{"id":15155655,"url":"https://github.com/0opsops/terraform-vault-secmgmt","last_synced_at":"2026-01-20T16:02:00.146Z","repository":{"id":37686999,"uuid":"497550198","full_name":"0opsops/terraform-vault-secmgmt","owner":"0opsops","description":"Terraform module to manage HashiCorp Vault Secrets!","archived":false,"fork":false,"pushed_at":"2024-06-16T13:51:58.000Z","size":5364,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-05T16:47:54.954Z","etag":null,"topics":["aws-assume-role","aws-iam-user","aws-secret-engine","hashicorp-terraform","hashicorp-vault","jwt-auth","k8s-auth","kv-secret-engine","kv-store","oidc-auth","vault-policies","vault-roles"],"latest_commit_sha":null,"homepage":"https://registry.terraform.io/modules/0opsops/secmgmt/vault/latest","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0opsops.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-05-29T09:55:30.000Z","updated_at":"2024-06-16T21:02:42.000Z","dependencies_parsed_at":"2024-05-02T05:35:17.276Z","dependency_job_id":"d54d71b9-a1eb-4125-9df7-7322bfa773de","html_url":"https://github.com/0opsops/terraform-vault-secmgmt","commit_stats":{"total_commits":27,"total_committers":4,"mean_commits":6.75,"dds":0.4444444444444444,"last_synced_commit":"50317e889ae52104b7bb5b42a92bdb3b34f5446f"},"previous_names":[],"tags_count":12,"template":false,"template_full_name":null,"purl":"pkg:github/0opsops/terraform-vault-secmgmt","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitH
ub/repositories/0opsops%2Fterraform-vault-secmgmt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0opsops%2Fterraform-vault-secmgmt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0opsops%2Fterraform-vault-secmgmt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0opsops%2Fterraform-vault-secmgmt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0opsops","download_url":"https://codeload.github.com/0opsops/terraform-vault-secmgmt/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0opsops%2Fterraform-vault-secmgmt/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28606290,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-20T14:45:23.139Z","status":"ssl_error","status_checked_at":"2026-01-20T14:44:16.929Z","response_time":117,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws-assume-role","aws-iam-user","aws-secret-engine","hashicorp-terraform","hashicorp-vault","jwt-auth","k8s-auth","kv-secret-engine","kv-store","oidc-auth","vault-policies","vault-roles"],"created_at":"2024-09-26T18:41:46.801Z","updated_at":"2026-01-20T16:02:00.129Z","avatar_url":"https://github.com/0opsops.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Managing HashiCorp Vault Secrets with **Terraform**\n\n## Multi-cluster Kubernetes authentication, multi-account AWS `assumed_role` credentials and generated `IAM Users` for CI/CD, on top of a pre-existing Vault\n## [Just like this!](https://github.com/0opsops/terraform-vault-secmgmt/tree/main/examples#senario-brief)\n\n### Auth Methods\n\n- USERPASS (UI)\n- OIDC (UI)\n- AWS\n- JWT (GitLab, GitHub)\n- KUBERNETES\n\n### Secrets Engines\n\n- KV-V2\n- AWS\n\n## Caveat: every secret value this module manages (KV-V2 data, `userpass` passwords, OIDC client secrets, AWS access and secret keys, Kubernetes token reviewer JWTs) is passed in as a plain input variable, so it ends up in `terraform.tfvars` and, whichever file or environment variable you load it from, in the Terraform state. That is hard to manage at scale, and the tfvars file and the state backend must be access-controlled and encrypted at rest as strictly as Vault itself.\n\n
________________________________________________________________\n\n## Requirements\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"requirement_terraform\"\u003e\u003c/a\u003e [terraform](#requirement\\_terraform) | \u003e= v1.6.5 |\n| \u003ca name=\"requirement_vault\"\u003e\u003c/a\u003e [vault](#requirement\\_vault) | \u003e= 4.2.0 |\n\n## Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_vault\"\u003e\u003c/a\u003e [vault](#provider\\_vault) | \u003e= 4.2.0 |\n\n## Modules\n\nNo modules.\n\n## Resources\n\n| Name | Type |\n|------|------|\n| [vault_auth_backend.kubernetes](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/auth_backend) | resource |\n| [vault_auth_backend.this](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/auth_backend) | resource |\n| [vault_auth_backend.user](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/auth_backend) | resource |\n| [vault_auth_backend.userpass](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/auth_backend) | resource |\n| [vault_aws_auth_backend_sts_role.this](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/aws_auth_backend_sts_role) | resource |\n| [vault_aws_auth_backend_sts_role.user](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/aws_auth_backend_sts_role) | resource |\n| [vault_aws_secret_backend.this](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/aws_secret_backend) | resource |\n| [vault_aws_secret_backend.user](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/aws_secret_backend) | resource |\n| [vault_aws_secret_backend_role.this](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/aws_secret_backend_role) | resource |\n| 
[vault_aws_secret_backend_role.user](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/aws_secret_backend_role) | resource |\n| [vault_generic_endpoint.users](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/generic_endpoint) | resource |\n| [vault_identity_group.oidc](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_group) | resource |\n| [vault_identity_group_alias.oidc](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_group_alias) | resource |\n| [vault_jwt_auth_backend.gh](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/jwt_auth_backend) | resource |\n| [vault_jwt_auth_backend.oidc](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/jwt_auth_backend) | resource |\n| [vault_jwt_auth_backend.this](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/jwt_auth_backend) | resource |\n| [vault_jwt_auth_backend_role.account](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/jwt_auth_backend_role) | resource |\n| [vault_jwt_auth_backend_role.actions](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/jwt_auth_backend_role) | resource |\n| [vault_jwt_auth_backend_role.actions_sec](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/jwt_auth_backend_role) | resource |\n| [vault_jwt_auth_backend_role.oidc](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/jwt_auth_backend_role) | resource |\n| [vault_jwt_auth_backend_role.secret](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/jwt_auth_backend_role) | resource |\n| [vault_kubernetes_auth_backend_config.kubernetes](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/kubernetes_auth_backend_config) | resource |\n| 
[vault_kubernetes_auth_backend_role.kubernetes](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/kubernetes_auth_backend_role) | resource |\n| [vault_kv_secret_v2.this](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/kv_secret_v2) | resource |\n| [vault_mount.this](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/mount) | resource |\n| [vault_policy.this](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_access_key\"\u003e\u003c/a\u003e [access\\_key](#input\\_access\\_key) | AWS Assumed Role access key | `string` | `\"ACCESS_KEY\"` | no |\n| \u003ca name=\"input_access_key_user\"\u003e\u003c/a\u003e [access\\_key\\_user](#input\\_access\\_key\\_user) | AWS Access Key with necessary permissions | `string` | `\"ACCESS_KEY\"` | no |\n| \u003ca name=\"input_auth_backend_role\"\u003e\u003c/a\u003e [auth\\_backend\\_role](#input\\_auth\\_backend\\_role) | Role that will be used by Vault authenticating AWS | \u003cpre\u003emap(object({\u003cbr\u003e    account_id = number\u003cbr\u003e    sts_role   = string\u003cbr\u003e  }))\u003c/pre\u003e | \u003cpre\u003e{\u003cbr\u003e  \"key\": {\u003cbr\u003e    \"account_id\": 123456789012,\u003cbr\u003e    \"sts_role\": \"arn:aws:iam::123456789012:role/ROLE_NAME\"\u003cbr\u003e  }\u003cbr\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_auth_backend_role_user\"\u003e\u003c/a\u003e [auth\\_backend\\_role\\_user](#input\\_auth\\_backend\\_role\\_user) | If enabled, This Role that will be used by Vault authenticating and performing necessary actions | \u003cpre\u003emap(object({\u003cbr\u003e    account_id = number\u003cbr\u003e    sts_role   = string\u003cbr\u003e  }))\u003c/pre\u003e | \u003cpre\u003e{\u003cbr\u003e  \"key\": {\u003cbr\u003e    
\"account_id\": 13456789012,\u003cbr\u003e    \"sts_role\": \"value\"\u003cbr\u003e  }\u003cbr\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_aws_auth_path\"\u003e\u003c/a\u003e [aws\\_auth\\_path](#input\\_aws\\_auth\\_path) | AWS Authentication Methods path | `string` | `\"aws\"` | no |\n| \u003ca name=\"input_aws_auth_path_user\"\u003e\u003c/a\u003e [aws\\_auth\\_path\\_user](#input\\_aws\\_auth\\_path\\_user) | AWS IAM user Authentication Methods path | `string` | `\"account_b\"` | no |\n| \u003ca name=\"input_aws_secret_path\"\u003e\u003c/a\u003e [aws\\_secret\\_path](#input\\_aws\\_secret\\_path) | AWS Secret Engine path for Assumed Role | `string` | `\"aws\"` | no |\n| \u003ca name=\"input_aws_secret_path_user\"\u003e\u003c/a\u003e [aws\\_secret\\_path\\_user](#input\\_aws\\_secret\\_path\\_user) | AWS Secret engine path for IAM User | `string` | `\"account_b\"` | no |\n| \u003ca name=\"input_bound_issuer\"\u003e\u003c/a\u003e [bound\\_issuer](#input\\_bound\\_issuer) | The value against which to match the iss claim in a JWT | `string` | `\"gitlab.com\"` | no |\n| \u003ca name=\"input_create_auth_backend_role\"\u003e\u003c/a\u003e [create\\_auth\\_backend\\_role](#input\\_create\\_auth\\_backend\\_role) | Enable STS role or not for Vault | `bool` | `false` | no |\n| \u003ca name=\"input_create_auth_backend_role_user\"\u003e\u003c/a\u003e [create\\_auth\\_backend\\_role\\_user](#input\\_create\\_auth\\_backend\\_role\\_user) | Enable STS role or not on Vault | `bool` | `false` | no |\n| \u003ca name=\"input_create_aws_auth_backend\"\u003e\u003c/a\u003e [create\\_aws\\_auth\\_backend](#input\\_create\\_aws\\_auth\\_backend) | Enable AWS Auth method or not | `bool` | n/a | yes |\n| \u003ca name=\"input_create_aws_auth_backend_user\"\u003e\u003c/a\u003e [create\\_aws\\_auth\\_backend\\_user](#input\\_create\\_aws\\_auth\\_backend\\_user) | Enable AWS Auth method or not | `bool` | n/a | yes |\n| \u003ca 
name=\"input_create_aws_secret_backend\"\u003e\u003c/a\u003e [create\\_aws\\_secret\\_backend](#input\\_create\\_aws\\_secret\\_backend) | Enable AWS Secret Method or not for Vault | `bool` | `false` | no |\n| \u003ca name=\"input_create_aws_secret_backend_user\"\u003e\u003c/a\u003e [create\\_aws\\_secret\\_backend\\_user](#input\\_create\\_aws\\_secret\\_backend\\_user) | Enable AWS Secret Method or not for Vault (IAM user variant) | `bool` | `false` | no |\n| \u003ca name=\"input_create_gh_acc_role\"\u003e\u003c/a\u003e [create\\_gh\\_acc\\_role](#input\\_create\\_gh\\_acc\\_role) | Enable Account Role for GitHub JWT Auth Method | `bool` | n/a | yes |\n| \u003ca name=\"input_create_gh_secret_role\"\u003e\u003c/a\u003e [create\\_gh\\_secret\\_role](#input\\_create\\_gh\\_secret\\_role) | For GHA, Enable Secrets JWT Auth Method Role or not | `bool` | n/a | yes |\n| \u003ca name=\"input_create_gl_acc_role\"\u003e\u003c/a\u003e [create\\_gl\\_acc\\_role](#input\\_create\\_gl\\_acc\\_role) | Enable Account Role for GitLab JWT Auth Method | `bool` | n/a | yes |\n| \u003ca name=\"input_create_gl_secret_role\"\u003e\u003c/a\u003e [create\\_gl\\_secret\\_role](#input\\_create\\_gl\\_secret\\_role) | For GitLab, Enable Secrets JWT Auth Method Role or not | `bool` | n/a | yes |\n| \u003ca name=\"input_create_k8s\"\u003e\u003c/a\u003e [create\\_k8s](#input\\_create\\_k8s) | Enable Kubernetes Auth Method or not | `bool` | n/a | yes |\n| \u003ca name=\"input_create_kv_engine\"\u003e\u003c/a\u003e [create\\_kv\\_engine](#input\\_create\\_kv\\_engine) | Enable KV version 2 secret engine | `bool` | n/a | yes |\n| \u003ca name=\"input_create_kv_v2\"\u003e\u003c/a\u003e [create\\_kv\\_v2](#input\\_create\\_kv\\_v2) | Create KV Version 2 Secrets | `bool` | n/a | yes |\n| \u003ca name=\"input_create_policy\"\u003e\u003c/a\u003e [create\\_policy](#input\\_create\\_policy) | Enable Vault policy or not | `bool` | n/a | yes |\n| \u003ca name=\"input_create_secret_backend_role\"\u003e\u003c/a\u003e 
[create\\_secret\\_backend\\_role](#input\\_create\\_secret\\_backend\\_role) | Enable a role on an AWS Secret Method or not for Vault | `bool` | `false` | no |\n| \u003ca name=\"input_create_secret_backend_role_user\"\u003e\u003c/a\u003e [create\\_secret\\_backend\\_role\\_user](#input\\_create\\_secret\\_backend\\_role\\_user) | Enable a role on an AWS Secret Method for Vault | `bool` | `false` | no |\n| \u003ca name=\"input_create_userpass\"\u003e\u003c/a\u003e [create\\_userpass](#input\\_create\\_userpass) | Authenticate Vault with Username/Password | `bool` | n/a | yes |\n| \u003ca name=\"input_credential_type\"\u003e\u003c/a\u003e [credential\\_type](#input\\_credential\\_type) | AWS STS Assumed Role type | `string` | `\"assumed_role\"` | no |\n| \u003ca name=\"input_credential_type_user\"\u003e\u003c/a\u003e [credential\\_type\\_user](#input\\_credential\\_type\\_user) | AWS IAM User type | `string` | `\"iam_user\"` | no |\n| \u003ca name=\"input_default_ttl_aws\"\u003e\u003c/a\u003e [default\\_ttl\\_aws](#input\\_default\\_ttl\\_aws) | Default Time To Live for Assumed role | `string` | `1800` | no |\n| \u003ca name=\"input_default_ttl_gh_jwt\"\u003e\u003c/a\u003e [default\\_ttl\\_gh\\_jwt](#input\\_default\\_ttl\\_gh\\_jwt) | Default Time To Live | `string` | `\"1h\"` | no |\n| \u003ca name=\"input_default_ttl_gl_jwt\"\u003e\u003c/a\u003e [default\\_ttl\\_gl\\_jwt](#input\\_default\\_ttl\\_gl\\_jwt) | Default Time To Live | `string` | `\"1h\"` | no |\n| \u003ca name=\"input_default_ttl_user\"\u003e\u003c/a\u003e [default\\_ttl\\_user](#input\\_default\\_ttl\\_user) | Default Time To Live for AWS temporary account | `number` | `2700` | no |\n| \u003ca name=\"input_delete_version_after\"\u003e\u003c/a\u003e [delete\\_version\\_after](#input\\_delete\\_version\\_after) | Old secrets version will be deleted after this seconds (7 days) | `number` | `604800` | no |\n| \u003ca name=\"input_enabled_gh_jwt_backend\"\u003e\u003c/a\u003e 
[enabled\\_gh\\_jwt\\_backend](#input\\_enabled\\_gh\\_jwt\\_backend) | Enable GitHub JWT Auth Method or not | `bool` | n/a | yes |\n| \u003ca name=\"input_enabled_gl_jwt_backend\"\u003e\u003c/a\u003e [enabled\\_gl\\_jwt\\_backend](#input\\_enabled\\_gl\\_jwt\\_backend) | Enable GitLab JWT Auth Method or not | `bool` | n/a | yes |\n| \u003ca name=\"input_enabled_oidc_backend\"\u003e\u003c/a\u003e [enabled\\_oidc\\_backend](#input\\_enabled\\_oidc\\_backend) | Enable OIDC Auth Method or not | `bool` | n/a | yes |\n| \u003ca name=\"input_gh_acc_bound_aud\"\u003e\u003c/a\u003e [gh\\_acc\\_bound\\_aud](#input\\_gh\\_acc\\_bound\\_aud) | URL of the repository owner, eg: `https://github.com/OWNER`, such as the organization that owns the repository. This is the only claim that can be customized | `list(string)` | \u003cpre\u003e[\u003cbr\u003e  \"\"\u003cbr\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_gh_acc_bound_claims\"\u003e\u003c/a\u003e [gh\\_acc\\_bound\\_claims](#input\\_gh\\_acc\\_bound\\_claims) | https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token | \u003cpre\u003emap(object({\u003cbr\u003e    role_name     = string\u003cbr\u003e    bound_claims  = optional(map(string))\u003cbr\u003e    token_ttl     = number\u003cbr\u003e    token_max_ttl = number\u003cbr\u003e  }))\u003c/pre\u003e | \u003cpre\u003e{\u003cbr\u003e  \"key1\": {\u003cbr\u003e    \"bound_claims\": {\u003cbr\u003e      \"\": \"\"\u003cbr\u003e    },\u003cbr\u003e    \"role_name\": \"value\",\u003cbr\u003e    \"token_max_ttl\": 600,\u003cbr\u003e    \"token_ttl\": 300\u003cbr\u003e  }\u003cbr\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_gh_acc_bound_sub\"\u003e\u003c/a\u003e [gh\\_acc\\_bound\\_sub](#input\\_gh\\_acc\\_bound\\_sub) | Defines the subject claim that is to be validated by the cloud provider | `string` | `\"\"` | no |\n| \u003ca 
name=\"input_gh_acc_token_policies\"\u003e\u003c/a\u003e [gh\\_acc\\_token\\_policies](#input\\_gh\\_acc\\_token\\_policies) | Vault policy name to attach on AWS Auth Method Role | `list(string)` | \u003cpre\u003e[\u003cbr\u003e  \"default\"\u003cbr\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_gh_jwt_path\"\u003e\u003c/a\u003e [gh\\_jwt\\_path](#input\\_gh\\_jwt\\_path) | GitHub JWT Authentication path | `string` | `\"jwt-gh\"` | no |\n| \u003ca name=\"input_gh_jwt_token_type\"\u003e\u003c/a\u003e [gh\\_jwt\\_token\\_type](#input\\_gh\\_jwt\\_token\\_type) | `service` token or `batch` token? Default is `service` token | `string` | `\"service\"` | no |\n| \u003ca name=\"input_gh_secret_bound_aud\"\u003e\u003c/a\u003e [gh\\_secret\\_bound\\_aud](#input\\_gh\\_secret\\_bound\\_aud) | URL of the repository owner, eg: `https://github.com/OWNER`, such as the organization that owns the repository. This is the only claim that can be customized | `list(string)` | \u003cpre\u003e[\u003cbr\u003e  \"\"\u003cbr\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_gh_secret_bound_claims\"\u003e\u003c/a\u003e [gh\\_secret\\_bound\\_claims](#input\\_gh\\_secret\\_bound\\_claims) | JWT/OIDC auth Method role for Secrets values in a Vault server | \u003cpre\u003emap(object({\u003cbr\u003e    role_name     = string\u003cbr\u003e    bound_claims  = optional(map(string))\u003cbr\u003e    token_ttl     = number\u003cbr\u003e    token_max_ttl = number\u003cbr\u003e  }))\u003c/pre\u003e | \u003cpre\u003e{\u003cbr\u003e  \"key\": {\u003cbr\u003e    \"bound_claims\": {\u003cbr\u003e      \"\": \"\"\u003cbr\u003e    },\u003cbr\u003e    \"role_name\": \"value\",\u003cbr\u003e    \"token_max_ttl\": 7200,\u003cbr\u003e    \"token_ttl\": 3600\u003cbr\u003e  }\u003cbr\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_gh_secret_bound_sub\"\u003e\u003c/a\u003e [gh\\_secret\\_bound\\_sub](#input\\_gh\\_secret\\_bound\\_sub) | Defines the subject claim that is to be validated by the 
cloud provider | `string` | `\"\"` | no |\n| \u003ca name=\"input_gh_secret_token_policies\"\u003e\u003c/a\u003e [gh\\_secret\\_token\\_policies](#input\\_gh\\_secret\\_token\\_policies) | Secrets policy name | `list(string)` | \u003cpre\u003e[\u003cbr\u003e  \"default\"\u003cbr\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_gl_acc_bound_claims\"\u003e\u003c/a\u003e [gl\\_acc\\_bound\\_claims](#input\\_gl\\_acc\\_bound\\_claims) | JWT/OIDC auth Method role for AWS Account in a Vault server | \u003cpre\u003emap(object({\u003cbr\u003e    role_name         = string\u003cbr\u003e    bound_claims      = map(string)\u003cbr\u003e    bound_claims_type = string\u003cbr\u003e  }))\u003c/pre\u003e | \u003cpre\u003e{\u003cbr\u003e  \"key\": {\u003cbr\u003e    \"bound_claims\": {\u003cbr\u003e      \"project_id\": \"12312312\",\u003cbr\u003e      \"ref\": \"main,develop\",\u003cbr\u003e      \"ref_type\": \"branch\"\u003cbr\u003e    },\u003cbr\u003e    \"bound_claims_type\": \"glob\",\u003cbr\u003e    \"role_name\": \"ROLE_NAME\"\u003cbr\u003e  }\u003cbr\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_gl_acc_token_policies\"\u003e\u003c/a\u003e [gl\\_acc\\_token\\_policies](#input\\_gl\\_acc\\_token\\_policies) | Vault policy name to attach on AWS Auth Method Role | `list(string)` | \u003cpre\u003e[\u003cbr\u003e  \"account_b\"\u003cbr\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_gl_jwt_path\"\u003e\u003c/a\u003e [gl\\_jwt\\_path](#input\\_gl\\_jwt\\_path) | GitLab JWT Authentication path | `string` | `\"jwt-gl\"` | no |\n| \u003ca name=\"input_gl_jwt_token_type\"\u003e\u003c/a\u003e [gl\\_jwt\\_token\\_type](#input\\_gl\\_jwt\\_token\\_type) | `service` token or `batch` token? 
Default is `service` token | `string` | `\"service\"` | no |\n| \u003ca name=\"input_gl_secret_bound_claims\"\u003e\u003c/a\u003e [gl\\_secret\\_bound\\_claims](#input\\_gl\\_secret\\_bound\\_claims) | JWT/OIDC auth Method role for Secrets values in a Vault server | \u003cpre\u003emap(object({\u003cbr\u003e    role_name    = string\u003cbr\u003e    bound_claims = map(string)\u003cbr\u003e  }))\u003c/pre\u003e | \u003cpre\u003e{\u003cbr\u003e  \"key\": {\u003cbr\u003e    \"bound_claims\": {\u003cbr\u003e      \"project_id\": \"123123\",\u003cbr\u003e      \"ref\": \"main,develop\",\u003cbr\u003e      \"ref_type\": \"branch\"\u003cbr\u003e    },\u003cbr\u003e    \"role_name\": \"reader-role\"\u003cbr\u003e  }\u003cbr\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_gl_secret_token_policies\"\u003e\u003c/a\u003e [gl\\_secret\\_token\\_policies](#input\\_gl\\_secret\\_token\\_policies) | Secrets policy name | `list(string)` | \u003cpre\u003e[\u003cbr\u003e  \"read-acc_b_creds\"\u003cbr\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_k8s_config\"\u003e\u003c/a\u003e [k8s\\_config](#input\\_k8s\\_config) | Kubernetes Auth Backend configuration | \u003cpre\u003emap(object({\u003cbr\u003e    backend            = string\u003cbr\u003e    kubernetes_host    = string\u003cbr\u003e    kubernetes_ca_cert = string\u003cbr\u003e    token_reviewer_jwt = string\u003cbr\u003e    issuer             = string\u003cbr\u003e  }))\u003c/pre\u003e | \u003cpre\u003e{\u003cbr\u003e  \"dev-k8s\": {\u003cbr\u003e    \"backend\": \"dev-k8s\",\u003cbr\u003e    \"issuer\": \"https://kubernetes.default.svc.cluster.local\",\u003cbr\u003e    \"kubernetes_ca_cert\": \"-----BEGIN CERTIFICATE-----\\nASDFQWERQWERASDFASDQ@#RDFADFASDF\\n-----END CERTIFICATE-----\",\u003cbr\u003e    \"kubernetes_host\": \"https://K8S_HOST_ADDR:6443\",\u003cbr\u003e    \"token_reviewer_jwt\": \"eyJhbGciOiJSUzI1NiIJASiadura56tIsImtpZCI6InRreml3.ASDFASOIDJFASDKLFLASDF\"\u003cbr\u003e  
}\u003cbr\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_k8s_path\"\u003e\u003c/a\u003e [k8s\\_path](#input\\_k8s\\_path) | Kubernetes Authentication path (Support multi clusters with different paths) | \u003cpre\u003emap(object({\u003cbr\u003e    path = string\u003cbr\u003e  }))\u003c/pre\u003e | \u003cpre\u003e{\u003cbr\u003e  \"dev-k8s\": {\u003cbr\u003e    \"path\": \"dev-k8s\"\u003cbr\u003e  }\u003cbr\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_k8s_role\"\u003e\u003c/a\u003e [k8s\\_role](#input\\_k8s\\_role) | Kubernetes role to authenticate Vault | \u003cpre\u003emap(object({\u003cbr\u003e    role_name                        = string\u003cbr\u003e    backend                          = string\u003cbr\u003e    bound_service_account_names      = list(string)\u003cbr\u003e    bound_service_account_namespaces = list(string)\u003cbr\u003e    token_policies                   = list(string)\u003cbr\u003e    token_ttl_k8s                    = number\u003cbr\u003e  }))\u003c/pre\u003e | \u003cpre\u003e{\u003cbr\u003e  \"dev-k8s\": {\u003cbr\u003e    \"backend\": \"dev-k8s\",\u003cbr\u003e    \"bound_service_account_names\": [\u003cbr\u003e      \"dev-k8s\"\u003cbr\u003e    ],\u003cbr\u003e    \"bound_service_account_namespaces\": [\u003cbr\u003e      \"default\"\u003cbr\u003e    ],\u003cbr\u003e    \"role_name\": \"dev-k8s\",\u003cbr\u003e    \"token_policies\": [\u003cbr\u003e      \"default\"\u003cbr\u003e    ],\u003cbr\u003e    \"token_ttl_k8s\": 3600\u003cbr\u003e  }\u003cbr\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_kv_v2\"\u003e\u003c/a\u003e [kv\\_v2](#input\\_kv\\_v2) | Key/Value store | \u003cpre\u003emap(object({\u003cbr\u003e    sub_path            = string\u003cbr\u003e    disable_read        = bool\u003cbr\u003e    delete_all_versions = bool\u003cbr\u003e    data_json           = any\u003cbr\u003e  }))\u003c/pre\u003e | \u003cpre\u003e{\u003cbr\u003e  \"key1\": {\u003cbr\u003e    \"data_json\": \"        {\\n          
\\\"key1\\\": \\\"value1\\\"\\n        }\\n\",\u003cbr\u003e    \"delete_all_versions\": true,\u003cbr\u003e    \"disable_read\": false,\u003cbr\u003e    \"sub_path\": \"path1\"\u003cbr\u003e  },\u003cbr\u003e  \"key2\": {\u003cbr\u003e    \"data_json\": \"        {\\n          \\\"key2\\\": \\\"value2\\\"\\n        }\\n\",\u003cbr\u003e    \"delete_all_versions\": true,\u003cbr\u003e    \"disable_read\": false,\u003cbr\u003e    \"sub_path\": \"path2\"\u003cbr\u003e  }\u003cbr\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_kv_v2_description\"\u003e\u003c/a\u003e [kv\\_v2\\_description](#input\\_kv\\_v2\\_description) | Just a description | `string` | `\"Mount path of KV-V2 secret engine\"` | no |\n| \u003ca name=\"input_kv_v2_path\"\u003e\u003c/a\u003e [kv\\_v2\\_path](#input\\_kv\\_v2\\_path) | KV-V2 secret engine path | `string` | `\"infra\"` | no |\n| \u003ca name=\"input_max_ttl_aws\"\u003e\u003c/a\u003e [max\\_ttl\\_aws](#input\\_max\\_ttl\\_aws) | Maximum Time To Live for Assumed role | `string` | `3600` | no |\n| \u003ca name=\"input_max_ttl_gh_jwt\"\u003e\u003c/a\u003e [max\\_ttl\\_gh\\_jwt](#input\\_max\\_ttl\\_gh\\_jwt) | Maximum Time To Live | `string` | `\"2h\"` | no |\n| \u003ca name=\"input_max_ttl_gl_jwt\"\u003e\u003c/a\u003e [max\\_ttl\\_gl\\_jwt](#input\\_max\\_ttl\\_gl\\_jwt) | Maximum Time To Live | `string` | `\"2h\"` | no |\n| \u003ca name=\"input_max_ttl_user\"\u003e\u003c/a\u003e [max\\_ttl\\_user](#input\\_max\\_ttl\\_user) | Maximum Time To Live for AWS temporary account | `number` | `3600` | no |\n| \u003ca name=\"input_max_versions\"\u003e\u003c/a\u003e [max\\_versions](#input\\_max\\_versions) | Maximum versions of the secrets | `number` | `100` | no |\n| \u003ca name=\"input_oidc_alias\"\u003e\u003c/a\u003e [oidc\\_alias](#input\\_oidc\\_alias) | Name of the OIDC group alias | \u003cpre\u003emap(object({\u003cbr\u003e    group_alias_name = string\u003cbr\u003e  }))\u003c/pre\u003e | \u003cpre\u003e{\u003cbr\u003e  \"gmail\": 
{\u003cbr\u003e    \"group_alias_name\": \"gmail\"\u003cbr\u003e  }\u003cbr\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_oidc_auth_path\"\u003e\u003c/a\u003e [oidc\\_auth\\_path](#input\\_oidc\\_auth\\_path) | OIDC mount path | \u003cpre\u003emap(object({\u003cbr\u003e    oidc_path          = string\u003cbr\u003e    oidc_role          = string\u003cbr\u003e    oidc_discovery_url = string\u003cbr\u003e    oidc_client_id     = string\u003cbr\u003e    oidc_client_sec    = string\u003cbr\u003e  }))\u003c/pre\u003e | \u003cpre\u003e{\u003cbr\u003e  \"gmail\": {\u003cbr\u003e    \"oidc_client_id\": \"123456789012-5k3hfs5kvc1h82kjkar895ir6118io4bra8q.apps.googleusercontent.com\",\u003cbr\u003e    \"oidc_client_sec\": \"ASDFDF-xRG_MCY1Ulkr8Ke0cBU87yr_XDKR\",\u003cbr\u003e    \"oidc_discovery_url\": \"https://accounts.google.com\",\u003cbr\u003e    \"oidc_path\": \"oidc\",\u003cbr\u003e    \"oidc_role\": \"gmail\"\u003cbr\u003e  }\u003cbr\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_oidc_backend_role\"\u003e\u003c/a\u003e [oidc\\_backend\\_role](#input\\_oidc\\_backend\\_role) | OIDC role to login to Vault | \u003cpre\u003emap(object({\u003cbr\u003e    oidc_role_name        = string\u003cbr\u003e    oidc_user_claim       = string\u003cbr\u003e    oidc_token_type       = string\u003cbr\u003e    oidc_scopes           = list(string)\u003cbr\u003e    allowed_redirect_uris = list(string)\u003cbr\u003e    oidc_token_policies   = list(string)\u003cbr\u003e  }))\u003c/pre\u003e | \u003cpre\u003e{\u003cbr\u003e  \"gmail\": {\u003cbr\u003e    \"allowed_redirect_uris\": [\u003cbr\u003e      \"http://127.0.0.1:8250/oidc/callback\",\u003cbr\u003e      \"http://127.0.0.1:8200/ui/vault/auth/oidc/oidc/callback\"\u003cbr\u003e    ],\u003cbr\u003e    \"oidc_role_name\": \"gmail\",\u003cbr\u003e    \"oidc_scopes\": [\u003cbr\u003e      \"openid\",\u003cbr\u003e      \"email\"\u003cbr\u003e    ],\u003cbr\u003e    \"oidc_token_policies\": [\u003cbr\u003e      
\"reader\"\u003cbr\u003e    ],\u003cbr\u003e    \"oidc_token_type\": \"service\",\u003cbr\u003e    \"oidc_user_claim\": \"email\"\u003cbr\u003e  }\u003cbr\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_oidc_identity_group\"\u003e\u003c/a\u003e [oidc\\_identity\\_group](#input\\_oidc\\_identity\\_group) | n/a | \u003cpre\u003emap(object({\u003cbr\u003e    oidc_identity_group_name     = string\u003cbr\u003e    oidc_identity_type           = string\u003cbr\u003e    oidc_identity_group_policies = list(string)\u003cbr\u003e    tags                         = map(string)\u003cbr\u003e  }))\u003c/pre\u003e | \u003cpre\u003e{\u003cbr\u003e  \"gmail\": {\u003cbr\u003e    \"oidc_identity_group_name\": \"gmail\",\u003cbr\u003e    \"oidc_identity_group_policies\": [\u003cbr\u003e      \"reader\"\u003cbr\u003e    ],\u003cbr\u003e    \"oidc_identity_type\": \"external\",\u003cbr\u003e    \"tags\": {\u003cbr\u003e      \"Organization\": \"OSS\"\u003cbr\u003e    }\u003cbr\u003e  }\u003cbr\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_region\"\u003e\u003c/a\u003e [region](#input\\_region) | Region that Vault residing | `string` | `\"us-east-1\"` | no |\n| \u003ca name=\"input_region_user\"\u003e\u003c/a\u003e [region\\_user](#input\\_region\\_user) | Region that Vault residing | `string` | `\"us-east-1\"` | no |\n| \u003ca name=\"input_secret_backend_role\"\u003e\u003c/a\u003e [secret\\_backend\\_role](#input\\_secret\\_backend\\_role) | Create and use STS Assumed Role by Vault performing necessary actions respectively | \u003cpre\u003emap(object({\u003cbr\u003e    name      = string\u003cbr\u003e    role_arns = list(string)\u003cbr\u003e  }))\u003c/pre\u003e | \u003cpre\u003e{\u003cbr\u003e  \"key\": {\u003cbr\u003e    \"name\": \"aws\",\u003cbr\u003e    \"role_arns\": [\u003cbr\u003e      \"arn:aws:iam::123456789012:role/ROLE_NAME\"\u003cbr\u003e    ]\u003cbr\u003e  }\u003cbr\u003e}\u003c/pre\u003e | no |\n| \u003ca 
name=\"input_secret_backend_role_user\"\u003e\u003c/a\u003e [secret\\_backend\\_role\\_user](#input\\_secret\\_backend\\_role\\_user) | IAM User with defined IAM permission policy respectively | \u003cpre\u003emap(object({\u003cbr\u003e    name            = string\u003cbr\u003e    policy_document = any\u003cbr\u003e  }))\u003c/pre\u003e | \u003cpre\u003e{\u003cbr\u003e  \"key\": {\u003cbr\u003e    \"name\": \"value\",\u003cbr\u003e    \"policy_document\": {}\u003cbr\u003e  }\u003cbr\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_secret_key\"\u003e\u003c/a\u003e [secret\\_key](#input\\_secret\\_key) | AWS Assumed Role User secret key | `string` | `\"SECRET_KEY\"` | no |\n| \u003ca name=\"input_secret_key_user\"\u003e\u003c/a\u003e [secret\\_key\\_user](#input\\_secret\\_key\\_user) | AWS Secret Key with necessary permissions | `string` | `\"SECRET_KEY\"` | no |\n| \u003ca name=\"input_userpass_path\"\u003e\u003c/a\u003e [userpass\\_path](#input\\_userpass\\_path) | Mount path for `Userpass` auth method | `string` | `\"userpass\"` | no |\n| \u003ca name=\"input_users_path\"\u003e\u003c/a\u003e [users\\_path](#input\\_users\\_path) | The full logical path with `username` suffix | \u003cpre\u003emap(object({\u003cbr\u003e    path      = string\u003cbr\u003e    data_json = any\u003cbr\u003e  }))\u003c/pre\u003e | \u003cpre\u003e{\u003cbr\u003e  \"user1\": {\u003cbr\u003e    \"data_json\": \"        {\\n          \\\"policies\\\": [\\\"POLICY\\\"],\\n          \\\"password\\\": \\\"PASSWORD\\\"\\n        }\\n\",\u003cbr\u003e    \"path\": \"auth/userpass/users/USERNAME\"\u003cbr\u003e  }\u003cbr\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_vault_policy\"\u003e\u003c/a\u003e [vault\\_policy](#input\\_vault\\_policy) | Policy to read secret by path | \u003cpre\u003emap(object({\u003cbr\u003e    name   = string\u003cbr\u003e    policy = any\u003cbr\u003e  }))\u003c/pre\u003e | \u003cpre\u003e{\u003cbr\u003e  \"key1\": {\u003cbr\u003e    \"name\": 
\"reader\",\u003cbr\u003e    \"policy\": \"        ## Policy for only reading secrets in this path\\n        path \\\"tfvars/data/*\\\"\\n        {\\n            capabilities = [\\\"read\\\"]\\n        }\\n\"\u003cbr\u003e  }\u003cbr\u003e}\u003c/pre\u003e | no |\n\n## Outputs\n\nNo outputs.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0opsops%2Fterraform-vault-secmgmt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0opsops%2Fterraform-vault-secmgmt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0opsops%2Fterraform-vault-secmgmt/lists"}
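Added example, not code from the repository or its README: a root module that calls this module from the Terraform Registry path given in the repository homepage, enables only the GitHub JWT auth method and the KV-V2 engine, and leaves every other feature flag off. It shows the two things a reviewer checks in a Vault-for-CI setup: the GitHub Actions role is pinned to one repository and one branch through the `aud` and `sub` claims plus `bound_claims`, with a read-only policy scoped to a single KV-V2 data path, and the one secret value is supplied through a `sensitive` root variable (`TF_VAR_db_password`) instead of `terraform.tfvars`. The organisation and repository names (`example-org/example-repo`), the policy and role names, the module version and the `db_password` variable are all assumptions; the input names are the ones documented in the Inputs table above.

```hcl
# Added example, not part of 0opsops/terraform-vault-secmgmt. Assumed names:
# the organisation/repository (example-org/example-repo), the policy and role
# names, the module version, and the root variable `db_password`.

terraform {
  required_version = ">= 1.6.5"
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = ">= 4.2.0"
    }
  }
}

# Vault address and the operator token come from VAULT_ADDR / VAULT_TOKEN.
provider "vault" {}

# Supplied as TF_VAR_db_password so the value never lands in terraform.tfvars.
# It is still written to the Terraform state: treat the state backend as a
# secret store (encrypted, access-controlled).
variable "db_password" {
  type      = string
  sensitive = true
}

module "vault_secmgmt" {
  source  = "0opsops/secmgmt/vault"
  version = "1.0.0" # assumed; pin to the release you have reviewed

  # Only the GitHub JWT auth method and the KV-V2 engine are enabled.
  enabled_gh_jwt_backend       = true
  enabled_gl_jwt_backend       = false
  enabled_oidc_backend         = false
  create_userpass              = false
  create_k8s                   = false
  create_aws_auth_backend      = false
  create_aws_auth_backend_user = false
  create_gl_acc_role           = false
  create_gl_secret_role        = false
  create_gh_acc_role           = false

  # KV-V2 mount and the one secret the workflow is allowed to read.
  create_kv_engine = true
  create_kv_v2     = true
  kv_v2_path       = "infra"
  kv_v2 = {
    db = {
      sub_path            = "example-app/db"
      disable_read        = false
      delete_all_versions = true
      data_json           = jsonencode({ password = var.db_password })
    }
  }

  # Policy scoped to that KV-V2 data path only: read, no list, no write.
  create_policy = true
  vault_policy = {
    reader = {
      name   = "read-example-app"
      policy = <<-EOT
        path "infra/data/example-app/*" {
          capabilities = ["read"]
        }
      EOT
    }
  }

  # GitHub Actions role: the audience is the repository owner URL (the only
  # claim GitHub lets you customise), the subject pins the role to one repo
  # and branch, and bound_claims repeats the repo as an independent check.
  create_gh_secret_role = true
  gh_jwt_path           = "jwt-gh"
  gh_secret_bound_aud   = ["https://github.com/example-org"]
  gh_secret_bound_sub   = "repo:example-org/example-repo:ref:refs/heads/main"
  gh_secret_bound_claims = {
    main = {
      role_name     = "gh-example-repo-main"
      bound_claims  = { repository = "example-org/example-repo" }
      token_ttl     = 300
      token_max_ttl = 600
    }
  }
  gh_secret_token_policies = ["read-example-app"]
}
```

On the workflow side the job requests `permissions: id-token: write` and logs in with `hashicorp/vault-action` using `method: jwt`, `path: jwt-gh`, `role: gh-example-repo-main` and `jwtGithubAudience: https://github.com/example-org`; a run from any other branch or repository in the organisation presents a different `sub` and is refused at login, and a token from outside the organisation fails the audience check before the subject is even compared. Terraform writes the KV data, and any AWS keys or OIDC client secrets passed to the module, into the state in clear text, so the state backend needs the same access control and encryption at rest as the tfvars file the README warns about.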