Creates a dynamic role for LDAP Secret Backend for Vault.
resource "vault_ldap_secret_backend" "config" {
  path     = "my-custom-ldap"
  binddn   = "CN=Administrator,CN=Users,DC=corp,DC=example,DC=net"
  bindpass = "SuperSecretPassw0rd"
  url      = "ldaps://localhost"
  userdn   = "CN=Users,DC=corp,DC=example,DC=net"
}

resource "vault_ldap_secret_backend_dynamic_role" "role" {
  mount     = vault_ldap_secret_backend.config.path
  role_name = "alice"

  # Entries are applied in order; {{.Username}} and {{.Password}} are filled in by Vault.
  creation_ldif = <<EOT
dn: cn={{.Username}},ou=users,dc=learn,dc=example
objectClass: person
objectClass: top
cn: learn
sn: {{.Password | utf16le | base64}}
memberOf: cn=dev,ou=groups,dc=learn,dc=example
userPassword: {{.Password}}
EOT

  # Run when the lease expires; must target the same DN the creation LDIF produced.
  deletion_ldif = <<EOT
dn: cn={{.Username}},ou=users,dc=learn,dc=example
changetype: delete
EOT

  # Run only if creation_ldif fails part-way through.
  rollback_ldif = <<EOT
dn: cn={{.Username}},ou=users,dc=learn,dc=example
changetype: delete
EOT
}
The following arguments are supported:

namespace - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

mount - (Optional) The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ldap.

role_name - (Required) Name of the role.

creation_ldif - (Required) A templatized LDIF string used to create a user account. This may contain multiple LDIF entries. The creation_ldif can also be used to add the user account to an existing group. All LDIF entries are performed in order. If Vault encounters an error while executing the creation_ldif it will stop at the first error and not execute any remaining LDIF entries. If an error occurs and rollback_ldif is specified, the LDIF entries in rollback_ldif will be executed. See rollback_ldif for more details. This field may optionally be provided as a base64 encoded string.

deletion_ldif - (Required) A templatized LDIF string used to delete the user account once its TTL has expired. This may contain multiple LDIF entries. All LDIF entries are performed in order. If Vault encounters an error while executing an entry in the deletion_ldif it will attempt to continue executing any remaining entries. This field may optionally be provided as a base64 encoded string.

rollback_ldif - (Optional) A templatized LDIF string used to attempt to rollback any changes in the event that execution of the creation_ldif results in an error. This may contain multiple LDIF entries. All LDIF entries are performed in order. If Vault encounters an error while executing an entry in the rollback_ldif it will attempt to continue executing any remaining entries. This field may optionally be provided as a base64 encoded string.

username_template - (Optional) A template used to generate a dynamic username. This will be used to fill in the .Username field within the creation_ldif string.

default_ttl - (Optional) Specifies the TTL for the leases associated with this role.

max_ttl - (Optional) Specifies the maximum TTL for the leases associated with this role.
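The LDIF fields above are Go text/template strings that Vault renders with the generated .Username and .Password before sending them to the directory. The following program is an added example, not Vault's or the provider's code: it renders the creation_ldif and deletion_ldif from the resource example above with constructed sample values, supplies stand-in implementations of the utf16le and base64 template functions (assumed to behave as their names suggest: UTF-16LE re-encoding and padded standard base64), splits a multi-entry LDIF document into the entries Vault would apply in order, and checks that the deletion template targets exactly the DN the creation template produced. Rendering a template locally like this catches a misspelled field or pipeline before a real LDAP mount is involved.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"strings"
	"text/template"
	"unicode/utf16"
)

// ldifData holds the two values Vault substitutes into the LDIF templates
// (constructed for this example; Vault's own data type is not used here).
type ldifData struct {
	Username string
	Password string
}

// utf16le re-encodes s as UTF-16LE bytes, the encoding Active Directory
// expects for unicodePwd; assumed equivalent to the utf16le template function.
func utf16le(s string) string {
	codes := utf16.Encode([]rune(s))
	buf := make([]byte, 2*len(codes))
	for i, c := range codes {
		buf[2*i] = byte(c)        // low byte first (little-endian)
		buf[2*i+1] = byte(c >> 8) // then high byte
	}
	return string(buf)
}

// b64 is the stand-in for the base64 template function (standard alphabet, padded).
func b64(s string) string {
	return base64.StdEncoding.EncodeToString([]byte(s))
}

// funcs exposes the helpers under the names used in the page's template.
var funcs = template.FuncMap{"utf16le": utf16le, "base64": b64}

// creationLDIF is the creation_ldif from the resource example above.
const creationLDIF = `dn: cn={{.Username}},ou=users,dc=learn,dc=example
objectClass: person
objectClass: top
cn: learn
sn: {{.Password | utf16le | base64}}
memberOf: cn=dev,ou=groups,dc=learn,dc=example
userPassword: {{.Password}}
`

// deletionLDIF is the deletion_ldif from the same example.
const deletionLDIF = `dn: cn={{.Username}},ou=users,dc=learn,dc=example
changetype: delete
`

// renderLDIF executes a template with the function map; a reference to a field
// that does not exist fails here, before anything reaches the directory.
func renderLDIF(tmpl string, d ldifData) (string, error) {
	t, err := template.New("ldif").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, d); err != nil {
		return "", err
	}
	return out.String(), nil
}

// splitEntries splits a multi-entry LDIF document on blank lines, giving the
// ordered list of entries Vault would apply one by one.
func splitEntries(ldif string) []string {
	var entries []string
	for _, block := range strings.Split(strings.TrimSpace(ldif), "\n\n") {
		if b := strings.TrimSpace(block); b != "" {
			entries = append(entries, b)
		}
	}
	return entries
}

// entryDNs returns the dn of each entry; the deletion and rollback templates
// must reproduce these exactly to remove what creation added.
func entryDNs(ldif string) []string {
	var dns []string
	for _, e := range splitEntries(ldif) {
		for _, line := range strings.Split(e, "\n") {
			if strings.HasPrefix(line, "dn: ") {
				dns = append(dns, strings.TrimPrefix(line, "dn: "))
				break
			}
		}
	}
	return dns
}

func main() {
	d := ldifData{Username: "v_alice_1", Password: "p@ss"} // constructed sample values
	created, err := renderLDIF(creationLDIF, d)
	if err != nil {
		panic(err)
	}
	deleted, err := renderLDIF(deletionLDIF, d)
	if err != nil {
		panic(err)
	}
	fmt.Print(created, "\n", deleted)
	fmt.Println("deletion targets creation DN:", entryDNs(created)[0] == entryDNs(deleted)[0])
}
```

The sn line is where the two template functions matter: the rendered value is the base64 of the UTF-16LE bytes of the password, not of the password's UTF-8 bytes, so a directory that decodes it will see the correct encoding.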
No additional attributes are exported by this resource.
LDAP secret backend dynamic role can be imported using the full path to the role
of the form: <mount_path>/dynamic-role/<role_name>
e.g., for the example above (mounted at my-custom-ldap with role_name alice):
$ terraform import vault_ldap_secret_backend_dynamic_role.role my-custom-ldap/dynamic-role/alice