Creates an association between a secret stored in a KV mount and an existing Secrets Sync destination, which triggers Vault to sync that secret (each of its subkeys) to the destination. Requires Vault 1.16+. Available only for Vault Enterprise.
For more information on associations, please refer to the Vault documentation.
# KV v2 mount holding the secret to be synced
resource "vault_mount" "kvv2" {
  path        = "kvv2"
  type        = "kv"
  options     = { version = "2" }
  description = "KV Version 2 secret engine mount"
}

# The secret; each top-level key (dev, prod) becomes one synced subkey
resource "vault_kv_secret_v2" "token" {
  mount     = vault_mount.kvv2.path
  name      = "token"
  data_json = jsonencode(
    {
      dev  = "B!gS3cr3t",
      prod = "S3cureP4$$"
    }
  )
}

# GitHub Actions secrets destination; the template controls the secret names created in the repository
resource "vault_secrets_sync_gh_destination" "gh" {
  name                 = "gh-dest"
  access_token         = var.access_token
  repository_owner     = var.repo_owner
  repository_name      = "repo-name-example"
  secret_name_template = "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}"
}

# Link the secret to the destination; name and type are taken from the destination resource
resource "vault_secrets_sync_association" "gh_token" {
  name        = vault_secrets_sync_gh_destination.gh.name
  type        = vault_secrets_sync_gh_destination.gh.type
  mount       = vault_mount.kvv2.path
  secret_name = vault_kv_secret_v2.token.name
}
The following arguments are supported:
namespace
- (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
name
- (Required) Specifies the name of the destination to sync the secret to.
type
- (Required) Specifies the destination type. In the example above it is read from the destination resource's exported type attribute rather than hard-coded.
mount
- (Required) Specifies the path of the mount where the secret is located.
secret_name
- (Required) Specifies the name of the secret, within that mount, to synchronize.
The following attributes are exported in addition to the above:
sync_status
- A map of sync statuses for each subkey of the associated secret (for example {kv_624bea/aws-token/dev: "SYNCED", kv_624bea/aws-token/prod: "SYNCED"}).
subkeys
- A list of subkeys for the associated secret.
updated_at
- A map of RFC 3339 timestamps specifying when each subkey of the associated secret was last synced (for example {kv_624bea/aws-token/dev: "2024-03-21T12:42:02.558533-07:00", kv_624bea/aws-token/prod: "2024-03-21T12:42:02.558533-07:00"}).