Reads arbitrary data from a given path in Vault. This resource is primarily intended to be used with Vault's "generic" secret backend, but it is also compatible with any other Vault endpoint that supports the `vault read` command.
```hcl
data "vault_generic_secret" "rundeck_auth" {
  path = "secret/rundeck_auth"
}

# Rundeck provider, for example.
# For this example, Vault holds a key named "auth_token" whose value is the
# token we need to keep secret. In general usage, replace "auth_token" with
# the key you wish to extract from Vault.
provider "rundeck" {
  url        = "http://rundeck.example.com/"
  auth_token = data.vault_generic_secret.rundeck_auth.data["auth_token"]
}
```
For this example, consider `example` to be the mount path of a KV secrets engine.

```hcl
data "vault_generic_secret" "example_creds" {
  path = "example/creds"
}

# Note: the template_file data source is deprecated in current Terraform
# releases in favour of the built-in templatefile() function; it is kept here
# to show how the secret's individual keys are consumed.
data "template_file" "example_template" {
  template = file("./example.tmpl")

  vars = {
    username = data.vault_generic_secret.example_creds.data["username"]
    password = data.vault_generic_secret.example_creds.data["password"]
  }
}
```
The following arguments are supported:

* `namespace` - (Optional) The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

* `path` - (Required) The full logical path from which to request data. To read data from the "generic" secret backend mounted in Vault by default, this should be prefixed with `secret/`. Reading from other backends with this data source is possible; consult each backend's documentation to see which endpoints support the `GET` method.

* `version` - The version of the secret to read. This is used by the Vault KV secrets engine (version 2) to indicate which version of the secret to read.

* `with_lease_start_time` - If set to `true`, stores `lease_start_time` in the Terraform state. Note that storing `lease_start_time` in the state will cause a persistent drift on every `terraform plan` and will require a `terraform apply`.

Use of this resource requires the `read` capability on the given path.
The following attributes are exported:

* `data_json` - A string containing the full data payload retrieved from Vault, serialized in JSON format.

* `data` - A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.

* `lease_id` - The lease identifier assigned by Vault, if any.

* `lease_duration` - The duration of the secret lease, in seconds relative to the time the data was requested. Once this time has passed, any plan generated with this data may fail to apply.

* `lease_start_time` - The date and time of Terraform execution. It is derived from the local machine's clock and is recorded in RFC3339 format (UTC). This can be used to approximate the absolute time represented by `lease_duration`, though users must allow for any clock drift and response latency relative to the Vault server. _Provided only as a convenience_.

* `lease_renewable` - `true` if the lease can be renewed using Vault's `sys/renew/{lease-id}` endpoint. Terraform does not currently support lease renewal, and so it will request a new lease each time this data source is refreshed.
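The following configuration is an added example, not taken from the provider documentation, that ties together the `version` argument and the `data` / `data_json` attributes described above. All mount names, paths and key names (`kv1/app/config`, `secret/data/app/db`, `api_key`, `allowed_cidrs`, `username`) are illustrative assumptions. It shows the point practitioners most often trip over: a non-string value stored in Vault (here a list) comes back through `data` as a JSON string and must be passed through `jsondecode`, and a KV version 2 secret is read through the engine's `<mount>/data/<name>` endpoint, which nests the key/value pairs under a `data` key in the response. Because Terraform records data source results in the state file in plaintext, outputs derived from the secret are marked `sensitive` so they are redacted from plan and apply output; the state file itself still needs access controls and encryption at rest.

```hcl
# Added example; all paths and key names below are assumptions.

# KV version 1 (or "generic") mount at "kv1/": the path is read as-is and the
# key/value pairs appear directly in the `data` map.
data "vault_generic_secret" "app_config" {
  path = "kv1/app/config"
}

# KV version 2 mount at "secret/": the read endpoint is "<mount>/data/<name>",
# and `version` pins a specific secret version instead of the latest one.
data "vault_generic_secret" "db_creds" {
  path    = "secret/data/app/db"
  version = 3
}

locals {
  # A plain string value can be used straight from the `data` map.
  api_key = data.vault_generic_secret.app_config.data["api_key"]

  # A non-string value (assumed here to be a list under "allowed_cidrs") is
  # delivered as a JSON-encoded string, so decode it before use.
  allowed_cidrs = jsondecode(data.vault_generic_secret.app_config.data["allowed_cidrs"])

  # For KV v2 the response nests the secret's own keys under "data" (alongside
  # "metadata"); decoding data_json and indexing into "data" gets at them.
  db = jsondecode(data.vault_generic_secret.db_creds.data_json)["data"]
}

# Outputs derived from the secret are marked sensitive so they are redacted in
# plan/apply output. They are still written to the state file in plaintext.
output "db_username" {
  value     = local.db["username"]
  sensitive = true
}

output "allowed_cidr_count" {
  # Derived, non-secret information can be exposed normally.
  value = length(local.allowed_cidrs)
}
```

A minimal Vault policy for this configuration grants only the `read` capability on the two paths used (`kv1/app/config` and `secret/data/app/db`), matching the requirement stated above; granting `list` or write capabilities to the Terraform token buys nothing for this data source.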