### Simple Namespace Example Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/index.html.markdown Example demonstrating the creation of a namespace, a mount within that namespace, and a generic secret. ```hcl provider vault{} resource "vault_namespace" "secret" { path = "secret_ns" } resource "vault_mount" "secret" { namespace = vault_namespace.secret.path path = "secrets" type = "kv" options = { version = "1" } } resource "vault_generic_secret" "secret" { namespace = vault_mount.secret.namespace path = "${vault_mount.secret.path}/secret" data_json = jsonencode( { "ns" = "secret" } ) } ``` -------------------------------- ### Basic Listener Example Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/kmip_secret_listener.html.md Example HCL configuration for setting up a basic KMIP Secret listener. ```APIDOC ## Basic Listener Example ### Description This example demonstrates how to configure a basic KMIP Secret listener using the `vault_kmip_secret_backend`, `vault_kmip_secret_ca`, and `vault_kmip_secret_listener` resources. ### Method Not Applicable (Resource Configuration) ### Endpoint Not Applicable (Resource Configuration) ### Parameters See `vault_kmip_secret_listener` resource documentation for detailed parameters. ### Request Example ```hcl resource "vault_kmip_secret_backend" "default" { path = "kmip" description = "Vault KMIP backend" } resource "vault_kmip_secret_ca" "example" { path = vault_kmip_secret_backend.default.path name = "example-ca" key_type = "ec" key_bits = 256 } resource "vault_kmip_secret_listener" "example" { path = vault_kmip_secret_backend.default.path name = "example-listener" ca = vault_kmip_secret_ca.example.name address = "0.0.0.0:5696" server_hostnames = ["kmip.example.com"] } ``` ### Response #### Success Response (200) None (Resource Configuration) #### Response Example None (Resource Configuration) ``` -------------------------------- ### Basic OS Secret Backend Configuration Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/os_secret_backend.html.md This example demonstrates a basic configuration for the OS Secret backend, assuming the mount already exists. It's a minimal setup for enabling the OS Secrets Engine. ```hcl resource "vault_mount" "os" { path = "os" type = "vault-plugin-secrets-os" } resource "vault_os_secret_backend" "os" { mount = vault_mount.os.path } ``` -------------------------------- ### Example Usage: Register Plugin And Configure Host Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/os_secret_backend_host.html.md This example demonstrates how to register the OS plugin, configure the OS secrets engine mount, and then set up a host configuration. ```APIDOC ## Example Usage: Register Plugin And Configure Host ```hcl resource "vault_plugin" "os" { type = "secret" name = "vault-plugin-secrets-os" version = "v0.1.0+ent" } resource "vault_mount" "os" { path = "os" type = vault_plugin.os.name } resource "vault_os_secret_backend" "os" { mount = vault_mount.os.path } resource "vault_os_secret_backend_host" "example" { mount = vault_os_secret_backend.os.mount name = "web-server-01" address = "192.168.1.100" port = 22 } ``` ``` -------------------------------- ### Example Usage: Host with SSH Host Key Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/os_secret_backend_host.html.md This example demonstrates configuring a host with its SSH host key for enhanced security. ```APIDOC ## Example Usage: Host with SSH Host Key ```hcl resource "vault_mount" "os" { path = "os" type = "vault-plugin-secrets-os" } resource "vault_os_secret_backend" "os" { mount = vault_mount.os.path } resource "vault_os_secret_backend_host" "secure" { mount = vault_os_secret_backend.os.mount name = "secure-host" address = "192.168.1.200" port = 22 ssh_host_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC..." } ``` ``` -------------------------------- ### Example Usage: Basic Host Configuration Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/os_secret_backend_host.html.md A basic example of configuring a host for the OS secrets engine without advanced settings. ```APIDOC ## Example Usage: Basic Host Configuration ```hcl resource "vault_mount" "os" { path = "os" type = "vault-plugin-secrets-os" } resource "vault_os_secret_backend" "os" { mount = vault_mount.os.path } resource "vault_os_secret_backend_host" "example" { mount = vault_os_secret_backend.os.mount name = "web-server-01" address = "192.168.1.100" port = 22 } ``` ``` -------------------------------- ### Example Usage: Advanced Host Configuration Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/os_secret_backend_host.html.md This example shows an advanced host configuration including rotation schedules and custom metadata. ```APIDOC ## Example Usage: Advanced Host Configuration ```hcl resource "vault_mount" "os" { path = "os" type = "vault-plugin-secrets-os" } resource "vault_os_secret_backend" "os" { mount = vault_mount.os.path } resource "vault_os_secret_backend_host" "production" { mount = vault_os_secret_backend.os.mount name = "prod-db-01" address = "10.0.1.50" port = 2222 rotation_schedule = "0 2 * * *" rotation_window = 3600 custom_metadata = { environment = "production" team = "database" criticality = "high" } } ``` ``` -------------------------------- ### Initialize and Apply Basic Namespace Example Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/eval/namespace-enhancements/README.md Initializes Terraform and applies a basic example for provisioning KV secrets in multiple Vault namespaces. Ensure VAULT_TOKEN and VAULT_ADDR environment variables are set. ```shell pushd eval/namespace-enhancements/examples/basic/. terraform init terraform apply terraform output -json popd ``` -------------------------------- ### Example Usage of vault_kv_subkeys_v2 Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/d/kv_subkeys_v2.html.md This example demonstrates how to configure a KV-V2 mount, write a secret to it, and then use the vault_kv_subkeys_v2 data source to read the subkeys of that secret. ```hcl resource "vault_mount" "kvv2" { path = "kvv2" type = "kv" options = { version = "2" } description = "KV Version 2 secret engine mount" } resource "vault_kv_secret_v2" "aws_secret" { mount = vault_mount.kvv2.path name = "aws_secret" data_json = jsonencode( { zip = "zap", foo = "bar" } ) } data "vault_kv_secret_subkeys_v2" "test" { mount = vault_mount.kvv2.path name = vault_kv_secret_v2.aws_secret.name } ``` -------------------------------- ### Example Usage of vault_pki_secret_backend_cert_metadata Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/d/pki_secret_backend_cert_metadata.html.md This example demonstrates how to configure Vault resources and then use the vault_pki_secret_backend_cert_metadata data source to read certificate metadata. Ensure the 'vault_mount' and 'vault_pki_secret_backend_cert' resources are configured correctly before using this data source. ```hcl resource "vault_mount" "pki" { path = "pki" type = "pki" description = "PKI secret engine mount" } resource "vault_pki_secret_backend_root_cert" "root" { backend = vault_mount.pki.path type = "internal" common_name = "example" ttl = "86400" issuer_name = "example" } resource "vault_pki_secret_backend_role" "test" { backend = vault_pki_secret_backend_root_cert.test.backend name = "test" allowed_domains = ["test.my.domain"] allow_subdomains = true max_ttl = "3600" key_usage = ["DigitalSignature", "KeyAgreement", "KeyEncipherment"] no_store_metadata = false } resource "vault_pki_secret_backend_cert" "test" { backend = vault_pki_secret_backend_role.test.backend name = vault_pki_secret_backend_role.test.name common_name = "cert.test.my.domain" ttl = "720h" min_seconds_remaining = 60 cert_metadata = "dGVzdCBtZXRhZGF0YQ==" } data "vault_pki_secret_backend_cert_metadata" "test" { path = vault_mount.test-root.path serial = vault_pki_secret_backend_cert.test.serial_number } ``` -------------------------------- ### Example Usage of vault_pki_secret_backend_key Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/d/pki_secret_backend_key.html.md This example demonstrates how to configure a PKI secret engine mount and then use the vault_pki_secret_backend_key data source to read key data. Ensure the backend path and key reference are correctly specified. ```hcl resource "vault_mount" "pki" { path = "pki" type = "pki" description = "PKI secret engine mount" } resource "vault_pki_secret_backend_key" "key" { backend = vault_mount.pki.path type = "internal" key_name = "example" key_type = "rsa" key_bits = "4096" } data "vault_pki_secret_backend_key" "example" { backend = vault_mount.key.path key_ref = vault_pki_secret_backend_key.key.key_id } ``` -------------------------------- ### Example Usage of vault_cf_auth_login Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/ephemeral-resources/cf_auth_login.md This example demonstrates how to configure the CloudFoundry auth backend, set up its configuration and role, and then use the ephemeral vault_cf_auth_login resource to obtain a short-lived client token. It also shows how to use this token with an aliased Vault provider. ```hcl resource "vault_auth_backend" "cf" { type = "cf" path = "cf" } resource "vault_cf_auth_backend_config" "config" { mount = vault_auth_backend.cf.path identity_ca_certificates = [trimspace(file(var.ca_cert_file))] cf_api_addr = var.cf_api_addr cf_username = var.cf_username cf_password_wo = var.cf_password cf_password_wo_version = 1 } resource "vault_cf_auth_backend_role" "role" { mount = vault_auth_backend.cf.path name = "my-role" disable_ip_matching = true token_policies = ["default"] depends_on = [vault_cf_auth_backend_config.config] } ephemeral "vault_cf_auth_login" "login" { mount = vault_auth_backend.cf.path mount_id = vault_auth_backend.cf.id role = vault_cf_auth_backend_role.role.name cf_instance_cert = var.cf_instance_cert signing_time = var.signing_time signature = var.signature } # Use the ephemeral token with an aliased provider provider "vault" { alias = "cf_auth" token = ephemeral.vault_cf_auth_login.login.client_token } ``` -------------------------------- ### Basic Key Rotation Example Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/keymgmt_key_rotate.html.md This example demonstrates how to configure a Key Management secrets engine mount, define an encryption key, and then rotate that key using the vault_keymgmt_key_rotate resource. Ensure the mount and key are correctly defined before attempting rotation. ```hcl resource "vault_mount" "keymgmt" { path = "keymgmt" type = "keymgmt" } resource "vault_keymgmt_key" "encryption_key" { mount = vault_mount.keymgmt.path name = "rotation-example" type = "aes256-gcm96" } resource "vault_keymgmt_key_rotate" "rotate" { mount = vault_mount.keymgmt.path name = vault_keymgmt_key.encryption_key.name } ``` -------------------------------- ### Example Usage of vault_quota_config Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/quota_config.md This example demonstrates how to configure global rate limit settings, including enabling audit logging and response headers for a specific namespace. ```hcl resource "vault_quota_config" "global" { namespace = "ns_admin" enable_rate_limit_audit_logging = true enable_rate_limit_response_headers = true } ``` -------------------------------- ### Example Usage of vault_secrets_sync_github_apps Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/secrets_sync_github_apps.html.md This example demonstrates how to configure the vault_secrets_sync_github_apps resource to create a GitHub App for secrets synchronization. Ensure that the `app_id` and `private_key_file` variables are properly defined. ```hcl resource "vault_secrets_sync_github_apps" "github-apps" { name = "gh-apps" app_id = var.app_id private_key = file(var.privatekey_file) } ``` -------------------------------- ### Example Usage of vault_pki_secret_backend_config_scep Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/d/pki_secret_backend_config_scep.html.md This example demonstrates how to use the vault_pki_secret_backend_config_scep data source to read SCEP configuration. It first defines a PKI secret engine mount and then uses the data source to retrieve its SCEP configuration. ```hcl resource "vault_mount" "pki" { path = "pki" type = "pki" description = "PKI secret engine mount" } data "vault_pki_secret_backend_config_scep" "scep_config" { backend = vault_mount.pki.path } ``` -------------------------------- ### Example Usage of vault_pki_secret_backend_config_acme Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/pki_secret_backend_config_acme.html.md This example demonstrates how to configure the ACME settings for a PKI secret backend. It includes the creation of a PKI mount and a cluster configuration before setting up the ACME configuration. ```hcl resource "vault_mount" "pki" { path = "pki" type = "pki" default_lease_ttl_seconds = 3600 max_lease_ttl_seconds = 86400 } resource "vault_pki_secret_backend_config_cluster" "pki_config_cluster" { backend = vault_mount.pki.path path = "http://127.0.0.1:8200/v1/pki" aia_path = "http://127.0.0.1:8200/v1/pki" } resource "vault_pki_secret_backend_config_acme" "example" { backend = vault_mount.pki.path enabled = true allowed_issuers = ["*"] allowed_roles = ["*"] allow_role_ext_key_usage = false default_directory_policy = "sign-verbatim" dns_resolver = "" eab_policy = "not-required" } ``` -------------------------------- ### Example Usage of vault_pki_secret_backend_issuer Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/d/pki_secret_backend_issuer.html.md This example demonstrates how to configure a PKI secret backend, create a root certificate, and then use the vault_pki_secret_backend_issuer data source to read issuer information. ```hcl resource "vault_mount" "pki" { path = "pki" type = "pki" description = "PKI secret engine mount" } resource "vault_pki_secret_backend_root_cert" "root" { backend = vault_mount.pki.path type = "internal" common_name = "example" ttl = "86400" issuer_name = "example" } data "vault_pki_secret_backend_issuer" "example" { backend = vault_pki_secret_backend_root_cert.root.path issuer_ref = vault_pki_secret_backend_root_cert.root.issuer_id } ``` -------------------------------- ### Example Usage with Identifiers Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/pki_external_ca_secret_backend_order.html.md This example demonstrates how to create a PKI External CA secret backend mount, an ACME account, a role, and then an order using domain identifiers. Ensure the `vault_mount`, `vault_pki_external_ca_secret_backend_acme_account`, and `vault_pki_external_ca_secret_backend_role` resources are configured before creating the order. ```hcl resource "vault_mount" "pki-external-ca" { path = "pki-external-ca" type = "pki-external-ca" } resource "vault_pki_external_ca_secret_backend_acme_account" "example" { mount = vault_mount.pki-external-ca.path name = "my-acme-account" directory_url = "https://acme-v02.api.letsencrypt.org/directory" email_contacts = [ "admin@example.com" ] } resource "vault_pki_external_ca_secret_backend_role" "example" { mount = vault_mount.pki-external-ca.path name = "example-role" acme_account_name = vault_pki_external_ca_secret_backend_acme_account.example.name allowed_domains = ["example.com"] allowed_domain_options = ["bare_domains", "subdomains"] } resource "vault_pki_external_ca_secret_backend_order" "example" { mount = vault_mount.pki-external-ca.path role_name = vault_pki_external_ca_secret_backend_role.example.name identifiers = [ "www.example.com", "api.example.com" ] } ``` -------------------------------- ### Example Usage of vault_pki_secret_backend_issuers Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/d/pki_secret_backend_issuers.html.md This example demonstrates how to configure a PKI secret engine, generate a root certificate, and then use the `vault_pki_secret_backend_issuers` data source to list the issuers associated with that backend. Ensure the `vault_mount` and `vault_pki_secret_backend_root_cert` resources are configured before using this data source. ```hcl resource "vault_mount" "pki" { path = "pki" type = "pki" description = "PKI secret engine mount" } resource "vault_pki_secret_backend_root_cert" "root" { backend = vault_mount.pki.path type = "internal" common_name = "example" ttl = "86400" issuer_name = "example" } data "vault_pki_secret_backend_issuers" "test" { backend = vault_pki_secret_backend_root_cert.root.backend } ``` -------------------------------- ### Example Usage Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/pki_external_ca_secret_backend_acme_account.html.md Basic configuration for the vault_pki_external_ca_secret_backend_acme_account resource. ```APIDOC ## Example Usage ```hcl resource "vault_mount" "pki-external-ca" { path = "pki-external-ca" type = "pki-external-ca" } resource "vault_pki_external_ca_secret_backend_acme_account" "example" { mount = vault_mount.pki-external-ca.path name = "my-acme-account" directory_url = "https://acme-v02.api.letsencrypt.org/directory" email_contacts = [ "admin@example.com" ] key_type = "ec-256" } ``` ``` -------------------------------- ### Example Usage of vault_azure_access_credentials Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/d/azure_access_credentials.html.md This example demonstrates how to use the vault_azure_access_credentials data source to fetch Azure credentials and then configure the Azure provider with them. It includes options for validating credentials and setting validation parameters. ```hcl data "vault_azure_access_credentials" "creds" { role = "my-role" validate_creds = true num_sequential_successes = 8 num_seconds_between_tests = 1 max_cred_validation_seconds = 300 } provider "azure" { client_id = data.vault_azure_access_credentials.creds.client_id client_secret = data.vault_azure_access_credentials.creds.client_secret } ``` -------------------------------- ### Example Usage of vault_aws_auth_backend_role_tag Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/aws_auth_backend_role_tag.html.md This example demonstrates how to configure an AWS auth backend, define a role, and then read role tag information using the vault_aws_auth_backend_role_tag resource. Ensure the backend and role are correctly configured before applying. ```hcl resource "vault_auth_backend" "aws" { path = "%s" type = "aws" } resource "vault_aws_auth_backend_role" "role" { backend = vault_auth_backend.aws.path role = "%s" auth_type = "ec2" bound_account_id = "123456789012" policies = ["dev", "prod", "qa", "test"] role_tag = "VaultRoleTag" } resource "vault_aws_auth_backend_role_tag" "test" { backend = vault_auth_backend.aws.path role = vault_aws_auth_backend_role.role.role policies = ["prod", "dev", "test"] max_ttl = "1h" instance_id = "i-1234567" } ``` -------------------------------- ### Example Usage of vault_ldap_static_credentials Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/d/ldap_static_role_credentials.html.md This example demonstrates how to configure an LDAP secret backend, define a static role, and then use the vault_ldap_static_credentials data source to read credentials for that role. Ensure the backend and role are properly configured before using the data source. ```hcl resource "vault_ldap_secret_backend" "test" { binddn = "..." bindpass = "..." url = "..." } resource "vault_ldap_secret_backend_static_role" "role" { mount = vault_ldap_secret_backend.test.path username = "alice" role_name = "alice" rotation_period = 60 } data "vault_ldap_static_credentials" "creds" { mount = vault_ldap_secret_backend.test.path role_name = vault_ldap_secret_backend_static_role.role.role_name } ``` -------------------------------- ### Example Usage of vault_transit_sign Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/d/transit_sign.html.md This data source can be used to generate a signature using a Vault Transit key. Ensure the 'path' and 'key' arguments are correctly configured for your Vault setup. ```hcl data "vault_transit_sign" "test" { path = "transit" key = "test" input = "aGVsbG8gd29ybGQ=" } ``` -------------------------------- ### Basic Transformation Configuration Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/transform_transformation.html.md This example demonstrates how to create a basic transformation resource, specifying its path, name, type, template, tweak source, and allowed roles. Ensure the 'transform' secrets engine is mounted first. ```hcl resource "vault_mount" "example" { path = "transform" type = "transform" } resource "vault_transform_transformation" "example" { path = vault_mount.example.path name = "ccn-fpe" type = "fpe" template = "ccn" tweak_source = "internal" allowed_roles = ["payments"] } ``` -------------------------------- ### Example Usage of vault_kv_secrets_list Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/d/kv_secrets_list.html.md This example demonstrates how to use the vault_kv_secrets_list data source to list secrets. It first sets up a KV Version 1 mount and then creates two example secrets before listing them. ```hcl resource "vault_mount" "kvv1" { path = "kvv1" type = "kv" options = { version = "1" } description = "KV Version 1 secret engine mount" } resource "vault_kv_secret" "aws_secret" { path = "${vault_mount.kvv1.path}/aws-secret" data_json = jsonencode( { zip = "zap" } ) } resource "vault_kv_secret" "azure_secret" { path = "${vault_mount.kvv1.path}/azure-secret" data_json = jsonencode( { foo = "bar" } ) } data "vault_kv_secrets_list" "secrets" { path = vault_mount.kvv1.path depends_on = [vault_kv_secret.aws_secret, vault_kv_secret.azure_secret] } ``` -------------------------------- ### Terraform Import Example Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/raft_snapshot_agent_config.html.md Example of how to import an existing Raft Snapshot Agent Configuration into Terraform. ```bash $ terraform import vault_raft_snapshot_agent_config.local local ``` -------------------------------- ### Register Plugin and Configure Account Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/os_secret_backend_account.html.md This example demonstrates registering the OS Secrets Engine plugin, mounting it, configuring a host, and then creating an account with an initial password. The `password_wo` field is write-only and set during creation. ```hcl resource "vault_plugin" "os" { type = "secret" name = "vault-plugin-secrets-os" version = "v0.1.0+ent" } resource "vault_mount" "os" { path = "os" type = vault_plugin.os.name } resource "vault_os_secret_backend" "os" { mount = vault_mount.os.path } resource "vault_os_secret_backend_host" "server" { mount = vault_os_secret_backend.os.mount name = "web-server" address = "192.168.1.100" port = 22 } resource "vault_os_secret_backend_account" "admin" { mount = vault_os_secret_backend.os.mount host = vault_os_secret_backend_host.server.name name = "admin-account" username = "admin" password_wo = "initial-secure-password-123" } ``` -------------------------------- ### Configure SPIFFE Auth Backend Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/spiffe_auth_backend_config.html.md This example shows how to configure the SPIFFE auth backend, including setting the mount path and tune options. Ensure the mount path is correctly defined for subsequent configurations. ```hcl resource "vault_auth_backend" "spiffe_mount" { type = "spiffe" path = "spiffe" tune { passthrough_request_headers = ["Authorization"] } } ``` -------------------------------- ### Example Usage of vault_pki_secret_backend_keys Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/d/pki_secret_backend_keys.html.md This example demonstrates how to configure a PKI secret backend, create a root certificate, and then use the vault_pki_secret_backend_keys data source to retrieve information about the keys associated with that backend. Ensure the 'vault_mount' and 'vault_pki_secret_backend_root_cert' resources are defined before using this data source. ```hcl resource "vault_mount" "pki" { path = "pki" type = "pki" description = "PKI secret engine mount" } resource "vault_pki_secret_backend_root_cert" "root" { backend = vault_mount.pki.path type = "internal" common_name = "example" ttl = "86400" key_name = "example" } data "vault_pki_secret_backend_keys" "example" { backend = vault_pki_secret_backend_root_cert.root.backend } ``` -------------------------------- ### Destroy Basic Namespace Example Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/eval/namespace-enhancements/README.md Destroys the resources provisioned by the basic Vault namespace enhancement example. ```shell pushd eval/namespace-enhancements/examples/basic/. terraform destroy popd ``` -------------------------------- ### Listener with Advanced TLS Configuration Example Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/kmip_secret_listener.html.md Example HCL configuration for a KMIP Secret listener with advanced TLS settings. ```APIDOC ## Listener with Advanced TLS Configuration Example ### Description This example shows an advanced configuration for a KMIP Secret listener, including multiple CAs, specific TLS versions, and cipher suites. ### Method Not Applicable (Resource Configuration) ### Endpoint Not Applicable (Resource Configuration) ### Parameters See `vault_kmip_secret_listener` resource documentation for detailed parameters. ### Request Example ```hcl resource "vault_kmip_secret_backend" "default" { path = "kmip" description = "Vault KMIP backend" } resource "vault_kmip_secret_ca" "primary" { path = vault_kmip_secret_backend.default.path name = "primary-ca" key_type = "rsa" key_bits = 4096 } resource "vault_kmip_secret_ca" "secondary" { path = vault_kmip_secret_backend.default.path name = "secondary-ca" key_type = "ec" key_bits = 256 } resource "vault_kmip_secret_listener" "advanced" { path = vault_kmip_secret_backend.default.path name = "advanced-listener" ca = vault_kmip_secret_ca.primary.name address = "0.0.0.0:5696" additional_client_cas = [vault_kmip_secret_ca.secondary.name] also_use_legacy_ca = true server_ips = ["192.168.1.100", "10.0.0.50"] server_hostnames = ["kmip.example.com", "kmip-backup.example.com"] tls_min_version = "tls13" tls_cipher_suites = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" } ``` ### Response #### Success Response (200) None (Resource Configuration) #### Response Example None (Resource Configuration) ``` -------------------------------- ### Example Usage of vault_alicloud_auth_backend_role Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/alicloud_auth_backend_role.md Demonstrates how to create an AliCloud auth backend and a role associated with it. Ensure the vault_auth_backend resource is configured before creating the role. ```hcl resource "vault_auth_backend" "alicloud" { type = "alicloud" path = "alicloud" } resource "vault_alicloud_auth_backend_role" "alicloud" { backend = vault_auth_backend.alicloud.path role = "example" arn = "acs:ram:123456:tf:role/foobar" } ``` -------------------------------- ### Example Usage of vault_ssh_secret_backend_ca Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/ssh_secret_backend_ca.html.md This example demonstrates how to configure the vault_ssh_secret_backend_ca resource. It requires a vault_mount resource of type 'ssh' to be defined first. ```hcl resource "vault_mount" "example" { type = "ssh" } resource "vault_ssh_secret_backend_ca" "foo" { backend = vault_mount.example.path } ``` -------------------------------- ### Advanced Host Configuration Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/os_secret_backend_host.html.md This example demonstrates advanced host configuration, including setting a rotation schedule, rotation window, and custom metadata. Use this for hosts requiring specific rotation policies or additional tracking information. ```hcl resource "vault_mount" "os" { path = "os" type = "vault-plugin-secrets-os" } resource "vault_os_secret_backend" "os" { mount = vault_mount.os.path } resource "vault_os_secret_backend_host" "production" { mount = vault_os_secret_backend.os.mount name = "prod-db-01" address = "10.0.1.50" port = 2222 rotation_schedule = "0 2 * * *" rotation_window = 3600 custom_metadata = { environment = "production" team = "database" criticality = "high" } } ``` -------------------------------- ### Example Usage of vault_kv_secret_backend_v2 Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/kv_secret_backend_v2.html.md Demonstrates how to configure a KV-V2 secret engine mount and then set its backend-level configurations using the vault_kv_secret_backend_v2 resource. Ensure the vault_mount resource is defined first. ```hcl resource "vault_mount" "kvv2" { path = "kvv2" type = "kv" options = { version = "2" } description = "KV Version 2 secret engine mount" } resource "vault_kv_secret_backend_v2" "example" { mount = vault_mount.kvv2.path max_versions = 5 delete_version_after = 12600 cas_required = true } ``` -------------------------------- ### Example Usage of vault_terraform_cloud_secret_creds Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/terraform_cloud_secret_creds.html.md This example demonstrates how to configure the Terraform Cloud backend, define a role, and then generate credentials using the vault_terraform_cloud_secret_creds resource. ```hcl resource "vault_terraform_cloud_secret_backend" "test" { backend = "terraform" description = "Manages the Terraform Cloud backend" token = "V0idfhi2iksSDU234ucdbi2nidsi..." } resource "vault_terraform_cloud_secret_role" "example" { backend = vault_terraform_cloud_secret_backend.test.backend name = "test-role" organization = "example-organization-name" team_id = "team-ieF4isC..." } resource "vault_terraform_cloud_secret_creds" "token" { backend = vault_terraform_cloud_secret_backend.test.backend role = vault_terraform_cloud_secret_role.example.name } ``` -------------------------------- ### Vault Transform Encode Example Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/d/transform_encode.html.md This example demonstrates how to configure Vault resources for transformations and then use the vault_transform_encode data source to encode data. ```hcl resource "vault_mount" "transform" { path = "transform" type = "transform" } resource "vault_transform_transformation" "ccn-fpe" { path = vault_mount.transform.path name = "ccn-fpe" type = "fpe" template = "builtin/creditcardnumber" tweak_source = "internal" allowed_roles = ["payments"] } resource "vault_transform_role" "payments" { path = vault_transform_transformation.ccn-fpe.path name = "payments" transformations = ["ccn-fpe"] } data "vault_transform_encode" "test" { path = vault_transform_role.payments.path role_name = "payments" batch_input = [{"value":"1111-2222-3333-4444"}] } ``` -------------------------------- ### Example Usage of vault_transform_decode Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/d/transform_decode.html.md This example demonstrates how to configure Vault resources for transformations and roles, and then use the vault_transform_decode data source to decode a value. ```hcl resource "vault_mount" "transform" { path = "transform" type = "transform" } resource "vault_transform_transformation" "ccn-fpe" { path = vault_mount.transform.path name = "ccn-fpe" type = "fpe" template = "builtin/creditcardnumber" tweak_source = "internal" allowed_roles = ["payments"] } resource "vault_transform_role" "payments" { path = vault_transform_transformation.ccn-fpe.path name = "payments" transformations = ["ccn-fpe"] } data "vault_transform_decode" "test" { path = vault_transform_role.payments.path role_name = "payments" value = "9300-3376-4943-8903" } ``` -------------------------------- ### Google Cloud Storage Service Account Key Example Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/raft_snapshot_agent_config.html.md Example of a Google service account key in JSON format for GCS bucket authentication. ```json { "type": "service_account", "project_id": "project-id", "private_key_id": "key-id", "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... /WZs=\n-----END RSA PRIVATE KEY-----", "client_email": "service-account-email", "client_id": "client-id", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://accounts.google.com/o/oauth2/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email" } ``` -------------------------------- ### Example Usage of vault_gcp_secret_impersonated_account Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/gcp_secret_impersonated_account.html.md This example demonstrates how to create a GCP impersonated account using the Vault provider. It requires a google_service_account and a vault_gcp_secret_backend to be configured first. ```hcl resource "google_service_account" "this" { account_id = "my-awesome-account" } resource "vault_gcp_secret_backend" "gcp" { path = "gcp" credentials = "${file("credentials.json")}" } resource "vault_gcp_secret_impersonated_account" "impersonated_account" { backend = vault_gcp_secret_backend.gcp.path impersonated_account = "this" service_account_email = google_service_account.this.email token_scopes = ["https://www.googleapis.com/auth/cloud-platform"] } ``` -------------------------------- ### Configure SAML Auth Backend and Role Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/saml_auth_backend_role.html.md Example of setting up a SAML auth backend and then defining a role for it. Ensure the SAML auth backend is configured before creating roles. ```hcl resource "vault_saml_auth_backend" "example" { path = "saml" idp_metadata_url = "https://company.okta.com/app/abc123eb9xnIfzlaf697/sso/saml/metadata" entity_id = "https://my.vault/v1/auth/saml" acs_urls = ["https://my.vault.primary/v1/auth/saml/callback"] default_role = "default-role" } resource "vault_saml_auth_backend_role" "example" { path = vault_saml_auth_backend.example.path name = "my-role" groups_attribute = "groups" bound_attributes = { group = "admin" } bound_subjects = ["*example.com"] token_policies = ["writer"] token_ttl = 86400 } ``` -------------------------------- ### Reading a Secret with Lease Start Time Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/ephemeral-resources/generic_secret.html.md Demonstrates how to include the lease start time when reading an ephemeral secret. Set `with_lease_start_time` to `true` to capture this information. ```hcl ephemeral "vault_generic_secret" "example" { path = "secret/data/app" with_lease_start_time = true } # Access lease information output "lease_start" { value = ephemeral.vault_generic_secret.example.lease_start_time } ``` -------------------------------- ### Create OIDC Client and Read Credentials Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/d/identity_oidc_client_creds.html.md This example demonstrates how to create an OIDC client using the `vault_identity_oidc_client` resource and then read its credentials using the `vault_identity_oidc_client_creds` data source. Ensure sensitive data is protected as it may be written to the state file and console output. ```hcl resource "vault_identity_oidc_client" "app" { name = "application" redirect_uris = [ "http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback", "http://127.0.0.1:8251/callback", "http://127.0.0.1:8080/callback" ] id_token_ttl = 2400 access_token_ttl = 7200 } data "vault_identity_oidc_client_creds" "creds" { name = vault_identity_oidc_client.app.name } ``` -------------------------------- ### Vault PKI Secret Backend Intermediate Set Signed Example Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/pki_secret_backend_intermediate_set_signed.html.md This example demonstrates how to configure the vault_pki_secret_backend_intermediate_set_signed resource. It assumes prior configuration of vault_mount and vault_pki_secret_backend_root_sign_intermediate resources. ```hcl resource "vault_mount" "root" { path = "pki-root" type = "pki" description = "root" default_lease_ttl_seconds = 8640000 max_lease_ttl_seconds = 8640000 } resource "vault_mount" "intermediate" { path = "pki-int" type = vault_mount.root.type description = "intermediate" default_lease_ttl_seconds = 86400 max_lease_ttl_seconds = 86400 } resource "vault_pki_secret_backend_root_cert" "example" { backend = vault_mount.root.path type = "internal" common_name = "RootOrg Root CA" ttl = 86400 format = "pem" private_key_format = "der" key_type = "rsa" key_bits = 4096 exclude_cn_from_sans = true ou = "Organizational Unit" organization = "RootOrg" country = "US" locality = "San Francisco" province = "CA" } resource "vault_pki_secret_backend_intermediate_cert_request" "example" { backend = vault_mount.intermediate.path type = vault_pki_secret_backend_root_cert.example.type common_name = "SubOrg Intermediate CA" } resource "vault_pki_secret_backend_root_sign_intermediate" "example" { backend = vault_mount.root.path csr = vault_pki_secret_backend_intermediate_cert_request.example.csr common_name = "SubOrg Intermediate CA" exclude_cn_from_sans = true ou = "SubUnit" organization = "SubOrg" country = "US" locality = "San Francisco" province = "CA" revoke = true } resource "vault_pki_secret_backend_intermediate_set_signed" "example" { backend = vault_mount.intermediate.path certificate = vault_pki_secret_backend_root_sign_intermediate.example.certificate } ``` -------------------------------- ### Register Plugin and Configure Host Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/os_secret_backend_host.html.md This example demonstrates registering the OS secrets engine plugin and then configuring a host. It requires Vault 2.0.0 or later and the external OS plugin to be registered. ```hcl resource "vault_plugin" "os" { type = "secret" name = "vault-plugin-secrets-os" version = "v0.1.0+ent" } resource "vault_mount" "os" { path = "os" type = vault_plugin.os.name } resource "vault_os_secret_backend" "os" { mount = vault_mount.os.path } resource "vault_os_secret_backend_host" "example" { mount = vault_os_secret_backend.os.mount name = "web-server-01" address = "192.168.1.100" port = 22 } ``` -------------------------------- ### Example Usage of vault_keymgmt_replicate_key Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/keymgmt_replicate_key.html.md This example demonstrates how to configure a key management mount, create a multi-region key, set up an AWS KMS provider, distribute the key, and then replicate it across regions. Ensure Vault Enterprise and a configured AWS KMS provider are prerequisites. ```hcl resource "vault_mount" "keymgmt" { path = "keymgmt" type = "keymgmt" } resource "vault_keymgmt_key" "key" { mount = vault_mount.keymgmt.path name = "multi-region-key" type = "aes256-gcm96" replica_regions = ["us-east-1", "eu-west-1"] } resource "vault_keymgmt_aws_kms" "aws" { mount = vault_mount.keymgmt.path name = "aws-kms" key_collection = "us-west-2" credentials_wo = { access_key = var.aws_access_key_id secret_key = var.aws_secret_access_key } credentials_wo_version = 1 } resource "vault_keymgmt_distribute_key" "dist" { mount = vault_mount.keymgmt.path kms_name = vault_keymgmt_aws_kms.aws.name key_name = vault_keymgmt_key.key.name purpose = ["encrypt", "decrypt"] } resource "vault_keymgmt_replicate_key" "replicate" { mount = vault_mount.keymgmt.path kms_name = vault_keymgmt_aws_kms.aws.name key_name = vault_keymgmt_key.key.name depends_on = [vault_keymgmt_distribute_key.dist] } ``` -------------------------------- ### Example: Resetting Admin Account Password Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/os_secret_backend_account.html.md This example shows a practical application of the Vault CLI command to reset the password for a specific admin account on a web-server host. ```bash # Reset password for the admin account on web-server host vault write os/hosts/web-server/accounts/admin-account/reset password="new-secure-password" ``` -------------------------------- ### KV Version 2 Example Source: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/ephemeral-resources/generic_secret.html.md Shows how to read a KV version 2 secret and access its data. This example uses vault_kv_secret_v2 to manage the secret and then reads it ephemerally. ```hcl resource "vault_mount" "kvv2" { path = "kvv2" type = "kv" options = { version = "2" } } resource "vault_kv_secret_v2" "example" { mount = vault_mount.kvv2.path name = "creds" data_json = jsonencode({ api_key = "my-api-key" region = "us-west-2" }) } ephemeral "vault_generic_secret" "example" { path = "${vault_mount.kvv2.path}/data/${vault_kv_secret_v2.example.name}" } # Access the ephemeral secret data output "api_key" { value = ephemeral.vault_generic_secret.example.data["api_key"] sensitive = true } ```