vault_identity_group

Creates an Identity Group for Vault. The Identity secrets engine is the identity management solution for Vault.

A group can contain multiple entities as its members, and a group can also have subgroups. Policies set on a group are granted to all of its members. At request time, when a token's entity ID is evaluated for the policies it has access to, the policies inherited through group memberships are granted along with the policies set on the entity itself.

Example Usage

Internal Group

resource "vault_identity_group" "internal" {
  name     = "internal"
  type     = "internal"
  policies = ["dev", "test"]

  metadata = {
    version = "2"
  }
}

External Group

resource "vault_identity_group" "group" {
  name     = "external"
  type     = "external"
  policies = ["test"]

  metadata = {
    version = "1"
  }
}
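The membership paragraph above describes how group policies reach a token through its entity. The following configuration, added here as an illustration and not taken from the provider documentation, wires that up end to end: a policy, an entity with no policies of its own, and an internal group that carries the policy and lists the entity as a member. The names `dev` and `app`, and the secret path in the policy, are assumptions chosen for the example.

```hcl
# Added example (not provider docs): policy inheritance through group membership.
# Names "dev", "app" and the path "secret/data/dev/*" are illustrative assumptions.

resource "vault_policy" "dev" {
  name = "dev"

  policy = <<EOT
path "secret/data/dev/*" {
  capabilities = ["read", "list"]
}
EOT
}

# An entity with an empty policy list; everything it can do comes from groups.
resource "vault_identity_entity" "app" {
  name     = "app"
  policies = []
}

# Policies on the group apply to every member, so a token that resolves to the
# "app" entity is evaluated with "dev" even though the entity lists no policies.
resource "vault_identity_group" "dev" {
  name              = "dev"
  type              = "internal"
  policies          = [vault_policy.dev.name]
  member_entity_ids = [vault_identity_entity.app.id]

  metadata = {
    managed_by = "terraform"
  }
}
```

Membership is declared on the group, not on the entity, which keeps the effective-policy question answerable from the group definitions alone. `member_entity_ids` is only valid on `type = "internal"` groups; external groups get their members from aliases supplied by an auth backend, so a token's policies for an external group depend on the alias mapping rather than on this argument.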

Caveats

It's important to note that Vault identity group names are case-insensitive, so the following two resources are equivalent from Vault's point of view. Applying this configuration results in the provider failing to create one of the identity groups, since both resources resolve to the same name.

This sort of pattern should be avoided:

resource "vault_identity_group" "internal" {
  # this duplicates the resource below
  name     = "internal"
  type     = "internal"
  policies = ["dev", "test"]

  metadata = {
    version = "2"
  }
}

resource "vault_identity_group" "Internal" {
  # this duplicates the resource above
  name     = "Internal"
  type     = "internal"
  policies = ["dev", "test"]

  metadata = {
    version = "2"
  }
}
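One way to catch this before anything is sent to Vault, added here as an example and not part of the provider documentation: declare the groups once in a map, create them with `for_each`, and attach a `lifecycle` precondition that fails the plan when two names collapse to the same lower-cased value. The group names and policies are the ones from the caveat above; the precondition syntax assumes Terraform 1.2 or newer.

```hcl
# Added example (not provider docs): refuse to plan when two group names differ
# only by case, since Vault would reject the second create. Requires Terraform >= 1.2.

locals {
  identity_groups = {
    internal = { type = "internal", policies = ["dev", "test"] }
    # Uncomment to see the guard fire: "Internal" collapses to "internal".
    # Internal = { type = "internal", policies = ["dev", "test"] }
  }

  # Lower-cased names; duplicates make distinct() shorter than the source list.
  lowercased_names = [for name in keys(local.identity_groups) : lower(name)]
}

resource "vault_identity_group" "managed" {
  for_each = local.identity_groups

  name     = each.key
  type     = each.value.type
  policies = each.value.policies

  lifecycle {
    precondition {
      condition     = length(distinct(local.lowercased_names)) == length(local.lowercased_names)
      error_message = "vault_identity_group names must be unique case-insensitively; Vault treats them as the same group."
    }
  }
}
```

The check runs during `terraform plan`, so a collision surfaces as a clear error instead of a half-applied state in which one of the two groups exists and the other never will.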

Argument Reference

The following arguments are supported:

name - (Optional) Name of the identity group. Vault treats group names case-insensitively; see Caveats above.

type - (Optional) Type of the group, either "internal" or "external". Defaults to "internal".

policies - (Optional) A list of policies to apply to the group. Members of the group inherit these policies.

metadata - (Optional) A map of string keys and values to attach to the group.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

id - The ID of the created identity group.

Import

Identity groups can be imported using their id, e.g.

$ terraform import vault_identity_group.test 'fcbf1efb-2b69-4209-bed8-811e3475dad3'