» vault_generic_secret
Writes and manages secrets stored in Vault's "generic" secret backend
This resource is primarily intended to be used with both v1 and v2 of Vault's "generic" secret backend. It is also compatible, with some limitations, with other Vault endpoints that support the vault write command to create and the vault delete command to delete; for a more flexible way to manage arbitrary data, see also the generic endpoint resource.
Important: All data provided in the resource configuration will be written in cleartext to state and plan files generated by Terraform, and will appear in the console output when Terraform runs. Protect these artifacts accordingly. See the main provider documentation for more details.
» Example Usage
    resource "vault_generic_secret" "example" {
      path = "secret/foo"

      data_json = <<EOT
    {
      "foo":   "bar",
      "pizza": "cheese"
    }
    EOT
    }
» Argument Reference
The following arguments are supported:
- path - (Required) The full logical path at which to write the given data. To write data into the "generic" secret backend mounted in Vault by default, this should be prefixed with secret/. Writing to other backends with this resource is possible; consult each backend's documentation to see which endpoints support the PUT and DELETE methods.
- data_json - (Required) String containing a JSON-encoded object that will be written as the secret data at the given path.
- allow_read - (Optional, Deprecated) True/false. Set this to true if your Vault authentication is able to read the data; this allows the resource to be compared and updated. Defaults to false.
- disable_read - (Optional) True/false. Set this to true if your Vault authentication is not able to read the data. Setting this to true will break drift detection. Defaults to false.
» Required Vault Capabilities
Use of this resource requires the create or update capability (depending on whether the resource already exists) on the given path, along with the delete capability if the resource is removed from configuration.

This resource does not read the secret data back from Vault on refresh by default. This avoids the need for read access on the given path, but it means that Terraform is not able to detect and repair "drift" on this resource should the data be updated or deleted outside of Terraform. This limitation can be negated by setting allow_read to true.
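A least-privilege Vault policy that grants exactly the capabilities listed above, alongside the resource it authorizes. This is an added example, not configuration from the provider documentation; it assumes the default "secret/" mount, the path secret/foo, and that the Terraform principal managing the secret authenticates with a token or role bound to the (hypothetical) "tf-secret-foo" policy.

```hcl
# Added example (not from the provider docs). Assumes the default "secret/"
# mount, the path secret/foo, and that the principal which manages the
# secret is bound to the "tf-secret-foo" policy below (names are hypothetical).

# Least-privilege policy for the principal that manages the secret.
# create/update cover the initial write and later changes, delete covers
# removal from configuration, and read is only needed while drift detection
# is enabled (disable_read left at its default of false). Drop "read" if you
# deliberately run with disable_read = true.
resource "vault_policy" "tf_secret_foo" {
  name = "tf-secret-foo"

  policy = <<EOT
path "secret/foo" {
  capabilities = ["create", "update", "delete", "read"]
}
EOT
}

# The secret itself. jsonencode() keeps the JSON well-formed instead of
# hand-writing a heredoc. These values still land in cleartext in state and
# plan files, as the note at the top of this page warns.
resource "vault_generic_secret" "example" {
  path = "secret/foo"

  data_json = jsonencode({
    foo   = "bar"
    pizza = "cheese"
  })
}

# Expose only the key names from the exported "data" map, never the values.
# The output is marked sensitive because it derives from secret data, so
# Terraform redacts it in CLI output (the state file still holds it).
output "example_secret_keys" {
  value     = keys(vault_generic_secret.example.data)
  sensitive = true
}
```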
» Attributes Reference
The following attributes are exported in addition to the above:
- data - A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
» Import
Generic secrets can be imported using the path, e.g.

    $ terraform import vault_generic_secret.example secret/foo