Creates a role for the MongoDB Atlas secrets engine for Vault. The role defines the Atlas API key that Vault issues: the organization or project it belongs to, the roles it carries, the IP addresses or networks it may be used from, and how long it lives.
```hcl
resource "vault_mount" "mongo" {
  path        = "mongodbatlas" # same mount path the import example below uses
  type        = "mongodbatlas"
  description = "MongoDB Atlas secret engine mount"
}

resource "vault_mongodbatlas_secret_backend" "config" {
  mount = vault_mount.mongo.path
  # Placeholder Atlas programmatic API key pair. Supply real values through a
  # sensitive variable or an external secret store, never as literals in
  # version control.
  private_key = "privateKey"
  public_key  = "publicKey"
}

resource "vault_mongodbatlas_secret_role" "role" {
  mount           = vault_mount.mongo.path
  name            = "tf-test-role"
  organization_id = "7cf5a45a9ccf6400e60981b7"
  project_id      = "5cf5a45a9ccf6400e60981b6"
  roles           = ["ORG_READ_ONLY"]
  ip_addresses    = "192.168.1.5, 192.168.1.6"
  cidr_blocks     = "192.168.1.3/32" # IPv4 prefix length must be at most 32
  project_roles   = ["GROUP_READ_ONLY"]
  ttl             = "60"  # seconds
  max_ttl         = "120" # seconds; ttl may not exceed this
}
```
The following arguments are supported:
* `namespace` - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

* `mount` - (Required) Path where the MongoDB Atlas secrets engine is mounted.

* `name` - (Required) The name of the role.

* `organization_id` - (Optional) Unique identifier of the organization to which the target API key belongs. Required if `project_id` is not set.

* `project_id` - (Optional) Unique identifier of the project to which the target API key belongs. Required if `organization_id` is not set.

* `roles` - (Required) List of roles that the API key needs to have. Possible values are `ORG_OWNER`, `ORG_MEMBER`, `ORG_GROUP_CREATOR`, `ORG_BILLING_ADMIN` and `ORG_READ_ONLY`. Grant the least-privileged role that the consumer actually needs.

* `ip_addresses` - (Optional) IP addresses to add to the access list (whitelist) for the API key, passed as a single string; the example above lists several addresses separated by commas.

* `cidr_blocks` - (Optional) Access list (whitelist) entries in CIDR notation to add for the API key, passed as a single string. Use a valid prefix length (at most /32 for IPv4), otherwise the key cannot be created.

* `project_roles` - (Optional) Roles assigned when an org API key is assigned to a project. Possible values are `GROUP_CLUSTER_MANAGER`, `GROUP_DATA_ACCESS_ADMIN`, `GROUP_DATA_ACCESS_READ_ONLY`, `GROUP_DATA_ACCESS_READ_WRITE`, `GROUP_OWNER` and `GROUP_READ_ONLY`.

* `ttl` - (Optional) Duration in seconds after which the issued credential should expire.

* `max_ttl` - (Optional) The maximum allowed lifetime of credentials issued using this role; `ttl` cannot exceed it.
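A hardened variant of the configuration above, added here as an illustration and not part of the provider's documentation. It keeps the Atlas key pair out of the configuration by reading it from `sensitive` variables, issues a key that is read-only at both organization and project level, restricts use of the key to one network, keeps the lifetime short, and adds a `vault_policy` so that consumers can read only this role's credentials (the engine serves them at `<mount>/creds/<role>`) and nothing else under the mount. The variable names, the `10.20.30.0/24` network, the role and policy names and the TTL values are assumptions for the example.

```hcl
# Added example, not the provider's own documentation. Assumes the two
# variables are supplied out of band (TF_VAR_atlas_public_key and
# TF_VAR_atlas_private_key, or a secret store), and that 10.20.30.0/24 is
# the only network from which the generated key should be usable.

variable "atlas_public_key" {
  type      = string
  sensitive = true
}

variable "atlas_private_key" {
  type      = string
  sensitive = true
}

resource "vault_mount" "mongo" {
  path        = "mongodbatlas"
  type        = "mongodbatlas"
  description = "MongoDB Atlas secret engine mount"
}

resource "vault_mongodbatlas_secret_backend" "config" {
  mount       = vault_mount.mongo.path
  public_key  = var.atlas_public_key
  private_key = var.atlas_private_key # never a literal in version control
}

# Read-only programmatic key scoped to one organization and one project.
resource "vault_mongodbatlas_secret_role" "readonly" {
  mount           = vault_mount.mongo.path
  name            = "atlas-readonly"
  organization_id = "7cf5a45a9ccf6400e60981b7"
  project_id      = "5cf5a45a9ccf6400e60981b6"

  # Least privilege at both levels: no write, no billing, no cluster admin.
  roles         = ["ORG_READ_ONLY"]
  project_roles = ["GROUP_DATA_ACCESS_READ_ONLY"]

  # The key is rejected by Atlas from any other source network.
  # Valid IPv4 prefix length (at most /32).
  cidr_blocks = "10.20.30.0/24"

  # Short-lived: expires after 5 minutes, never more than 15.
  ttl     = "300"
  max_ttl = "900"
}

# Consumers may read credentials for this one role only. They get no access
# to the engine config (which holds the Atlas key pair) or to other roles.
resource "vault_policy" "atlas_readonly_consumer" {
  name = "atlas-readonly-consumer"

  policy = <<-EOT
    path "${vault_mount.mongo.path}/creds/${vault_mongodbatlas_secret_role.readonly.name}" {
      capabilities = ["read"]
    }
  EOT
}
```

To check the result after `terraform apply`, obtain a token bound to the `atlas-readonly-consumer` policy and confirm that `vault read mongodbatlas/creds/atlas-readonly` returns a key pair with a lease of 300 seconds, while `vault read mongodbatlas/config` is denied. In the Atlas organization's API key list the generated key should show the read-only roles and the single CIDR entry, and it should disappear when the lease expires or is revoked.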
No additional attributes are exported by this resource.
The MongoDB Atlas secret role can be imported using the full path to the role, of the form `<mount_path>/roles/<role_name>`, e.g.

```shell
$ terraform import vault_mongodbatlas_secret_role.example mongodbatlas/roles/example-role
```