Creates a GCP Secret Manager destination for syncing Vault secrets. Requires Vault 1.16+ and is available only in Vault Enterprise.
For more information on syncing secrets with GCP, please refer to the Vault documentation.
```hcl
resource "vault_secrets_sync_gcp_destination" "gcp" {
  name                 = "gcp-dest"
  project_id           = "gcp-project-id"
  credentials          = file(var.credentials_file)
  secret_name_template = "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}"
  custom_tags = {
    "foo" = "bar"
  }
}
```
The following arguments are supported:

* `namespace` - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.

* `name` - (Required) Unique name of the GCP destination.

* `credentials` - (Optional) JSON-encoded service account credentials used to connect to GCP. Can be omitted and instead provided to Vault directly through the `GOOGLE_APPLICATION_CREDENTIALS` environment variable of the Vault server process. Note that, like any argument, a value set here is written to Terraform state, so protect the state backend or supply the credentials out of band.

* `custom_tags` - (Optional) Custom tags to set on the secrets managed at the destination.

* `secret_name_template` - (Optional) Template describing how to generate external secret names. Supports a subset of the Go template syntax (see the example above, which uses `.MountAccessor`, `.SecretPath`, and the `lowercase` function).

* `granularity` - (Optional) Determines what level of information is synced as a distinct resource at the destination. Supports `secret-path` (the default; the whole Vault secret is synced as one external secret holding all of its keys) and `secret-key` (each key of the Vault secret becomes its own external secret).

* `project_id` - (Optional) The target project to manage secrets in. If set, overrides the project ID derived from the service account JSON credentials or the application default credentials. The service account must be authorized to perform Secret Manager actions in the target project.
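An added, end-to-end example that is not part of the provider's own documentation: it creates a KV v2 mount and a secret, the GCP destination, and the `vault_secrets_sync_association` that actually tells Vault which secret to push to which destination. It assumes the `vault_secrets_sync_association`, `vault_mount` and `vault_kv_secret_v2` resources from the same provider, and two input variables (`gcp_project_id`, `gcp_credentials_json`) that are this example's own, not the page's.

```hcl
# Hypothetical input variables for this example.
variable "gcp_project_id" {
  type = string
}

# The service account key is passed as a sensitive variable so it is
# redacted from plan/apply output. It is still written to Terraform
# state, so the state backend must be protected accordingly.
variable "gcp_credentials_json" {
  type      = string
  sensitive = true
}

# KV v2 mount holding the secret that will be synced.
resource "vault_mount" "kv" {
  path = "kv"
  type = "kv"
  options = {
    version = "2"
  }
}

# A constructed sample secret; the values here are placeholders.
resource "vault_kv_secret_v2" "db" {
  mount = vault_mount.kv.path
  name  = "db-creds"
  data_json = jsonencode({
    username = "app"
    password = "example-only"
  })
}

# The GCP Secret Manager destination. With secret-path granularity the
# whole db-creds secret lands in GCP as one secret whose payload is the
# JSON of all its keys; switch to "secret-key" to get one GCP secret per
# key (username, password).
resource "vault_secrets_sync_gcp_destination" "gcp" {
  name                 = "gcp-dest"
  project_id           = var.gcp_project_id
  credentials          = var.gcp_credentials_json
  secret_name_template = "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}"
  granularity          = "secret-path"
  custom_tags = {
    "managed-by" = "vault-secrets-sync"
  }
}

# Nothing is synced until a secret is associated with the destination.
# The destination's exported `type` attribute (gcp-sm) is what the
# association needs alongside its name.
resource "vault_secrets_sync_association" "db" {
  name        = vault_secrets_sync_gcp_destination.gcp.name
  type        = vault_secrets_sync_gcp_destination.gcp.type
  mount       = vault_mount.kv.path
  secret_name = vault_kv_secret_v2.db.name
}
```

Referencing the destination's `name` and `type` attributes in the association, rather than repeating the literals, makes Terraform order the resources correctly and keeps the association in step if the destination is renamed. The service account behind `gcp_credentials_json` only needs Secret Manager permissions in `gcp_project_id`; grant nothing broader.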
The following attributes are exported in addition to the above:

* `type` - The type of the secrets destination (`gcp-sm`).

GCP Secrets sync destinations can be imported using the `name`, e.g.

```shell
$ terraform import vault_secrets_sync_gcp_destination.gcp gcp-dest
```