# vault_ad_secret_backend

Creates an Active Directory secret backend for Vault. The Active Directory secret backend rotates existing Active Directory service account passwords based on the TTL of the role.

## Example Usage

```hcl
resource "vault_ad_secret_backend" "config" {
  backend      = "ad"
  binddn       = "CN=Administrator,CN=Users,DC=corp,DC=example,DC=net"
  bindpass     = "SuperSecretPassw0rd"
  url          = "ldaps://ad"
  insecure_tls = "true"
  userdn       = "CN=Users,DC=corp,DC=example,DC=net"
}
```
## Argument Reference

The following arguments are supported:

* `namespace` - (Optional) The namespace to provision the resource in.
  The value should not contain leading or trailing forward slashes.
  The namespace is always relative to the provider's configured namespace.
  Available only for Vault Enterprise.

* `backend` - (Optional) The unique path this backend should be mounted at. Must
  not begin or end with a `/`. Defaults to `ad`.

* `disable_remount` - (Optional) If set, opts out of mount migration on path updates.
  See the provider's mount migration documentation for more information.

* `anonymous_group_search` - (Optional) Use anonymous binds when performing LDAP group searches
  (if true, the initial credentials will still be used for the initial connection test).

* `binddn` - (Required) Distinguished name of the object to bind as when performing user and group searches.

* `bindpass` - (Required) Password to use along with `binddn` when performing user searches.

* `case_sensitive_names` - (Optional) If set, user and group names assigned to policies within the
  backend will be case sensitive. Otherwise, names will be normalized to lower case.

* `certificate` - (Optional) CA certificate to use when verifying the LDAP server certificate; must be
  x509 PEM encoded.

* `client_tls_cert` - (Optional) Client certificate to provide to the LDAP server; must be x509 PEM encoded.

* `client_tls_key` - (Optional) Client certificate key to provide to the LDAP server; must be x509 PEM encoded.

* `default_lease_ttl_seconds` - (Optional) Default lease duration for secrets in seconds.

* `deny_null_bind` - (Optional) Denies an unauthenticated LDAP bind request if the user's password is empty.
  Defaults to `true`.

* `description` - (Optional) Human-friendly description of the mount for the Active Directory backend.

* `discoverdn` - (Optional) Use an anonymous bind to discover the bind Distinguished Name of a user.

* `groupattr` - (Optional) LDAP attribute to follow on the objects returned by the group search,
  e.g. `cn` or `memberOf`. Defaults to `cn`.

* `groupdn` - (Optional) LDAP search base to use for group membership searches (e.g. `ou=Groups,dc=example,dc=org`).

* `groupfilter` - (Optional) Go template for querying the group membership of a user. The template can access
  the following context variables: `UserDN`, `Username`. Defaults to `(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))`.

* `insecure_tls` - (Optional) Skip LDAP server SSL certificate verification. This is not recommended for production.
  Defaults to `false`.

* `last_rotation_tolerance` - (Optional) The number of seconds after a Vault rotation where, if Active Directory
  shows a later rotation, it should be considered out-of-band. This is the tolerance duration used when checking
  the last rotation time.

* `local` - (Optional) Mark the secrets engine as local-only. Local engines are not replicated or removed by
  replication.

* `max_lease_ttl_seconds` - (Optional) Maximum possible lease duration for secrets in seconds.

* `max_ttl` - (Optional) In seconds, the maximum password time-to-live.

* `password_policy` - (Optional) Name of the password policy to use to generate passwords.

* `request_timeout` - (Optional) Timeout, in seconds, for the connection when making requests against the server
  before returning an error.

* `starttls` - (Optional) Issue a StartTLS command after establishing an unencrypted connection.

* `tls_max_version` - (Optional) Maximum TLS version to use. Accepted values are `tls10`, `tls11`,
  `tls12` or `tls13`. Defaults to `tls12`.

* `tls_min_version` - (Optional) Minimum TLS version to use. Accepted values are `tls10`, `tls11`,
  `tls12` or `tls13`. Defaults to `tls12`.

* `ttl` - (Optional) In seconds, the default password time-to-live.

* `upndomain` - (Optional) Enables userPrincipalDomain login with `[username]@UPNDomain`.

* `url` - (Required) LDAP URL to connect to. Multiple URLs can be specified by concatenating
  them with commas; they will be tried in order. Defaults to `ldap://127.0.0.1`.

* `use_pre111_group_cn_behavior` - (Optional) In Vault 1.1.1 a fix for handling group CN values of
  different cases unfortunately introduced a regression that could cause previously defined groups
  to not be found due to a change in the resulting name. If set to true, the pre-1.1.1 behavior for
  matching group CNs will be used. This is only needed in some upgrade scenarios for backwards
  compatibility. It is enabled by default if the config is upgraded but disabled by default on
  new configurations.

* `use_token_groups` - (Optional) If true, use the Active Directory `tokenGroups` constructed attribute of the
  user to find the group memberships. This will find all security groups, including nested ones.

* `userattr` - (Optional) Attribute used when searching users. Defaults to `cn`.

* `userdn` - (Optional) LDAP domain to use for users (e.g. `ou=People,dc=example,dc=org`).
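The example usage above disables certificate verification with `insecure_tls = "true"`, binds as `Administrator` and embeds the bind password in the configuration. The following is an added example, not from the original page, showing a hardened configuration of the same resource built from the arguments listed above: the bind password comes from a sensitive variable, the server certificate is verified against a CA bundle, the TLS floor is pinned, and rotated passwords follow a named password policy. The `vault_password_policy` and `vault_ad_secret_role` resources, the `svc-vault` bind account, the domain controller hostnames, the `corp-ca.pem` path and the `ad-service-accounts` policy name are all assumptions for illustration and are not described on this page.

```hcl
# Added example (not from the original page): hardened variant of the
# configuration shown under Example Usage. All names, hostnames and paths
# are placeholders constructed for illustration.

# Bind password supplied at plan/apply time instead of a literal in the config.
variable "ad_bindpass" {
  type      = string
  sensitive = true
}

# Password policy used for generated passwords. Assumes the provider's
# vault_password_policy resource, which is not described on this page.
resource "vault_password_policy" "ad_service_accounts" {
  name   = "ad-service-accounts"
  policy = <<-EOT
    length = 32
    rule "charset" {
      charset   = "abcdefghijklmnopqrstuvwxyz"
      min-chars = 1
    }
    rule "charset" {
      charset   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
      min-chars = 1
    }
    rule "charset" {
      charset   = "0123456789"
      min-chars = 1
    }
    rule "charset" {
      charset   = "!@#$%^&*"
      min-chars = 1
    }
  EOT
}

resource "vault_ad_secret_backend" "config" {
  backend     = "ad"
  description = "Rotates Active Directory service account passwords"

  # Dedicated bind account with only the rights needed to reset the managed
  # service accounts, rather than the domain Administrator.
  binddn   = "CN=svc-vault,OU=ServiceAccounts,DC=corp,DC=example,DC=net"
  bindpass = var.ad_bindpass
  userdn   = "CN=Users,DC=corp,DC=example,DC=net"

  # Two domain controllers over LDAPS, tried in order (comma-separated).
  url = "ldaps://dc1.corp.example.net,ldaps://dc2.corp.example.net"

  # Verify the server certificate against the corporate CA instead of
  # skipping verification; pin the TLS version range.
  insecure_tls    = false
  certificate     = file("${path.module}/corp-ca.pem")
  tls_min_version = "tls12"
  tls_max_version = "tls13"

  # Rotation settings, all in seconds: default and maximum password lifetime,
  # how much later an AD-reported rotation may be before it is treated as
  # out-of-band, and the LDAP request timeout.
  ttl                     = 86400
  max_ttl                 = 604800
  last_rotation_tolerance = 5
  request_timeout         = 30
  password_policy         = vault_password_policy.ad_service_accounts.name
}

# Role whose TTL drives rotation of one service account. Assumes the
# provider's vault_ad_secret_role resource, which is not described on this page.
resource "vault_ad_secret_role" "sql_svc" {
  backend              = vault_ad_secret_backend.config.backend
  role                 = "sql-service"
  service_account_name = "svc-sql@corp.example.net"
  ttl                  = 86400
}
```

Setting `certificate` together with `insecure_tls = false` means a domain controller presenting an unexpected certificate fails the connection instead of silently handing the bind password to a man-in-the-middle, and sourcing `bindpass` from a sensitive variable keeps it out of the committed configuration (it still lands in Terraform state, which should be stored and access-controlled accordingly).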
## Attributes Reference

No additional attributes are exported by this resource.
## Import

AD secret backend can be imported using the `backend`, e.g.

```
$ terraform import vault_ad_secret_backend.ad ad
```