Reads the subkeys for a KV-V2 secret written to Vault.
For more information on Vault's KV-V2 secret backend see here.
resource "vault_mount" "kvv2" {
  path        = "kvv2"
  type        = "kv"
  options     = { version = "2" }
  description = "KV Version 2 secret engine mount"
}

resource "vault_kv_secret_v2" "aws_secret" {
  mount = vault_mount.kvv2.path
  name  = "aws_secret"
  data_json = jsonencode(
    {
      zip = "zap",
      foo = "bar"
    }
  )
}

data "vault_kv_secret_subkeys_v2" "test" {
  mount = vault_mount.kvv2.path
  name  = vault_kv_secret_v2.aws_secret.name
}
The following arguments are supported:
namespace - (Optional) The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
mount - (Required) Path where KV-V2 engine is mounted.
name - (Required) Full name of the secret. For a nested secret the name is the nested path excluding the mount and data prefix. For example, for a secret at kvv2/data/foo/bar/baz the name is foo/bar/baz.
version - (Optional) Specifies the version to return. If not set the latest version is returned.
depth - (Optional) Specifies the deepest nesting level to provide in the output. If non-zero, keys that reside at the specified depth value will be artificially treated as leaves and will thus be null even if further underlying sub-keys exist.
Use of this resource requires the read capability on the given path.
The following attributes are exported:
path - Full path where the KV-V2 secrets are listed.
data_json - Subkeys for the KV-V2 secret read from Vault.
data - Subkeys for the KV-V2 secret stored as a serialized map of strings.
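The following is an added example, not part of the provider documentation. It uses the data source to verify that a secret still has the expected top-level keys, limiting output with depth = 1 and decoding data_json. The policy name, the "shape" label, the locals and the policy path (taken from Vault's KV-V2 subkeys API endpoint, <mount>/subkeys/<name>) are assumptions, and check blocks need Terraform 1.5 or later.

```hcl
# Added example: reuses vault_mount.kvv2 and vault_kv_secret_v2.aws_secret
# from the configuration above.

# Assumption: the data source reads Vault's KV-V2 subkeys endpoint,
# <mount>/subkeys/<name>. A consumer that only needs the key structure can
# be given this policy instead of read on <mount>/data/<name>.
resource "vault_policy" "subkeys_only" {
  name   = "aws-secret-subkeys-only" # hypothetical policy name
  policy = <<-EOT
    path "${vault_mount.kvv2.path}/subkeys/${vault_kv_secret_v2.aws_secret.name}" {
      capabilities = ["read"]
    }
  EOT
}

data "vault_kv_secret_subkeys_v2" "shape" {
  mount = vault_mount.kvv2.path
  name  = vault_kv_secret_v2.aws_secret.name
  depth = 1 # keys at depth 1 are reported as leaves (null)
}

locals {
  # Decode the subkeys document and keep only the top-level key names.
  present_keys  = keys(jsondecode(data.vault_kv_secret_subkeys_v2.shape.data_json))
  required_keys = ["foo", "zip"] # keys written by vault_kv_secret_v2.aws_secret
  missing_keys  = setsubtract(local.required_keys, local.present_keys)
}

# Reports a warning during plan/apply when an expected key is absent.
# The message is built from required_keys only, never from data read from Vault.
check "aws_secret_shape" {
  assert {
    condition     = length(local.missing_keys) == 0
    error_message = "aws_secret must contain the keys: ${join(", ", local.required_keys)}"
  }
}
```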