2.4 KiB
layout | page_title | sidebar_current | description |
---|---|---|---|
vault | Vault: vault_generic_secret resource | docs-vault-resource-generic-secret | Writes arbitrary data to a given path in Vault |
vault_generic_secret
Writes and manages arbitrary data at a given path in Vault.
This resource is primarily intended to be used with
Vault's "generic" secret backend,
but it is also compatible with any other Vault endpoint that supports
the vault write
command to create and the vault delete
command to
delete.
~> Important All data provided in the resource configuration will be written in cleartext to state and plan files generated by Terraform, and will appear in the console output when Terraform runs. Protect these artifacts accordingly. See the main provider documentation for more details.
Example Usage
resource "vault_generic_secret" "example" {
path = "secret/foo"
data_json = <<EOT
{
"foo": "bar",
"pizza": "cheese"
}
EOT
}
Argument Reference
The following arguments are supported:
-
path
- (Required) The full logical path at which to write the given data. To write data into the "generic" secret backend mounted in Vault by default, this should be prefixed withsecret/
. Writing to other backends with this resource is possible; consult each backend's documentation to see which endpoints support thePUT
andDELETE
methods. -
data_json
- (Required) String containing a JSON-encoded object that will be written as the secret data at the given path. -
allow_read
- (Optional) True/false. Set this to true if your vault authentication is able to read the data, this allows the resource to be compared and updated. Defaults to false.
Required Vault Capabilities
Use of this resource requires the create
or update
capability
(depending on whether the resource already exists) on the given path,
along with the delete
capbility if the resource is removed from
configuration.
This resource does not read the secret data back from Terraform
on refresh by default. This avoids the need for read
access on the given
path, but it means that Terraform is not able to detect and repair
"drift" on this resource should the data be updated or deleted outside
of Terraform. This limitation can be negated by setting allow_read
to
true
Attributes Reference
No additional attributes are exported by this resource.