The Vault cluster resource allows you to manage an HCP Vault cluster.

## Example Usage

```terraform
resource "hcp_hvn" "example" {
  hvn_id         = "hvn"
  cloud_provider = "aws"
  region         = "us-west-2"
  cidr_block     = "172.25.16.0/20"
}

resource "hcp_vault_cluster" "example" {
  cluster_id = "vault-cluster"
  hvn_id     = hcp_hvn.example.hvn_id
  tier       = "standard_large"

  metrics_config {
    datadog_api_key = "test_datadog"
    datadog_region  = "us1"
  }

  audit_log_config {
    datadog_api_key = "test_datadog"
    datadog_region  = "us1"
  }

  lifecycle {
    prevent_destroy = true
  }
}
```
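A more locked-down variant of the configuration above, added here as an example and not taken from the provider's own documentation: it keeps the public endpoint off, restricts inbound traffic with `ip_allowlist`, pins major upgrades to a maintenance window, and passes the audit-log streaming token in through a sensitive variable rather than a literal in the `.tf` file. The variable name `audit_http_bearer_token`, the allowlisted CIDR and the `http_uri` collector address are assumed placeholders.

```hcl
variable "audit_http_bearer_token" {
  description = "Bearer token for the audit-log HTTP sink (assumed name; supply via TF_VAR_ or a secrets-backed variable)"
  type        = string
  sensitive   = true
}

resource "hcp_hvn" "example" {
  hvn_id         = "hvn"
  cloud_provider = "aws"
  region         = "us-west-2"
  cidr_block     = "172.25.16.0/20"
}

resource "hcp_vault_cluster" "locked_down" {
  cluster_id = "vault-cluster"
  hvn_id     = hcp_hvn.example.hvn_id
  tier       = "standard_large"

  # Keep the cluster reachable only through the HVN; proxy_endpoint stays at its DISABLED default.
  public_endpoint = false

  # Only this range may reach the cluster (constructed example CIDR, not a real network).
  ip_allowlist {
    address     = "203.0.113.0/24"
    description = "corporate egress range (placeholder)"
  }

  # Take major version upgrades only inside a predictable window instead of whenever HCP ships them.
  major_version_upgrade_config {
    upgrade_type            = "SCHEDULED"
    maintenance_window_day  = "SUNDAY"
    maintenance_window_time = "WINDOW_12AM_4AM"
  }

  # Stream audit logs to an HTTP collector; the token is read from the sensitive variable above.
  audit_log_config {
    http_uri          = "https://audit-collector.example.internal/v1/vault" # placeholder endpoint
    http_method       = "POST"
    http_codec        = "NDJSON"
    http_compression  = true
    http_bearer_token = var.audit_http_bearer_token
  }

  lifecycle {
    prevent_destroy = true
  }
}
```

Because `http_bearer_token` is schema-marked Sensitive and the variable is `sensitive = true`, the token is redacted from `terraform plan` output, but it is still written to the state file, so the state backend needs the same access controls as the secret itself.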
## Schema

### Required

- `cluster_id` (String) The ID of the HCP Vault cluster.
- `hvn_id` (String) The ID of the HVN this HCP Vault cluster is associated to.

### Optional

- `audit_log_config` (Block List, Max: 1) The audit logs configuration for export. (https://developer.hashicorp.com/vault/tutorials/cloud-monitoring/vault-metrics-guide#metrics-streaming-configuration) (see below for nested schema)
- `ip_allowlist` (Block List, Max: 50) Allowed IPv4 address ranges (CIDRs) for inbound traffic. Each entry must be a unique CIDR. A maximum of 50 CIDRs is supported at this time. (see below for nested schema)
- `major_version_upgrade_config` (Block List, Max: 1) The Major Version Upgrade configuration. (see below for nested schema)
- `metrics_config` (Block List, Max: 1) The metrics configuration for export. (https://developer.hashicorp.com/vault/tutorials/cloud-monitoring/vault-metrics-guide#metrics-streaming-configuration) (see below for nested schema)
- `min_vault_version` (String) The minimum Vault version to use when creating the cluster. If not specified, it defaults to the version currently recommended by HCP.
- `paths_filter` (List of String) The performance replication paths filter. Applies to performance replication secondaries only and operates in "deny" mode only.
- `primary_link` (String) The `self_link` of the HCP Vault Plus tier cluster which is the primary in the performance replication setup with this HCP Vault Plus tier cluster. If not specified, it is a standalone Plus tier HCP Vault cluster.
- `project_id` (String) The ID of the HCP project where the Vault cluster is located. If not specified, the project specified in the HCP Provider config block will be used, if configured. If a project is not configured in the HCP Provider config block, the oldest project in the organization will be used.
- `proxy_endpoint` (String) Denotes that the cluster has a proxy endpoint. Valid options are `ENABLED`, `DISABLED`. Defaults to `DISABLED`.
- `public_endpoint` (Boolean) Denotes that the cluster has a public endpoint. Defaults to `false`.
- `tier` (String) Tier of the HCP Vault cluster. Valid options for tiers - `dev`, `starter_small`, `standard_small`, `standard_medium`, `standard_large`, `plus_small`, `plus_medium`, `plus_large`. See pricing information. Changing a cluster's size or tier is only available to admins. See Scale a cluster.
- `timeouts` (Block, Optional) (see below for nested schema)

### Read-Only

- `cloud_provider` (String) The provider where the HCP Vault cluster is located.
- `created_at` (String) The time that the Vault cluster was created.
- `id` (String) The ID of this resource.
- `namespace` (String) The name of the customer namespace this HCP Vault cluster is located in.
- `organization_id` (String) The ID of the organization this HCP Vault cluster is located in.
- `region` (String) The region where the HCP Vault cluster is located.
- `self_link` (String) A unique URL identifying the Vault cluster.
- `state` (String) The state of the Vault cluster.
- `vault_private_endpoint_url` (String) The private URL for the Vault cluster.
- `vault_proxy_endpoint_url` (String) The proxy URL for the Vault cluster. This will be empty if `proxy_endpoint` is `DISABLED`.
- `vault_public_endpoint_url` (String) The public URL for the Vault cluster. This will be empty if `public_endpoint` is `false`.
- `vault_version` (String) The Vault version of the cluster.

### Nested Schema for `audit_log_config`

Optional:

- `cloudwatch_access_key_id` (String) CloudWatch access key ID for streaming audit logs
- `cloudwatch_region` (String) CloudWatch region for streaming audit logs
- `cloudwatch_secret_access_key` (String, Sensitive) CloudWatch secret access key for streaming audit logs
- `datadog_api_key` (String, Sensitive) Datadog API key for streaming audit logs
- `datadog_region` (String) Datadog region for streaming audit logs
- `elasticsearch_endpoint` (String) ElasticSearch endpoint for streaming audit logs
- `elasticsearch_password` (String, Sensitive) ElasticSearch password for streaming audit logs
- `elasticsearch_user` (String) ElasticSearch user for streaming audit logs
- `grafana_endpoint` (String) Grafana endpoint for streaming audit logs
- `grafana_password` (String, Sensitive) Grafana password for streaming audit logs
- `grafana_user` (String) Grafana user for streaming audit logs
- `http_basic_password` (String, Sensitive) HTTP basic authentication password for streaming audit logs, one of the two available authentication methods; can be specified only if `http_basic_user` is also provided
- `http_basic_user` (String) HTTP basic authentication username for streaming audit logs, one of the two available authentication methods; can be specified only if `http_basic_password` is also provided
- `http_bearer_token` (String, Sensitive) HTTP bearer authentication token for streaming audit logs, one of the two available authentication methods; can be specified only if `http_basic_user` and `http_basic_password` are not provided
- `http_codec` (String) HTTP codec for streaming audit logs, allowed values are JSON and NDJSON
- `http_compression` (Boolean) HTTP compression flag for streaming audit logs
- `http_headers` (Map of String) HTTP headers for streaming audit logs
- `http_method` (String) HTTP payload method for streaming audit logs, allowed values are PATCH, POST, or PUT
- `http_payload_prefix` (String) HTTP payload prefix for streaming audit logs
- `http_payload_suffix` (String) HTTP payload suffix for streaming audit logs
- `http_uri` (String) HTTP URI for streaming audit logs
- `newrelic_account_id` (String) NewRelic Account ID for streaming audit logs
- `newrelic_license_key` (String, Sensitive) NewRelic license key for streaming audit logs
- `newrelic_region` (String) NewRelic region for streaming audit logs, allowed values are "US" and "EU"
- `splunk_hecendpoint` (String) Splunk endpoint for streaming audit logs
- `splunk_token` (String, Sensitive) Splunk token for streaming audit logs

Read-Only:

- `cloudwatch_group_name` (String) CloudWatch group name of the target log stream for audit logs
- `cloudwatch_stream_name` (String) CloudWatch stream name for the target log stream for audit logs
- `elasticsearch_dataset` (String) ElasticSearch dataset for streaming audit logs

### Nested Schema for `ip_allowlist`

Required:

- `address` (String) IP address range in CIDR notation.

Optional:

- `description` (String) Description to help identify the source (maximum 255 chars).

### Nested Schema for `major_version_upgrade_config`

Required:

- `upgrade_type` (String) The major upgrade type for the cluster. Valid options for upgrade type - `AUTOMATIC`, `SCHEDULED`, `MANUAL`

Optional:

- `maintenance_window_day` (String) The maintenance day of the week for scheduled upgrades. Valid options for maintenance window day - `MONDAY`, `TUESDAY`, `WEDNESDAY`, `THURSDAY`, `FRIDAY`, `SATURDAY`, `SUNDAY`
- `maintenance_window_time` (String) The maintenance time frame for scheduled upgrades. Valid options for maintenance window time - `WINDOW_12AM_4AM`, `WINDOW_6AM_10AM`, `WINDOW_12PM_4PM`, `WINDOW_6PM_10PM`

### Nested Schema for `metrics_config`

Optional:

- `cloudwatch_access_key_id` (String) CloudWatch access key ID for streaming metrics
- `cloudwatch_region` (String) CloudWatch region for streaming metrics
- `cloudwatch_secret_access_key` (String, Sensitive) CloudWatch secret access key for streaming metrics
- `datadog_api_key` (String, Sensitive) Datadog API key for streaming metrics
- `datadog_region` (String) Datadog region for streaming metrics
- `elasticsearch_endpoint` (String) ElasticSearch endpoint for streaming metrics
- `elasticsearch_password` (String, Sensitive) ElasticSearch password for streaming metrics
- `elasticsearch_user` (String) ElasticSearch user for streaming metrics
- `grafana_endpoint` (String) Grafana endpoint for streaming metrics
- `grafana_password` (String, Sensitive) Grafana password for streaming metrics
- `grafana_user` (String) Grafana user for streaming metrics
- `http_basic_password` (String) HTTP basic authentication password for streaming metrics, one of the two available authentication methods; can be specified only if `http_basic_user` is also specified
- `http_basic_user` (String) HTTP basic authentication username for streaming metrics, one of the two available authentication methods; can be specified only if `http_basic_password` is also specified
- `http_bearer_token` (String, Sensitive) HTTP bearer authentication token for streaming metrics, one of the two available authentication methods; can be specified only if `http_basic_user` and `http_basic_password` are not provided
- `http_codec` (String) HTTP codec for streaming metrics, allowed values are JSON and NDJSON
- `http_compression` (Boolean) HTTP compression flag for streaming metrics
- `http_headers` (Map of String) HTTP headers for streaming metrics
- `http_method` (String) HTTP payload method for streaming metrics, allowed values are PATCH, POST, or PUT
- `http_payload_prefix` (String) HTTP payload prefix for streaming metrics
- `http_payload_suffix` (String) HTTP payload suffix for streaming metrics
- `http_uri` (String) HTTP URI for streaming metrics
- `newrelic_account_id` (String) NewRelic Account ID for streaming metrics
- `newrelic_license_key` (String, Sensitive) NewRelic license key for streaming metrics
- `newrelic_region` (String) NewRelic region for streaming metrics, allowed values are "US" and "EU"
- `splunk_hecendpoint` (String) Splunk endpoint for streaming metrics
- `splunk_token` (String, Sensitive) Splunk token for streaming metrics

Read-Only:

- `cloudwatch_namespace` (String) CloudWatch namespace for streaming metrics
- `elasticsearch_dataset` (String) ElasticSearch dataset for streaming metrics

### Nested Schema for `timeouts`

Optional:

- `create` (String)
- `default` (String)
- `delete` (String)
- `update` (String)

## Import

Import is supported using the following syntax:

```shell
# Using an explicit project ID, the import ID is:
# {project_id}:{cluster_id}
terraform import hcp_vault_cluster.example f709ec73-55d4-46d8-897d-816ebba28778:vault-cluster

# Using the provider-default project ID, the import ID is:
# {cluster_id}
terraform import hcp_vault_cluster.example vault-cluster
```
Refer to the following tutorials for additional usage examples: