Lists KV-V2 secrets at a given path in Vault.
For more information on Vault's KV-V2 secret backend see here.

resource "vault_mount" "kvv2" {
  path        = "kvv2"
  type        = "kv"
  options     = { version = "2" }
  description = "KV Version 2 secret engine mount"
}

resource "vault_kv_secret_v2" "aws_secret" {
  mount = vault_mount.kvv2.path
  name  = "aws_secret"
  data_json = jsonencode(
    {
      zip = "zap"
    }
  )
}

resource "vault_kv_secret_v2" "azure_secret" {
  mount = vault_mount.kvv2.path
  name  = "azure_secret"
  data_json = jsonencode(
    {
      foo = "bar"
    }
  )
}

# Nested secret stored at azure_secret/dev
resource "vault_kv_secret_v2" "nested_secret" {
  mount = vault_mount.kvv2.path
  name  = "${vault_kv_secret_v2.azure_secret.name}/dev"
  data_json = jsonencode(
    {
      password = "test"
    }
  )
}

# List the secrets at the root of the mount
data "vault_kv_secrets_list_v2" "secrets" {
  mount      = vault_mount.kvv2.path
  depends_on = [vault_kv_secret_v2.aws_secret, vault_kv_secret_v2.azure_secret]
}

# List the secrets nested under azure_secret
data "vault_kv_secrets_list_v2" "nested_secrets" {
  mount      = vault_mount.kvv2.path
  name       = vault_kv_secret_v2.azure_secret.name
  depends_on = [vault_kv_secret_v2.nested_secret]
}

The following arguments are supported:
namespace - (Optional) The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
mount - (Required) Path where KV-V2 engine is mounted.
name - (Optional) Full name of the secret. For a nested secret the name is the nested path excluding the mount and data prefix. For example, for a secret at kvv2/data/foo/bar/baz the name is foo/bar/baz.
Use of this resource requires the read capability on the given path.
The following attributes are exported:
path - Full path where the KV-V2 secrets are listed.
names - List of all secret names listed under the given path.