vault_generic_secret

Writes and manages secrets stored in Vault's "generic" secret backend

This resource is primarily intended to be used with both v1 and v2 of Vault's "generic" secret backend. It is also compatible, with some limitations, with other Vault endpoints that support the vault write command to create and the vault delete command to delete. See also the generic endpoint resource for a more flexible way to manage arbitrary data.

Example Usage

resource "vault_generic_secret" "example" {
  path = "secret/foo"

  data_json = <<EOT
{
  "foo":   "bar",
  "pizza": "cheese"
}
EOT
}

Argument Reference

The following arguments are supported:

Required Vault Capabilities

Use of this resource requires the create or update capability (depending on whether the resource already exists) on the given path, the delete capability if the resource is removed from configuration, and the read capability for drift detection (by default).

Drift Detection

This resource does not necessarily need to read the secret data back from Vault on refresh. To avoid the need for read access on the given path, set the disable_read argument to true. Terraform will then be unable to detect and repair "drift" on this resource if the data is updated or deleted outside of Terraform.
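
The capability requirements and the disable_read trade-off described above, as an added example that is not part of the original documentation. It assumes a KV v1 mount at "secret/", so the policy path equals the resource path. The policy names and the "write_only" resource label are hypothetical, and the two policies are assumed to be created by a separate administrative configuration and attached to the token that applies the secret.

```hcl
# Added example. Assumes a KV v1 mount at "secret/"; all names are hypothetical.

# Default behaviour: refresh reads the secret back, so the token needs "read".
resource "vault_policy" "secret_foo_with_drift_detection" {
  name = "tf-secret-foo-rw"

  policy = <<EOT
path "secret/foo" {
  capabilities = ["create", "update", "read", "delete"]
}
EOT
}

# Least privilege: the token can write and delete the secret but never read it.
# Only usable when the resource sets disable_read = true.
resource "vault_policy" "secret_foo_write_only" {
  name = "tf-secret-foo-wo"

  policy = <<EOT
path "secret/foo" {
  capabilities = ["create", "update", "delete"]
}
EOT
}

# Applied with a token that holds only "tf-secret-foo-wo".
resource "vault_generic_secret" "write_only" {
  path = "secret/foo"

  # Skip the read on refresh. Changes made outside of Terraform
  # (updates or deletion) will not be detected or repaired.
  disable_read = true

  data_json = jsonencode({
    foo   = "bar"
    pizza = "cheese"
  })
}
```

With the write-only policy, a token that leaks from the pipeline can overwrite or delete secret/foo but cannot read its current value from Vault.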

Attributes Reference

The following attributes are exported in addition to the above:

Import

Generic secrets can be imported using the path, e.g.

$ terraform import vault_generic_secret.example secret/foo