terraform/website/source/docs/providers/vault/r/generic_secret.html.md

---
layout: "vault"
page_title: "Vault: vault_generic_secret resource"
sidebar_current: "docs-vault-resource-generic-secret"
description: |-
  Writes arbitrary data to a given path in Vault
---
# vault\_generic\_secret
Writes and manages arbitrary data at a given path in Vault.
This resource is primarily intended to be used with
[Vault's "generic" secret backend](https://www.vaultproject.io/docs/secrets/generic/index.html),
but it is also compatible with any other Vault endpoint that supports
the `vault write` command to create and the `vault delete` command to
delete.
~> **Important** All data provided in the resource configuration will be
written in cleartext to state and plan files generated by Terraform, and
will appear in the console output when Terraform runs. Protect these
artifacts accordingly. See
[the main provider documentation](../index.html)
for more details.
## Example Usage
```hcl
resource "vault_generic_secret" "example" {
  path = "secret/foo"

  data_json = <<EOT
{
  "foo":   "bar",
  "pizza": "cheese"
}
EOT
}
```
## Argument Reference
The following arguments are supported:
* `path` - (Required) The full logical path at which to write the given
data. To write data into the "generic" secret backend mounted in Vault by
default, this should be prefixed with `secret/`. Writing to other backends
with this resource is possible; consult each backend's documentation to
see which endpoints support the `PUT` and `DELETE` methods.
* `data_json` - (Required) String containing a JSON-encoded object that
will be written as the secret data at the given path.
* `allow_read` - (Optional) True/false. Set this to `true` if the Vault
token Terraform authenticates with is able to read the data; this allows the
resource to be compared against Vault and updated on drift. Defaults to `false`.
## Required Vault Capabilities
Use of this resource requires the `create` or `update` capability
(depending on whether the resource already exists) on the given path,
along with the `delete` capability if the resource is removed from
configuration.
This resource does not *read* the secret data back from Terraform
on refresh by default. This avoids the need for `read` access on the given
path, but it means that Terraform is not able to detect and repair
"drift" on this resource should the data be updated or deleted outside
of Terraform. This limitation can be removed by setting `allow_read` to
`true`, at the cost of also requiring the `read` capability on the path.
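The capability requirements above, expressed as a least-privilege Vault policy. This is an added example rather than text from the provider documentation; the policy paths `secret/foo` and `secret/bar` are assumed names for two secrets managed by this resource.

```hcl
# Constructed example: a Vault policy (Vault policy HCL, not Terraform HCL)
# granting only what vault_generic_secret needs on each path.

# secret/foo is managed with allow_read left at its default (false):
# Terraform only writes and deletes here, so no "read" capability is
# granted and the token can never return the stored data.
path "secret/foo" {
  capabilities = ["create", "update", "delete"]
}

# secret/bar is managed with allow_read = true: Terraform reads the secret
# on refresh to detect and repair drift, so "read" is required as well.
path "secret/bar" {
  capabilities = ["create", "read", "update", "delete"]
}
```

Keep the `read` capability off any path whose resource does not set `allow_read`; the token then has no way to disclose existing secret data even if it is leaked alongside the state file.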
## Attributes Reference
No additional attributes are exported by this resource.