Reads dynamic role credentials from an LDAP secret backend in Vault. Each read creates a new short-lived directory account under a new lease, and the returned username and password are persisted in Terraform state and plan files, so protect those artifacts like any other secret.
resource "vault_ldap_secret_backend" "test" {
binddn = "..."
bindpass = "..."
url = "..."
}
resource "vault_ldap_secret_backend_dynamic_role" "role" {
mount = vault_ldap_secret_backend.test.path
role_name = "example-role"
creation_ldif = <<EOT
dn: cn={{.Username}},ou=users,dc=example,dc=org
objectClass: person
objectClass: top
cn: learn
sn: {{.Password | utf16le | base64}}
userPassword: {{.Password}}
EOT
deletion_ldif = <<EOT
dn: cn={{.Username}},ou=users,dc=example,dc=org
changetype: delete
EOT
rollback_ldif = <<EOT
dn: cn={{.Username}},ou=users,dc=example,dc=org
changetype: delete
EOT
default_ttl = "60s" # when the lease expires Vault runs deletion_ldif and the account is gone
max_ttl = "60s"
}
data "vault_ldap_dynamic_credentials" "creds" {
mount = vault_ldap_secret_backend.test.path
role_name = vault_ldap_secret_backend_dynamic_role.role.role_name
}
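Vault renders the three LDIF templates above with Go text/template at credential-issue time, which is late to discover that deletion_ldif points at a different DN than creation_ldif (the account then survives lease expiry) or that the password landed in an attribute any directory reader can see. The following is an added example, not code from the Terraform Vault provider or from Vault: a constructed stand-in renderer that supports only the features the page's role uses ({{.Username}}, {{.Password}} and the utf16le and base64 pipeline functions; the UTF-16LE-then-base64 form is what Active Directory's unicodePwd attribute expects), plus a check that flags DN mismatches and password material outside the password attribute. Note that the page's own creation_ldif writes the encoded password into sn, an ordinary readable attribute, which the check reports. The LDIF strings, username, password and the PASSWORD_ATTRS set are constructed sample input and assumptions.

```python
"""Offline render-and-check for a Vault LDAP dynamic role's LDIF templates.

Added example; not code from the Terraform Vault provider or from Vault.
Vault renders the templates with Go text/template; this constructed stand-in
implements only what the page's role uses ({{.Username}}, {{.Password}},
and the utf16le and base64 pipeline functions) so the templates can be
reviewed before they touch a directory. All sample values are constructed.
"""
import base64
import re

# Constructed copies of the page's three templates.
CREATION_LDIF = """dn: cn={{.Username}},ou=users,dc=example,dc=org
objectClass: person
objectClass: top
cn: learn
sn: {{.Password | utf16le | base64}}
userPassword: {{.Password}}
"""
DELETION_LDIF = """dn: cn={{.Username}},ou=users,dc=example,dc=org
changetype: delete
"""
ROLLBACK_LDIF = DELETION_LDIF

# Hardened variant: same entry, password material only in userPassword.
CREATION_LDIF_HARDENED = """dn: cn={{.Username}},ou=users,dc=example,dc=org
objectClass: person
objectClass: top
cn: {{.Username}}
sn: {{.Username}}
userPassword: {{.Password}}
"""

# Constructed sample values (Vault generates its own username format).
SAMPLE_FIELDS = {"Username": "v_token_example-role_a1b2c3", "Password": "Hunter2!"}

# Matches {{ .Field | func | func }} with optional whitespace.
ACTION_RE = re.compile(r"\{\{\s*\.(\w+)\s*((?:\|\s*\w+\s*)*)\}\}")

# Assumption: attributes that may legitimately carry the password (OpenLDAP, AD).
PASSWORD_ATTRS = {"userpassword", "unicodepwd"}


def _apply(func: str, value):
    """Apply one pipeline function: utf16le yields bytes, base64 yields text."""
    if func == "utf16le":
        return value.encode("utf-16-le") if isinstance(value, str) else value
    if func == "base64":
        raw = value.encode("utf-8") if isinstance(value, str) else value
        return base64.b64encode(raw).decode("ascii")
    raise ValueError(f"unsupported template function: {func}")


def render_ldif(template: str, fields: dict) -> str:
    """Substitute every {{.Field | fn ...}} action; refuse to emit raw binary."""
    def substitute(match):
        value = fields[match.group(1)]
        for func in (f.strip() for f in match.group(2).split("|")):
            if func:
                value = _apply(func, value)
        if isinstance(value, bytes):
            # utf16le without a trailing base64 would put binary into an LDIF line.
            raise ValueError(f"{match.group(0)} yields binary; pipe it through base64")
        return value
    return ACTION_RE.sub(substitute, template)


def ldif_dn(ldif: str) -> str:
    """Return the target DN of a rendered LDIF record."""
    for line in ldif.splitlines():
        if line.lower().startswith("dn:"):
            return line[3:].strip()
    raise ValueError("LDIF has no dn: line")


def check_role(creation: str, deletion: str, rollback: str, fields: dict) -> list:
    """Return the problems a reviewer should see before the role is applied."""
    problems = []
    created, deleted, rolled_back = (render_ldif(t, fields) for t in (creation, deletion, rollback))
    for name, text in (("deletion_ldif", deleted), ("rollback_ldif", rolled_back)):
        if ldif_dn(text) != ldif_dn(created):
            problems.append(f"{name} targets {ldif_dn(text)}, not the created entry")
        if "changetype: delete" not in text:
            problems.append(f"{name} does not delete the entry, so revocation leaves it behind")
    # Every encoding of the password that the supported pipeline can produce.
    password = fields["Password"]
    password_forms = {password, _apply("base64", password),
                      _apply("base64", _apply("utf16le", password))}
    for line in created.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() not in PASSWORD_ATTRS \
                and value.lstrip(":").strip() in password_forms:
            problems.append(f"creation_ldif writes the password into readable attribute {attr.strip()}")
    return problems


if __name__ == "__main__":
    print(render_ldif(CREATION_LDIF, SAMPLE_FIELDS))
    for problem in check_role(CREATION_LDIF, DELETION_LDIF, ROLLBACK_LDIF, SAMPLE_FIELDS):
        print("problem:", problem)
```

Run it against any role's templates before `terraform apply`; a non-empty result from check_role means either cleanup on lease expiry will not remove the account or the password is readable by anyone with read access to the entry.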
The following arguments are supported:
namespace
- (Optional) The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
mount
- (Required) The path of the LDAP secret backend to read credentials from, with no leading or trailing slashes.
role_name
- (Required) The name of the LDAP secret backend dynamic role to read credentials from, with no leading or trailing slashes.
In addition to the arguments above, the following attributes are exported:
lease_id
- The lease identifier assigned by Vault.
lease_duration
- The duration of the secret lease, in seconds, relative to the time the data was requested.
lease_renewable
- True if the duration of this lease can be extended through renewal.
distinguished_names
- List of the distinguished names (DN) created. Each name in this list
corresponds to each action taken within the creation_ldif statements.
This does not de-duplicate entries, so this will have one entry for each
LDIF statement within creation_ldif.
password
- The password for the dynamic role.
username
- The username of the generated account.