Creates a GitHub destination to synchronize secrets in Vault. Requires Vault 1.16+. Available only for Vault Enterprise.
For more information on syncing secrets with GitHub, please refer to the Vault documentation.
resource "vault_secrets_sync_gh_destination" "gh" {
  name                 = "gh-dest"
  access_token         = var.access_token
  repository_owner     = var.repo_owner
  repository_name      = "repo-name-example"
  secret_name_template = "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}"
}
The following arguments are supported:
namespace - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
name - (Required) Unique name of the GitHub destination.
access_token - (Optional) Fine-grained or personal access token. Can be omitted and directly provided to Vault using the GITHUB_ACCESS_TOKEN environment variable.
repository_owner - (Optional) GitHub organization or username that owns the repository. Can be omitted and directly provided to Vault using the GITHUB_REPOSITORY_OWNER environment variable.
repository_name - (Optional) Name of the repository. Can be omitted and directly provided to Vault using the GITHUB_REPOSITORY_NAME environment variable.
secret_name_template - (Optional) Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
granularity - (Optional) Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
app_name - (Optional) The user-defined name of the GitHub App configuration. This is a reference to the name used on the new endpoint when configuring the GitHub app on the Vault Server. Can be modified. Takes precedence over the access_token field.
installation_id - (Optional) The ID of the installation generated by GitHub when the app referenced by the app_name was installed in the user’s GitHub account. Can be modified. Necessary if the app_name field is also provided.
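An added example, not part of the provider documentation: one destination that authenticates through a GitHub App reference (app_name with installation_id) instead of a token, and one that sets no credentials in Terraform so Vault takes them from the environment variables named above. The resource labels, variable names, the app name "example-sync-app", and the numeric type chosen for installation_id are assumptions.

```hcl
# Added example; variable names and "example-sync-app" are placeholders.
variable "repo_owner" {
  type = string
}

variable "gh_installation_id" {
  type        = number # assumed numeric; GitHub installation IDs are integers
  description = "Installation ID GitHub generated when the app was installed"
}

# GitHub App authentication: app_name takes precedence over access_token,
# so no personal access token is passed through Terraform variables or state.
resource "vault_secrets_sync_gh_destination" "gh_app" {
  name             = "gh-dest-app"
  app_name         = "example-sync-app" # must match the app configured on the Vault server
  installation_id  = var.gh_installation_id
  repository_owner = var.repo_owner
  repository_name  = "repo-name-example"
  granularity      = "secret-key"
}

# Token authentication with credentials kept out of Terraform:
# Vault reads GITHUB_ACCESS_TOKEN, GITHUB_REPOSITORY_OWNER and
# GITHUB_REPOSITORY_NAME from its own environment.
resource "vault_secrets_sync_gh_destination" "gh_env" {
  name = "gh-dest-env"
}
```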
The following attributes are exported in addition to the above:
type - The type of the secrets destination (gh).
GitHub Secrets sync destinations can be imported using the name, e.g.
$ terraform import vault_secrets_sync_gh_destination.gh gh-dest