Add terraform-provider-litellmvaultsecret implementation
Populate the repo with the Terraform/OpenTofu provider that manages the LiteLLM dynamic secrets engine on Vault/OpenBao via the Vault API.

- Provider (VAULT_ADDR/VAULT_TOKEN) with resources litellmvaultsecret_secret_backend (mount + config) and litellmvaultsecret_secret_backend_role (models, max_budget, ttl/max_ttl in seconds, metadata)
- Unit tests against a mock Vault API
- End-to-end test: builds the sibling plugin, boots Vault + LiteLLM + Postgres, and runs a real terraform apply/destroy asserting key generation works
- Makefile, woodpecker CI (build/test/pre-commit), examples, README
@@ -0,0 +1,104 @@
# terraform-provider-litellmvaultsecret

A Terraform/OpenTofu provider that manages the **LiteLLM dynamic secrets engine**
(the [`vault-plugin-secrets-litellm`](https://git.unkin.net/unkin/vault-plugin-secrets-litellm)
plugin) on HashiCorp Vault or OpenBao.

It lets you declare, as code, the LiteLLM secrets-engine mount, its connection
config, and the roles that scope generated virtual keys — for use from
`terraform-vault`.

## Provider

```hcl
terraform {
required_providers {
litellmvaultsecret = {
source = "git.unkin.net/unkin/litellmvaultsecret"
}
}
}

provider "litellmvaultsecret" {
address = "https://vault.example.com" # or VAULT_ADDR
token = var.vault_token # or VAULT_TOKEN
}
```

## Resources

### `litellmvaultsecret_secret_backend`

Mounts the engine and writes its connection config.

| Attribute | Required | Description |
| ------------------------- | -------- | ---------------------------------------------------- |
| `path` | yes | Mount path (e.g. `litellm`). Forces replacement. |
| `base_url` | yes | LiteLLM proxy URL the plugin calls. |
| `master_key` | yes | LiteLLM master key (sensitive, never read back). |
| `plugin` | no | Registered plugin name (default `vault-plugin-secrets-litellm`). |
| `description` | no | Mount description. |
| `request_timeout_seconds` | no | Plugin→LiteLLM HTTP timeout (default 30). |

### `litellmvaultsecret_secret_backend_role`

Manages a role that constrains generated keys.

| Attribute | Required | Description |
| ------------------ | -------- | ---------------------------------------------- |
| `backend` | yes | Mount path of the engine. Forces replacement. |
| `name` | yes | Role name. Forces replacement. |
| `models` | no | Allowed models (set); empty = unrestricted. |
| `max_budget` | no | Spending limit per key; 0 = unlimited. |
| `ttl` | no | Default lease TTL, in **seconds**. |
| `max_ttl` | no | Maximum lease TTL, in **seconds**. |
| `key_alias_prefix` | no | Prefix for the key alias (default `vault`). |
| `metadata` | no | Metadata attached to each key (map). |

## Example

```hcl
resource "litellmvaultsecret_secret_backend" "litellm" {
path = "litellm"
base_url = "http://litellm.litellm.svc:4000"
master_key = var.litellm_master_key
}

resource "litellmvaultsecret_secret_backend_role" "team_a" {
backend = litellmvaultsecret_secret_backend.litellm.path
name = "team-a"
models = ["gpt-3.5-turbo", "gpt-4"]
max_budget = 50
ttl = 3600
max_ttl = 86400
}
```

Consumers then read `litellm/creds/team-a` from Vault to obtain a scoped,
budgeted, lease-bound virtual key.

## Import

```sh
terraform import litellmvaultsecret_secret_backend.litellm litellm
terraform import litellmvaultsecret_secret_backend_role.team_a litellm/roles/team-a
```

## Development

```sh
make build # build the provider binary
make install # install into ~/.terraform.d/plugins for local use
make test # unit tests (race-enabled)
make lint # go vet
make fmt # gofmt
make e2e # end-to-end: real Vault + LiteLLM + plugin, terraform apply
```

### End-to-end tests

`make e2e` builds the sibling `vault-plugin-secrets-litellm` plugin, boots Vault +
LiteLLM + Postgres in Docker, installs this provider locally, then runs a real
`terraform apply` that mounts the engine and creates a role, and asserts that a
working virtual key can be generated from it. Requires Docker; bind mounts use
`:z` for SELinux.
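Review bot: The `master_key` row in the `litellmvaultsecret_secret_backend` table says "sensitive, never read back", which is true of the Vault API but not of Terraform: a sensitive attribute is only masked in plan output, it is still stored in plaintext in the state file, so the README should tell operators to protect the state backend (encryption at rest, restricted access) before putting a LiteLLM master key through this resource. Related, `path` and `backend` are marked "Forces replacement" without saying what replacement means here: changing the path unmounts the engine, and Vault revokes every lease issued under that mount, so all virtual keys read from `litellm/creds/*` stop working at once; a one-line note next to "Forces replacement" would save someone a surprise outage. Minor: "for use from `terraform-vault`" in the intro is unclear (there is no such provider named on the page); consider stating what is meant, e.g. that the same Vault address/token as the upstream Vault provider can be used.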