Writes and manages arbitrary data at a given path in Vault.
This resource enables configuration of arbitrary Vault endpoints. It can be used when a resource type is not available for a type of endpoint, including when the endpoint is provided by a third-party plugin. This resource can be used for endpoints with dynamic behavior, including write-only configuration endpoints, endpoints that return a different set of fields when read from those that were written, and endpoints that return data when written to. This makes it more flexible than the generic secret resource for use with arbitrary endpoints.
```hcl
resource "vault_auth_backend" "userpass" {
  type = "userpass"
}

# Create a userpass user. The users endpoint can be read back, but the read
# returns more fields than were written, hence ignore_absent_fields.
resource "vault_generic_endpoint" "u1" {
  depends_on           = [vault_auth_backend.userpass]
  path                 = "auth/userpass/users/u1"
  ignore_absent_fields = true

  data_json = <<EOT
{
  "policies": ["p1"],
  "password": "changeme"
}
EOT
}

# Log in as the user. The login endpoint is write-only: it supports neither
# GET nor DELETE, so both are disabled.
resource "vault_generic_endpoint" "u1_token" {
  depends_on     = [vault_generic_endpoint.u1]
  path           = "auth/userpass/login/u1"
  disable_read   = true
  disable_delete = true

  data_json = <<EOT
{
  "password": "changeme"
}
EOT
}

# Look up the entity created by the login. The lookup returns its result on
# write, so write_fields selects the "id" field to expose in write_data.
resource "vault_generic_endpoint" "u1_entity" {
  depends_on           = [vault_generic_endpoint.u1_token]
  disable_read         = true
  disable_delete       = true
  path                 = "identity/lookup/entity"
  ignore_absent_fields = true
  write_fields         = ["id"]

  # The accessor is interpolated as a quoted string so the heredoc stays
  # valid JSON.
  data_json = <<EOT
{
  "alias_name":           "u1",
  "alias_mount_accessor": "${vault_auth_backend.userpass.accessor}"
}
EOT
}

output "u1_id" {
  value = vault_generic_endpoint.u1_entity.write_data["id"]
}
```
The following arguments are supported:

- `namespace` - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- `path` - (Required) The full logical path at which to write the given data. Consult each backend's documentation to see which endpoints support the `PUT` method and to determine whether they also support `DELETE` and `GET`.
- `data_json` - (Required) String containing a JSON-encoded object that will be written to the given path as the secret data.
- `disable_read` - (Optional) True/false. Set this to true if your Vault authentication is not able to read the data or if the endpoint does not support the `GET` method. Setting this to `true` will break drift detection. You should set this to `true` for endpoints that are write-only. Defaults to false.
- `disable_delete` - (Optional) True/false. Set this to true if your Vault authentication is not able to delete the data or if the endpoint does not support the `DELETE` method. Defaults to false.
- `ignore_absent_fields` - (Optional) True/false. If set to true, ignore any fields present when the endpoint is read but that were not in `data_json`. Also, if a field that was written is not returned when the endpoint is read, treat that field as being up to date. You should set this to `true` when writing to an endpoint that, when read, returns a different set of fields from the ones you wrote, as is common with many configuration endpoints. Defaults to false.
- `write_fields` - (Optional) A list of fields that should be returned in `write_data_json` and `write_data`. If omitted, data returned by the write operation is not available to the resource or included in state. This helps to avoid accidental storage of sensitive values in state. Some endpoints, such as many dynamic secrets endpoints, return data from writing to an endpoint rather than reading it. You should use `write_fields` if you need information returned in this way.

In addition to the fields above, the following attributes are exported:

- `write_data_json` - The JSON data returned by the write operation. Only fields set in `write_fields` are present in the JSON data.
- `write_data` - A map whose keys are the top-level data keys returned from Vault by the write operation and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON. Only fields set in `write_fields` are present in the map.

Use of this resource requires the `create` or `update` capability (depending on whether the resource already exists) on the given path. If `disable_delete` is false, the `delete` capability is also required. If `disable_read` is false, the `read` capability is required.
Import is not supported for this resource.
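The following is an added example, not part of the provider's documentation, showing `write_fields` and the matching minimum capabilities on an endpoint that returns data on write. It assumes a PKI secrets engine mounted at `pki` with a role named `web` that permits the requested common name; the policy name and common name are constructed values.

```hcl
# Issue a certificate through pki/issue/<role>, an endpoint that returns its
# result on write. Assumes (not from the page) a PKI secrets engine mounted at
# "pki" with a role named "web" that permits the requested common name.
resource "vault_generic_endpoint" "web_cert" {
  path = "pki/issue/web"

  # The issue endpoint has no GET or DELETE: reading back would fail and
  # drift detection is not meaningful for a one-shot issuance.
  disable_read   = true
  disable_delete = true

  # Only these response keys are copied into write_data / write_data_json.
  # The response also carries "private_key"; it is left out on purpose so
  # the key is never written to Terraform state.
  write_fields = ["certificate", "serial_number", "issuing_ca"]

  data_json = <<EOT
{
  "common_name": "app.example.internal",
  "ttl":         "24h"
}
EOT
}

# Least-privilege policy for the token the provider runs with: because
# disable_read and disable_delete are both true, only create/update on the
# path is needed. The policy name is a constructed example value.
resource "vault_policy" "issue_web_cert" {
  name   = "tf-issue-web-cert"
  policy = <<EOT
path "pki/issue/web" {
  capabilities = ["create", "update"]
}
EOT
}

output "web_cert_pem" {
  value = vault_generic_endpoint.web_cert.write_data["certificate"]
}

output "web_cert_serial" {
  value = vault_generic_endpoint.web_cert.write_data["serial_number"]
}
```

The policy still has to be attached to whatever token or auth role the provider authenticates with; creating it in the same configuration does not grant it. Note that `data_json` itself is always stored in state, so `write_fields` only controls what comes back from the write, not what goes in.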