Create and manage Vault Enterprise Secret Sync.
- This module currently only supports AWS Secrets Manager destination. Other secret sync destinations will be supported in the future.
- All the vault secret associations must be removed before the secret sync destination can be removed. Vault will return this error message if secret associations still exist:
store cannot be deleted because it is still managing secrets.
Create Vault Secret Sync destination and secret association:
module "vault_secretsync" {
source = "SPHTech-Platform/secret-sync/vault"
version = "~> 0.1.0"
name = "vault-ss"
associate_secrets = {
foo = {
mount = "mount_foo"
secret_name = ["foo_secret"]
}
hello = {
mount = "mount_hello"
secret_name = [
"hello_secret_1",
"hello_secret_2",
]
}
}
}Remove some vault secrets from association by adding the attribute unassociate_secrets:
module "vault_secretsync" {
source = "SPHTech-Platform/secret-sync/vault"
version = "~> 0.1.0"
name = "vault-ss"
# Removing secret in this section does not remove the secret association
associate_secrets = {
foo = {
mount = "mount_foo"
secret_name = ["foo_secret"]
}
}
# Add the secret information here to remove the secret association
unassociate_secrets = {
hello = {
mount = "mount_hello"
secret_name = [
"hello_secret_1",
"hello_secret_2",
]
}
}
}Remove all vault secrets from association by adding the attribute delete_all_secret_associations = true:
module "vault_secretsync" {
source = "SPHTech-Platform/secret-sync/vault"
version = "~> 0.1.0"
name = "vault-ss"
associate_secrets = {
foo = {
mount = "mount_foo"
secret_name = ["foo_secret"]
}
hello = {
mount = "mount_hello"
secret_name = [
"hello_secret_1",
"hello_secret_2",
]
}
}
delete_all_secret_associations = true
}Remove vault secret sync destination by adding delete_sync_destination = true (NOTE: all secret associations must be removed before this can be done i.e. delete_all_secret_associations = true):
module "vault_secretsync" {
source = "SPHTech-Platform/secret-sync/vault"
version = "~> 0.1.0"
name = "vault-ss"
associate_secrets = {
foo = {
mount = "mount_foo"
secret_name = ["foo_secret"]
}
hello = {
mount = "mount_hello"
secret_name = [
"hello_secret_1",
"hello_secret_2",
]
}
}
delete_all_secret_associations = true
delete_sync_destination = true| Name | Version |
|---|---|
| terraform | >= 1.5 |
| aws | >= 4.67.0 |
| null | >= 3.2.2 |
| random | >= 3.6.0 |
| time | >= 0.9.0 |
| vault | >= 3.23.0 |
| Name | Version |
|---|---|
| aws | 5.29.0 |
| null | 3.2.2 |
| random | 3.6.0 |
| time | 0.10.0 |
| vault | 3.23.0 |
| Name | Source | Version |
|---|---|---|
| iam_group_secretsync | terraform-aws-modules/iam/aws//modules/iam-group-with-policies | ~> 5.32.0 |
| iam_user_secretsync | terraform-aws-modules/iam/aws//modules/iam-user | ~> 5.32.0 |
| Name | Type |
|---|---|
| aws_iam_access_key.vault_secretsync | resource |
| null_resource.rotate_access_key | resource |
| random_id.this | resource |
| time_rotating.iam_user_secretsync_access_key | resource |
| time_sleep.wait_for_destination_sync | resource |
| vault_generic_endpoint.create_association_sync | resource |
| vault_generic_endpoint.create_destination_sync | resource |
| vault_generic_endpoint.remove_all_association_sync | resource |
| vault_generic_endpoint.remove_some_association_sync | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.vault_ent_secrets_manager_access | data source |
| aws_region.current | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| associate_secrets | Map of vault kv to create secret sync association | map( |
{} |
no |
| delete_all_secret_associations | Delete the secret associations | bool |
false |
no |
| delete_sync_destination | Delete the sync destination. Secret associations must be removed beforehand. | bool |
false |
no |
| name | Prefix name for the destination | string |
n/a | yes |
| region | AWS region | string |
"ap-southeast-1" |
no |
| unassociate_secrets | Map of vault kv to remove secret sync association | map( |
{} |
no |
No outputs.