» vault_generic_endpoint

Writes and manages arbitrary data at a given path in Vault.

This resource enables configuration of arbitrary Vault endpoints. It can be used when no dedicated resource type exists for an endpoint, including endpoints provided by a third-party plugin. It handles endpoints with dynamic behavior: write-only configuration endpoints, endpoints that return a different set of fields on read from the ones that were written, and endpoints that return data in the response to a write. This makes it more flexible than the vault_generic_secret resource for use with arbitrary endpoints.

» Example Usage

# Enable a userpass auth method; its accessor is needed for the entity lookup below.
resource "vault_auth_backend" "userpass" {
  type = "userpass"
}

# Create user u1. Reading auth/userpass/users/u1 never returns the password and
# returns fields that were not written, so ignore_absent_fields is required.
# Everything in data_json, the password included, is stored in Terraform state.
resource "vault_generic_endpoint" "u1" {
  depends_on           = ["vault_auth_backend.userpass"]
  path                 = "auth/userpass/users/u1"
  ignore_absent_fields = true

  data_json = <<EOT
{
  "policies": ["p1"],
  "password": "changeme"
}
EOT
}

# Log in as u1 so that Vault creates an entity for the user. The login endpoint
# is write-only (no GET or DELETE). No write_fields are set, so the token
# returned by the login is neither exposed by the resource nor written to state.
resource "vault_generic_endpoint" "u1_token" {
  depends_on     = ["vault_generic_endpoint.u1"]
  path           = "auth/userpass/login/u1"
  disable_read   = true
  disable_delete = true

  data_json = <<EOT
{
  "password": "changeme"
}
EOT
}

# Look up the entity by alias. identity/lookup/entity is a write that returns
# data; write_fields keeps only the "id" field, exposed through write_data["id"].
resource "vault_generic_endpoint" "u1_entity" {
  depends_on           = ["vault_generic_endpoint.u1_token"]
  disable_read         = true
  disable_delete       = true
  path                 = "identity/lookup/entity"
  ignore_absent_fields = true
  write_fields         = ["id"]

  data_json = <<EOT
{
  "alias_name": "u1",
  "alias_mount_accessor": "${vault_auth_backend.userpass.accessor}"
}
EOT
}

output "u1_id" {
  value = "${vault_generic_endpoint.u1_entity.write_data["id"]}"
}

» Argument Reference

The following arguments are supported:

  • path - (Required) The full logical path at which to write the given data. Consult each backend's documentation to see which endpoints support the POST/PUT method and to determine whether they also support DELETE and GET.

  • data_json - (Required) String containing a JSON-encoded object that will be written to the given path as the secret data. Like any resource argument, its full contents (including any passwords or keys it carries) are stored in Terraform state.

  • disable_read - (Optional) True/false. Set this to true if the token Terraform authenticates with is not permitted to read the path, or if the endpoint does not support the GET method. Setting this to true disables drift detection for the resource, since Terraform can no longer compare what is in Vault with data_json. You should set this to true for endpoints that are write-only. Defaults to false.

  • disable_delete - (Optional) True/false. Set this to true if the token Terraform authenticates with is not permitted to delete the path, or if the endpoint does not support the DELETE method. When true, destroying the resource only removes it from state and leaves the data in Vault. Defaults to false.

  • ignore_absent_fields - (Optional) True/false. If set to true, ignore any fields present when the endpoint is read but that were not in data_json. Also, if a field that was written is not returned when the endpoint is read, treat that field as being up to date. You should set this to true when writing to an endpoint that, when read, returns a different set of fields from the ones you wrote, as is common with many configuration endpoints and with endpoints that never return secret fields such as passwords. Defaults to false.

  • write_fields - (Optional) A list of fields that should be returned in write_data_json and write_data. If omitted, data returned by the write operation is not available to the resource or included in state. This helps to avoid accidental storage of sensitive values in state. Some endpoints, such as many dynamic secrets endpoints, return data in the response to a write rather than on read. Use write_fields if you need information returned in this way, and list only the fields you actually need, since every listed field ends up in state.

» Attributes Reference

In addition to the fields above, the following attributes are exported:

  • write_data_json - The JSON data returned by the write operation. Only fields set in write_fields are present in the JSON data.

  • write_data - A map whose keys are the top-level data keys returned from Vault by the write operation and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON. Only fields set in write_fields are present in the map.
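As an added example, not part of the provider documentation, the following configuration uses the Transit secrets engine to show write_fields and write_data on an endpoint that returns its result in the response to a write. It assumes a Vault provider is already configured; the mount path "transit" and the key name "demo" are assumptions for the example.

```hcl
# Added example (not from the provider docs). Assumes a configured Vault
# provider; the mount path "transit" and key name "demo" are arbitrary.
resource "vault_mount" "transit" {
  path = "transit"
  type = "transit"
}

# Create the key. A read of transit/keys/demo returns many fields that were
# never written, so ignore_absent_fields is set. Transit refuses to delete a
# key unless deletion_allowed has been set on it, so deletes are disabled here
# and the key is left in place when the resource is destroyed.
resource "vault_generic_endpoint" "demo_key" {
  depends_on           = ["vault_mount.transit"]
  path                 = "transit/keys/demo"
  ignore_absent_fields = true
  disable_delete       = true

  data_json = <<EOT
{
  "type": "aes256-gcm96"
}
EOT
}

# Encrypt is a pure write: there is nothing to GET or DELETE, and the result
# only exists in the write response. write_fields exposes just "ciphertext".
# Note that both the plaintext in data_json and the ciphertext in write_data
# are stored in Terraform state.
resource "vault_generic_endpoint" "encrypt" {
  depends_on     = ["vault_generic_endpoint.demo_key"]
  path           = "transit/encrypt/demo"
  disable_read   = true
  disable_delete = true
  write_fields   = ["ciphertext"]

  data_json = <<EOT
{
  "plaintext": "${base64encode("hello")}"
}
EOT
}

output "ciphertext" {
  value = "${vault_generic_endpoint.encrypt.write_data["ciphertext"]}"
}
```

After apply, the output carries a value of the form vault:v1:..., and the same field is available in JSON form as write_data_json. Without the write_fields line the encrypt resource would still succeed, but the ciphertext would be dropped and neither attribute would contain it.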

» Required Vault Capabilities

Use of this resource requires the create or update capability (depending on whether the resource already exists) on the given path. If disable_delete is false, the delete capability is also required. If disable_read is false, the read capability is also required.
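As an added example, not part of the provider documentation, the following Vault policy grants exactly the capabilities the rule above implies for the three vault_generic_endpoint resources in the Example Usage section. The sys/auth entries are an assumption about what the vault_auth_backend resource in that example needs: Vault requires the sudo capability on sys/auth/<path> to enable or disable an auth method, and the provider reads the mount table back from sys/auth.

```hcl
# Added example, not from the provider docs. Policy for the token Terraform
# uses with the Example Usage configuration; the mount path "userpass" and the
# user name "u1" are taken from that example.

# vault_generic_endpoint.u1: read and delete are left enabled, so the
# resource needs all four capabilities on the path.
path "auth/userpass/users/u1" {
  capabilities = ["create", "update", "read", "delete"]
}

# vault_generic_endpoint.u1_token: disable_read and disable_delete are set,
# so only the write capabilities are required.
path "auth/userpass/login/u1" {
  capabilities = ["create", "update"]
}

# vault_generic_endpoint.u1_entity: likewise write-only from Terraform's side.
path "identity/lookup/entity" {
  capabilities = ["create", "update"]
}

# vault_auth_backend.userpass (assumption, see lead-in): enabling or disabling
# an auth method requires sudo on sys/auth/<path>, and the provider reads the
# auth mount table to refresh the resource and obtain the accessor.
path "sys/auth/userpass" {
  capabilities = ["create", "update", "delete", "sudo"]
}

path "sys/auth" {
  capabilities = ["read"]
}
```

Load it with `vault policy write <name> <file>` and attach it to the token Terraform uses. Before running apply you can confirm the effective capabilities for that token on any of the paths with `vault token capabilities <token> auth/userpass/users/u1`; a result that lacks read or delete is the usual reason to set disable_read or disable_delete rather than to widen the policy.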

» Import

Import is not supported for this resource.