Add terraform-provider-litellmvaultsecret implementation

Populate the repo with the Terraform/OpenTofu provider that manages the LiteLLM
dynamic secrets engine on Vault/OpenBao via the Vault API.

- Provider (VAULT_ADDR/VAULT_TOKEN) with resources litellmvaultsecret_secret_backend
  (mount + config) and litellmvaultsecret_secret_backend_role (models, max_budget,
  ttl/max_ttl in seconds, metadata)
- Unit tests against a mock Vault API
- End-to-end test: builds the sibling plugin, boots Vault + LiteLLM + Postgres,
  and runs a real terraform apply/destroy asserting key generation works
- Makefile, woodpecker CI (build/test/pre-commit), examples, README
2026-07-02 23:23:13 +10:00
commit 8ca6c39c66
24 changed files with 2004 additions and 0 deletions
@@ -0,0 +1,24 @@
terraform {
required_providers {
litellmvaultsecret = {
source = "git.unkin.net/unkin/litellmvaultsecret"
}
}
}
provider "litellmvaultsecret" {
# address and token fall back to VAULT_ADDR / VAULT_TOKEN
address = "https://vault.example.com"
}
resource "litellmvaultsecret_secret_backend" "litellm" {
path = "litellm"
description = "LiteLLM dynamic virtual keys"
base_url = "http://litellm.litellm.svc:4000"
master_key = var.litellm_master_key
}
variable "litellm_master_key" {
type = string
sensitive = true
}
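Review bot: `master_key = var.litellm_master_key` will be written to the Terraform/OpenTofu state in cleartext, because `sensitive = true` on the variable only redacts the value from plan and apply output. The example should say so next to the argument, e.g. `# stored in state in plaintext: use an encrypted, access-controlled remote backend`. The provider schema is not visible in this section, so it is worth confirming that it also marks the attribute as sensitive. Separately, `base_url` uses plain `http://`, so the master key and the keys it mints presumably cross the cluster network unencrypted. A comment such as `# use https:// outside a local test setup` would keep readers from copying that into production.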
@@ -0,0 +1,14 @@
resource "litellmvaultsecret_secret_backend_role" "team_a" {
backend = litellmvaultsecret_secret_backend.litellm.path
name = "team-a"
models = ["gpt-3.5-turbo", "gpt-4"]
max_budget = 50
ttl = 3600 # seconds (1h)
max_ttl = 86400 # seconds (24h)
metadata = {
team = "a"
env = "prod"
}
}
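Review bot: `max_budget = 50` has no unit or scope, unlike the `ttl` and `max_ttl` lines beside it. The page does not show whether the budget applies to each generated key or to the role as a whole. If it applies per key, every credential read from this role gets a fresh allowance, and 50 is not a cap on what the team can spend. A comment such as `# budget per generated key (USD in LiteLLM), not a role-wide cap`, adjusted to the plugin's actual behaviour, would prevent that misreading.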