Manages a V3 Application Credential resource within OpenStack Keystone.
The application credential below will have only one role, swiftoperator.
resource "openstack_identity_application_credential_v3" "swift" {
  name        = "swift"
  description = "Swift technical application credential"
  # Example value only: a literal secret is stored in the configuration and in the Terraform state.
  secret      = "supersecret"
  roles       = ["swiftoperator"]
  expires_at  = "2019-02-13T12:12:12Z"
}
The application credential below will inherit all the current user's roles.
resource "openstack_identity_application_credential_v3" "unrestricted" {
  name         = "unrestricted"
  description  = "Unrestricted application credential"
  unrestricted = true
}
output "application_credential_secret" {
  value     = openstack_identity_application_credential_v3.unrestricted.secret
  # The secret attribute is sensitive, so the output must be marked sensitive as well.
  sensitive = true
}
resource "openstack_identity_application_credential_v3" "monitoring" {
  name       = "monitoring"
  expires_at = "2019-02-13T12:12:12Z"
  access_rules {
    path    = "/v2.0/metrics"
    service = "monitoring"
    method  = "GET"
  }
  access_rules {
    path    = "/v2.0/metrics"
    service = "monitoring"
    method  = "PUT"
  }
}
The following arguments are supported:
region - (Optional) The region in which to obtain the V3 Keystone client. If omitted, the region argument of the provider is used. Changing this creates a new application credential.
name - (Required) The name of the application credential. Changing this creates a new application credential.
description - (Optional) A description of the application credential. Changing this creates a new application credential.
unrestricted - (Optional) A flag indicating whether the application credential may be used for creation or destruction of other application credentials or trusts. Changing this creates a new application credential.
secret - (Optional) The secret for the application credential. If omitted, it will be generated by the server. Changing this creates a new application credential.
roles - (Optional) A collection of one or more role names that this application credential is associated with on its project. If omitted, all the current user's roles within the scoped project will be inherited by the new application credential. Changing this creates a new application credential.
access_rules - (Optional) A collection of one or more access rules that this application credential is allowed to follow. The structure is described below. Changing this creates a new application credential.
expires_at - (Optional) The expiration time of the application credential in the RFC3339 timestamp format (e.g. 2019-03-09T12:58:49Z). If omitted, the application credential will never expire. Changing this creates a new application credential.
The access_rules block supports:
id - (Computed) The ID of the existing access rule. The access rule ID of another application credential can be provided.
path - (Optional) The API path that the application credential is permitted to access. May use named wildcards such as {tag} or the unnamed wildcard * to match against any string in the path up to a /, or the recursive wildcard ** to include / in the matched path.
service - (Optional) The service type identifier for the service that the application credential is granted to access. Must be a service type that is listed in the service catalog and not a code name for a service. E.g. identity, compute, volumev3, image, network, object-store, sharev2, dns, key-manager, monitoring, etc.
method - (Optional) The request method that the application credential is permitted to use for a given API endpoint. Allowed values: POST, GET, HEAD, PATCH, PUT and DELETE.
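The path wildcard rules described above, worked through as an added example (this is not the provider's or Keystone's own code). It assumes {tag} and * match one non-empty path segment and ** matches across /; the function names and the NARROW and BROAD rules are hypothetical, and the sample requests are constructed.

```python
import re

# Pattern tokens: {tag}, **, *, or any single literal character.
_TOKEN = re.compile(r"(?P<tag>\{[^}]*\})|(?P<rec>\*\*)|(?P<wild>\*)|(?P<lit>.)")


def pattern_to_regex(pattern):
    """Translate an access-rule path pattern into a regex for full-path matching."""
    parts = []
    for m in _TOKEN.finditer(pattern):
        if m.group("tag") or m.group("wild"):
            parts.append(r"[^/]+")  # one segment; assumed non-empty, never crosses "/"
        elif m.group("rec"):
            parts.append(r".*")  # recursive wildcard may span "/"
        else:
            parts.append(re.escape(m.group("lit")))
    return re.compile("".join(parts))


def is_allowed(rules, service, method, path):
    """Return True if any rule matches the request's service, method and path."""
    return any(
        r["service"] == service
        and r["method"] == method
        and pattern_to_regex(r["path"]).fullmatch(path) is not None
        for r in rules
    )


# Constructed rule sets. MONITORING mirrors the "monitoring" credential above;
# NARROW and BROAD are hypothetical and differ only in the wildcard used.
MONITORING = [
    {"service": "monitoring", "method": "GET", "path": "/v2.0/metrics"},
    {"service": "monitoring", "method": "PUT", "path": "/v2.0/metrics"},
]
NARROW = [{"service": "compute", "method": "GET", "path": "/v2.1/servers/*"}]
BROAD = [{"service": "compute", "method": "GET", "path": "/v2.1/servers/**"}]

if __name__ == "__main__":
    requests = [  # constructed sample requests
        (MONITORING, "monitoring", "DELETE", "/v2.0/metrics"),
        (MONITORING, "monitoring", "GET", "/v2.0/metrics/statistics"),
        (NARROW, "compute", "GET", "/v2.1/servers/abc/action"),
        (BROAD, "compute", "GET", "/v2.1/servers/abc/action"),
    ]
    for rules, service, method, path in requests:
        print(method, path, "->", is_allowed(rules, service, method, path))
```

Comparing NARROW with BROAD shows how much wider the recursive wildcard makes a rule, which is the thing to check when reviewing a credential for least privilege.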
The following attributes are exported:
region - See Argument Reference above.
name - See Argument Reference above.
description - See Argument Reference above.
unrestricted - See Argument Reference above.
secret - See Argument Reference above.
roles - See Argument Reference above.
access_rules - See Argument Reference above.
expires_at - See Argument Reference above.
project_id - The ID of the project the application credential was created for and that authentication requests using this application credential will be scoped to.
Application Credentials can be imported using the id, e.g.
$ terraform import openstack_identity_application_credential_v3.application_credential_1 c17304b7-0953-4738-abb0-67005882b0a0