vault_managed_keys

A resource that manages the lifecycle of all Managed Keys in Vault.

Note this feature is available only with Vault Enterprise.

Example Usage

resource "vault_managed_keys" "keys" {

  aws {
    name       = "aws-key-1"
    access_key = var.aws_access_key
    secret_key = var.aws_secret_key
    key_bits   = "2048"
    key_type   = "RSA"
    kms_key    = "alias/vault_aws_key_1"
  }

  aws {
    name       = "aws-key-2"
    access_key = var.aws_access_key
    secret_key = var.aws_secret_key
    key_bits   = "4096"
    key_type   = "RSA"
    kms_key    = "alias/vault_aws_key_2"
  }
}

resource "vault_mount" "pki" {
  path                      = "pki"
  type                      = "pki"
  description               = "Example mount for managed keys"
  default_lease_ttl_seconds = 3600
  max_lease_ttl_seconds     = 36000
  allowed_managed_keys      = [
    tolist(vault_managed_keys.keys.aws)[0].name,
    tolist(vault_managed_keys.keys.aws)[1].name
  ]
}
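The following is an added example, not part of the provider's own documentation. It keeps the page's two AWS keys but declares the cloud credentials as sensitive variables (so their values are redacted from plan and apply output) and derives the mount's allowed_managed_keys with a for expression instead of positional tolist(...)[n] indexes, which depend on the ordering of a set. The allow_generate_key, allow_store_key and allow_replace_key arguments come from the provider's common parameters, which this page does not list; treat their presence here as an assumption and check the provider version you run.

```hcl
# Added example (not from the provider docs): credentials as sensitive
# variables plus a mount that allows every key defined on the resource.

variable "aws_access_key" {
  type      = string
  sensitive = true # redacted from plan/apply output (Terraform 0.14+)
}

variable "aws_secret_key" {
  type      = string
  sensitive = true
}

resource "vault_managed_keys" "keys" {

  aws {
    name       = "aws-key-1"
    access_key = var.aws_access_key
    secret_key = var.aws_secret_key
    key_bits   = "2048"
    key_type   = "RSA"
    kms_key    = "alias/vault_aws_key_1"

    # Common parameters (assumed from the provider, not listed on this page):
    # let Vault generate key material in KMS, but never upload or replace it.
    allow_generate_key = true
    allow_store_key    = false
    allow_replace_key  = false
  }

  aws {
    name       = "aws-key-2"
    access_key = var.aws_access_key
    secret_key = var.aws_secret_key
    key_bits   = "4096"
    key_type   = "RSA"
    kms_key    = "alias/vault_aws_key_2"

    allow_generate_key = true
    allow_store_key    = false
    allow_replace_key  = false
  }
}

resource "vault_mount" "pki" {
  path                      = "pki"
  type                      = "pki"
  description               = "PKI mount backed by managed keys"
  default_lease_ttl_seconds = 3600
  max_lease_ttl_seconds     = 36000

  # Every key declared above is allowed on this mount. The for expression
  # does not depend on the order in which the aws blocks appear in the set,
  # so adding or removing a key cannot silently shift which name is granted.
  allowed_managed_keys = [for k in vault_managed_keys.keys.aws : k.name]
}
```

Because the resource is a single object covering all managed keys, run terraform plan after any change and confirm the plan shows only the key you intended to add or remove; a replacement of the whole resource would also revoke the names referenced by every mount's allowed_managed_keys.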

Caveats

This single resource handles the lifecycle of _all_ the managed keys that must be created in Vault. There can only be one such resource in the TF state, and if there are already provisioned managed keys in Vault, we recommend using terraform import instead.

Argument Reference

The following arguments are supported:

Common Parameters

AWS Parameters

Azure Parameters

Note this provider is available only with Vault Enterprise Plus (HSMs).

PKCS Parameters

Note this provider is available only with Vault Enterprise Plus (HSMs).

Import

The managed keys resource can be imported using the id default, e.g.

$ terraform import vault_managed_keys.keys default