8ca6c39c66
Populate the repo with the Terraform/OpenTofu provider that manages the LiteLLM dynamic secrets engine on Vault/OpenBao via the Vault API.

- Provider (VAULT_ADDR/VAULT_TOKEN) with resources litellmvaultsecret_secret_backend (mount + config) and litellmvaultsecret_secret_backend_role (models, max_budget, ttl/max_ttl in seconds, metadata)
- Unit tests against a mock Vault API
- End-to-end test: builds the sibling plugin, boots Vault + LiteLLM + Postgres, and runs a real terraform apply/destroy asserting key generation works
- Makefile, woodpecker CI (build/test/pre-commit), examples, README
105 lines
3.8 KiB
Markdown
# terraform-provider-litellmvaultsecret

A Terraform/OpenTofu provider that manages the **LiteLLM dynamic secrets engine**
(the [`vault-plugin-secrets-litellm`](https://git.unkin.net/unkin/vault-plugin-secrets-litellm)
plugin) on HashiCorp Vault or OpenBao.

It lets you declare, as code, the LiteLLM secrets-engine mount, its connection
config, and the roles that scope generated virtual keys — for use from
`terraform-vault`.

## Provider

```hcl
terraform {
  required_providers {
    litellmvaultsecret = {
      source = "git.unkin.net/unkin/litellmvaultsecret"
    }
  }
}

provider "litellmvaultsecret" {
  address = "https://vault.example.com" # or VAULT_ADDR
  token   = var.vault_token             # or VAULT_TOKEN
}
```

## Resources

### `litellmvaultsecret_secret_backend`

Mounts the engine and writes its connection config.

| Attribute                 | Required | Description                                                      |
| ------------------------- | -------- | ---------------------------------------------------------------- |
| `path`                    | yes      | Mount path (e.g. `litellm`). Forces replacement.                 |
| `base_url`                | yes      | LiteLLM proxy URL the plugin calls.                              |
| `master_key`              | yes      | LiteLLM master key (sensitive, never read back).                 |
| `plugin`                  | no       | Registered plugin name (default `vault-plugin-secrets-litellm`). |
| `description`             | no       | Mount description.                                               |
| `request_timeout_seconds` | no       | Plugin→LiteLLM HTTP timeout (default 30).                        |

### `litellmvaultsecret_secret_backend_role`

Manages a role that constrains generated keys.

| Attribute          | Required | Description                                    |
| ------------------ | -------- | ---------------------------------------------- |
| `backend`          | yes      | Mount path of the engine. Forces replacement.  |
| `name`             | yes      | Role name. Forces replacement.                 |
| `models`           | no       | Allowed models (set); empty = unrestricted.    |
| `max_budget`       | no       | Spending limit per key; 0 = unlimited.         |
| `ttl`              | no       | Default lease TTL, in **seconds**.             |
| `max_ttl`          | no       | Maximum lease TTL, in **seconds**.             |
| `key_alias_prefix` | no       | Prefix for the key alias (default `vault`).    |
| `metadata`         | no       | Metadata attached to each key (map).           |

## Example

```hcl
resource "litellmvaultsecret_secret_backend" "litellm" {
  path       = "litellm"
  base_url   = "http://litellm.litellm.svc:4000"
  master_key = var.litellm_master_key
}

resource "litellmvaultsecret_secret_backend_role" "team_a" {
  backend    = litellmvaultsecret_secret_backend.litellm.path
  name       = "team-a"
  models     = ["gpt-3.5-turbo", "gpt-4"]
  max_budget = 50
  ttl        = 3600
  max_ttl    = 86400
}
```

Consumers then read `litellm/creds/team-a` from Vault to obtain a scoped,
budgeted, lease-bound virtual key.
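As an added illustration (not code from this provider or the plugin), the following Go sketch shows what the role resource does against the Vault API: it validates the seconds-based TTLs, then POSTs the role to `<backend>/roles/<name>` with an `X-Vault-Token` header. The `Role` type, the `WriteRole` helper and the JSON field names are assumptions that mirror the attribute table above, not the plugin's documented wire format.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
)

// Role mirrors litellmvaultsecret_secret_backend_role; JSON names are an ASSUMPTION.
type Role struct {
	Models         []string          `json:"models,omitempty"`
	MaxBudget      float64           `json:"max_budget"`
	TTL            int64             `json:"ttl"`     // seconds, not "1h"
	MaxTTL         int64             `json:"max_ttl"` // seconds
	KeyAliasPrefix string            `json:"key_alias_prefix,omitempty"`
	Metadata       map[string]string `json:"metadata,omitempty"`
}

// Validate rejects a negative ttl and a default ttl above max_ttl (0 = unset).
func (r Role) Validate() error {
	if r.TTL < 0 || (r.MaxTTL > 0 && r.TTL > r.MaxTTL) {
		return fmt.Errorf("ttl %ds must lie within 0..max_ttl (%ds)", r.TTL, r.MaxTTL)
	}
	return nil
}

// WriteRole POSTs the role to <addr>/v1/<backend>/roles/<name>, the path shown
// for `terraform import` (litellm/roles/team-a), authenticated by X-Vault-Token.
func WriteRole(c *http.Client, addr, token, backend, name string, r Role) (string, error) {
	if err := r.Validate(); err != nil {
		return "", err
	}
	body, _ := json.Marshal(r) // Role holds only marshalable types
	p := backend + "/roles/" + name
	req, err := http.NewRequest(http.MethodPost, addr+"/v1/"+p, bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	req.Header.Set("X-Vault-Token", token)
	resp, err := c.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusNoContent && resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("vault returned %s for %s", resp.Status, p)
	}
	return p, nil
}
```

Because `Validate` runs before any request is sent, a role whose `ttl` exceeds `max_ttl` never reaches Vault, which is the same class of check the unit tests against a mock Vault API can exercise offline.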

## Import

```sh
terraform import litellmvaultsecret_secret_backend.litellm litellm
terraform import litellmvaultsecret_secret_backend_role.team_a litellm/roles/team-a
```

## Development

```sh
make build   # build the provider binary
make install # install into ~/.terraform.d/plugins for local use
make test    # unit tests (race-enabled)
make lint    # go vet
make fmt     # gofmt
make e2e     # end-to-end: real Vault + LiteLLM + plugin, terraform apply
```

### End-to-end tests

`make e2e` builds the sibling `vault-plugin-secrets-litellm` plugin, boots Vault +
LiteLLM + Postgres in Docker, installs this provider locally, then runs a real
`terraform apply` that mounts the engine and creates a role, and asserts that a
working virtual key can be generated from it. Requires Docker; bind mounts use
`:z` for SELinux.