Creates an AWS Secrets Manager destination for synchronizing secrets from Vault. Requires Vault 1.16+. Available only for Vault Enterprise.
For more information on syncing secrets with AWS, refer to the Vault documentation.
```hcl
resource "vault_secrets_sync_aws_destination" "aws" {
  name                 = "aws-dest"
  access_key_id        = var.access_key_id
  secret_access_key    = var.secret_access_key
  region               = "us-east-1"
  role_arn             = "role-arn"
  external_id          = "external-id"
  secret_name_template = "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}"
  custom_tags = {
    "foo" = "bar"
  }
}
```
The following arguments are supported:

* `namespace` - (Optional) The namespace to provision the resource in.
  The value should not contain leading or trailing forward slashes.
  The namespace is always relative to the provider's configured namespace.

* `name` - (Required) Unique name of the AWS destination.

* `access_key_id` - (Optional) Access key ID used to authenticate against AWS Secrets Manager.
  Can be omitted and provided directly to the Vault server through the `AWS_ACCESS_KEY_ID`
  environment variable.

* `secret_access_key` - (Optional) Secret access key used to authenticate against AWS Secrets Manager.
  Can be omitted and provided directly to the Vault server through the `AWS_SECRET_ACCESS_KEY`
  environment variable. Like any argument, a value set here is written to Terraform state; prefer
  the environment variable or an assumed role when the state backend is not itself treated as a secret store.

* `region` - (Optional) Region in which to manage the Secrets Manager entries.
  Can be omitted and provided directly to the Vault server through the `AWS_REGION`
  environment variable.

* `custom_tags` - (Optional) Custom tags to set on the secrets managed at the destination.

* `secret_name_template` - (Optional) Template describing how to generate external secret names.
  Supports a subset of the Go template syntax.

* `granularity` - (Optional) Determines what level of information is synced as a distinct resource
  at the destination. Supports `secret-path` and `secret-key`.

* `role_arn` - (Optional) Specifies a role to assume when connecting to AWS. When assuming a role,
  Vault uses temporary STS credentials to authenticate. An initial session (the access key pair above
  or the environment-variable credentials) with the proper trust relationship must already exist for Vault
  to be able to assume this role. The role can be in a different account.
  The value is mutable as long as the new role targets the same AWS account ID; otherwise the backend
  returns an error. It is possible to provide both an access key pair and a role to assume.

* `external_id` - (Optional) Extra protection that must match the `sts:ExternalId` condition of the
  trust policy granting access to the IAM role ARN. We recommend using a different random UUID per
  destination. The value is generated by the user, not by Vault.
  The field is mutable with no special condition, but a new value must still satisfy the trust
  relationship condition set on AWS, otherwise sync operations start to fail with client-side access
  denied errors. Ignored if the `role_arn` field is empty.
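The `role_arn` and `external_id` arguments only work if the AWS side is configured to match them. The following configuration is an added example, not code from the provider documentation or from the Vault project: it generates one random UUID per destination, builds the IAM trust policy with an `sts:ExternalId` condition on that UUID, scopes the role's permissions to secrets whose names carry the template prefix, and then wires both values into the destination. It assumes the `aws` and `random` providers are configured, that `var.vault_principal_arn` (a name chosen here) is the IAM principal whose static credentials Vault holds as the initial session, and that `var.access_key_id` / `var.secret_access_key` are those credentials. The Secrets Manager action list is an assumed minimal set; check it against the Vault documentation before relying on it.

```hcl
# Added example (not from the provider docs). Assumptions: aws and random
# providers are configured; var.vault_principal_arn is the IAM user or role
# whose credentials Vault uses as the initial session before sts:AssumeRole.
variable "vault_principal_arn" {
  description = "ARN of the IAM principal Vault authenticates as before assuming the sync role"
  type        = string
}

# One random UUID per destination, used as the sts:ExternalId. Rotating it
# here without updating the destination breaks sync with AccessDenied from STS.
resource "random_uuid" "sync_external_id" {}

# Trust policy: only the Vault principal may assume the role, and only when it
# presents the matching ExternalId. Works across accounts because the principal
# is named by full ARN.
data "aws_iam_policy_document" "sync_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = [var.vault_principal_arn]
    }
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [random_uuid.sync_external_id.result]
    }
  }
}

resource "aws_iam_role" "vault_secrets_sync" {
  name               = "vault-secrets-sync"
  assume_role_policy = data.aws_iam_policy_document.sync_trust.json
}

# Permissions policy (assumed minimal action set): restricted to secrets whose
# names start with the "vault_" prefix produced by secret_name_template, so a
# leaked sync credential cannot read or delete unrelated secrets.
data "aws_iam_policy_document" "sync_permissions" {
  statement {
    actions = [
      "secretsmanager:CreateSecret",
      "secretsmanager:DeleteSecret",
      "secretsmanager:DescribeSecret",
      "secretsmanager:GetSecretValue",
      "secretsmanager:PutSecretValue",
      "secretsmanager:TagResource",
      "secretsmanager:UpdateSecret",
    ]
    resources = ["arn:aws:secretsmanager:us-east-1:*:secret:vault_*"]
  }
}

resource "aws_iam_role_policy" "vault_secrets_sync" {
  name   = "vault-secrets-sync"
  role   = aws_iam_role.vault_secrets_sync.id
  policy = data.aws_iam_policy_document.sync_permissions.json
}

# The destination: the static key pair is the initial session, role_arn is the
# role built above, and external_id is the same UUID the trust policy requires.
resource "vault_secrets_sync_aws_destination" "aws" {
  name                 = "aws-dest"
  access_key_id        = var.access_key_id
  secret_access_key    = var.secret_access_key
  region               = "us-east-1"
  role_arn             = aws_iam_role.vault_secrets_sync.arn
  external_id          = random_uuid.sync_external_id.result
  secret_name_template = "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}"
  custom_tags = {
    "managed-by" = "vault-secrets-sync"
  }
}
```

Because both the trust policy and the destination reference `random_uuid.sync_external_id.result`, a `terraform apply` that regenerates the UUID updates the two sides together, which is the failure mode the `external_id` description warns about when the value is edited by hand on only one side.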
The following attributes are exported in addition to the above:

* `type` - The type of the secrets destination (`aws-sm`).

AWS Secrets sync destinations can be imported using the `name`, e.g.

```shell
$ terraform import vault_secrets_sync_aws_destination.aws aws-dest
```