTopic: description: Specifies a map of virtual hosts and exchanges to topic permissions. This option requires RabbitMQ 3.7.0 or later. + Specifies a map of virtual hosts and exchanges to topic permissions. + This option requires RabbitMQ 3.7.0 or later. items: properties: host: @@ -375,6 +480,7 @@ spec: type: string vhost: description: Specifies a map of virtual hosts to permissions. + Specifies a map of virtual hosts to permissions. items: properties: read: diff --git a/package/crds/rabbitmq.vault.upbound.io_secretbackends.yaml b/package/crds/rabbitmq.vault.upbound.io_secretbackends.yaml index 3a1d8f0a..5f39ca71 100644 --- a/package/crds/rabbitmq.vault.upbound.io_secretbackends.yaml +++ b/package/crds/rabbitmq.vault.upbound.io_secretbackends.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackends.rabbitmq.vault.upbound.io spec: group: rabbitmq.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: SecretBackend is the Schema for the SecretBackends API. + description: SecretBackend is the Schema for the SecretBackends API. Creates + an RabbitMQ secret backend for Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
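Review bot: The rewritten rule `... || has(self.forProvider.backend) || has(self.initProvider.backend)` assumes `initProvider` is always present: in Kubernetes CEL, selecting a field of an absent optional object is a runtime error rather than `false`, so an object that omits `initProvider` and `forProvider.backend` under the default `managementPolicies: ['*']` may be rejected with an evaluation error instead of the intended `backend is a required parameter` message. Worth confirming with an envtest case that applies exactly such an object; if the error surfaces, guard the lookup, e.g. `|| (has(self.initProvider) && has(self.initProvider.backend))`. The `name` rule in this hunk and the `connectionUri` rule in the secretbackends validation hunk later in this diff have the same shape. These CRDs are emitted by controller-gen from the Go type markers, so the change belongs in the generator's CEL template rather than in this YAML.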
@@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -68,30 +68,44 @@ spec: forProvider: properties: connectionUri: - description: Specifies the RabbitMQ connection URI. + description: Specifies the RabbitMQ connection URI. Specifies + the RabbitMQ connection URI. type: string defaultLeaseTtlSeconds: - description: Default lease duration for secrets in seconds + description: The default TTL for credentials issued by this backend. + Default lease duration for secrets in seconds type: number description: - description: Human-friendly description of the mount for the backend. + description: A human-friendly description for this backend. Human-friendly + description of the mount for the backend. type: string disableRemount: description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. type: boolean maxLeaseTtlSeconds: - description: Maximum possible lease duration for secrets in seconds + description: The maximum TTL that can be requested for credentials + issued by this backend. Maximum possible lease duration for + secrets in seconds type: number namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string passwordPolicy: description: Specifies a password policy to use when creating dynamic credentials. Defaults to generating an alphanumeric + password if not set. Specifies a password policy to use when + creating dynamic credentials. Defaults to generating an alphanumeric password if not set. type: string passwordSecretRef: - description: Specifies the RabbitMQ management administrator password + description: Specifies the RabbitMQ management administrator password. 
+ Specifies the RabbitMQ management administrator password properties: key: description: The key to select. @@ -108,11 +122,14 @@ spec: - namespace type: object path: - description: The path of the RabbitMQ Secret Backend where the - connection should be configured + description: The unique path this backend should be mounted at. + Must not begin or end with a /. Defaults to rabbitmq. The path + of the RabbitMQ Secret Backend where the connection should be + configured type: string usernameSecretRef: - description: Specifies the RabbitMQ management administrator username + description: Specifies the RabbitMQ management administrator username. + Specifies the RabbitMQ management administrator username properties: key: description: The key to select. 
@@ -130,27 +147,105 @@ spec: type: object usernameTemplate: description: Template describing how dynamic usernames are generated. + Template describing how dynamic usernames are generated. type: string verifyConnection: description: Specifies whether to verify connection URI, username, - and password. + and password. Defaults to true. Specifies whether to verify + connection URI, username, and password. type: boolean type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + connectionUri: + description: Specifies the RabbitMQ connection URI. Specifies + the RabbitMQ connection URI. + type: string + defaultLeaseTtlSeconds: + description: The default TTL for credentials issued by this backend. + Default lease duration for secrets in seconds + type: number + description: + description: A human-friendly description for this backend. Human-friendly + description of the mount for the backend. + type: string + disableRemount: + description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. + type: boolean + maxLeaseTtlSeconds: + description: The maximum TTL that can be requested for credentials + issued by this backend. 
Maximum possible lease duration for + secrets in seconds + type: number + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + passwordPolicy: + description: Specifies a password policy to use when creating + dynamic credentials. Defaults to generating an alphanumeric + password if not set. Specifies a password policy to use when + creating dynamic credentials. Defaults to generating an alphanumeric + password if not set. + type: string + path: + description: The unique path this backend should be mounted at. + Must not begin or end with a /. Defaults to rabbitmq. The path + of the RabbitMQ Secret Backend where the connection should be + configured + type: string + usernameTemplate: + description: Template describing how dynamic usernames are generated. + Template describing how dynamic usernames are generated. + type: string + verifyConnection: + description: Specifies whether to verify connection URI, username, + and password. Defaults to true. Specifies whether to verify + connection URI, username, and password. + type: boolean + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. 
- See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -324,51 +419,72 @@ spec: type: object x-kubernetes-validations: - message: connectionUri is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.connectionUri) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.connectionUri) + || has(self.initProvider.connectionUri)' - message: passwordSecretRef is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.passwordSecretRef) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.passwordSecretRef)' - message: usernameSecretRef is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.usernameSecretRef) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.usernameSecretRef)' status: description: SecretBackendStatus defines the observed state of SecretBackend. properties: atProvider: properties: connectionUri: - description: Specifies the RabbitMQ connection URI. + description: Specifies the RabbitMQ connection URI. Specifies + the RabbitMQ connection URI. type: string defaultLeaseTtlSeconds: - description: Default lease duration for secrets in seconds + description: The default TTL for credentials issued by this backend. + Default lease duration for secrets in seconds type: number description: - description: Human-friendly description of the mount for the backend. + description: A human-friendly description for this backend. Human-friendly + description of the mount for the backend. type: string disableRemount: description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. 
type: boolean id: type: string maxLeaseTtlSeconds: - description: Maximum possible lease duration for secrets in seconds + description: The maximum TTL that can be requested for credentials + issued by this backend. Maximum possible lease duration for + secrets in seconds type: number namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string passwordPolicy: description: Specifies a password policy to use when creating dynamic credentials. Defaults to generating an alphanumeric + password if not set. Specifies a password policy to use when + creating dynamic credentials. Defaults to generating an alphanumeric password if not set. type: string path: - description: The path of the RabbitMQ Secret Backend where the - connection should be configured + description: The unique path this backend should be mounted at. + Must not begin or end with a /. Defaults to rabbitmq. The path + of the RabbitMQ Secret Backend where the connection should be + configured type: string usernameTemplate: description: Template describing how dynamic usernames are generated. + Template describing how dynamic usernames are generated. type: string verifyConnection: description: Specifies whether to verify connection URI, username, - and password. + and password. Defaults to true. Specifies whether to verify + connection URI, username, and password. type: boolean type: object conditions: diff --git a/package/crds/raft.vault.upbound.io_autopilots.yaml b/package/crds/raft.vault.upbound.io_autopilots.yaml index 4f8f2031..2cbca0c5 100644 --- a/package/crds/raft.vault.upbound.io_autopilots.yaml +++ b/package/crds/raft.vault.upbound.io_autopilots.yaml 
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: autopilots.raft.vault.upbound.io spec: group: raft.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: Autopilot is the Schema for the Autopilots API. + description: Autopilot is the Schema for the Autopilots API. Configures Raft's + Autopilot capabilities. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -68,55 +68,144 @@ spec: forProvider: properties: cleanupDeadServers: - description: Specifies whether to remove dead server nodes periodically - or when a new server joins. This requires that min-quorum is - also set. + description: quorum is also set. Specifies whether to remove dead + server nodes periodically or when a new server joins. This requires + that min-quorum is also set. type: boolean deadServerLastContactThreshold: description: Limit the amount of time a server can go without leader contact before being considered failed. This only takes - effect when cleanup_dead_servers is set. + effect when cleanup_dead_servers is set. Limit the amount of + time a server can go without leader contact before being considered + failed. This only takes effect when cleanup_dead_servers is + set. type: string disableUpgradeMigration: - description: Disables automatically upgrading Vault using autopilot. - (Enterprise-only) + description: only) Disables automatically upgrading Vault using + autopilot. (Enterprise-only) type: boolean lastContactThreshold: description: Limit the amount of time a server can go without - leader contact before being considered unhealthy. + leader contact before being considered unhealthy. Limit the + amount of time a server can go without leader contact before + being considered unhealthy. type: string maxTrailingLogs: description: Maximum number of log entries in the Raft log that a server can be behind its leader before being considered unhealthy. + Maximum number of log entries in the Raft log that a server + can be behind its leader before being considered unhealthy. type: number minQuorum: description: Minimum number of servers allowed in a cluster before autopilot can prune dead servers. This should at least be 3. - Applicable only for voting nodes. + Applicable only for voting nodes. Minimum number of servers + allowed in a cluster before autopilot can prune dead servers. + This should at least be 3. 
Applicable only for voting nodes. type: number namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string serverStabilizationTime: description: Minimum amount of time a server must be stable in - the 'healthy' state before being added to the cluster. + the 'healthy' state before being added to the cluster. Minimum + amount of time a server must be stable in the 'healthy' state + before being added to the cluster. type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + cleanupDeadServers: + description: quorum is also set. Specifies whether to remove dead + server nodes periodically or when a new server joins. This requires + that min-quorum is also set. + type: boolean + deadServerLastContactThreshold: + description: Limit the amount of time a server can go without + leader contact before being considered failed. This only takes + effect when cleanup_dead_servers is set. 
Limit the amount of + time a server can go without leader contact before being considered + failed. This only takes effect when cleanup_dead_servers is + set. + type: string + disableUpgradeMigration: + description: only) Disables automatically upgrading Vault using + autopilot. (Enterprise-only) + type: boolean + lastContactThreshold: + description: Limit the amount of time a server can go without + leader contact before being considered unhealthy. Limit the + amount of time a server can go without leader contact before + being considered unhealthy. + type: string + maxTrailingLogs: + description: Maximum number of log entries in the Raft log that + a server can be behind its leader before being considered unhealthy. + Maximum number of log entries in the Raft log that a server + can be behind its leader before being considered unhealthy. + type: number + minQuorum: + description: Minimum number of servers allowed in a cluster before + autopilot can prune dead servers. This should at least be 3. + Applicable only for voting nodes. Minimum number of servers + allowed in a cluster before autopilot can prune dead servers. + This should at least be 3. Applicable only for voting nodes. + type: number + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + serverStabilizationTime: + description: Minimum amount of time a server must be stable in + the 'healthy' state before being added to the cluster. Minimum + amount of time a server must be stable in the 'healthy' state + before being added to the cluster. + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. 
It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
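Review bot: Several regenerated `description` strings in this hunk are garbled: `cleanupDeadServers` now reads `quorum is also set. Specifies whether to remove dead server nodes ...` and `disableUpgradeMigration` reads `only) Disables automatically upgrading Vault ...`, which looks like the upstream doc text was split on a hyphen and the tail prepended, and nearly every field repeats its previous sentence verbatim (e.g. `Limit the amount of time ... Limit the amount of time ...`). The same garbling and duplication appear in the atProvider hunk of this file and across the secretbackends hunks. Since these files are produced by controller-gen from the Go type markers, the fix belongs in the provider's description-scraping/generator config rather than in hand edits to this YAML.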
@@ -294,40 +383,55 @@ spec: atProvider: properties: cleanupDeadServers: - description: Specifies whether to remove dead server nodes periodically - or when a new server joins. This requires that min-quorum is - also set. + description: quorum is also set. Specifies whether to remove dead + server nodes periodically or when a new server joins. This requires + that min-quorum is also set. type: boolean deadServerLastContactThreshold: description: Limit the amount of time a server can go without leader contact before being considered failed. This only takes - effect when cleanup_dead_servers is set. + effect when cleanup_dead_servers is set. Limit the amount of + time a server can go without leader contact before being considered + failed. This only takes effect when cleanup_dead_servers is + set. type: string disableUpgradeMigration: - description: Disables automatically upgrading Vault using autopilot. - (Enterprise-only) + description: only) Disables automatically upgrading Vault using + autopilot. (Enterprise-only) type: boolean id: type: string lastContactThreshold: description: Limit the amount of time a server can go without - leader contact before being considered unhealthy. + leader contact before being considered unhealthy. Limit the + amount of time a server can go without leader contact before + being considered unhealthy. type: string maxTrailingLogs: description: Maximum number of log entries in the Raft log that a server can be behind its leader before being considered unhealthy. + Maximum number of log entries in the Raft log that a server + can be behind its leader before being considered unhealthy. type: number minQuorum: description: Minimum number of servers allowed in a cluster before autopilot can prune dead servers. This should at least be 3. - Applicable only for voting nodes. + Applicable only for voting nodes. Minimum number of servers + allowed in a cluster before autopilot can prune dead servers. + This should at least be 3. 
Applicable only for voting nodes. type: number namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string serverStabilizationTime: description: Minimum amount of time a server must be stable in - the 'healthy' state before being added to the cluster. + the 'healthy' state before being added to the cluster. Minimum + amount of time a server must be stable in the 'healthy' state + before being added to the cluster. type: string type: object conditions: diff --git a/package/crds/raft.vault.upbound.io_snapshotagentconfigs.yaml b/package/crds/raft.vault.upbound.io_snapshotagentconfigs.yaml index f37e4b58..7a868fb1 100644 --- a/package/crds/raft.vault.upbound.io_snapshotagentconfigs.yaml +++ b/package/crds/raft.vault.upbound.io_snapshotagentconfigs.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: snapshotagentconfigs.raft.vault.upbound.io spec: group: raft.vault.upbound.io @@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: SnapshotAgentConfig is the Schema for the SnapshotAgentConfigs - API. + API. Creates a Raft Snapshot Agent Configuration for Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,111 +68,306 @@ spec: forProvider: properties: awsAccessKeyId: - description: AWS access key ID. + description: AWS access key ID. AWS access key ID. type: string awsS3Bucket: - description: S3 bucket to write snapshots to. + description: S3 bucket to write snapshots to. S3 bucket to write + snapshots to. type: string awsS3DisableTls: description: Disable TLS for the S3 endpoint. This should only - be used for testing purposes. + be used for testing purposes, typically in conjunction with + aws_s3_endpoint. Disable TLS for the S3 endpoint. This should + only be used for testing purposes. type: boolean awsS3EnableKms: - description: Use KMS to encrypt bucket contents. + description: Use KMS to encrypt bucket contents. Use KMS to encrypt + bucket contents. type: boolean awsS3Endpoint: description: AWS endpoint. This is typically only set when using - a non-AWS S3 implementation like Minio. + a non-AWS S3 implementation like Minio. AWS endpoint. This is + typically only set when using a non-AWS S3 implementation like + Minio. type: string awsS3ForcePathStyle: description: Use the endpoint/bucket URL style instead of bucket.endpoint. + May be needed when setting aws_s3_endpoint. Use the endpoint/bucket + URL style instead of bucket.endpoint. type: boolean awsS3KmsKey: - description: Use named KMS key, when aws_s3_enable_kms=true + description: Use named KMS key, when aws_s3_enable_kms = true + Use named KMS key, when aws_s3_enable_kms=true type: string awsS3Region: - description: AWS region bucket is in. + description: AWS region bucket is in. AWS region bucket is in. type: string awsS3ServerSideEncryption: - description: Use AES256 to encrypt bucket contents. + description: Use AES256 to encrypt bucket contents. Use AES256 + to encrypt bucket contents. type: boolean awsSecretAccessKey: - description: AWS secret access key. + description: AWS secret access key. AWS secret access key. type: string awsSessionToken: - description: AWS session token. 
+ description: AWS session token. AWS session token. type: string azureAccountKey: - description: Azure account key. + description: Azure account key. Azure account key. type: string azureAccountName: - description: Azure account name. + description: Azure account name. Azure account name. type: string azureBlobEnvironment: - description: Azure blob environment. + description: Azure blob environment. Azure blob environment. type: string azureContainerName: - description: Azure container name to write snapshots to. + description: Azure container name to write snapshots to. Azure + container name to write snapshots to. type: string azureEndpoint: description: Azure blob storage endpoint. This is typically only - set when using a non-Azure implementation like Azurite. + set when using a non-Azure implementation like Azurite. Azure + blob storage endpoint. This is typically only set when using + a non-Azure implementation like Azurite. type: string filePrefix: - description: The file or object name of snapshot files will start + description: Within the directory or bucket prefix given by path_prefix, + the file or object name of snapshot files will start with this + string. The file or object name of snapshot files will start with this string. type: string googleDisableTls: - description: Disable TLS for the GCS endpoint. + description: Disable TLS for the GCS endpoint. This should only + be used for testing purposes, typically in conjunction with + google_endpoint. Disable TLS for the GCS endpoint. type: boolean googleEndpoint: description: GCS endpoint. This is typically only set when using - a non-Google GCS implementation like fake-gcs-server. + a non-Google GCS implementation like fake-gcs-server. GCS endpoint. + This is typically only set when using a non-Google GCS implementation + like fake-gcs-server. type: string googleGcsBucket: - description: GCS bucket to write snapshots to. + description: GCS bucket to write snapshots to. 
GCS bucket to write + snapshots to. type: string googleServiceAccountKey: - description: Google service account key in JSON format. + description: 'Google service account key in JSON format. The raw + value looks like this: Google service account key in JSON format.' type: string intervalSeconds: - description: Number of seconds between snapshots. + description: Time (in seconds) between snapshots. Number of seconds + between snapshots. type: number localMaxSpace: - description: The maximum space, in bytes, to use for snapshots. + description: For storage_type = local, the maximum space, in bytes, + to use for snapshots. Snapshot attempts will fail if there is + not enough space left in this allowance. The maximum space, + in bytes, to use for snapshots. type: number name: - description: Name of the snapshot agent configuration. + description: – Name of the configuration to modify. + Name of the snapshot agent configuration. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string pathPrefix: - description: The directory or bucket prefix to to use. + description: For storage_type = "local", the directory to write + the snapshots in. For cloud storage types, the bucket prefix + to use. Types azure-s3 and google-gcs require a trailing / (slash). + Types local and aws-s3 the trailing / is optional. The directory + or bucket prefix to to use. type: string retain: - description: How many snapshots are to be kept. + description: How many snapshots are to be kept; when writing a + snapshot, if there are more snapshots already stored than this + number, the oldest ones will be deleted. How many snapshots + are to be kept. 
type: number storageType: - description: What storage service to send snapshots to. One of - "local", "azure-blob", "aws-s3", or "google-gcs". + description: One of "local", "azure-blob", "aws-s3", or "google-gcs". + The remaining parameters described below are all specific to + the selected storage_type and prefixed accordingly. What storage + service to send snapshots to. One of "local", "azure-blob", + "aws-s3", or "google-gcs". type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + awsAccessKeyId: + description: AWS access key ID. AWS access key ID. + type: string + awsS3Bucket: + description: S3 bucket to write snapshots to. S3 bucket to write + snapshots to. + type: string + awsS3DisableTls: + description: Disable TLS for the S3 endpoint. This should only + be used for testing purposes, typically in conjunction with + aws_s3_endpoint. Disable TLS for the S3 endpoint. This should + only be used for testing purposes. + type: boolean + awsS3EnableKms: + description: Use KMS to encrypt bucket contents. Use KMS to encrypt + bucket contents. + type: boolean + awsS3Endpoint: + description: AWS endpoint. This is typically only set when using + a non-AWS S3 implementation like Minio. AWS endpoint. 
This is + typically only set when using a non-AWS S3 implementation like + Minio. + type: string + awsS3ForcePathStyle: + description: Use the endpoint/bucket URL style instead of bucket.endpoint. + May be needed when setting aws_s3_endpoint. Use the endpoint/bucket + URL style instead of bucket.endpoint. + type: boolean + awsS3KmsKey: + description: Use named KMS key, when aws_s3_enable_kms = true + Use named KMS key, when aws_s3_enable_kms=true + type: string + awsS3Region: + description: AWS region bucket is in. AWS region bucket is in. + type: string + awsS3ServerSideEncryption: + description: Use AES256 to encrypt bucket contents. Use AES256 + to encrypt bucket contents. + type: boolean + awsSecretAccessKey: + description: AWS secret access key. AWS secret access key. + type: string + awsSessionToken: + description: AWS session token. AWS session token. + type: string + azureAccountKey: + description: Azure account key. Azure account key. + type: string + azureAccountName: + description: Azure account name. Azure account name. + type: string + azureBlobEnvironment: + description: Azure blob environment. Azure blob environment. + type: string + azureContainerName: + description: Azure container name to write snapshots to. Azure + container name to write snapshots to. + type: string + azureEndpoint: + description: Azure blob storage endpoint. This is typically only + set when using a non-Azure implementation like Azurite. Azure + blob storage endpoint. This is typically only set when using + a non-Azure implementation like Azurite. + type: string + filePrefix: + description: Within the directory or bucket prefix given by path_prefix, + the file or object name of snapshot files will start with this + string. The file or object name of snapshot files will start + with this string. + type: string + googleDisableTls: + description: Disable TLS for the GCS endpoint. This should only + be used for testing purposes, typically in conjunction with + google_endpoint. 
Disable TLS for the GCS endpoint. + type: boolean + googleEndpoint: + description: GCS endpoint. This is typically only set when using + a non-Google GCS implementation like fake-gcs-server. GCS endpoint. + This is typically only set when using a non-Google GCS implementation + like fake-gcs-server. + type: string + googleGcsBucket: + description: GCS bucket to write snapshots to. GCS bucket to write + snapshots to. + type: string + googleServiceAccountKey: + description: 'Google service account key in JSON format. The raw + value looks like this: Google service account key in JSON format.' + type: string + intervalSeconds: + description: Time (in seconds) between snapshots. Number of seconds + between snapshots. + type: number + localMaxSpace: + description: For storage_type = local, the maximum space, in bytes, + to use for snapshots. Snapshot attempts will fail if there is + not enough space left in this allowance. The maximum space, + in bytes, to use for snapshots. + type: number + name: + description: – Name of the configuration to modify. + Name of the snapshot agent configuration. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + pathPrefix: + description: For storage_type = "local", the directory to write + the snapshots in. For cloud storage types, the bucket prefix + to use. Types azure-s3 and google-gcs require a trailing / (slash). + Types local and aws-s3 the trailing / is optional. The directory + or bucket prefix to to use. + type: string + retain: + description: How many snapshots are to be kept; when writing a + snapshot, if there are more snapshots already stored than this + number, the oldest ones will be deleted. How many snapshots + are to be kept. 
+ type: number + storageType: + description: One of "local", "azure-blob", "aws-s3", or "google-gcs". + The remaining parameters described below are all specific to + the selected storage_type and prefixed accordingly. What storage + service to send snapshots to. One of "local", "azure-blob", + "aws-s3", or "google-gcs". + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. 
See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
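Review bot: The new `initProvider` block repeats `awsSecretAccessKey`, `awsSessionToken`, `azureAccountKey` and `googleServiceAccountKey` as plain `type: string` properties, and the `status` hunk below (`@@ -347,109 +541,157 @@`) keeps the same credential fields in `atProvider`, so long-lived cloud credentials end up in the resource spec and status in clear text rather than behind a secret reference. Compare the SSH CA CRD further down in this diff, whose `privateKeySecretRef` carries the sensitive value as a Kubernetes Secret reference. Since this file carries a `controller-gen.kubebuilder.io/version` annotation and is generated, the fix belongs in the Go API types and resource configuration this CRD is rendered from: marking these fields sensitive there would turn them into `*SecretRef` properties and drop them from `atProvider`. Until then, anyone with read access to these objects (including via etcd backups and audit logs that capture the object) can read the storage credentials.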
@@ -347,109 +541,157 @@ spec: type: object x-kubernetes-validations: - message: intervalSeconds is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.intervalSeconds) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.intervalSeconds) + || has(self.initProvider.intervalSeconds)' - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' - message: pathPrefix is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.pathPrefix) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.pathPrefix) + || has(self.initProvider.pathPrefix)' - message: storageType is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.storageType) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.storageType) + || has(self.initProvider.storageType)' status: description: SnapshotAgentConfigStatus defines the observed state of SnapshotAgentConfig. properties: atProvider: properties: awsAccessKeyId: - description: AWS access key ID. + description: AWS access key ID. AWS access key ID. type: string awsS3Bucket: - description: S3 bucket to write snapshots to. + description: S3 bucket to write snapshots to. S3 bucket to write + snapshots to. type: string awsS3DisableTls: description: Disable TLS for the S3 endpoint. This should only - be used for testing purposes. 
+ be used for testing purposes, typically in conjunction with + aws_s3_endpoint. Disable TLS for the S3 endpoint. This should + only be used for testing purposes. type: boolean awsS3EnableKms: - description: Use KMS to encrypt bucket contents. + description: Use KMS to encrypt bucket contents. Use KMS to encrypt + bucket contents. type: boolean awsS3Endpoint: description: AWS endpoint. This is typically only set when using - a non-AWS S3 implementation like Minio. + a non-AWS S3 implementation like Minio. AWS endpoint. This is + typically only set when using a non-AWS S3 implementation like + Minio. type: string awsS3ForcePathStyle: description: Use the endpoint/bucket URL style instead of bucket.endpoint. + May be needed when setting aws_s3_endpoint. Use the endpoint/bucket + URL style instead of bucket.endpoint. type: boolean awsS3KmsKey: - description: Use named KMS key, when aws_s3_enable_kms=true + description: Use named KMS key, when aws_s3_enable_kms = true + Use named KMS key, when aws_s3_enable_kms=true type: string awsS3Region: - description: AWS region bucket is in. + description: AWS region bucket is in. AWS region bucket is in. type: string awsS3ServerSideEncryption: - description: Use AES256 to encrypt bucket contents. + description: Use AES256 to encrypt bucket contents. Use AES256 + to encrypt bucket contents. type: boolean awsSecretAccessKey: - description: AWS secret access key. + description: AWS secret access key. AWS secret access key. type: string awsSessionToken: - description: AWS session token. + description: AWS session token. AWS session token. type: string azureAccountKey: - description: Azure account key. + description: Azure account key. Azure account key. type: string azureAccountName: - description: Azure account name. + description: Azure account name. Azure account name. type: string azureBlobEnvironment: - description: Azure blob environment. + description: Azure blob environment. Azure blob environment. 
type: string azureContainerName: - description: Azure container name to write snapshots to. + description: Azure container name to write snapshots to. Azure + container name to write snapshots to. type: string azureEndpoint: description: Azure blob storage endpoint. This is typically only - set when using a non-Azure implementation like Azurite. + set when using a non-Azure implementation like Azurite. Azure + blob storage endpoint. This is typically only set when using + a non-Azure implementation like Azurite. type: string filePrefix: - description: The file or object name of snapshot files will start + description: Within the directory or bucket prefix given by path_prefix, + the file or object name of snapshot files will start with this + string. The file or object name of snapshot files will start with this string. type: string googleDisableTls: - description: Disable TLS for the GCS endpoint. + description: Disable TLS for the GCS endpoint. This should only + be used for testing purposes, typically in conjunction with + google_endpoint. Disable TLS for the GCS endpoint. type: boolean googleEndpoint: description: GCS endpoint. This is typically only set when using - a non-Google GCS implementation like fake-gcs-server. + a non-Google GCS implementation like fake-gcs-server. GCS endpoint. + This is typically only set when using a non-Google GCS implementation + like fake-gcs-server. type: string googleGcsBucket: - description: GCS bucket to write snapshots to. + description: GCS bucket to write snapshots to. GCS bucket to write + snapshots to. type: string googleServiceAccountKey: - description: Google service account key in JSON format. + description: 'Google service account key in JSON format. The raw + value looks like this: Google service account key in JSON format.' type: string id: type: string intervalSeconds: - description: Number of seconds between snapshots. + description: Time (in seconds) between snapshots. Number of seconds + between snapshots. 
type: number localMaxSpace: - description: The maximum space, in bytes, to use for snapshots. + description: For storage_type = local, the maximum space, in bytes, + to use for snapshots. Snapshot attempts will fail if there is + not enough space left in this allowance. The maximum space, + in bytes, to use for snapshots. type: number name: - description: Name of the snapshot agent configuration. + description: – Name of the configuration to modify. + Name of the snapshot agent configuration. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string pathPrefix: - description: The directory or bucket prefix to to use. + description: For storage_type = "local", the directory to write + the snapshots in. For cloud storage types, the bucket prefix + to use. Types azure-s3 and google-gcs require a trailing / (slash). + Types local and aws-s3 the trailing / is optional. The directory + or bucket prefix to to use. type: string retain: - description: How many snapshots are to be kept. + description: How many snapshots are to be kept; when writing a + snapshot, if there are more snapshots already stored than this + number, the oldest ones will be deleted. How many snapshots + are to be kept. type: number storageType: - description: What storage service to send snapshots to. One of - "local", "azure-blob", "aws-s3", or "google-gcs". + description: One of "local", "azure-blob", "aws-s3", or "google-gcs". + The remaining parameters described below are all specific to + the selected storage_type and prefixed accordingly. What storage + service to send snapshots to. One of "local", "azure-blob", + "aws-s3", or "google-gcs". type: string type: object conditions: 
diff --git a/package/crds/rgp.vault.upbound.io_policies.yaml b/package/crds/rgp.vault.upbound.io_policies.yaml index 2dd09763..703c5d37 100644 --- a/package/crds/rgp.vault.upbound.io_policies.yaml +++ b/package/crds/rgp.vault.upbound.io_policies.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: policies.rgp.vault.upbound.io spec: group: rgp.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: Policy is the Schema for the Policys API. + description: Policy is the Schema for the Policys API. Writes Sentinel role + governing policies for Vault properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -68,34 +68,84 @@ spec: forProvider: properties: enforcementLevel: - description: 'Enforcement level of Sentinel policy. Can be one - of: ''advisory'', ''soft-mandatory'' or ''hard-mandatory''' + description: 'Enforcement level of Sentinel policy. Can be either + advisory or soft-mandatory or hard-mandatory Enforcement level + of Sentinel policy. Can be one of: ''advisory'', ''soft-mandatory'' + or ''hard-mandatory''' type: string name: - description: Name of the policy + description: The name of the policy Name of the policy type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string policy: - description: The policy document + description: String containing a Sentinel policy The policy document type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + enforcementLevel: + description: 'Enforcement level of Sentinel policy. 
Can be either + advisory or soft-mandatory or hard-mandatory Enforcement level + of Sentinel policy. Can be one of: ''advisory'', ''soft-mandatory'' + or ''hard-mandatory''' + type: string + name: + description: The name of the policy Name of the policy + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + policy: + description: String containing a Sentinel policy The policy document + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. 
See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -269,30 +319,42 @@ spec: type: object x-kubernetes-validations: - message: enforcementLevel is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.enforcementLevel) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.enforcementLevel) + || has(self.initProvider.enforcementLevel)' - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' - message: policy is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.policy) + || has(self.initProvider.policy)' status: description: PolicyStatus defines the observed state of Policy. properties: atProvider: properties: enforcementLevel: - description: 'Enforcement level of Sentinel policy. Can be one - of: ''advisory'', ''soft-mandatory'' or ''hard-mandatory''' + description: 'Enforcement level of Sentinel policy. Can be either + advisory or soft-mandatory or hard-mandatory Enforcement level + of Sentinel policy. Can be one of: ''advisory'', ''soft-mandatory'' + or ''hard-mandatory''' type: string id: type: string name: - description: Name of the policy + description: The name of the policy Name of the policy type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. 
(requires + Enterprise) type: string policy: - description: The policy document + description: String containing a Sentinel policy The policy document type: string type: object conditions: diff --git a/package/crds/ssh.vault.upbound.io_secretbackendcas.yaml b/package/crds/ssh.vault.upbound.io_secretbackendcas.yaml index ff690b1d..9108a981 100644 --- a/package/crds/ssh.vault.upbound.io_secretbackendcas.yaml +++ b/package/crds/ssh.vault.upbound.io_secretbackendcas.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackendcas.ssh.vault.upbound.io spec: group: ssh.vault.upbound.io @@ -35,8 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: SecretBackendCA is the Schema for the SecretBackendCAs API. + description: SecretBackendCA is the Schema for the SecretBackendCAs API. Managing + CA information in an SSH secret backend in Vault properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,19 +68,26 @@ spec: forProvider: properties: backend: - description: The path of the SSH Secret Backend where the CA should - be configured + description: The path where the SSH secret backend is mounted. + Defaults to 'ssh' The path of the SSH Secret Backend where the + CA should be configured type: string generateSigningKey: description: Whether Vault should generate the signing key pair - internally. + internally. Defaults to true Whether Vault should generate the + signing key pair internally. type: boolean namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string privateKeySecretRef: - description: Private key part the SSH CA key pair; required if - generate_signing_key is false. + description: The private key part the SSH CA key pair; required + if generate_signing_key is false. Private key part the SSH CA + key pair; required if generate_signing_key is false. properties: key: description: The key to select. 
@@ -98,25 +104,73 @@ spec: - namespace type: object publicKey: - description: Public key part the SSH CA key pair; required if - generate_signing_key is false. + description: The public key part the SSH CA key pair; required + if generate_signing_key is false. Public key part the SSH CA + key pair; required if generate_signing_key is false. type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + backend: + description: The path where the SSH secret backend is mounted. + Defaults to 'ssh' The path of the SSH Secret Backend where the + CA should be configured + type: string + generateSigningKey: + description: Whether Vault should generate the signing key pair + internally. Defaults to true Whether Vault should generate the + signing key pair internally. + type: boolean + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + publicKey: + description: The public key part the SSH CA key pair; required + if generate_signing_key is false. 
Public key part the SSH CA + key pair; required if generate_signing_key is false. + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -294,21 +348,28 @@ spec: atProvider: properties: backend: - description: The path of the SSH Secret Backend where the CA should - be configured + description: The path where the SSH secret backend is mounted. + Defaults to 'ssh' The path of the SSH Secret Backend where the + CA should be configured type: string generateSigningKey: description: Whether Vault should generate the signing key pair - internally. + internally. Defaults to true Whether Vault should generate the + signing key pair internally. type: boolean id: type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string publicKey: - description: Public key part the SSH CA key pair; required if - generate_signing_key is false. + description: The public key part the SSH CA key pair; required + if generate_signing_key is false. Public key part the SSH CA + key pair; required if generate_signing_key is false. type: string type: object conditions: diff --git a/package/crds/ssh.vault.upbound.io_secretbackendroles.yaml b/package/crds/ssh.vault.upbound.io_secretbackendroles.yaml index c4465b27..ec994a90 100644 --- a/package/crds/ssh.vault.upbound.io_secretbackendroles.yaml +++ b/package/crds/ssh.vault.upbound.io_secretbackendroles.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackendroles.ssh.vault.upbound.io spec: group: ssh.vault.upbound.io 
@@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: SecretBackendRole is the Schema for the SecretBackendRoles API. - + Managing roles in an SSH secret backend in Vault properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,98 +68,306 @@ spec: forProvider: properties: algorithmSigner: + description: 'When supplied, this value specifies a signing algorithm + for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512.' type: string allowBareDomains: + description: Specifies if host certificates that are requested + are allowed to use the base domains listed in allowed_domains. type: boolean allowHostCertificates: + description: Specifies if certificates are allowed to be signed + for use as a 'host'. type: boolean allowSubdomains: + description: Specifies if host certificates that are requested + are allowed to be subdomains of those listed in allowed_domains. type: boolean allowUserCertificates: + description: Specifies if certificates are allowed to be signed + for use as a 'user'. type: boolean allowUserKeyIds: + description: Specifies if users can override the key ID for a + signed certificate with the key_id field. type: boolean allowedCriticalOptions: + description: Specifies a comma-separated list of critical options + that certificates can have when signed. type: string allowedDomains: + description: The list of domains for which a client can request + a host certificate. type: string allowedExtensions: + description: Specifies a comma-separated list of extensions that + certificates can have when signed. type: string allowedUserKeyConfig: - description: Set of allowed public key types and their relevant - configuration + description: Set of configuration blocks to define allowed user + key configuration, like key type and their lengths. Can be specified + multiple times. See Set of allowed public key types and their + relevant configuration items: properties: lengths: - description: List of allowed key lengths, vault-1.10 and - above + description: A list of allowed key lengths as integers. + For key types that do not support setting the length a + value of [0] should be used. Setting multiple lengths + is only supported on Vault 1.10+. 
For prior releases length + must be set to a single element list. List of allowed + key lengths, vault-1.10 and above items: type: number type: array type: - description: 'Key type, choices: rsa, ecdsa, ec, dsa, ed25519, - ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, + description: 'The SSH public key type. Supported key types + are: rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, + ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521 + Key type, choices: rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, + ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521' type: string - required: - - lengths - - type type: object type: array allowedUserKeyLengths: additionalProperties: type: number + description: 'Specifies a map of ssh key types and their expected + sizes which are allowed to be signed by the CA type. Deprecated: + use allowed_user_key_config instead' type: object allowedUsers: + description: Specifies a comma-separated list of usernames that + are to be allowed, only if certain usernames are to be allowed. type: string allowedUsersTemplate: + description: Specifies if allowed_users can be declared using + identity template policies. Non-templated users are also permitted. type: boolean backend: + description: The path where the SSH secret backend is mounted. type: string cidrList: + description: The comma-separated string of CIDR blocks for which + this role is applicable. type: string defaultCriticalOptions: additionalProperties: type: string + description: Specifies a map of critical options that certificates + have when signed. type: object defaultExtensions: additionalProperties: type: string + description: Specifies a map of extensions that certificates have + when signed. type: object defaultUser: + description: Specifies the default username for which a credential + will be generated. 
type: string defaultUserTemplate: + description: If set, default_users can be specified using identity + template values. A non-templated user is also permitted. type: boolean keyIdFormat: + description: Specifies a custom format for the key id of a signed + certificate. type: string keyType: + description: Specifies the type of credentials generated by this + role. This can be either otp, dynamic or ca. type: string maxTtl: + description: Specifies the maximum Time To Live value. type: string name: - description: Unique name for the role. + description: Specifies the name of the role to create. Unique + name for the role. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string ttl: + description: Specifies the Time To Live value. type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + algorithmSigner: + description: 'When supplied, this value specifies a signing algorithm + for the key. 
Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512.' + type: string + allowBareDomains: + description: Specifies if host certificates that are requested + are allowed to use the base domains listed in allowed_domains. + type: boolean + allowHostCertificates: + description: Specifies if certificates are allowed to be signed + for use as a 'host'. + type: boolean + allowSubdomains: + description: Specifies if host certificates that are requested + are allowed to be subdomains of those listed in allowed_domains. + type: boolean + allowUserCertificates: + description: Specifies if certificates are allowed to be signed + for use as a 'user'. + type: boolean + allowUserKeyIds: + description: Specifies if users can override the key ID for a + signed certificate with the key_id field. + type: boolean + allowedCriticalOptions: + description: Specifies a comma-separated list of critical options + that certificates can have when signed. + type: string + allowedDomains: + description: The list of domains for which a client can request + a host certificate. + type: string + allowedExtensions: + description: Specifies a comma-separated list of extensions that + certificates can have when signed. + type: string + allowedUserKeyConfig: + description: Set of configuration blocks to define allowed user + key configuration, like key type and their lengths. Can be specified + multiple times. See Set of allowed public key types and their + relevant configuration + items: + properties: + lengths: + description: A list of allowed key lengths as integers. + For key types that do not support setting the length a + value of [0] should be used. Setting multiple lengths + is only supported on Vault 1.10+. For prior releases length + must be set to a single element list. List of allowed + key lengths, vault-1.10 and above + items: + type: number + type: array + type: + description: 'The SSH public key type. 
Supported key types + are: rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, + ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521 + Key type, choices: rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, + ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, + ecdsa-sha2-nistp521' + type: string + type: object + type: array + allowedUserKeyLengths: + additionalProperties: + type: number + description: 'Specifies a map of ssh key types and their expected + sizes which are allowed to be signed by the CA type. Deprecated: + use allowed_user_key_config instead' + type: object + allowedUsers: + description: Specifies a comma-separated list of usernames that + are to be allowed, only if certain usernames are to be allowed. + type: string + allowedUsersTemplate: + description: Specifies if allowed_users can be declared using + identity template policies. Non-templated users are also permitted. + type: boolean + backend: + description: The path where the SSH secret backend is mounted. + type: string + cidrList: + description: The comma-separated string of CIDR blocks for which + this role is applicable. + type: string + defaultCriticalOptions: + additionalProperties: + type: string + description: Specifies a map of critical options that certificates + have when signed. + type: object + defaultExtensions: + additionalProperties: + type: string + description: Specifies a map of extensions that certificates have + when signed. + type: object + defaultUser: + description: Specifies the default username for which a credential + will be generated. + type: string + defaultUserTemplate: + description: If set, default_users can be specified using identity + template values. A non-templated user is also permitted. + type: boolean + keyIdFormat: + description: Specifies a custom format for the key id of a signed + certificate. + type: string + keyType: + description: Specifies the type of credentials generated by this + role. This can be either otp, dynamic or ca. 
+ type: string + maxTtl: + description: Specifies the maximum Time To Live value. + type: string + name: + description: Specifies the name of the role to create. Unique + name for the role. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + ttl: + description: Specifies the Time To Live value. + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. 
See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
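Review bot: The `required: [lengths, type]` list is dropped from the `allowedUserKeyConfig` items under `forProvider`, so an entry that names a key type without `lengths` (or a `lengths` list with no `type`) now passes admission and only fails later, if at all, when Vault rejects the role; the CEL rules added elsewhere in this file cover only the top-level `backend`, `keyType` and `name`. If the list was removed so that partial blocks can be carried in `initProvider`, the `forProvider` items could keep it, or the array could carry `x-kubernetes-validations: - rule: self.all(c, has(c.type) && has(c.lengths))` with a matching `message`. Since this CRD is generated by controller-gen, the change belongs on the Go type's kubebuilder markers rather than in this YAML.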
@@ -334,48 +541,81 @@ spec: type: object x-kubernetes-validations: - message: backend is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) + || has(self.initProvider.backend)' - message: keyType is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.keyType) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.keyType) + || has(self.initProvider.keyType)' - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' status: description: SecretBackendRoleStatus defines the observed state of SecretBackendRole. properties: atProvider: properties: algorithmSigner: + description: 'When supplied, this value specifies a signing algorithm + for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512.' type: string allowBareDomains: + description: Specifies if host certificates that are requested + are allowed to use the base domains listed in allowed_domains. type: boolean allowHostCertificates: + description: Specifies if certificates are allowed to be signed + for use as a 'host'. type: boolean allowSubdomains: + description: Specifies if host certificates that are requested + are allowed to be subdomains of those listed in allowed_domains. type: boolean allowUserCertificates: + description: Specifies if certificates are allowed to be signed + for use as a 'user'. 
type: boolean allowUserKeyIds: + description: Specifies if users can override the key ID for a + signed certificate with the key_id field. type: boolean allowedCriticalOptions: + description: Specifies a comma-separated list of critical options + that certificates can have when signed. type: string allowedDomains: + description: The list of domains for which a client can request + a host certificate. type: string allowedExtensions: + description: Specifies a comma-separated list of extensions that + certificates can have when signed. type: string allowedUserKeyConfig: - description: Set of allowed public key types and their relevant - configuration + description: Set of configuration blocks to define allowed user + key configuration, like key type and their lengths. Can be specified + multiple times. See Set of allowed public key types and their + relevant configuration items: properties: lengths: - description: List of allowed key lengths, vault-1.10 and - above + description: A list of allowed key lengths as integers. + For key types that do not support setting the length a + value of [0] should be used. Setting multiple lengths + is only supported on Vault 1.10+. For prior releases length + must be set to a single element list. List of allowed + key lengths, vault-1.10 and above items: type: number type: array type: - description: 'Key type, choices: rsa, ecdsa, ec, dsa, ed25519, - ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, + description: 'The SSH public key type. Supported key types + are: rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, + ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521 + Key type, choices: rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, + ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521' type: string type: object 
@@ -383,42 +623,71 @@ spec: allowedUserKeyLengths: additionalProperties: type: number + description: 'Specifies a map of ssh key types and their expected + sizes which are allowed to be signed by the CA type. Deprecated: + use allowed_user_key_config instead' type: object allowedUsers: + description: Specifies a comma-separated list of usernames that + are to be allowed, only if certain usernames are to be allowed. type: string allowedUsersTemplate: + description: Specifies if allowed_users can be declared using + identity template policies. Non-templated users are also permitted. type: boolean backend: + description: The path where the SSH secret backend is mounted. type: string cidrList: + description: The comma-separated string of CIDR blocks for which + this role is applicable. type: string defaultCriticalOptions: additionalProperties: type: string + description: Specifies a map of critical options that certificates + have when signed. type: object defaultExtensions: additionalProperties: type: string + description: Specifies a map of extensions that certificates have + when signed. type: object defaultUser: + description: Specifies the default username for which a credential + will be generated. type: string defaultUserTemplate: + description: If set, default_users can be specified using identity + template values. A non-templated user is also permitted. type: boolean id: type: string keyIdFormat: + description: Specifies a custom format for the key id of a signed + certificate. type: string keyType: + description: Specifies the type of credentials generated by this + role. This can be either otp, dynamic or ca. type: string maxTtl: + description: Specifies the maximum Time To Live value. type: string name: - description: Unique name for the role. + description: Specifies the name of the role to create. Unique + name for the role. type: string namespace: - description: Target namespace. 
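Review bot: The rewritten required-parameter rules test `has(self.initProvider.backend)` (likewise for `keyType` and `name`) without first checking that `initProvider` is set at all. If I read Kubernetes CEL semantics correctly, selecting a sub-field of an absent object evaluates to an error rather than `false`, so a resource that omits both `forProvider.backend` and the whole `initProvider` block is still rejected, but with a CEL evaluation error instead of the intended `backend is a required parameter` message. Guarding the lookup, `|| (has(self.initProvider) && has(self.initProvider.backend))`, keeps the diagnostic meaningful; as this file is generated, the template that emits the rule is the place to change it.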
(requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string ttl: + description: Specifies the Time To Live value. type: string type: object conditions: diff --git a/package/crds/terraform.vault.upbound.io_cloudsecretbackends.yaml b/package/crds/terraform.vault.upbound.io_cloudsecretbackends.yaml index 319a1a34..efac628e 100644 --- a/package/crds/terraform.vault.upbound.io_cloudsecretbackends.yaml +++ b/package/crds/terraform.vault.upbound.io_cloudsecretbackends.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: cloudsecretbackends.terraform.vault.upbound.io spec: group: terraform.vault.upbound.io @@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: CloudSecretBackend is the Schema for the CloudSecretBackends - API. + API. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -72,25 +71,35 @@ spec: description: 0.0.1:8500". type: string backend: - description: unique name of the vault Upbound official provider - cloud mount to configure + description: The unique location this backend should be mounted + at. Must not begin or end with a / type: string basePath: type: string defaultLeaseTtlSeconds: - description: Default lease duration for secrets in seconds + description: The default TTL for credentials issued by this backend. + Default lease duration for secrets in seconds type: number description: - description: Human-friendly description of the mount for the backend. + description: A human-friendly description for this backend. Human-friendly + description of the mount for the backend. type: string disableRemount: description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. type: boolean maxLeaseTtlSeconds: - description: Maximum possible lease duration for secrets in seconds + description: The maximum TTL that can be requested for credentials + issued by this backend. Maximum possible lease duration for + secrets in seconds type: number namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string tokenSecretRef: description: A SecretKeySelector is a reference to a secret key 
@@ -111,21 +120,80 @@ spec: - namespace type: object type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + address: + description: 0.0.1:8500". + type: string + backend: + description: The unique location this backend should be mounted + at. Must not begin or end with a / + type: string + basePath: + type: string + defaultLeaseTtlSeconds: + description: The default TTL for credentials issued by this backend. + Default lease duration for secrets in seconds + type: number + description: + description: A human-friendly description for this backend. Human-friendly + description of the mount for the backend. + type: string + disableRemount: + description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. + type: boolean + maxLeaseTtlSeconds: + description: The maximum TTL that can be requested for credentials + issued by this backend. Maximum possible lease duration for + secrets in seconds + type: number + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. 
+ Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -306,27 +374,37 @@ spec: description: 0.0.1:8500". type: string backend: - description: unique name of the vault Upbound official provider - cloud mount to configure + description: The unique location this backend should be mounted + at. Must not begin or end with a / type: string basePath: type: string defaultLeaseTtlSeconds: - description: Default lease duration for secrets in seconds + description: The default TTL for credentials issued by this backend. + Default lease duration for secrets in seconds type: number description: - description: Human-friendly description of the mount for the backend. + description: A human-friendly description for this backend. Human-friendly + description of the mount for the backend. type: string disableRemount: description: If set, opts out of mount migration on path updates. + See here for more info on Mount Migration If set, opts out of + mount migration on path updates. type: boolean id: type: string maxLeaseTtlSeconds: - description: Maximum possible lease duration for secrets in seconds + description: The maximum TTL that can be requested for credentials + issued by this backend. Maximum possible lease duration for + secrets in seconds type: number namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string type: object conditions: diff --git a/package/crds/terraform.vault.upbound.io_cloudsecretcreds.yaml b/package/crds/terraform.vault.upbound.io_cloudsecretcreds.yaml index a6e6ce46..e9cf486f 100644 --- a/package/crds/terraform.vault.upbound.io_cloudsecretcreds.yaml +++ b/package/crds/terraform.vault.upbound.io_cloudsecretcreds.yaml 
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: cloudsecretcreds.terraform.vault.upbound.io spec: group: terraform.vault.upbound.io @@ -36,7 +35,6 @@ spec: schema: openAPIV3Schema: description: CloudSecretCreds is the Schema for the CloudSecretCredss API. - properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -58,7 +56,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,31 +67,78 @@ spec: forProvider: properties: backend: - description: Upbound official provider cloud secret backend to - generate tokens from + description: the path to the Upbound official provider cloud secret + backend to read credentials from, with no leading or trailing + /s. Upbound official provider cloud secret backend to generate + tokens from type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string role: description: Name of the role. type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + backend: + description: the path to the Upbound official provider cloud secret + backend to read credentials from, with no leading or trailing + /s. Upbound official provider cloud secret backend to generate + tokens from + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. 
The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + role: + description: Name of the role. + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. 
+ enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -267,35 +312,47 @@ spec: type: object x-kubernetes-validations: - message: backend is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) + || has(self.initProvider.backend)' - message: role is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.role) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.role) + || has(self.initProvider.role)' status: description: CloudSecretCredsStatus defines the observed state of CloudSecretCreds. properties: atProvider: properties: backend: - description: Upbound official provider cloud secret backend to - generate tokens from + description: the path to the Upbound official provider cloud secret + backend to read credentials from, with no leading or trailing + /s. Upbound official provider cloud secret backend to generate + tokens from type: string id: type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string organization: - description: name of the Upbound official provider cloud or enterprise - organization + description: The organization associated with the token provided type: string role: description: Name of the role. 
type: string teamId: - description: g., settings/teams/team-xxxxxxxxxxxxx) + description: The team id associated with the token provided.g., + settings/teams/team-xxxxxxxxxxxxx) type: string tokenId: - description: id of the Upbound official provider token provided + description: The public identifier for a specific token. It can + be used to look up information about a token or to revoke a + token type: string type: object conditions: diff --git a/package/crds/terraform.vault.upbound.io_cloudsecretroles.yaml b/package/crds/terraform.vault.upbound.io_cloudsecretroles.yaml index 50e2d608..f7656795 100644 --- a/package/crds/terraform.vault.upbound.io_cloudsecretroles.yaml +++ b/package/crds/terraform.vault.upbound.io_cloudsecretroles.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: cloudsecretroles.terraform.vault.upbound.io spec: group: terraform.vault.upbound.io @@ -35,8 +34,7 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: CloudSecretRole is the Schema for the CloudSecretRoles API. + description: CloudSecretRole is the Schema for the CloudSecretRoles API. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
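Review bot: The rewritten CEL rules for `backend` and `role` end with `has(self.initProvider.backend)` / `has(self.initProvider.role)`, but `initProvider` is itself optional with no default, and as far as I recall Kubernetes CEL raises a "no such key" error when `self.initProvider` is evaluated on an object that omits it rather than treating it as false. That path is reached exactly in the case the rule exists for (a `Create`/`Update`/`*` policy with no `forProvider.backend`), so the object is still rejected, but with an evaluation error instead of the intended `backend is a required parameter` message. Guarding the access, `|| (has(self.initProvider) && has(self.initProvider.backend))`, keeps the friendly message; the `name` rule in the `@@ -284,37 +352,48 @@` hunk and the `roleName` rule in the `@@ -336,81 +505,108 @@` hunk share the pattern. Because these files are controller-gen output, the change belongs in the generator's rule template and a regeneration, not in this YAML directly.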
@@ -58,7 +56,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,48 +67,118 @@ spec: forProvider: properties: backend: + description: Must not begin or end with a /. type: string maxTtl: - description: Maximum allowed lease for generated credentials. + description: Maximum TTL for leases associated with this role, + in seconds. Maximum allowed lease for generated credentials. If not set or set to 0, will use system default. type: number name: - description: the name of an existing role against which to create - this Upbound official provider cloud credential + description: the name of the Upbound official provider cloud secrets + engine role to create. the name of an existing role against + which to create this Upbound official provider cloud credential type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string organization: - description: name of the Upbound official provider cloud or enterprise - organization + description: the organization name managing your Upbound official + provider cloud instance. name of the Upbound official provider + cloud or enterprise organization type: string teamId: description: g., settings/teams/team-xxxxxxxxxxxxx) type: string ttl: - description: Default lease for generated credentials. If not set - or set to 0, will use system default. + description: Specifies the TTL for this role. Default lease for + generated credentials. If not set or set to 0, will use system + default. type: number userId: description: g., user-xxxxxxxxxxxxxxxx) type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. 
+ It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + backend: + description: Must not begin or end with a /. + type: string + maxTtl: + description: Maximum TTL for leases associated with this role, + in seconds. Maximum allowed lease for generated credentials. + If not set or set to 0, will use system default. + type: number + name: + description: the name of the Upbound official provider cloud secrets + engine role to create. the name of an existing role against + which to create this Upbound official provider cloud credential + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + organization: + description: the organization name managing your Upbound official + provider cloud instance. name of the Upbound official provider + cloud or enterprise organization + type: string + teamId: + description: g., settings/teams/team-xxxxxxxxxxxxx) + type: string + ttl: + description: Specifies the TTL for this role. Default lease for + generated credentials. If not set or set to 0, will use system + default. 
+ type: number + userId: + description: g., user-xxxxxxxxxxxxxxxx) + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -284,37 +352,48 @@ spec: type: object x-kubernetes-validations: - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' status: description: CloudSecretRoleStatus defines the observed state of CloudSecretRole. properties: atProvider: properties: backend: + description: Must not begin or end with a /. type: string id: type: string maxTtl: - description: Maximum allowed lease for generated credentials. + description: Maximum TTL for leases associated with this role, + in seconds. Maximum allowed lease for generated credentials. If not set or set to 0, will use system default. type: number name: - description: the name of an existing role against which to create - this Upbound official provider cloud credential + description: the name of the Upbound official provider cloud secrets + engine role to create. the name of an existing role against + which to create this Upbound official provider cloud credential type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string organization: - description: name of the Upbound official provider cloud or enterprise - organization + description: the organization name managing your Upbound official + provider cloud instance. name of the Upbound official provider + cloud or enterprise organization type: string teamId: description: g., settings/teams/team-xxxxxxxxxxxxx) type: string ttl: - description: Default lease for generated credentials. 
If not set - or set to 0, will use system default. + description: Specifies the TTL for this role. Default lease for + generated credentials. If not set or set to 0, will use system + default. type: number userId: description: g., user-xxxxxxxxxxxxxxxx) diff --git a/package/crds/token.vault.upbound.io_authbackendroles.yaml b/package/crds/token.vault.upbound.io_authbackendroles.yaml index 78ce95bf..cdb25e77 100644 --- a/package/crds/token.vault.upbound.io_authbackendroles.yaml +++ b/package/crds/token.vault.upbound.io_authbackendroles.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: authbackendroles.token.vault.upbound.io spec: group: token.vault.upbound.io @@ -35,8 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: AuthBackendRole is the Schema for the AuthBackendRoles API. + description: AuthBackendRole is the Schema for the AuthBackendRoles API. Manages + Token auth backend roles in Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,72 +68,97 @@ spec: forProvider: properties: allowedEntityAliases: - description: Set of allowed entity aliases for this role. + description: List of allowed entity aliases. Set of allowed entity + aliases for this role. items: type: string type: array allowedPolicies: - description: List of allowed policies for given role. + description: List of allowed policies for given role. List of + allowed policies for given role. items: type: string type: array allowedPoliciesGlob: description: Set of allowed policies with glob match for given - role. + role. Set of allowed policies with glob match for given role. items: type: string type: array disallowedPolicies: - description: List of disallowed policies for given role. + description: List of disallowed policies for given role. List + of disallowed policies for given role. items: type: string type: array disallowedPoliciesGlob: description: Set of disallowed policies with glob match for given - role. + role. Set of disallowed policies with glob match for given role. items: type: string type: array namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string orphan: description: If true, tokens created against this policy will - be orphan tokens. + be orphan tokens. If true, tokens created against this policy + will be orphan tokens. type: boolean pathSuffix: description: Tokens created against this role will have the given - suffix as part of their path in addition to the role name. + suffix as part of their path in addition to the role name. Tokens + created against this role will have the given suffix as part + of their path in addition to the role name. 
type: string renewable: description: Whether to disable the ability of the token to be - renewed past its initial TTL. + renewed past its initial TTL. Whether to disable the ability + of the token to be renewed past its initial TTL. type: boolean roleName: - description: Name of the role. + description: The name of the role. Name of the role. type: string tokenBoundCidrs: - description: Specifies the blocks of IP addresses which are allowed - to use the generated token + description: List of CIDR blocks; if set, specifies blocks of + IP addresses which can authenticate successfully, and ties the + resulting token to these blocks as well. Specifies the blocks + of IP addresses which are allowed to use the generated token items: type: string type: array tokenExplicitMaxTtl: - description: Generated Token's Explicit Maximum TTL in seconds + description: If set, will encode an explicit max TTL onto the + token in number of seconds. This is a hard cap even if token_ttl + and token_max_ttl would otherwise allow a renewal. Generated + Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime of the generated token + description: The maximum lifetime for generated tokens in number + of seconds. Its current value will be referenced at renewal + time. The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If true, the 'default' policy will not automatically - be added to generated tokens + description: If set, the default policy will not be set on generated + tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added + to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a token may be used, - a value of zero means unlimited + description: The maximum number of times a generated token may + be used (within its lifetime); 0 means unlimited. 
The maximum + number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: Generated Token's Period + description: If set, indicates that the token generated using + this role should never expire. The token should be renewed within + the duration specified by this value. At each renewal, the token's + TTL will be set to the value of this field. Specified in seconds. + Generated Token's Period type: number tokenPolicies: description: Generated Token's Policies 
@@ -142,27 +166,172 @@ spec: type: string type: array tokenTtl: - description: The initial ttl of the token to generate in seconds + description: The incremental lifetime for generated tokens in + number of seconds. Its current value will be referenced at renewal + time. The initial ttl of the token to generate in seconds type: number tokenType: - description: The type of token to generate, service or batch + description: 'The type of token that should be generated. Can + be service, batch, or default to use the mount''s tuned default + (which unless changed will be service tokens). For token store + roles, there are two additional possibilities: default-service + and default-batch which specify the type to return unless the + client requests a different type at generation time. The type + of token to generate, service or batch' type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + allowedEntityAliases: + description: List of allowed entity aliases. Set of allowed entity + aliases for this role. + items: + type: string + type: array + allowedPolicies: + description: List of allowed policies for given role. List of + allowed policies for given role. 
+ items: + type: string + type: array + allowedPoliciesGlob: + description: Set of allowed policies with glob match for given + role. Set of allowed policies with glob match for given role. + items: + type: string + type: array + disallowedPolicies: + description: List of disallowed policies for given role. List + of disallowed policies for given role. + items: + type: string + type: array + disallowedPoliciesGlob: + description: Set of disallowed policies with glob match for given + role. Set of disallowed policies with glob match for given role. + items: + type: string + type: array + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + orphan: + description: If true, tokens created against this policy will + be orphan tokens. If true, tokens created against this policy + will be orphan tokens. + type: boolean + pathSuffix: + description: Tokens created against this role will have the given + suffix as part of their path in addition to the role name. Tokens + created against this role will have the given suffix as part + of their path in addition to the role name. + type: string + renewable: + description: Whether to disable the ability of the token to be + renewed past its initial TTL. Whether to disable the ability + of the token to be renewed past its initial TTL. + type: boolean + roleName: + description: The name of the role. Name of the role. + type: string + tokenBoundCidrs: + description: List of CIDR blocks; if set, specifies blocks of + IP addresses which can authenticate successfully, and ties the + resulting token to these blocks as well. 
Specifies the blocks + of IP addresses which are allowed to use the generated token + items: + type: string + type: array + tokenExplicitMaxTtl: + description: If set, will encode an explicit max TTL onto the + token in number of seconds. This is a hard cap even if token_ttl + and token_max_ttl would otherwise allow a renewal. Generated + Token's Explicit Maximum TTL in seconds + type: number + tokenMaxTtl: + description: The maximum lifetime for generated tokens in number + of seconds. Its current value will be referenced at renewal + time. The maximum lifetime of the generated token + type: number + tokenNoDefaultPolicy: + description: If set, the default policy will not be set on generated + tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added + to generated tokens + type: boolean + tokenNumUses: + description: The maximum number of times a generated token may + be used (within its lifetime); 0 means unlimited. The maximum + number of times a token may be used, a value of zero means unlimited + type: number + tokenPeriod: + description: If set, indicates that the token generated using + this role should never expire. The token should be renewed within + the duration specified by this value. At each renewal, the token's + TTL will be set to the value of this field. Specified in seconds. + Generated Token's Period + type: number + tokenPolicies: + description: Generated Token's Policies + items: + type: string + type: array + tokenTtl: + description: The incremental lifetime for generated tokens in + number of seconds. Its current value will be referenced at renewal + time. The initial ttl of the token to generate in seconds + type: number + tokenType: + description: 'The type of token that should be generated. Can + be service, batch, or default to use the mount''s tuned default + (which unless changed will be service tokens). 
For token store + roles, there are two additional possibilities: default-service + and default-batch which specify the type to return unless the + client requests a different type at generation time. The type + of token to generate, service or batch' + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. 
+ enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -336,81 +505,108 @@ spec: type: object x-kubernetes-validations: - message: roleName is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.roleName) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.roleName) + || has(self.initProvider.roleName)' status: description: AuthBackendRoleStatus defines the observed state of AuthBackendRole. properties: atProvider: properties: allowedEntityAliases: - description: Set of allowed entity aliases for this role. + description: List of allowed entity aliases. Set of allowed entity + aliases for this role. items: type: string type: array allowedPolicies: - description: List of allowed policies for given role. + description: List of allowed policies for given role. List of + allowed policies for given role. items: type: string type: array allowedPoliciesGlob: description: Set of allowed policies with glob match for given - role. + role. Set of allowed policies with glob match for given role. items: type: string type: array disallowedPolicies: - description: List of disallowed policies for given role. + description: List of disallowed policies for given role. List + of disallowed policies for given role. items: type: string type: array disallowedPoliciesGlob: description: Set of disallowed policies with glob match for given - role. + role. Set of disallowed policies with glob match for given role. items: type: string type: array id: type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. 
(requires + Enterprise) type: string orphan: description: If true, tokens created against this policy will - be orphan tokens. + be orphan tokens. If true, tokens created against this policy + will be orphan tokens. type: boolean pathSuffix: description: Tokens created against this role will have the given - suffix as part of their path in addition to the role name. + suffix as part of their path in addition to the role name. Tokens + created against this role will have the given suffix as part + of their path in addition to the role name. type: string renewable: description: Whether to disable the ability of the token to be - renewed past its initial TTL. + renewed past its initial TTL. Whether to disable the ability + of the token to be renewed past its initial TTL. type: boolean roleName: - description: Name of the role. + description: The name of the role. Name of the role. type: string tokenBoundCidrs: - description: Specifies the blocks of IP addresses which are allowed - to use the generated token + description: List of CIDR blocks; if set, specifies blocks of + IP addresses which can authenticate successfully, and ties the + resulting token to these blocks as well. Specifies the blocks + of IP addresses which are allowed to use the generated token items: type: string type: array tokenExplicitMaxTtl: - description: Generated Token's Explicit Maximum TTL in seconds + description: If set, will encode an explicit max TTL onto the + token in number of seconds. This is a hard cap even if token_ttl + and token_max_ttl would otherwise allow a renewal. Generated + Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime of the generated token + description: The maximum lifetime for generated tokens in number + of seconds. Its current value will be referenced at renewal + time. 
The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If true, the 'default' policy will not automatically - be added to generated tokens + description: If set, the default policy will not be set on generated + tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added + to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a token may be used, - a value of zero means unlimited + description: The maximum number of times a generated token may + be used (within its lifetime); 0 means unlimited. The maximum + number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: Generated Token's Period + description: If set, indicates that the token generated using + this role should never expire. The token should be renewed within + the duration specified by this value. At each renewal, the token's + TTL will be set to the value of this field. Specified in seconds. + Generated Token's Period type: number tokenPolicies: description: Generated Token's Policies 
@@ -418,10 +614,18 @@ spec: type: string type: array tokenTtl: - description: The initial ttl of the token to generate in seconds + description: The incremental lifetime for generated tokens in + number of seconds. Its current value will be referenced at renewal + time. The initial ttl of the token to generate in seconds type: number tokenType: - description: The type of token to generate, service or batch + description: 'The type of token that should be generated. Can + be service, batch, or default to use the mount''s tuned default + (which unless changed will be service tokens). For token store + roles, there are two additional possibilities: default-service + and default-batch which specify the type to return unless the + client requests a different type at generation time. The type + of token to generate, service or batch' type: string type: object conditions: diff --git a/package/crds/transform.vault.upbound.io_alphabets.yaml b/package/crds/transform.vault.upbound.io_alphabets.yaml index c4d5ec71..45b3a206 100644 --- a/package/crds/transform.vault.upbound.io_alphabets.yaml +++ b/package/crds/transform.vault.upbound.io_alphabets.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: alphabets.transform.vault.upbound.io spec: group: transform.vault.upbound.io @@ -35,7 +34,7 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: Alphabet is the Schema for the Alphabets API. + description: Alphabet is the Schema for the Alphabets API. "/transform/alphabet/{name}" properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -57,7 +56,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,34 +68,83 @@ spec: properties: alphabet: description: A string of characters that contains the alphabet - set. + set. A string of characters that contains the alphabet set. type: string name: - description: The name of the alphabet. + description: The name of the alphabet. The name of the alphabet. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: - description: The mount path for a back-end, for example, the path - given in "$ vault auth enable -path=my-aws aws". + description: Path to where the back-end is mounted within Vault. + The mount path for a back-end, for example, the path given in + "$ vault auth enable -path=my-aws aws". type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + alphabet: + description: A string of characters that contains the alphabet + set. A string of characters that contains the alphabet set. 
+ type: string + name: + description: The name of the alphabet. The name of the alphabet. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + path: + description: Path to where the back-end is mounted within Vault. + The mount path for a back-end, for example, the path given in + "$ vault auth enable -path=my-aws aws". + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. 
See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -270,9 +318,13 @@ spec: type: object x-kubernetes-validations: - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' - message: path is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.path) + || has(self.initProvider.path)' status: description: AlphabetStatus defines the observed state of Alphabet. properties: 
@@ -280,19 +332,24 @@ spec: properties: alphabet: description: A string of characters that contains the alphabet - set. + set. A string of characters that contains the alphabet set. type: string id: type: string name: - description: The name of the alphabet. + description: The name of the alphabet. The name of the alphabet. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: - description: The mount path for a back-end, for example, the path - given in "$ vault auth enable -path=my-aws aws". + description: Path to where the back-end is mounted within Vault. + The mount path for a back-end, for example, the path given in + "$ vault auth enable -path=my-aws aws". type: string type: object conditions: diff --git a/package/crds/transform.vault.upbound.io_roles.yaml b/package/crds/transform.vault.upbound.io_roles.yaml index 6bc06b77..1b663c70 100644 --- a/package/crds/transform.vault.upbound.io_roles.yaml +++ b/package/crds/transform.vault.upbound.io_roles.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: roles.transform.vault.upbound.io spec: group: transform.vault.upbound.io @@ -35,7 +34,7 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: Role is the Schema for the Roles API. + description: Role is the Schema for the Roles API. "/transform/role/{name}" properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -57,7 +56,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -68,37 +67,90 @@ spec: forProvider: properties: name: - description: The name of the role. + description: The name of the role. The name of the role. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: - description: The mount path for a back-end, for example, the path - given in "$ vault auth enable -path=my-aws aws". + description: Path to where the back-end is mounted within Vault. + The mount path for a back-end, for example, the path given in + "$ vault auth enable -path=my-aws aws". type: string transformations: description: A comma separated string or slice of transformations + to use. A comma separated string or slice of transformations to use. items: type: string type: array type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + name: + description: The name of the role. The name of the role. + type: string + namespace: + description: The namespace to provision the resource in. 
The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + path: + description: Path to where the back-end is mounted within Vault. + The mount path for a back-end, for example, the path given in + "$ vault auth enable -path=my-aws aws". + type: string + transformations: + description: A comma separated string or slice of transformations + to use. A comma separated string or slice of transformations + to use. + items: + type: string + type: array + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. 
See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -272,9 +324,13 @@ spec: type: object x-kubernetes-validations: - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' - message: path is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.path) + || has(self.initProvider.path)' status: description: RoleStatus defines the observed state of Role. properties: 
@@ -283,17 +339,23 @@ spec: id: type: string name: - description: The name of the role. + description: The name of the role. The name of the role. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: - description: The mount path for a back-end, for example, the path - given in "$ vault auth enable -path=my-aws aws". + description: Path to where the back-end is mounted within Vault. + The mount path for a back-end, for example, the path given in + "$ vault auth enable -path=my-aws aws". type: string transformations: description: A comma separated string or slice of transformations + to use. A comma separated string or slice of transformations to use. items: type: string diff --git a/package/crds/transform.vault.upbound.io_templates.yaml b/package/crds/transform.vault.upbound.io_templates.yaml index 99f3879b..978c60ac 100644 --- a/package/crds/transform.vault.upbound.io_templates.yaml +++ b/package/crds/transform.vault.upbound.io_templates.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: templates.transform.vault.upbound.io spec: group: transform.vault.upbound.io @@ -35,7 +34,7 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: Template is the Schema for the Templates API. + description: Template is the Schema for the Templates API. "/transform/template/{name}" properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -57,7 +56,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,52 +68,133 @@ spec: properties: alphabet: description: The alphabet to use for this template. This is only - used during FPE transformations. + used during FPE transformations. The alphabet to use for this + template. This is only used during FPE transformations. type: string decodeFormats: additionalProperties: type: string - description: The map of regular expression templates used to customize - decoded outputs. Only applicable to FPE transformations. + description: '- Optional mapping of name to regular expression + template, used to customize the decoded output. (requires Vault + Enterprise 1.9+) The map of regular expression templates used + to customize decoded outputs. Only applicable to FPE transformations.' type: object encodeFormat: - description: The regular expression template used for encoding - values. Only applicable to FPE transformations. + description: '- The regular expression template used to format + encoded values. (requires Vault Enterprise 1.9+) The regular + expression template used for encoding values. Only applicable + to FPE transformations.' type: string name: - description: The name of the template. + description: The name of the template. The name of the template. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: - description: The mount path for a back-end, for example, the path - given in "$ vault auth enable -path=my-aws aws". + description: Path to where the back-end is mounted within Vault. + The mount path for a back-end, for example, the path given in + "$ vault auth enable -path=my-aws aws". type: string pattern: description: The pattern used for matching. 
Currently, only regular - expression pattern is supported. + expression pattern is supported. The pattern used for matching. + Currently, only regular expression pattern is supported. type: string type: description: The pattern type to use for match detection. Currently, - only regex is supported. + only regex is supported. The pattern type to use for match detection. + Currently, only regex is supported. type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + alphabet: + description: The alphabet to use for this template. This is only + used during FPE transformations. The alphabet to use for this + template. This is only used during FPE transformations. + type: string + decodeFormats: + additionalProperties: + type: string + description: '- Optional mapping of name to regular expression + template, used to customize the decoded output. (requires Vault + Enterprise 1.9+) The map of regular expression templates used + to customize decoded outputs. Only applicable to FPE transformations.' + type: object + encodeFormat: + description: '- The regular expression template used to format + encoded values. (requires Vault Enterprise 1.9+) The regular + expression template used for encoding values. 
Only applicable + to FPE transformations.' + type: string + name: + description: The name of the template. The name of the template. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + path: + description: Path to where the back-end is mounted within Vault. + The mount path for a back-end, for example, the path given in + "$ vault auth enable -path=my-aws aws". + type: string + pattern: + description: The pattern used for matching. Currently, only regular + expression pattern is supported. The pattern used for matching. + Currently, only regular expression pattern is supported. + type: string + type: + description: The pattern type to use for match detection. Currently, + only regex is supported. The pattern type to use for match detection. + Currently, only regex is supported. + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. 
ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -288,9 +368,13 @@ spec: type: object x-kubernetes-validations: - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' - message: path is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.path) + || has(self.initProvider.path)' status: description: TemplateStatus defines the observed state of Template. properties: 
@@ -298,37 +382,49 @@ spec: properties: alphabet: description: The alphabet to use for this template. This is only - used during FPE transformations. + used during FPE transformations. The alphabet to use for this + template. This is only used during FPE transformations. type: string decodeFormats: additionalProperties: type: string - description: The map of regular expression templates used to customize - decoded outputs. Only applicable to FPE transformations. + description: '- Optional mapping of name to regular expression + template, used to customize the decoded output. (requires Vault + Enterprise 1.9+) The map of regular expression templates used + to customize decoded outputs. Only applicable to FPE transformations.' type: object encodeFormat: - description: The regular expression template used for encoding - values. Only applicable to FPE transformations. + description: '- The regular expression template used to format + encoded values. (requires Vault Enterprise 1.9+) The regular + expression template used for encoding values. Only applicable + to FPE transformations.' type: string id: type: string name: - description: The name of the template. + description: The name of the template. The name of the template. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: - description: The mount path for a back-end, for example, the path - given in "$ vault auth enable -path=my-aws aws". + description: Path to where the back-end is mounted within Vault. + The mount path for a back-end, for example, the path given in + "$ vault auth enable -path=my-aws aws". type: string pattern: description: The pattern used for matching. 
Currently, only regular - expression pattern is supported. + expression pattern is supported. The pattern used for matching. + Currently, only regular expression pattern is supported. type: string type: description: The pattern type to use for match detection. Currently, - only regex is supported. + only regex is supported. The pattern type to use for match detection. + Currently, only regex is supported. type: string type: object conditions: diff --git a/package/crds/transform.vault.upbound.io_transformations.yaml b/package/crds/transform.vault.upbound.io_transformations.yaml index 8e023529..9c4fdec7 100644 --- a/package/crds/transform.vault.upbound.io_transformations.yaml +++ b/package/crds/transform.vault.upbound.io_transformations.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: transformations.transform.vault.upbound.io spec: group: transform.vault.upbound.io @@ -35,8 +34,7 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: Transformation is the Schema for the Transformations API. + description: Transformation is the Schema for the Transformations API. "/transform/transformation/{name}" properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -58,7 +56,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -70,58 +68,147 @@ spec: properties: allowedRoles: description: The set of roles allowed to perform this transformation. + The set of roles allowed to perform this transformation. items: type: string type: array deletionAllowed: - description: If true, this transform can be deleted. Otherwise - deletion is blocked while this value remains false. + description: 'If true, this transform can be deleted. Otherwise, + deletion is blocked while this value remains false. Default: + false Only supported on vault-1.12+ If true, this transform + can be deleted. Otherwise deletion is blocked while this value + remains false.' type: boolean maskingCharacter: description: The character used to replace data when in masking - mode + mode The character used to replace data when in masking mode type: string name: - description: The name of the transformation. + description: The name of the transformation. The name of the transformation. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: - description: The mount path for a back-end, for example, the path - given in "$ vault auth enable -path=my-aws aws". + description: Path to where the back-end is mounted within Vault. + The mount path for a back-end, for example, the path given in + "$ vault auth enable -path=my-aws aws". type: string template: - description: The name of the template to use. + description: The name of the template to use. The name of the + template to use. type: string templates: - description: Templates configured for transformation. + description: Templates configured for transformation. Templates + configured for transformation. 
items: type: string type: array tweakSource: description: The source of where the tweak value comes from. Only - valid when in FPE mode. + valid when in FPE mode. The source of where the tweak value + comes from. Only valid when in FPE mode. type: string type: - description: The type of transformation to perform. + description: The type of transformation to perform. The type of + transformation to perform. type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + allowedRoles: + description: The set of roles allowed to perform this transformation. + The set of roles allowed to perform this transformation. + items: + type: string + type: array + deletionAllowed: + description: 'If true, this transform can be deleted. Otherwise, + deletion is blocked while this value remains false. Default: + false Only supported on vault-1.12+ If true, this transform + can be deleted. Otherwise deletion is blocked while this value + remains false.' + type: boolean + maskingCharacter: + description: The character used to replace data when in masking + mode The character used to replace data when in masking mode + type: string + name: + description: The name of the transformation. The name of the transformation. 
+ type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + path: + description: Path to where the back-end is mounted within Vault. + The mount path for a back-end, for example, the path given in + "$ vault auth enable -path=my-aws aws". + type: string + template: + description: The name of the template to use. The name of the + template to use. + type: string + templates: + description: Templates configured for transformation. Templates + configured for transformation. + items: + type: string + type: array + tweakSource: + description: The source of where the tweak value comes from. Only + valid when in FPE mode. The source of where the tweak value + comes from. Only valid when in FPE mode. + type: string + type: + description: The type of transformation to perform. The type of + transformation to perform. + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. 
ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -295,9 +382,13 @@ spec: type: object x-kubernetes-validations: - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' - message: path is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.path) + || has(self.initProvider.path)' status: description: TransformationStatus defines the observed state of Transformation. properties: 
@@ -305,43 +396,56 @@ spec: properties: allowedRoles: description: The set of roles allowed to perform this transformation. + The set of roles allowed to perform this transformation. items: type: string type: array deletionAllowed: - description: If true, this transform can be deleted. Otherwise - deletion is blocked while this value remains false. + description: 'If true, this transform can be deleted. Otherwise, + deletion is blocked while this value remains false. Default: + false Only supported on vault-1.12+ If true, this transform + can be deleted. Otherwise deletion is blocked while this value + remains false.' type: boolean id: type: string maskingCharacter: description: The character used to replace data when in masking - mode + mode The character used to replace data when in masking mode type: string name: - description: The name of the transformation. + description: The name of the transformation. The name of the transformation. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: - description: The mount path for a back-end, for example, the path - given in "$ vault auth enable -path=my-aws aws". + description: Path to where the back-end is mounted within Vault. + The mount path for a back-end, for example, the path given in + "$ vault auth enable -path=my-aws aws". type: string template: - description: The name of the template to use. + description: The name of the template to use. The name of the + template to use. type: string templates: - description: Templates configured for transformation. + description: Templates configured for transformation. Templates + configured for transformation. 
items: type: string type: array tweakSource: description: The source of where the tweak value comes from. Only - valid when in FPE mode. + valid when in FPE mode. The source of where the tweak value + comes from. Only valid when in FPE mode. type: string type: - description: The type of transformation to perform. + description: The type of transformation to perform. The type of + transformation to perform. type: string type: object conditions: diff --git a/package/crds/transit.vault.upbound.io_secretbackendkeys.yaml b/package/crds/transit.vault.upbound.io_secretbackendkeys.yaml index ac334189..b44ece01 100644 --- a/package/crds/transit.vault.upbound.io_secretbackendkeys.yaml +++ b/package/crds/transit.vault.upbound.io_secretbackendkeys.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: secretbackendkeys.transit.vault.upbound.io spec: group: transit.vault.upbound.io @@ -36,7 +35,7 @@ spec: schema: openAPIV3Schema: description: SecretBackendKey is the Schema for the SecretBackendKeys API. - + Create an Encryption Keyring on a Transit Secret Backend for Vault. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -58,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -69,71 +68,196 @@ spec: forProvider: properties: allowPlaintextBackup: - description: If set, enables taking backup of named key in the - plaintext format. Once set, this cannot be disabled. + description: Enables taking backup of entire keyring in the plaintext + format. Once set, this cannot be disabled. If set, enables taking + backup of named key in the plaintext format. Once set, this + cannot be disabled. type: boolean autoRotateInterval: + description: Replaced by auto_rotate_period. Amount of time the + key should live before being automatically rotated. A value + of 0 disables automatic rotation for the key. + type: number + autoRotatePeriod: description: Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. + Amount of time the key should live before being automatically + rotated. A value of 0 disables automatic rotation for the key. + type: number + backend: + description: The path the transit secret backend is mounted at, + with no leading or trailing /s. The Transit secret backend the + resource belongs to. + type: string + convergentEncryption: + description: Whether or not to support convergent encryption, + where the same plaintext creates the same ciphertext. This requires + derived to be set to true. Whether or not to support convergent + encryption, where the same plaintext creates the same ciphertext. + This requires derived to be set to true. + type: boolean + deletionAllowed: + description: Specifies if the keyring is allowed to be deleted. + Specifies if the key is allowed to be deleted. + type: boolean + derived: + description: Specifies if key derivation is to be used. If enabled, + all encrypt/decrypt requests to this key must provide a context + which is used for key derivation. Specifies if key derivation + is to be used. If enabled, all encrypt/decrypt requests to this + key must provide a context which is used for key derivation. 
+ type: boolean + exportable: + description: Enables keys to be exportable. This allows for all + valid private keys in the keyring to be exported. Once set, + this cannot be disabled. Enables keys to be exportable. This + allows for all the valid keys in the key ring to be exported. + Once set, this cannot be disabled. + type: boolean + minDecryptionVersion: + description: Minimum key version to use for decryption. Minimum + key version to use for decryption. + type: number + minEncryptionVersion: + description: Minimum key version to use for encryption Minimum + key version to use for encryption + type: number + name: + description: The name to identify this key within the backend. + Must be unique within the backend. Name of the encryption key + to create. + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + type: + description: 'Specifies the type of key to create. The currently-supported + types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, + ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 + and rsa-4096. Specifies the type of key to create. The currently-supported + types are: aes128-gcm96, aes256-gcm96, chacha20-poly1305, ed25519, + ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072, rsa-4096' + type: string + type: object + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. 
The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + allowPlaintextBackup: + description: Enables taking backup of entire keyring in the plaintext + format. Once set, this cannot be disabled. If set, enables taking + backup of named key in the plaintext format. Once set, this + cannot be disabled. + type: boolean + autoRotateInterval: + description: Replaced by auto_rotate_period. Amount of time the + key should live before being automatically rotated. A value + of 0 disables automatic rotation for the key. type: number autoRotatePeriod: description: Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. + Amount of time the key should live before being automatically + rotated. A value of 0 disables automatic rotation for the key. type: number backend: - description: The Transit secret backend the resource belongs to. + description: The path the transit secret backend is mounted at, + with no leading or trailing /s. The Transit secret backend the + resource belongs to. type: string convergentEncryption: description: Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires - derived to be set to true. + derived to be set to true. Whether or not to support convergent + encryption, where the same plaintext creates the same ciphertext. + This requires derived to be set to true. type: boolean deletionAllowed: - description: Specifies if the key is allowed to be deleted. + description: Specifies if the keyring is allowed to be deleted. + Specifies if the key is allowed to be deleted. type: boolean derived: description: Specifies if key derivation is to be used. 
If enabled, all encrypt/decrypt requests to this key must provide a context - which is used for key derivation. + which is used for key derivation. Specifies if key derivation + is to be used. If enabled, all encrypt/decrypt requests to this + key must provide a context which is used for key derivation. type: boolean exportable: description: Enables keys to be exportable. This allows for all - the valid keys in the key ring to be exported. Once set, this - cannot be disabled. + valid private keys in the keyring to be exported. Once set, + this cannot be disabled. Enables keys to be exportable. This + allows for all the valid keys in the key ring to be exported. + Once set, this cannot be disabled. type: boolean minDecryptionVersion: - description: Minimum key version to use for decryption. + description: Minimum key version to use for decryption. Minimum + key version to use for decryption. type: number minEncryptionVersion: - description: Minimum key version to use for encryption + description: Minimum key version to use for encryption Minimum + key version to use for encryption type: number name: - description: Name of the encryption key to create. + description: The name to identify this key within the backend. + Must be unique within the backend. Name of the encryption key + to create. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string type: description: 'Specifies the type of key to create. The currently-supported + types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, + ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 + and rsa-4096. Specifies the type of key to create. 
The currently-supported types are: aes128-gcm96, aes256-gcm96, chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072, rsa-4096' type: string type: object - managementPolicy: - default: FullControl + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. 
+ enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -307,92 +431,134 @@ spec: type: object x-kubernetes-validations: - message: backend is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backend) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) + || has(self.initProvider.backend)' - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' status: description: SecretBackendKeyStatus defines the observed state of SecretBackendKey. properties: atProvider: properties: allowPlaintextBackup: - description: If set, enables taking backup of named key in the - plaintext format. Once set, this cannot be disabled. + description: Enables taking backup of entire keyring in the plaintext + format. Once set, this cannot be disabled. If set, enables taking + backup of named key in the plaintext format. Once set, this + cannot be disabled. type: boolean autoRotateInterval: - description: Amount of time the key should live before being automatically - rotated. A value of 0 disables automatic rotation for the key. + description: Replaced by auto_rotate_period. Amount of time the + key should live before being automatically rotated. A value + of 0 disables automatic rotation for the key. type: number autoRotatePeriod: description: Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. + Amount of time the key should live before being automatically + rotated. A value of 0 disables automatic rotation for the key. type: number backend: - description: The Transit secret backend the resource belongs to. 
+ description: The path the transit secret backend is mounted at, + with no leading or trailing /s. The Transit secret backend the + resource belongs to. type: string convergentEncryption: description: Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires - derived to be set to true. + derived to be set to true. Whether or not to support convergent + encryption, where the same plaintext creates the same ciphertext. + This requires derived to be set to true. type: boolean deletionAllowed: - description: Specifies if the key is allowed to be deleted. + description: Specifies if the keyring is allowed to be deleted. + Specifies if the key is allowed to be deleted. type: boolean derived: description: Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context - which is used for key derivation. + which is used for key derivation. Specifies if key derivation + is to be used. If enabled, all encrypt/decrypt requests to this + key must provide a context which is used for key derivation. type: boolean exportable: description: Enables keys to be exportable. This allows for all - the valid keys in the key ring to be exported. Once set, this - cannot be disabled. + valid private keys in the keyring to be exported. Once set, + this cannot be disabled. Enables keys to be exportable. This + allows for all the valid keys in the key ring to be exported. + Once set, this cannot be disabled. type: boolean id: type: string keys: - description: List of key versions in the keyring. + description: List of key versions in the keyring. This attribute + is zero-indexed and will contain a map of values depending on + the type of the encryption key. List of key versions in the + keyring. items: additionalProperties: type: string type: object type: array latestVersion: - description: Latest key version in use in the keyring + description: Latest key version available. 
This value is 1-indexed, + so if latest_version is 1, then the key's information can be + referenced from keys by selecting element 0 Latest key version + in use in the keyring type: number minAvailableVersion: - description: Minimum key version available for use. + description: Minimum key version available for use. If keys have + been archived by increasing min_decryption_version, this attribute + will reflect that change. Minimum key version available for + use. type: number minDecryptionVersion: - description: Minimum key version to use for decryption. + description: Minimum key version to use for decryption. Minimum + key version to use for decryption. type: number minEncryptionVersion: - description: Minimum key version to use for encryption + description: Minimum key version to use for encryption Minimum + key version to use for encryption type: number name: - description: Name of the encryption key to create. + description: The name to identify this key within the backend. + Must be unique within the backend. Name of the encryption key + to create. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string supportsDecryption: description: Whether or not the key supports decryption, based + on key type. Whether or not the key supports decryption, based on key type. type: boolean supportsDerivation: description: Whether or not the key supports derivation, based + on key type. Whether or not the key supports derivation, based on key type. type: boolean supportsEncryption: description: Whether or not the key supports encryption, based + on key type. Whether or not the key supports encryption, based on key type. 
type: boolean supportsSigning: description: Whether or not the key supports signing, based on + key type. Whether or not the key supports signing, based on key type. type: boolean type: description: 'Specifies the type of key to create. The currently-supported + types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, + ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 + and rsa-4096. Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96, chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072, rsa-4096' type: string diff --git a/package/crds/vault.upbound.io_providerconfigs.yaml b/package/crds/vault.upbound.io_providerconfigs.yaml index 2d712f35..8f08b063 100644 --- a/package/crds/vault.upbound.io_providerconfigs.yaml +++ b/package/crds/vault.upbound.io_providerconfigs.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: providerconfigs.vault.upbound.io spec: group: vault.upbound.io diff --git a/package/crds/vault.upbound.io_providerconfigusages.yaml b/package/crds/vault.upbound.io_providerconfigusages.yaml index d5a473bf..dd8d70e3 100644 --- a/package/crds/vault.upbound.io_providerconfigusages.yaml +++ b/package/crds/vault.upbound.io_providerconfigusages.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: providerconfigusages.vault.upbound.io spec: group: vault.upbound.io diff --git a/package/crds/vault.upbound.io_storeconfigs.yaml b/package/crds/vault.upbound.io_storeconfigs.yaml index b42fd087..f3cf1365 100644 --- a/package/crds/vault.upbound.io_storeconfigs.yaml 
+++ b/package/crds/vault.upbound.io_storeconfigs.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: storeconfigs.vault.upbound.io spec: group: vault.upbound.io diff --git a/package/crds/vault.vault.upbound.io_audits.yaml b/package/crds/vault.vault.upbound.io_audits.yaml index 43d8930d..e42dd6cc 100644 --- a/package/crds/vault.vault.upbound.io_audits.yaml +++ b/package/crds/vault.vault.upbound.io_audits.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: audits.vault.vault.upbound.io spec: group: vault.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: Audit is the Schema for the Audits API. + description: Audit is the Schema for the Audits API. Writes audit backends + for Vault properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -68,44 +68,110 @@ spec: forProvider: properties: description: - description: Human-friendly description of the audit device. + description: Human-friendly description of the audit device. Human-friendly + description of the audit device. type: string local: description: Specifies if the audit device is a local only. Local audit devices are not replicated nor (if a secondary) removed - by replication. + by replication. Specifies if the audit device is a local only. + Local audit devices are not replicated nor (if a secondary) + removed by replication. type: boolean namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string options: additionalProperties: type: string description: Configuration options to pass to the audit device - itself. + itself. Configuration options to pass to the audit device itself. type: object path: - description: Path in which to enable the audit device. + description: The path to mount the audit device. This defaults + to the type. Path in which to enable the audit device. type: string type: - description: Type of the audit device, such as 'file'. + description: Type of the audit device, such as 'file'. Type of + the audit device, such as 'file'. type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. 
The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + description: + description: Human-friendly description of the audit device. Human-friendly + description of the audit device. + type: string + local: + description: Specifies if the audit device is a local only. Local + audit devices are not replicated nor (if a secondary) removed + by replication. Specifies if the audit device is a local only. + Local audit devices are not replicated nor (if a secondary) + removed by replication. + type: boolean + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + options: + additionalProperties: + type: string + description: Configuration options to pass to the audit device + itself. Configuration options to pass to the audit device itself. + type: object + path: + description: The path to mount the audit device. This defaults + to the type. Path in which to enable the audit device. + type: string + type: + description: Type of the audit device, such as 'file'. Type of + the audit device, such as 'file'. + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. 
Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -279,38 +345,51 @@ spec: type: object x-kubernetes-validations: - message: options is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.options) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.options) + || has(self.initProvider.options)' - message: type is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.type) + || has(self.initProvider.type)' status: description: AuditStatus defines the observed state of Audit. properties: atProvider: properties: description: - description: Human-friendly description of the audit device. + description: Human-friendly description of the audit device. Human-friendly + description of the audit device. type: string id: type: string local: description: Specifies if the audit device is a local only. Local audit devices are not replicated nor (if a secondary) removed - by replication. + by replication. Specifies if the audit device is a local only. + Local audit devices are not replicated nor (if a secondary) + removed by replication. type: boolean namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string options: additionalProperties: type: string description: Configuration options to pass to the audit device - itself. + itself. Configuration options to pass to the audit device itself. type: object path: - description: Path in which to enable the audit device. 
+ description: The path to mount the audit device. This defaults + to the type. Path in which to enable the audit device. type: string type: - description: Type of the audit device, such as 'file'. + description: Type of the audit device, such as 'file'. Type of + the audit device, such as 'file'. type: string type: object conditions: diff --git a/package/crds/vault.vault.upbound.io_mounts.yaml b/package/crds/vault.vault.upbound.io_mounts.yaml index 75b88b35..d5b79208 100644 --- a/package/crds/vault.vault.upbound.io_mounts.yaml +++ b/package/crds/vault.vault.upbound.io_mounts.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: mounts.vault.vault.upbound.io spec: group: vault.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: Mount is the Schema for the Mounts API. + description: Mount is the Schema for the Mounts API. Managing the mounting + of secret backends in Vault properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -68,77 +68,198 @@ spec: forProvider: properties: allowedManagedKeys: - description: List of managed key registry entry names that the - mount in question is allowed to access + description: Set of managed key registry entry names that the + mount in question is allowed to access List of managed key registry + entry names that the mount in question is allowed to access items: type: string type: array auditNonHmacRequestKeys: description: Specifies the list of keys that will not be HMAC'd - by audit devices in the request data object. + by audit devices in the request data object. Specifies the list + of keys that will not be HMAC'd by audit devices in the request + data object. items: type: string type: array auditNonHmacResponseKeys: description: Specifies the list of keys that will not be HMAC'd - by audit devices in the response data object. + by audit devices in the response data object. Specifies the + list of keys that will not be HMAC'd by audit devices in the + response data object. 
items: type: string type: array defaultLeaseTtlSeconds: description: Default lease duration for tokens and secrets in - seconds + seconds Default lease duration for tokens and secrets in seconds type: number description: - description: Human-friendly description of the mount + description: Human-friendly description of the mount Human-friendly + description of the mount type: string externalEntropyAccess: - description: Enable the secrets engine to access Vault's external + description: Boolean flag that can be explicitly set to true to + enable the secrets engine to access Vault's external entropy + source Enable the secrets engine to access Vault's external entropy source type: boolean local: - description: Local mount flag that can be explicitly set to true - to enforce local mount in HA environment + description: Boolean flag that can be explicitly set to true to + enforce local mount in HA environment Local mount flag that + can be explicitly set to true to enforce local mount in HA environment type: boolean maxLeaseTtlSeconds: description: Maximum possible lease duration for tokens and secrets + in seconds Maximum possible lease duration for tokens and secrets in seconds type: number namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. 
(requires + Enterprise) type: string options: additionalProperties: type: string description: Specifies mount type specific options that are passed - to the backend + to the backend Specifies mount type specific options that are + passed to the backend type: object path: - description: Where the secret backend will be mounted + description: Where the secret backend will be mounted Where the + secret backend will be mounted type: string sealWrap: - description: Enable seal wrapping for the mount, causing values - stored by the mount to be wrapped by the seal's encryption capability + description: Boolean flag that can be explicitly set to true to + enable seal wrapping for the mount, causing values stored by + the mount to be wrapped by the seal's encryption capability + Enable seal wrapping for the mount, causing values stored by + the mount to be wrapped by the seal's encryption capability type: boolean type: - description: Type of the backend, such as 'aws' + description: Type of the backend, such as "aws" Type of the backend, + such as 'aws' type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. 
+ properties: + allowedManagedKeys: + description: Set of managed key registry entry names that the + mount in question is allowed to access List of managed key registry + entry names that the mount in question is allowed to access + items: + type: string + type: array + auditNonHmacRequestKeys: + description: Specifies the list of keys that will not be HMAC'd + by audit devices in the request data object. Specifies the list + of keys that will not be HMAC'd by audit devices in the request + data object. + items: + type: string + type: array + auditNonHmacResponseKeys: + description: Specifies the list of keys that will not be HMAC'd + by audit devices in the response data object. Specifies the + list of keys that will not be HMAC'd by audit devices in the + response data object. + items: + type: string + type: array + defaultLeaseTtlSeconds: + description: Default lease duration for tokens and secrets in + seconds Default lease duration for tokens and secrets in seconds + type: number + description: + description: Human-friendly description of the mount Human-friendly + description of the mount + type: string + externalEntropyAccess: + description: Boolean flag that can be explicitly set to true to + enable the secrets engine to access Vault's external entropy + source Enable the secrets engine to access Vault's external + entropy source + type: boolean + local: + description: Boolean flag that can be explicitly set to true to + enforce local mount in HA environment Local mount flag that + can be explicitly set to true to enforce local mount in HA environment + type: boolean + maxLeaseTtlSeconds: + description: Maximum possible lease duration for tokens and secrets + in seconds Maximum possible lease duration for tokens and secrets + in seconds + type: number + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. 
The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + options: + additionalProperties: + type: string + description: Specifies mount type specific options that are passed + to the backend Specifies mount type specific options that are + passed to the backend + type: object + path: + description: Where the secret backend will be mounted Where the + secret backend will be mounted + type: string + sealWrap: + description: Boolean flag that can be explicitly set to true to + enable seal wrapping for the mount, causing values stored by + the mount to be wrapped by the seal's encryption capability + Enable seal wrapping for the mount, causing values stored by + the mount to be wrapped by the seal's encryption capability + type: boolean + type: + description: Type of the backend, such as "aws" Type of the backend, + such as 'aws' + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. 
This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -312,74 +433,98 @@ spec: type: object x-kubernetes-validations: - message: path is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.path) + || has(self.initProvider.path)' - message: type is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.type) + || has(self.initProvider.type)' status: description: MountStatus defines the observed state of Mount. properties: atProvider: properties: accessor: - description: Accessor of the mount + description: The accessor for this mount. Accessor of the mount type: string allowedManagedKeys: - description: List of managed key registry entry names that the - mount in question is allowed to access + description: Set of managed key registry entry names that the + mount in question is allowed to access List of managed key registry + entry names that the mount in question is allowed to access items: type: string type: array auditNonHmacRequestKeys: description: Specifies the list of keys that will not be HMAC'd - by audit devices in the request data object. + by audit devices in the request data object. Specifies the list + of keys that will not be HMAC'd by audit devices in the request + data object. items: type: string type: array auditNonHmacResponseKeys: description: Specifies the list of keys that will not be HMAC'd - by audit devices in the response data object. + by audit devices in the response data object. Specifies the + list of keys that will not be HMAC'd by audit devices in the + response data object. 
items: type: string type: array defaultLeaseTtlSeconds: description: Default lease duration for tokens and secrets in - seconds + seconds Default lease duration for tokens and secrets in seconds type: number description: - description: Human-friendly description of the mount + description: Human-friendly description of the mount Human-friendly + description of the mount type: string externalEntropyAccess: - description: Enable the secrets engine to access Vault's external + description: Boolean flag that can be explicitly set to true to + enable the secrets engine to access Vault's external entropy + source Enable the secrets engine to access Vault's external entropy source type: boolean id: type: string local: - description: Local mount flag that can be explicitly set to true - to enforce local mount in HA environment + description: Boolean flag that can be explicitly set to true to + enforce local mount in HA environment Local mount flag that + can be explicitly set to true to enforce local mount in HA environment type: boolean maxLeaseTtlSeconds: description: Maximum possible lease duration for tokens and secrets + in seconds Maximum possible lease duration for tokens and secrets in seconds type: number namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. 
(requires + Enterprise) type: string options: additionalProperties: type: string description: Specifies mount type specific options that are passed - to the backend + to the backend Specifies mount type specific options that are + passed to the backend type: object path: - description: Where the secret backend will be mounted + description: Where the secret backend will be mounted Where the + secret backend will be mounted type: string sealWrap: - description: Enable seal wrapping for the mount, causing values - stored by the mount to be wrapped by the seal's encryption capability + description: Boolean flag that can be explicitly set to true to + enable seal wrapping for the mount, causing values stored by + the mount to be wrapped by the seal's encryption capability + Enable seal wrapping for the mount, causing values stored by + the mount to be wrapped by the seal's encryption capability type: boolean type: - description: Type of the backend, such as 'aws' + description: Type of the backend, such as "aws" Type of the backend, + such as 'aws' type: string type: object conditions: diff --git a/package/crds/vault.vault.upbound.io_namespaces.yaml b/package/crds/vault.vault.upbound.io_namespaces.yaml index 6a05ce53..35cd0eb7 100644 --- a/package/crds/vault.vault.upbound.io_namespaces.yaml +++ b/package/crds/vault.vault.upbound.io_namespaces.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: namespaces.vault.vault.upbound.io spec: group: vault.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: Namespace is the Schema for the Namespaces API. + description: Namespace is the Schema for the Namespaces API. Writes namespaces + for Vault properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -68,30 +68,78 @@ spec: forProvider: properties: namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string path: - description: Namespace path. + description: The path of the namespace. Must not have a trailing + / Namespace path. type: string pathFq: - description: The fully qualified namespace path. + description: The fully qualified path to the namespace. Useful + when provisioning resources in a child namespace. The fully + qualified namespace path. type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + path: + description: The path of the namespace. Must not have a trailing + / Namespace path. 
+ type: string + pathFq: + description: The fully qualified path to the namespace. Useful + when provisioning resources in a child namespace. The fully + qualified namespace path. + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. 
+ enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default @@ -265,25 +313,35 @@ spec: type: object x-kubernetes-validations: - message: path is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.path) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.path) + || has(self.initProvider.path)' status: description: NamespaceStatus defines the observed state of Namespace. properties: atProvider: properties: id: + description: ID of the namespace. type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string namespaceId: - description: Namespace ID. + description: ID of the namespace. Namespace ID. type: string path: - description: Namespace path. + description: The path of the namespace. Must not have a trailing + / Namespace path. type: string pathFq: - description: The fully qualified namespace path. + description: The fully qualified path to the namespace. Useful + when provisioning resources in a child namespace. The fully + qualified namespace path. type: string type: object conditions: diff --git a/package/crds/vault.vault.upbound.io_policies.yaml b/package/crds/vault.vault.upbound.io_policies.yaml index 29ee7c6c..571c71d6 100644 --- a/package/crds/vault.vault.upbound.io_policies.yaml +++ b/package/crds/vault.vault.upbound.io_policies.yaml 
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: policies.vault.vault.upbound.io spec: group: vault.vault.upbound.io @@ -35,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: Policy is the Schema for the Policys API. + description: Policy is the Schema for the Policys API. Writes arbitrary policies + for Vault properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +57,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -68,30 +68,72 @@ spec: forProvider: properties: name: - description: Name of the policy + description: The name of the policy Name of the policy type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string policy: - description: The policy document + description: String containing a Vault policy The policy document type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + name: + description: The name of the policy Name of the policy + type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. 
(requires + Enterprise) + type: string + policy: + description: String containing a Vault policy The policy document + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -265,9 +307,13 @@ spec: type: object x-kubernetes-validations: - message: name is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.name) + || has(self.initProvider.name)' - message: policy is a required parameter - rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy) + rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies + || ''Update'' in self.managementPolicies) || has(self.forProvider.policy) + || has(self.initProvider.policy)' status: description: PolicyStatus defines the observed state of Policy. properties: @@ -276,13 +322,17 @@ spec: id: type: string name: - description: Name of the policy + description: The name of the policy Name of the policy type: string namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string policy: - description: The policy document + description: String containing a Vault policy The policy document type: string type: object conditions: diff --git a/package/crds/vault.vault.upbound.io_tokens.yaml b/package/crds/vault.vault.upbound.io_tokens.yaml index 855bc479..edca81fd 100644 --- a/package/crds/vault.vault.upbound.io_tokens.yaml +++ b/package/crds/vault.vault.upbound.io_tokens.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: tokens.vault.vault.upbound.io spec: group: vault.vault.upbound.io 
@@ -35,7 +34,7 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: Token is the Schema for the Tokens API. + description: Token is the Schema for the Tokens API. Writes token for Vault properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -57,7 +56,7 @@ spec: description: 'DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicy field in a future release. Currently, + in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' 
@@ -68,70 +67,174 @@ spec: forProvider: properties: displayName: - description: The display name of the token. + description: String containing the token display name The display + name of the token. type: string explicitMaxTtl: - description: The explicit max TTL of the token. + description: The explicit max TTL of this token The explicit max + TTL of the token. type: string metadata: additionalProperties: type: string - description: Metadata to be associated with the token. + description: Metadata to be set on this token Metadata to be associated + with the token. type: object namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string noDefaultPolicy: - description: Flag to disable the default policy. + description: Flag to not attach the default policy to this token + Flag to disable the default policy. type: boolean noParent: - description: Flag to create a token without parent. + description: Flag to create a token without parent Flag to create + a token without parent. type: boolean numUses: - description: The number of allowed uses of the token. + description: The number of allowed uses of this token The number + of allowed uses of the token. type: number period: - description: The period of the token. + description: The period of this token The period of the token. type: string policies: - description: List of policies. + description: List of policies to attach to this token List of + policies. items: type: string type: array renewIncrement: - description: The renew increment. + description: The renew increment The renew increment. type: number renewMinLease: - description: The minimum lease to renew token. 
+ description: The minimal lease to renew this token The minimum + lease to renew token. type: number renewable: - description: Flag to allow the token to be renewed + description: Flag to allow to renew this token Flag to allow the + token to be renewed type: boolean roleName: - description: The token role name. + description: The token role name The token role name. type: string ttl: - description: The TTL period of the token. + description: The TTL period of this token The TTL period of the + token. type: string wrappingTtl: - description: The TTL period of the wrapped token. + description: The TTL period of this token The TTL period of the + wrapped token. type: string type: object - managementPolicy: - default: FullControl + initProvider: + description: THIS IS AN ALPHA FIELD. Do not use it in production. + It is not honored unless the relevant Crossplane feature flag is + enabled, and may be changed or removed without notice. InitProvider + holds the same fields as ForProvider, with the exception of Identifier + and other resource reference fields. The fields that are in InitProvider + are merged into ForProvider when the resource is created. The same + fields are also added to the terraform ignore_changes hook, to avoid + updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after + creation, for example because of an external controller is managing + them, like an autoscaler. + properties: + displayName: + description: String containing the token display name The display + name of the token. + type: string + explicitMaxTtl: + description: The explicit max TTL of this token The explicit max + TTL of the token. + type: string + metadata: + additionalProperties: + type: string + description: Metadata to be set on this token Metadata to be associated + with the token. + type: object + namespace: + description: The namespace to provision the resource in. 
The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string + noDefaultPolicy: + description: Flag to not attach the default policy to this token + Flag to disable the default policy. + type: boolean + noParent: + description: Flag to create a token without parent Flag to create + a token without parent. + type: boolean + numUses: + description: The number of allowed uses of this token The number + of allowed uses of the token. + type: number + period: + description: The period of this token The period of the token. + type: string + policies: + description: List of policies to attach to this token List of + policies. + items: + type: string + type: array + renewIncrement: + description: The renew increment The renew increment. + type: number + renewMinLease: + description: The minimal lease to renew this token The minimum + lease to renew token. + type: number + renewable: + description: Flag to allow to renew this token Flag to allow the + token to be renewed + type: boolean + roleName: + description: The token role name The token role name. + type: string + ttl: + description: The TTL period of this token The TTL period of the + token. + type: string + wrappingTtl: + description: The TTL period of this token The TTL period of the + wrapped token. + type: string + type: object + managementPolicies: + default: + - '*' description: 'THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicy - specifies the level of control Crossplane has over the managed external - resource. This field is planned to replace the DeletionPolicy field - in a future release. 
Currently, both could be set independently - and non-default values would be honored if the feature flag is enabled. - See the design doc for more information: /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' - enum: - - FullControl - - ObserveOnly - - OrphanOnDelete - type: string + enabled, and may be changed or removed without notice. ManagementPolicies + specify the array of actions Crossplane is allowed to take on the + managed and external resources. This field is planned to replace + the DeletionPolicy field in a future release. Currently, both could + be set independently and non-default values would be honored if + the feature flag is enabled. If both are custom, the DeletionPolicy + field will be ignored. See the design doc for more information: + /~https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: /~https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + items: + description: A ManagementAction represents an action that the Crossplane + controllers can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array providerConfigRef: default: name: default 
@@ -309,61 +412,78 @@ spec: atProvider: properties: displayName: - description: The display name of the token. + description: String containing the token display name The display + name of the token. type: string explicitMaxTtl: - description: The explicit max TTL of the token. + description: The explicit max TTL of this token The explicit max + TTL of the token. type: string id: type: string leaseDuration: - description: The token lease duration. + description: String containing the token lease duration if present + in state file The token lease duration. type: number leaseStarted: - description: The token lease started on. + description: String containing the token lease started time if + present in state file The token lease started on. type: string metadata: additionalProperties: type: string - description: Metadata to be associated with the token. + description: Metadata to be set on this token Metadata to be associated + with the token. type: object namespace: - description: Target namespace. (requires Enterprise) + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) type: string noDefaultPolicy: - description: Flag to disable the default policy. + description: Flag to not attach the default policy to this token + Flag to disable the default policy. type: boolean noParent: - description: Flag to create a token without parent. + description: Flag to create a token without parent Flag to create + a token without parent. type: boolean numUses: - description: The number of allowed uses of the token. + description: The number of allowed uses of this token The number + of allowed uses of the token. type: number period: - description: The period of the token. + description: The period of this token The period of the token. 
type: string policies: - description: List of policies. + description: List of policies to attach to this token List of + policies. items: type: string type: array renewIncrement: - description: The renew increment. + description: The renew increment The renew increment. type: number renewMinLease: - description: The minimum lease to renew token. + description: The minimal lease to renew this token The minimum + lease to renew token. type: number renewable: - description: Flag to allow the token to be renewed + description: Flag to allow to renew this token Flag to allow the + token to be renewed type: boolean roleName: - description: The token role name. + description: The token role name The token role name. type: string ttl: - description: The TTL period of the token. + description: The TTL period of this token The TTL period of the + token. type: string wrappingTtl: - description: The TTL period of the wrapped token. + description: The TTL period of this token The TTL period of the + wrapped token. type: string type: object conditions: