» vault_ssh_secret_backend_role

Provides a resource to manage roles in an SSH secret backend SSH secret backend within Vault.

» Example Usage

resource "vault_mount" "example" {
  type = "ssh"
}

resource "vault_ssh_secret_backend_role" "foo" {
    name                    = "my-role"
    backend                 = "${vault_mount.example.path}"
    key_type                = "ca"
    allow_user_certificates = true
}

resource "vault_ssh_secret_backend_role" "bar" {
    name          = "otp-role"
    backend       = "${vault_mount.example.path}"
    key_type      = "otp"
    default_user  = "default"
    allowed_users = "default,baz"
    cidr_list     = "0.0.0.0/0"
}

» Argument Reference

The following arguments are supported:

  • name - (Required) Specifies the name of the role to create.

  • backend - (Required) The path where the SSH secret backend is mounted.

  • key_type - (Required) Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca.

  • allow_bare_domains - (Optional) Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains.

  • allow_host_certificates - (Optional) Specifies if certificates are allowed to be signed for use as a 'host'.

  • allow_subdomains - (Optional) Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains.

  • allow_user_certificates - (Optional) Specifies if certificates are allowed to be signed for use as a 'user'.

  • allow_user_key_ids - (Optional) Specifies if users can override the key ID for a signed certificate with the key_id field.

  • allowed_critical_options - (Optional) Specifies a comma-separated list of critical options that certificates can have when signed.

  • allowed_domains - (Optional) The list of domains for which a client can request a host certificate.

  • cidr_list - (Optional) The comma-separated string of CIDR blocks for which this role is applicable.

  • allowed_extensions - (Optional) Specifies a comma-separated list of extensions that certificates can have when signed.

  • default_extensions - (Optional) Specifies a map of extensions that certificates have when signed.

  • default_critical_options - (Optional) Specifies a map of critical options that certificates have when signed.

  • allowed_users - (Optional) Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.

  • default_user - (Optional) Specifies the default username for which a credential will be generated.

  • key_id_format - (Optional) Specifies a custom format for the key id of a signed certificate.

  • allowed_user_key_lengths - (Optional) Specifies a map of ssh key types and their expected sizes which are allowed to be signed by the CA type.

  • max_ttl - (Optional) Specifies the Time To Live value.

  • ttl - (Optional) Specifies the maximum Time To Live value.

» Attributes Reference

No additional attributes are exposed by this resource.

» Import

SSH secret backend roles can be imported using the path, e.g.

$ terraform import vault_ssh_secret_backend_role.foo ssh/roles/my-role