Creates an Azure Secret Backend Role for Vault.
The Azure secrets engine dynamically generates Azure service principals and role assignments. Vault roles can be mapped to one or more Azure roles, providing a simple, flexible way to manage the permissions granted to generated service principals.
```hcl
resource "vault_azure_secret_backend" "azure" {
  subscription_id = var.subscription_id
  tenant_id       = var.tenant_id
  client_secret   = var.client_secret
  client_id       = var.client_id
}

resource "vault_azure_secret_backend_role" "generated_role" {
  backend          = vault_azure_secret_backend.azure.path
  role             = "generated_role"
  sign_in_audience = "AzureADMyOrg"
  tags             = ["team:engineering", "environment:development"]
  ttl              = 300
  max_ttl          = 600

  azure_roles {
    role_name = "Reader"
    scope     = "/subscriptions/${var.subscription_id}/resourceGroups/azure-vault-group"
  }
}

resource "vault_azure_secret_backend_role" "existing_object_id" {
  backend               = vault_azure_secret_backend.azure.path
  role                  = "existing_object_id"
  application_object_id = "11111111-2222-3333-4444-44444444444"
  ttl                   = 300
  max_ttl               = 600
}
```
The following arguments are supported:

- `namespace` - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- `role` - (Required) Name of the Azure role.
- `backend` - (Optional) Path to the mounted Azure secrets backend.
- `azure_groups` - (Optional) List of Azure groups to be assigned to the generated service principal.
- `azure_roles` - (Optional) List of Azure roles to be assigned to the generated service principal.
- `application_object_id` - (Optional) Application Object ID for an existing service principal that will be used instead of creating dynamic service principals. If present, `azure_roles` and `permanently_delete` will be ignored.
- `permanently_delete` - (Optional) Indicates whether the applications and service principals created by Vault will be permanently deleted when the corresponding leases expire. Defaults to `false`. Requires Vault 1.12+.
- `ttl` - (Optional) Specifies the default TTL for service principals generated using this role. Accepts time-suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
- `max_ttl` - (Optional) Specifies the maximum TTL for service principals generated using this role. Accepts time-suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time.
- `sign_in_audience` - (Optional) Specifies the security principal types that are allowed to sign in to the application. Valid values are: `AzureADMyOrg`, `AzureADMultipleOrgs`, `AzureADandPersonalMicrosoftAccount`, `PersonalMicrosoftAccount`. Requires Vault 1.16+.
- `tags` - (Optional) A list of Azure tags to attach to an application. Requires Vault 1.16+.

No additional attributes are exported by this resource.
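An added example, not taken from the provider documentation, that puts the arguments above to work: a deliberately over-broad role is shown beside a least-privilege one, and a Vault policy restricts a CI identity to the narrow role's credentials path. The variable `var.ci_resource_group`, the role names and the policy name are assumptions for illustration.

```hcl
resource "vault_azure_secret_backend" "azure" {
  path            = "azure"
  subscription_id = var.subscription_id
  tenant_id       = var.tenant_id
  client_id       = var.client_id
  client_secret   = var.client_secret
}

# Weak: Contributor over the entire subscription, engine-default TTLs, and
# app registrations left behind in Entra ID after each lease expires.
resource "vault_azure_secret_backend_role" "too_broad" {
  backend = vault_azure_secret_backend.azure.path
  role    = "too-broad"

  azure_roles {
    role_name = "Contributor"
    scope     = "/subscriptions/${var.subscription_id}"
  }
}

# Hardened: least-privilege built-in role, resource-group scope, short lease
# with an explicit ceiling, and cleanup of the app/SP on expiry (Vault 1.12+).
resource "vault_azure_secret_backend_role" "ci_reader" {
  backend            = vault_azure_secret_backend.azure.path
  role               = "ci-reader"
  ttl                = 900   # 15 minutes, in seconds
  max_ttl            = 3600  # renewals cannot extend past 1 hour
  permanently_delete = true
  sign_in_audience   = "AzureADMyOrg"                 # Vault 1.16+
  tags               = ["owner:platform", "purpose:ci-readonly"]

  azure_roles {
    role_name = "Reader"
    # var.ci_resource_group is an assumed variable naming the target resource group
    scope     = "/subscriptions/${var.subscription_id}/resourceGroups/${var.ci_resource_group}"
  }
}

# Vault policy: the CI identity may only read credentials for the narrow role,
# so it can never request the too-broad role even though both exist on the mount.
resource "vault_policy" "ci_azure_creds" {
  name   = "ci-azure-creds"
  policy = <<-EOT
    path "${vault_azure_secret_backend.azure.path}/creds/${vault_azure_secret_backend_role.ci_reader.role}" {
      capabilities = ["read"]
    }
  EOT
}
```

Attach the policy to the CI auth role (Kubernetes, JWT, AppRole, etc.) rather than to a human entity; Vault then issues a fresh service principal per lease and removes it when `max_ttl` elapses.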