vault_identity_group_alias

Creates an Identity Group Alias for Vault. The Identity secrets engine is the identity management solution for Vault.

Group aliases allows entity membership in external groups to be managed semi-automatically. External group serves as a mapping to a group that is outside of the identity store. External groups can have one (and only one) alias. This alias should map to a notion of group that is outside of the identity store. For example, groups in LDAP, and teams in GitHub. A username in LDAP, belonging to a group in LDAP, can get its entity ID added as a member of a group in Vault automatically during logins and token renewals. This works only if the group in Vault is an external group and has an alias that maps to the group in LDAP. If the user is removed from the group in LDAP, that change gets reflected in Vault only upon the subsequent login or renewal operation.

Example Usage

resource "vault_identity_group" "group" {
  name     = "test"
  type     = "external"
  policies = ["test"]
}

resource "vault_auth_backend" "github" {
  type = "github"
  path = "github"
}

resource "vault_identity_group_alias" "group-alias" {
  name           = "Github_Team_Slug"
  mount_accessor = vault_auth_backend.github.accessor
  canonical_id   = vault_identity_group.group.id
}

Argument Reference

The following arguments are supported:

Attributes Reference

In addition to all arguments above, the following attributes are exported:

Import

The group alias can be imported with the group alias id, for example:

$ terraform import vault_identity_group_alias.group-alias id

Group aliases can also be imported using the UUID of the alias record, e.g.

terraform import vault_identity_group_alias.alias_name 63104e20-88e4-11eb-8d04-cf7ac9d60157