Creates an Azure Key Vault destination to synchronize secrets from Vault. Requires Vault 1.16+. Available only for Vault Enterprise.

For more information on syncing secrets with Azure Key Vault, please refer to the Vault documentation.
```hcl
resource "vault_secrets_sync_azure_destination" "az" {
  name                 = "az-dest"
  key_vault_uri        = var.key_vault_uri
  client_id            = var.client_id
  client_secret        = var.client_secret
  tenant_id            = var.tenant_id
  secret_name_template = "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}"
  custom_tags = {
    "foo" = "bar"
  }
}
```
The following arguments are supported:

- `namespace` - (Optional) The namespace to provision the resource in.
  The value should not contain leading or trailing forward slashes.
  The namespace is always relative to the provider's configured namespace.
- `name` - (Required) Unique name of the Azure destination.
- `key_vault_uri` - (Optional) URI of an existing Azure Key Vault instance.
  Can be omitted and directly provided to Vault using the `KEY_VAULT_URI` environment variable.
- `tenant_id` - (Optional) ID of the target Azure tenant.
  Can be omitted and directly provided to Vault using the `AZURE_TENANT_ID` environment variable.
- `client_id` - (Optional) Client ID of an Azure app registration.
  Can be omitted and directly provided to Vault using the `AZURE_CLIENT_ID` environment variable.
- `client_secret` - (Optional) Client Secret of an Azure app registration.
  Can be omitted and directly provided to Vault using the `AZURE_CLIENT_SECRET` environment variable.
- `cloud` - (Optional) Specifies a cloud for the client. The default is Azure Public Cloud.
- `custom_tags` - (Optional) Custom tags to set on the secret managed at the destination.
- `secret_name_template` - (Optional) Template describing how to generate external secret names.
  Supports a subset of the Go Template syntax.
- `granularity` - (Optional) Determines what level of information is synced as a distinct resource
  at the destination. Supports `secret-path` and `secret-key`.
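The following configuration is an added example, not taken from the provider documentation or the Vault project. It shows the arguments above used together in a way that keeps the Azure credentials out of plaintext configuration: the app registration values come from variables marked `sensitive`, so Terraform redacts them from plan and apply output (they are still written to state, which therefore needs the same protection as the secrets themselves), `granularity = "secret-key"` makes each key of a KV secret its own Key Vault secret, and the name template uses hyphens rather than underscores because Azure Key Vault object names accept only alphanumerics and hyphens (whether Vault rewrites other characters is not stated on this page). The `vault_secrets_sync_association`, `vault_mount` and `vault_kv_secret_v2` resources are assumed from the same provider; they are not described on this page, and the variable names and secret contents are constructed for the example.

```hcl
# Added example; not the provider's own documentation.
# Azure app registration credentials: marked sensitive so they are
# redacted from plan/apply output. Alternatively omit these three
# arguments entirely and set AZURE_TENANT_ID, AZURE_CLIENT_ID and
# AZURE_CLIENT_SECRET in the Vault server's environment instead.
variable "tenant_id" {
  type      = string
  sensitive = true
}

variable "client_id" {
  type      = string
  sensitive = true
}

variable "client_secret" {
  type      = string
  sensitive = true
}

variable "key_vault_uri" {
  type = string # e.g. https://example-kv.vault.azure.net/ (constructed value)
}

resource "vault_secrets_sync_azure_destination" "az_prod" {
  name          = "az-prod"
  key_vault_uri = var.key_vault_uri
  tenant_id     = var.tenant_id
  client_id     = var.client_id
  client_secret = var.client_secret

  # One Key Vault secret per KV key instead of one JSON blob per path.
  granularity = "secret-key"

  # Hyphens only: Azure Key Vault secret names allow [0-9A-Za-z-].
  secret_name_template = "vault-{{ .MountAccessor | lowercase }}-{{ .SecretPath | lowercase }}"

  # Tags land on every synced secret, so they are useful for finding
  # Vault-managed objects during an inventory or incident review.
  custom_tags = {
    "managed-by" = "vault-secrets-sync"
    "env"        = "prod"
  }
}

# Assumed resources (not on this page): a KV v2 mount, a secret in it,
# and the association that tells Vault which secret to push to which destination.
resource "vault_mount" "kvv2" {
  path = "kvv2"
  type = "kv"
  options = {
    version = "2"
  }
}

resource "vault_kv_secret_v2" "app_db" {
  mount = vault_mount.kvv2.path
  name  = "app/db"
  data_json = jsonencode({
    username = "app-user"          # constructed sample value
    password = "replace-me-example" # constructed sample value
  })
}

resource "vault_secrets_sync_association" "app_db" {
  name        = vault_secrets_sync_azure_destination.az_prod.name
  type        = vault_secrets_sync_azure_destination.az_prod.type
  mount       = vault_mount.kvv2.path
  secret_name = vault_kv_secret_v2.app_db.name
}
```

With `secret-key` granularity the association above yields two Key Vault secrets (one for `username`, one for `password`) rather than a single secret holding the whole JSON document, which lets Azure-side access policies and consumers reference the password without also receiving every other key stored at that path.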
The following attributes are exported in addition to the above:

- `type` - The type of the secrets destination (`azure-kv`).

Azure Secrets sync destinations can be imported using the `name`, e.g.

```shell
$ terraform import vault_secrets_sync_azure_destination.az az-dest
```