vault_raft_snapshot_agent_config

Creates a Raft Snapshot Agent Configuration for Vault. This configures Vault to take regular snapshots of its Raft storage backend and store them in a configurable location.

Note this feature is available only with Vault Enterprise.

Example Usage

Local Storage

resource "vault_raft_snapshot_agent_config" "local_backups" {
  name             = "local"
  interval_seconds = 86400 # 24h
  retain           = 7
  path_prefix      = "/opt/vault/snapshots/"
  storage_type     = "local"

  # Storage Type Configuration
  local_max_space = 10000000
}

AWS S3

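# Supply the credentials at run time (for example through TF_VAR_* environment variables) rather than hard-coding them.
variable "aws_access_key_id" {}
variable "aws_secret_access_key" {}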

data "aws_region" "current" {}

resource "vault_raft_snapshot_agent_config" "s3_backups" {
  name             = "s3"
  interval_seconds = 86400 # 24h
  retain           = 7
  path_prefix      = "/path/in/bucket"
  storage_type     = "aws-s3"

  # Storage Type Configuration
  aws_s3_bucket         = "my-bucket"
  aws_s3_region         = data.aws_region.current.name
  aws_access_key_id     = var.aws_access_key_id
  aws_secret_access_key = var.aws_secret_access_key
  aws_s3_enable_kms     = true
}

Azure BLOB

variable "azure_account_name" {}
variable "azure_account_key" {}

resource "vault_raft_snapshot_agent_config" "azure_backups" {
  name             = "azure_backup"
  interval_seconds = 86400 # 24h
  retain           = 7
  path_prefix      = "/"
  storage_type     = "azure-blob"

  # Storage Type Configuration
  azure_container_name = "vault-blob"
  azure_account_name   = var.azure_account_name
  azure_account_key    = var.azure_account_key
}

Argument Reference

The following arguments are supported:

storage_type=local

storage_type=aws-s3

storage_type=google-gcs

{
  "type": "service_account",
  "project_id": "project-id",
  "private_key_id": "key-id",
  "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... /WZs=\n-----END RSA PRIVATE KEY-----\n",
  "client_email": "service-account-email",
  "client_id": "client-id",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
}
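The following google-gcs configuration is an added example, not part of the original page. It passes a key of the shape shown above through a sensitive variable and rejects input that is not a service account key. The argument names google_gcs_bucket and google_service_account_key do not appear in the text above and are the provider's arguments for this storage type; the variable name, bucket name and path prefix are placeholders.

```hcl
# Service account key JSON (shape shown above), supplied at run time,
# e.g. through the TF_VAR_gcs_service_account_key environment variable.
variable "gcs_service_account_key" {
  type      = string
  sensitive = true # redacted in plan/apply output, but still written to state

  validation {
    # Fails on non-JSON input and on JSON whose "type" is not "service_account".
    condition     = try(jsondecode(var.gcs_service_account_key).type, "") == "service_account"
    error_message = "Must be a Google service account key in JSON format."
  }
}

resource "vault_raft_snapshot_agent_config" "gcs_backups" {
  name             = "gcs"
  interval_seconds = 86400 # 24h
  retain           = 7
  path_prefix      = "vault/snapshots/" # placeholder object prefix
  storage_type     = "google-gcs"

  # Storage Type Configuration
  google_gcs_bucket          = "my-bucket" # placeholder bucket name
  google_service_account_key = var.gcs_service_account_key
}
```

Because the key is stored in the Terraform state, access to the state backend needs the same protection as the key itself.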

storage_type=azure-blob

Attributes Reference

No additional attributes are exported by this resource.

Import

Raft Snapshot Agent Configurations can be imported using the name, e.g.

$ terraform import vault_raft_snapshot_agent_config.local local