Add terraform-provider-litellmvaultsecret implementation #1

Merged
benvin merged 6 commits from benvin/initial-implementation into main 2026-07-03 14:18:58 +10:00
Owner

Why

Populate the newly-created repo with the Terraform/OpenTofu provider that manages
the LiteLLM dynamic secrets engine on Vault/OpenBao, for use from
terraform-vault.

Changes

  • Add the provider (auth via VAULT_ADDR/VAULT_TOKEN).
  • Add litellmvaultsecret_secret_backend (mounts the engine and writes its
    connection config) and litellmvaultsecret_secret_backend_role (models,
    max_budget, ttl/max_ttl in seconds, metadata).
  • Add unit tests against a mock Vault API.
  • Add an end-to-end test that builds the sibling plugin, boots Vault + LiteLLM +
    Postgres, and runs a real terraform apply/destroy asserting a working key is
    generated from the managed role.
  • Add Makefile, woodpecker CI (build/test/pre-commit), examples, and README.
unkinben added 2 commits 2026-07-02 23:23:31 +10:00
Populate the repo with the Terraform/OpenTofu provider that manages the LiteLLM
dynamic secrets engine on Vault/OpenBao via the Vault API.

- Provider (VAULT_ADDR/VAULT_TOKEN) with resources litellmvaultsecret_secret_backend
  (mount + config) and litellmvaultsecret_secret_backend_role (models, max_budget,
  ttl/max_ttl in seconds, metadata)
- Unit tests against a mock Vault API
- End-to-end test: builds the sibling plugin, boots Vault + LiteLLM + Postgres,
  and runs a real terraform apply/destroy asserting key generation works
- Makefile, woodpecker CI (build/test/pre-commit), examples, README
unkinben added 1 commit 2026-07-03 12:29:40 +10:00
Rename resources to litellm_secret_* prefix
ci/woodpecker/pr/build Pipeline was successful
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/test Pipeline was successful
4e57e2dba7
Use the shorter, cleaner litellm_ resource prefix instead of
litellmvaultsecret_. The provider source stays git.unkin.net/unkin/
litellmvaultsecret; only the resource prefix (provider Metadata TypeName)
changes to litellm, declared under the local name litellm in
required_providers — the same pattern google-beta uses to ship google_*.

- Provider TypeName litellmvaultsecret -> litellm
- Resources: litellm_secret_backend, litellm_secret_backend_role
- Update examples (dirs + contents), README, and the e2e terraform config
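How a consuming configuration would look under the naming described in that commit message, as an added example that is not taken from the repository: Terraform resolves the `litellm_` resource prefix through the local name in `required_providers`, while the source address keeps the `litellmvaultsecret` name. The role arguments `models`, `max_budget`, `ttl`, `max_ttl` and `metadata` are named in the PR description; `path`, `backend`, `name`, all argument types and all values are assumptions.

```hcl
terraform {
  required_providers {
    # Local name "litellm" is what the litellm_* resource prefix resolves to;
    # the source address still names the litellmvaultsecret provider.
    litellm = {
      source = "git.unkin.net/unkin/litellmvaultsecret"
    }
  }
}

# No credentials in configuration: per the PR description the provider
# authenticates from the VAULT_ADDR and VAULT_TOKEN environment variables.
provider "litellm" {}

resource "litellm_secret_backend" "this" {
  path = "litellm" # hypothetical argument name, constructed value
  # Connection config arguments are omitted: their names are not given on this page.
}

resource "litellm_secret_backend_role" "ci" {
  backend    = litellm_secret_backend.this.path # hypothetical argument name
  name       = "ci"                             # hypothetical argument name
  models     = ["example-model"]                # constructed value, type assumed
  max_budget = 5                                # constructed value
  ttl        = 3600                             # seconds
  max_ttl    = 86400                            # seconds
  metadata   = { team = "platform" }            # constructed value, type assumed
}
```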
unkinben added 1 commit 2026-07-03 12:34:53 +10:00
Add on-tag release pipeline to upload the provider to artifactapi
ci/woodpecker/pr/test Pipeline was successful
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/build Pipeline was successful
1c58360d3c
Publish the provider so it can be consumed from terraform-vault: on a tag,
package the linux_amd64 build into a versioned zip and PUT it to the artifactapi
terraform registry, mirroring terraform-provider-artifactapi's release flow.

- Add .woodpecker/release.yml (event: tag) running make package + curl upload to
  remotes/terraform-unkin/files/unkin/litellmvaultsecret/
unkinben added 1 commit 2026-07-03 13:06:43 +10:00
Use reachable artifactapi host in release upload
ci/woodpecker/pr/test Pipeline was successful
ci/woodpecker/pr/build Pipeline was successful
ci/woodpecker/pr/pre-commit Pipeline was successful
59448a5bd2
Point the on-tag upload at artifactapi.k8s.syd1.au.unkin.net instead of the
unresolvable artifactapi3 name, matching the host used elsewhere (rpmbuilder,
terragrunt env).
unkinben added 1 commit 2026-07-03 13:13:01 +10:00
Set kubernetes backend options on all woodpecker steps
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/build Pipeline was successful
ci/woodpecker/pr/test Pipeline was successful
db3d4c3956
Give every CI step explicit resource requests/limits and the default service
account (matching the pre-commit step), so the k8s woodpecker backend schedules
them with bounded resources.

- build/test/lint/package steps: 512Mi/1cpu requests, 2Gi/2cpu limits
- upload step: lighter 128Mi/100m requests, 512Mi/500m limits
benvin merged commit 30cb219d18 into main 2026-07-03 14:18:58 +10:00

Reference: unkin/terraform-provider-litellmvaultsecret#1