Writes and manages secrets stored in Vault's "generic" secret backend.

This resource is primarily intended to be used with both v1 and v2 of Vault's "generic" secret backend. It is also compatible, with some limitations, with other Vault endpoints that support the `vault write` command to create and the `vault delete` command to delete; see also the generic endpoint resource for a more flexible way to manage arbitrary data.
```hcl
resource "vault_generic_secret" "example" {
  path = "secret/foo"

  data_json = <<EOT
{
  "foo":   "bar",
  "pizza": "cheese"
}
EOT
}
```
The following arguments are supported:

- `namespace` - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- `path` - (Required) The full logical path at which to write the given data. To write data into the "generic" secret backend mounted in Vault by default, this should be prefixed with `secret/`. Writing to other backends with this resource is possible; consult each backend's documentation to see which endpoints support the `PUT` and `DELETE` methods.
- `data_json` - (Required) String containing a JSON-encoded object that will be written as the secret data at the given path.
- `disable_read` - (Optional) true/false. Set this to `true` if your Vault authentication is not able to read the data. Setting this to `true` will break drift detection. Defaults to `false`.
- `delete_all_versions` - (Optional) true/false. Only applicable for kv-v2 stores. If set to `true`, permanently deletes all versions for the specified key. The default behavior is to only delete the latest version of the secret.
Use of this resource requires the `create` or `update` capability (depending on whether the resource already exists) on the given path, the `delete` capability if the resource is removed from configuration, and the `read` capability for drift detection (by default).

This resource does not necessarily need to read the secret data back from Vault on refresh. To avoid the need for `read` access on the given path, set the `disable_read` argument to `true`. This means that Terraform will not be able to detect and repair "drift" on this resource, should the data be updated or deleted outside of Terraform.
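The capability list above maps directly onto a Vault policy. The policy below is an added example, not part of the provider documentation: it grants a Terraform token exactly the capabilities this resource needs on the page's example path `secret/foo`, and shows how the same requirement looks on a kv-v2 mount. The kv-v2 mount name `kv`, the key `app/config`, and the claim that `delete_all_versions` goes through the `metadata/` path are assumptions to verify against your provider version.

```hcl
# terraform-secrets.hcl: Vault policy for the token Terraform authenticates with.
# Added example; not from the vault_generic_secret documentation.

# kv-v1 mount: the resource path and the policy path are the same.
path "secret/foo" {
  # "read" is only needed for drift detection; drop it from this list when the
  # resource sets disable_read = true and the token must stay write-only.
  capabilities = ["create", "update", "read", "delete"]
}

# kv-v2 mount (assumed to be mounted at "kv"): the resource writes through the
# "data/" sub-path, so that is the path the policy must name.
path "kv/data/app/config" {
  capabilities = ["create", "update", "read", "delete"]
}

# Assumption: delete_all_versions = true removes every version of the key via the
# kv-v2 metadata endpoint, so that path needs "delete" as well.
path "kv/metadata/app/config" {
  capabilities = ["delete"]
}
```

Load it with `vault policy write terraform-secrets terraform-secrets.hcl`, attach it to the token or auth role Terraform uses, and confirm the result with `vault token capabilities secret/foo` before running `terraform plan`; a token missing `read` on a path without `disable_read = true` fails at refresh, not at apply.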
The following attributes are exported in addition to the above:

- `data` - A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.

Generic secrets can be imported using the `path`, e.g.

```shell
$ terraform import vault_generic_secret.example secret/foo
```
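The arguments section and the `data` attribute above both have a detail that only shows up with non-trivial secret data: nested or numeric values go in through `data_json` as JSON and come back out of `data` as JSON-encoded strings, and on kv-v2 the `delete_all_versions` flag decides whether old versions survive a `terraform destroy`. The configuration below is an added example, not the provider's own documentation; it assumes a kv-v2 engine mounted at `kv` (so the path carries a `data/` segment), a kv-v1 engine at `secret/`, and uses constructed placeholder values.

```hcl
# Added example (not from the provider docs): a kv-v2 secret holding nested,
# non-string values, a write-only kv-v1 secret, and decoding the exported "data" map.
# Assumptions: kv-v2 mounted at "kv", kv-v1 mounted at "secret"; values are placeholders.

resource "vault_generic_secret" "app_config" {
  # kv-v2 paths are addressed through the "data/" sub-path of the mount.
  path = "kv/data/app/config"

  # jsonencode() keeps nested values valid JSON without a hand-written heredoc.
  data_json = jsonencode({
    db_user  = "app"
    db_pass  = "placeholder-not-a-real-password"
    replicas = 3
    hosts    = ["db1.internal", "db2.internal"]
  })

  # On destroy, remove every version of the key, not only the latest (kv-v2 only).
  delete_all_versions = true
}

# A token that can write but not read this path: Terraform stores what it wrote
# but cannot notice if the value is changed or deleted outside of Terraform.
resource "vault_generic_secret" "write_only" {
  path         = "secret/write-only"
  data_json    = jsonencode({ token = "placeholder-value" })
  disable_read = true
}

# "data" can only carry strings, so the number and the list above come back as
# the JSON text "3" and "[\"db1.internal\",\"db2.internal\"]"; decode before use.
locals {
  replicas = jsondecode(vault_generic_secret.app_config.data["replicas"])
  hosts    = jsondecode(vault_generic_secret.app_config.data["hosts"])
  db_user  = vault_generic_secret.app_config.data["db_user"] # plain string, no decoding
}

output "db_hosts" {
  value     = local.hosts
  sensitive = true # "data" is secret material; keep it out of plain plan output
}
```

The `write_only` resource is the trade-off the `disable_read` argument describes: it lets a least-privilege token skip `read` on the path, at the cost of drift detection. If the value matters for integrity, prefer granting `read` and leaving `disable_read` at its default so a refresh reports changes made outside of Terraform.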