Provides a resource to manage roles in an SSH secret backend within Vault.
```hcl
resource "vault_mount" "example" {
  # Mount path; this is the "ssh" prefix used by the import example below.
  path = "ssh"
  type = "ssh"
}

resource "vault_ssh_secret_backend_role" "foo" {
  name                    = "my-role"
  backend                 = vault_mount.example.path
  key_type                = "ca"
  allow_user_certificates = true
}

resource "vault_ssh_secret_backend_role" "bar" {
  name          = "otp-role"
  backend       = vault_mount.example.path
  key_type      = "otp"
  default_user  = "default"
  allowed_users = "default,baz"
  # 0.0.0.0/0 makes this OTP role applicable to every IPv4 host; narrow it to
  # the CIDR blocks of the hosts that actually consume OTPs from this role.
  cidr_list = "0.0.0.0/0"
}
```
The following arguments are supported:

* `namespace` - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

* `name` - (Required) Specifies the name of the role to create.

* `backend` - (Required) The path where the SSH secret backend is mounted.

* `key_type` - (Required) Specifies the type of credentials generated by this role. This can be either `otp`, `dynamic` or `ca`.

* `allow_bare_domains` - (Optional) Specifies if host certificates that are requested are allowed to use the base domains listed in `allowed_domains`.

* `allow_host_certificates` - (Optional) Specifies if certificates are allowed to be signed for use as a 'host'.

* `allow_subdomains` - (Optional) Specifies if host certificates that are requested are allowed to be subdomains of those listed in `allowed_domains`.

* `allow_user_certificates` - (Optional) Specifies if certificates are allowed to be signed for use as a 'user'.

* `allow_user_key_ids` - (Optional) Specifies if users can override the key ID for a signed certificate with the `key_id` field.

* `allowed_critical_options` - (Optional) Specifies a comma-separated list of critical options that certificates can have when signed.

* `allowed_domains_template` - (Optional) Specifies if `allowed_domains` can be declared using identity template policies. Non-templated domains are also permitted.

* `allowed_domains` - (Optional) The list of domains for which a client can request a host certificate.

* `cidr_list` - (Optional) The comma-separated string of CIDR blocks for which this role is applicable.

* `allowed_extensions` - (Optional) Specifies a comma-separated list of extensions that certificates can have when signed.

* `default_extensions` - (Optional) Specifies a map of extensions that certificates have when signed.

* `default_critical_options` - (Optional) Specifies a map of critical options that certificates have when signed.

* `allowed_users_template` - (Optional) Specifies if `allowed_users` can be declared using identity template policies. Non-templated users are also permitted.

* `allowed_users` - (Optional) Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.

* `default_user_template` - (Optional) If set, `default_user` can be specified using identity template values. A non-templated user is also permitted.

* `default_user` - (Optional) Specifies the default username for which a credential will be generated.

* `key_id_format` - (Optional) Specifies a custom format for the key id of a signed certificate.

* `algorithm_signer` - (Optional) When supplied, this value specifies a signing algorithm for the key. Possible values: `ssh-rsa`, `rsa-sha2-256`, `rsa-sha2-512`.

* `allowed_user_key_config` - (Optional) Set of configuration blocks to define allowed user key configuration, like key type and their lengths. Can be specified multiple times. See the `allowed_user_key_config` options below for more info.

* `max_ttl` - (Optional) Specifies the maximum Time To Live value.

* `ttl` - (Optional) Specifies the Time To Live value.

* `not_before_duration` - (Optional) Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings.
Each `allowed_user_key_config` block supports the following arguments:

* `type` - (Required) The SSH public key type. Supported key types are: `rsa`, `ecdsa`, `ec`, `dsa`, `ed25519`, `ssh-rsa`, `ssh-dss`, `ssh-ed25519`, `ecdsa-sha2-nistp256`, `ecdsa-sha2-nistp384`, `ecdsa-sha2-nistp521`.

* `lengths` - (Required) A list of allowed key lengths as integers. For key types that do not support setting the length, a value of `[0]` should be used. Setting multiple lengths is only supported on Vault 1.10+. For prior releases, `lengths` must be set to a single-element list.
Example configuration blocks that might be included in the `vault_ssh_secret_backend_role` resource:

```hcl
allowed_user_key_config {
  type    = "rsa"
  lengths = [2048, 4096]
}

allowed_user_key_config {
  # "dsa" is one of the supported key types listed above ("dss" on its own is not).
  type    = "dsa"
  lengths = [2048, 4096]
}
```
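The arguments above combine into a least-privilege CA role: the certificate principal is bound to the caller's Vault identity, only explicitly listed extensions can be requested, certificates are short-lived, and weak client keys are rejected. This is an added example, not configuration from the provider's own documentation; the mount path `ssh-client-signer`, the role name `engineer`, and the use of Vault's `{{identity.entity.name}}` identity-template placeholder in this role are assumptions made for illustration.

```hcl
# Added example (not from the provider docs). Mount path and role name are
# constructed for illustration.
resource "vault_mount" "ssh_client" {
  path = "ssh-client-signer"
  type = "ssh"
}

resource "vault_ssh_secret_backend_role" "engineer" {
  name                    = "engineer"
  backend                 = vault_mount.ssh_client.path
  key_type                = "ca"
  allow_user_certificates = true
  allow_host_certificates = false

  # Tie the principal to the requesting Vault entity instead of letting the
  # client choose any username. "{{identity.entity.name}}" is Vault's identity
  # templating syntax (assumed to apply to these templated arguments).
  allowed_users          = "{{identity.entity.name}}"
  allowed_users_template = true
  default_user           = "{{identity.entity.name}}"
  default_user_template  = true

  # Clients may only request a PTY; agent/port forwarding are not signable.
  allowed_extensions = "permit-pty"
  default_extensions = {
    "permit-pty" = ""
  }

  # Short-lived certificates limit the exposure of a leaked client key pair.
  ttl     = "30m"
  max_ttl = "1h"

  # Avoid the legacy SHA-1 based ssh-rsa signature when the CA key is RSA.
  algorithm_signer = "rsa-sha2-512"

  # Reject weak client keys: RSA of at least 3072 bits, or Ed25519
  # (length is not configurable for Ed25519, hence [0]).
  allowed_user_key_config {
    type    = "rsa"
    lengths = [3072, 4096]
  }

  allowed_user_key_config {
    type    = "ed25519"
    lengths = [0]
  }
}
```

With this role a client can only obtain a certificate for its own entity name, valid for at most one hour, carrying no extension beyond `permit-pty`; a request presenting a 2048-bit RSA or DSA public key is refused at signing time.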
No additional attributes are exposed by this resource.
SSH secret backend roles can be imported using the `path`, e.g.

```shell
$ terraform import vault_ssh_secret_backend_role.foo ssh/roles/my-role
```