terraform/website/source/docs/providers/vault/r/generic_secret.html.md

2.4 KiB

layout page_title sidebar_current description
vault Vault: vault_generic_secret resource docs-vault-resource-generic-secret Writes arbitrary data to a given path in Vault

vault_generic_secret

Writes and manages arbitrary data at a given path in Vault.

This resource is primarily intended to be used with Vault's "generic" secret backend, but it is also compatible with any other Vault endpoint that supports the vault write command to create and the vault delete command to delete.

~> Important All data provided in the resource configuration will be written in cleartext to state and plan files generated by Terraform, and will appear in the console output when Terraform runs. Protect these artifacts accordingly. See the main provider documentation for more details.

Example Usage

resource "vault_generic_secret" "example" {
  path = "secret/foo"

  data_json = <<EOT
{
  "foo":   "bar",
  "pizza": "cheese"
}
EOT
}

Argument Reference

The following arguments are supported:

  • path - (Required) The full logical path at which to write the given data. To write data into the "generic" secret backend mounted in Vault by default, this should be prefixed with secret/. Writing to other backends with this resource is possible; consult each backend's documentation to see which endpoints support the PUT and DELETE methods.

  • data_json - (Required) String containing a JSON-encoded object that will be written as the secret data at the given path.

  • allow_read - (Optional) True/false. Set this to true if your vault authentication is able to read the data, this allows the resource to be compared and updated. Defaults to false.

Required Vault Capabilities

Use of this resource requires the create or update capability (depending on whether the resource already exists) on the given path, along with the delete capbility if the resource is removed from configuration.

This resource does not read the secret data back from Terraform on refresh by default. This avoids the need for read access on the given path, but it means that Terraform is not able to detect and repair "drift" on this resource should the data be updated or deleted outside of Terraform. This limitation can be negated by setting allow_read to true

Attributes Reference

No additional attributes are exported by this resource.