Manages an AppRole auth backend SecretID in a Vault server. See the Vault documentation for more information.
```hcl
resource "vault_auth_backend" "approle" {
  type = "approle"
}

resource "vault_approle_auth_backend_role" "example" {
  backend        = vault_auth_backend.approle.path
  role_name      = "test-role"
  token_policies = ["default", "dev", "prod"]
}

resource "vault_approle_auth_backend_role_secret_id" "id" {
  backend   = vault_auth_backend.approle.path
  role_name = vault_approle_auth_backend_role.example.role_name

  metadata = jsonencode(
    {
      "hello" = "world"
    }
  )
}
```
The following arguments are supported:

* `namespace` - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

* `backend` - (Optional) The path of the AppRole auth backend the role lives under, as in the example above (`vault_auth_backend.approle.path`). Defaults to `approle`.

* `role_name` - (Required) The name of the role to create the SecretID for.

* `metadata` - (Optional) A JSON-encoded string containing metadata in key-value pairs to be set on tokens issued with this SecretID. The metadata is also recorded in Vault's audit log for logins made with the SecretID, so it is a convenient place to record who or what the SecretID was issued for.

* `cidr_list` - (Optional) If set, specifies blocks of IP addresses which can perform the login operation using this SecretID. If the role itself has bound CIDRs, the blocks listed here must be a subset of them.

* `secret_id` - (Optional) The SecretID to be created. If set, uses "Push" mode, in which the caller chooses the SecretID value, so the value is present in the Terraform configuration as well as in Vault. Defaults to Vault auto-generating SecretIDs ("Pull" mode), which is the mode Vault recommends.

* `wrapping_ttl` - (Optional) If set, the SecretID response will be response-wrapped and available for the duration specified (a duration string such as `"60s"`). Only a single unwrapping of the token is allowed, so an attempt to unwrap an already-consumed token fails and tells the legitimate consumer that the SecretID may have been intercepted.

* `with_wrapped_accessor` - (Optional) Set to `true` to use the wrapped secret-id accessor as the resource ID. If `false` (the default), a fresh SecretID is regenerated whenever the wrapping token has expired or been invalidated through unwrapping, which means every subsequent plan after the consumer unwraps the token will propose a new SecretID.
In addition to the fields above, the following attributes are exported:

* `accessor` - The unique ID for this SecretID that can be safely logged.

* `wrapping_accessor` - The unique ID for the response-wrapped SecretID that can be safely logged.

* `wrapping_token` - The token used to retrieve a response-wrapped SecretID. Unlike the two accessors it is a credential: it is valid for `wrapping_ttl` and can be unwrapped exactly once, so it must not be logged or echoed.

Whether the resource yields a SecretID directly or a wrapping token, Terraform records that value in its state file, so the state backend has to be protected like any other secret store.
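As an added example (not part of the provider's own documentation), the configuration below ties the arguments and exported attributes above together so that the SecretID itself is never written to Terraform state: the response is wrapped, the SecretID is bound to a CIDR block that sits inside the role's bound CIDRs, and the resource is keyed on the wrapped accessor so that unwrapping does not trigger a new SecretID on the next plan. The role name `ci-deployer`, the CIDR ranges, the metadata values, the TTLs and the output names are assumptions chosen for illustration.

```hcl
resource "vault_auth_backend" "approle" {
  type = "approle"
}

# Assumed role: a CI deployer that may only log in from the CI network.
resource "vault_approle_auth_backend_role" "ci" {
  backend        = vault_auth_backend.approle.path
  role_name      = "ci-deployer"
  token_policies = ["default", "dev"]

  # Role-level bounds apply to every SecretID issued for this role.
  secret_id_bound_cidrs = ["10.20.0.0/16"]
  secret_id_num_uses    = 1
}

resource "vault_approle_auth_backend_role_secret_id" "ci" {
  backend   = vault_auth_backend.approle.path
  role_name = vault_approle_auth_backend_role.ci.role_name

  # Narrower than the role's bound CIDRs, as Vault requires.
  cidr_list = ["10.20.30.0/24"]

  # Recorded on tokens issued with this SecretID (assumed values).
  metadata = jsonencode({
    "issued_by" = "terraform"
    "purpose"   = "ci-deploy"
  })

  # Vault returns a single-use wrapping token instead of the SecretID,
  # so only the wrapping token (not the SecretID) lands in state.
  wrapping_ttl = "300s"

  # Key the resource on the wrapped accessor; otherwise Terraform would
  # mint a fresh SecretID once the consumer has unwrapped the token.
  with_wrapped_accessor = true
}

output "ci_role_id" {
  value = vault_approle_auth_backend_role.ci.role_id
}

# The wrapping token is a one-shot credential: mark it sensitive so it is
# redacted from plan and apply output.
output "ci_wrapping_token" {
  value     = vault_approle_auth_backend_role_secret_id.ci.wrapping_token
  sensitive = true
}

# Safe to log; useful for correlating the wrapped SecretID in audit logs.
output "ci_wrapping_accessor" {
  value = vault_approle_auth_backend_role_secret_id.ci.wrapping_accessor
}
```

The consumer (here, the CI job) receives `ci_role_id` and `ci_wrapping_token`, runs `vault unwrap -field=secret_id <wrapping_token>` once within the 300-second window to obtain the SecretID, and then logs in with `vault write auth/approle/login role_id=<role_id> secret_id=<secret_id>` from an address inside `10.20.30.0/24`. If the unwrap fails because the token has already been used, the SecretID should be treated as compromised and the Terraform resource tainted so that a new one is issued.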