Creates a Raft Snapshot Agent Configuration for Vault. This configures Vault to take regular snapshots of its Raft storage backend and store them in a configurable location.
Note this feature is available only with Vault Enterprise.
  resource "vault_raft_snapshot_agent_config" "local_backups" {
    name             = "local"
    interval_seconds = 86400 # 24h
    retain           = 7
    path_prefix      = "/opt/vault/snapshots/"
    storage_type     = "local"
    # Storage Type Configuration
    local_max_space  = 10000000
  }
  variable "aws_access_key_id" {}
  variable "aws_secret_access_key" {}
  data "aws_region" "current" {}

  resource "vault_raft_snapshot_agent_config" "s3_backups" {
    name             = "s3"
    interval_seconds = 86400 # 24h
    retain           = 7
    path_prefix      = "/path/in/bucket"
    storage_type     = "aws-s3"
    # Storage Type Configuration
    aws_s3_bucket         = "my-bucket"
    aws_s3_region         = data.aws_region.current.name
    aws_access_key_id     = var.aws_access_key_id
    aws_secret_access_key = var.aws_secret_access_key
    aws_s3_enable_kms     = true
  }
  variable "azure_account_name" {}
  variable "azure_account_key" {}

  resource "vault_raft_snapshot_agent_config" "azure_backups" {
    name             = "azure_backup"
    interval_seconds = 86400 # 24h
    retain           = 7
    path_prefix      = "/"
    storage_type     = "azure-blob"
    # Storage Type Configuration
    azure_container_name = "vault-blob"
    azure_account_name   = var.azure_account_name
    azure_account_key    = var.azure_account_key
  }
The following arguments are supported:

namespace - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

name <required> - Name of the configuration to modify.

interval_seconds <required> - Time (in seconds) between snapshots.

retain - How many snapshots are to be kept; when writing a snapshot, if there are more snapshots already stored than this number, the oldest ones will be deleted.

path_prefix <required> - For storage_type = "local", the directory to write the snapshots in. For cloud storage types, the bucket prefix to use. Types azure-blob and google-gcs require a trailing / (slash). For types local and aws-s3 the trailing / is optional.

file_prefix - Within the directory or bucket prefix given by path_prefix, the file or object name of snapshot files will start with this string.

storage_type <required> - One of "local", "azure-blob", "aws-s3", or "google-gcs". The remaining parameters described below are all specific to the selected storage_type and prefixed accordingly.

local_max_space - For storage_type = "local", the maximum space, in bytes, to use for snapshots. Snapshot attempts will fail if there is not enough space left in this allowance.

aws_s3_bucket <required> - S3 bucket to write snapshots to.

aws_s3_region <required> - AWS region the bucket is in.

aws_access_key_id - AWS access key ID.

aws_secret_access_key - AWS secret access key.

aws_session_token - AWS session token.

aws_s3_endpoint - AWS endpoint. This is typically only set when using a non-AWS S3 implementation like Minio.

aws_s3_disable_tls - Disable TLS for the S3 endpoint. This should only be used for testing purposes, typically in conjunction with aws_s3_endpoint.

aws_s3_force_path_style - Use the endpoint/bucket URL style instead of bucket.endpoint. May be needed when setting aws_s3_endpoint.

aws_s3_enable_kms - Use KMS to encrypt bucket contents.

aws_s3_server_side_encryption - Use AES256 to encrypt bucket contents.

aws_s3_kms_key - Use the named KMS key when aws_s3_enable_kms = true.

google_gcs_bucket <required> - GCS bucket to write snapshots to.

google_service_account_key - Google service account key in JSON format. The raw value looks like this:

  {
    "type": "service_account",
    "project_id": "project-id",
    "private_key_id": "key-id",
    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... /WZs=\n-----END RSA PRIVATE KEY-----\n",
    "client_email": "service-account-email",
    "client_id": "client-id",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://accounts.google.com/o/oauth2/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
  }

google_endpoint - GCS endpoint. This is typically only set when using a non-Google GCS implementation like fake-gcs-server.

google_disable_tls - Disable TLS for the GCS endpoint. This should only be used for testing purposes, typically in conjunction with google_endpoint.

azure_container_name <required> - Azure container name to write snapshots to.

azure_account_name - Azure account name.

azure_account_key - Azure account key.

azure_blob_environment - Azure blob environment.

azure_endpoint - Azure blob storage endpoint. This is typically only set when using a non-Azure implementation like Azurite.
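As an added example (not from the provider's documentation), a google-gcs configuration built from the arguments above; the bucket names, variable name, endpoint host and intervals are assumed values. It shows the trailing slash that google-gcs requires on path_prefix, keeps the service account key in a sensitive variable so it is redacted from plan output, and confines google_endpoint and google_disable_tls to a separate configuration used only against fake-gcs-server.

```hcl
# Assumed: the JSON key is supplied out of band (for example via the
# TF_VAR_google_service_account_key environment variable), never committed.
variable "google_service_account_key" {
  type      = string
  sensitive = true # redacted from terraform plan/apply output
}

# Production configuration: real GCS, TLS left enabled (the default).
resource "vault_raft_snapshot_agent_config" "gcs_backups" {
  name             = "gcs"
  interval_seconds = 3600 # hourly
  retain           = 24   # one day of hourly snapshots
  path_prefix      = "vault/raft/" # google-gcs requires the trailing slash
  file_prefix      = "snapshot-"   # object names start with snapshot-
  storage_type     = "google-gcs"

  # Storage Type Configuration
  google_gcs_bucket          = "example-vault-snapshots" # assumed bucket name
  google_service_account_key = var.google_service_account_key
}

# Test-only configuration against fake-gcs-server: the non-Google endpoint and
# plain HTTP are set here and nowhere else.
resource "vault_raft_snapshot_agent_config" "gcs_backups_dev" {
  name             = "gcs-dev"
  interval_seconds = 300
  retain           = 3
  path_prefix      = "vault/raft/"
  storage_type     = "google-gcs"

  # Storage Type Configuration
  google_gcs_bucket          = "dev-vault-snapshots" # assumed bucket name
  google_service_account_key = var.google_service_account_key
  google_endpoint            = "fake-gcs-server.dev.internal:4443" # assumed host:port
  google_disable_tls         = true
}
```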
No additional attributes are exported by this resource.
Raft Snapshot Agent Configurations can be imported using the name, e.g.

  $ terraform import vault_raft_snapshot_agent_config.local local