Creates an Encryption Keyring on a Transit Secret Backend for Vault.
resource "vault_mount" "transit" {
path = "transit"
type = "transit"
description = "Example description"
default_lease_ttl_seconds = 3600
max_lease_ttl_seconds = 86400
}
resource "vault_transit_secret_backend_key" "key" {
backend = vault_mount.transit.path
name = "my_key"
}
The following arguments are supported:
namespace
- (Optional) The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The namespace
is always relative to the provider's configured namespace.
Available only for Vault Enterprise.
backend
- (Required) The path the transit secret backend is mounted at, with no leading or trailing /
s.
name
- (Required) The name to identify this key within the backend. Must be unique within the backend.
type
- (Optional) Specifies the type of key to create. The currently-supported types are: aes128-gcm96
, aes256-gcm96
(default), chacha20-poly1305
, ed25519
, ecdsa-p256
, ecdsa-p384
, ecdsa-p521
, hmac
, rsa-2048
, rsa-3072
and rsa-4096
.
deletion_allowed
- (Optional) Specifies if the keyring is allowed to be deleted. Must be set to 'true' before terraform will be able to destroy keys.
derived
- (Optional) Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
convergent_encryption
- (Optional) Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived
to be set to true
.
exportable
- (Optional) Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
allow_plaintext_backup
- (Optional) Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
min_decryption_version
- (Optional) Minimum key version to use for decryption.
min_encryption_version
- (Optional) Minimum key version to use for encryption
auto_rotate_period
- (Optional) Amount of seconds the key should live before being automatically rotated.
A value of 0 disables automatic rotation for the key.
key_size
- (Optional) The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
keys
- List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type
of the encryption key.
aes128-gcm96
, aes256-gcm96
and chacha20-poly1305
, each key version will be a map of a single value id
which is just a hash of the key's metadata.ed25519
, ecdsa-p256
, ecdsa-p384
, ecdsa-p521
, rsa-2048
, rsa-3072
and rsa-4096
, each key version will be a map of the following:
name
- Name of keychaincreation_time
- ISO 8601 format timestamp indicating when the key version was createdpublic_key
- This is the base64-encoded public key for use outside of Vault.latest_version
- Latest key version available. This value is 1-indexed, so if latest_version
is 1
, then the key's information can be referenced from keys
by selecting element 0
min_available_version
- Minimum key version available for use. If keys have been archived by increasing min_decryption_version
, this attribute will reflect that change.
supports_encryption
- Whether or not the key supports encryption, based on key type.
supports_decryption
- Whether or not the key supports decryption, based on key type.
supports_derivation
- Whether or not the key supports derivation, based on key type.
supports_signing
- Whether or not the key supports signing, based on key type.
Transit secret backend keys can be imported using the path
, e.g.
$ terraform import vault_transit_secret_backend_key.key transit/keys/my_key