vault_generic_endpoint

Writes and manages arbitrary data at a given path in Vault.

This resource enables configuration of arbitrary Vault endpoints. It can be used when no dedicated resource type exists for an endpoint, including endpoints provided by a third-party plugin. It also supports endpoints with dynamic behavior: write-only configuration endpoints, endpoints that return different fields when read than were written, and endpoints that return data when written to. This makes it more flexible than the generic secret resource for use with arbitrary endpoints.

Example Usage

resource "vault_auth_backend" "userpass" {
  type = "userpass"
}

resource "vault_generic_endpoint" "u1" {
  depends_on           = [vault_auth_backend.userpass]
  path                 = "auth/userpass/users/u1"
  ignore_absent_fields = true

  data_json = <<EOT
{
  "policies": ["p1"],
  "password": "changeme"
}
EOT
}

resource "vault_generic_endpoint" "u1_token" {
  depends_on     = [vault_generic_endpoint.u1]
  path           = "auth/userpass/login/u1"
  disable_read   = true
  disable_delete = true

  data_json = <<EOT
{
  "password": "changeme"
}
EOT
}

resource "vault_generic_endpoint" "u1_entity" {
  depends_on           = [vault_generic_endpoint.u1_token]
  disable_read         = true
  disable_delete       = true
  path                 = "identity/lookup/entity"
  ignore_absent_fields = true
  write_fields         = ["id"]

  data_json = <<EOT
{
  "alias_name": "u1",
  "alias_mount_accessor": "${vault_auth_backend.userpass.accessor}"
}
EOT
}

output "u1_id" {
  value = vault_generic_endpoint.u1_entity.write_data["id"]
}

Argument Reference

The following arguments are supported:

Attributes Reference

In addition to the fields above, the following attributes are exported:

Required Vault Capabilities

Use of this resource requires the create or update capability (depending on whether the resource already exists) on the given path. If disable_delete is false, the delete capability is also required. If disable_read is false, the read capability is required.
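
The rule above applied to the three vault_generic_endpoint resources from Example Usage, as a least-privilege policy for the token Terraform runs with. This is an added example, not part of the provider documentation; the resource label and policy name are hypothetical, and the capabilities needed to manage vault_auth_backend itself are not covered.

```hcl
# Added example: policy name and resource label are hypothetical.
resource "vault_policy" "terraform_generic_endpoints" {
  name = "terraform-generic-endpoints"

  policy = <<EOT
# u1: disable_read and disable_delete are left at false, so read and
# delete are needed in addition to create/update.
path "auth/userpass/users/u1" {
  capabilities = ["create", "update", "read", "delete"]
}

# u1_token: disable_read = true and disable_delete = true, so only the
# write capabilities are listed.
path "auth/userpass/login/u1" {
  capabilities = ["create", "update"]
}

# u1_entity: disable_read = true and disable_delete = true, write-only.
path "identity/lookup/entity" {
  capabilities = ["create", "update"]
}
EOT
}
```

Setting disable_read or disable_delete on a resource lets the matching capability be dropped from the policy, which keeps the Terraform token from reading or deleting paths it only needs to write.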

Import

Import is not supported for this resource.