unkinben 8ca6c39c66 Add terraform-provider-litellmvaultsecret implementation
Populate the repo with the Terraform/OpenTofu provider that manages the LiteLLM
dynamic secrets engine on Vault/OpenBao via the Vault API.

- Provider (VAULT_ADDR/VAULT_TOKEN) with resources litellmvaultsecret_secret_backend
  (mount + config) and litellmvaultsecret_secret_backend_role (models, max_budget,
  ttl/max_ttl in seconds, metadata)
- Unit tests against a mock Vault API
- End-to-end test: builds the sibling plugin, boots Vault + LiteLLM + Postgres,
  and runs a real terraform apply/destroy asserting key generation works
- Makefile, woodpecker CI (build/test/pre-commit), examples, README
2026-07-02 23:23:13 +10:00


# terraform-provider-litellmvaultsecret
A Terraform/OpenTofu provider that manages the **LiteLLM dynamic secrets engine**
(the [`vault-plugin-secrets-litellm`](https://git.unkin.net/unkin/vault-plugin-secrets-litellm)
plugin) on HashiCorp Vault or OpenBao.
It lets you declare, as code, the LiteLLM secrets-engine mount, its connection
config, and the roles that scope generated virtual keys — for use from
`terraform-vault`.
## Provider
```hcl
terraform {
  required_providers {
    litellmvaultsecret = {
      source = "git.unkin.net/unkin/litellmvaultsecret"
    }
  }
}

provider "litellmvaultsecret" {
  address = "https://vault.example.com" # or VAULT_ADDR
  token   = var.vault_token             # or VAULT_TOKEN
}
```
## Resources
### `litellmvaultsecret_secret_backend`
Mounts the engine and writes its connection config.
| Attribute | Required | Description |
| ------------------------- | -------- | ---------------------------------------------------- |
| `path` | yes | Mount path (e.g. `litellm`). Forces replacement. |
| `base_url` | yes | LiteLLM proxy URL the plugin calls. |
| `master_key` | yes | LiteLLM master key. Marked sensitive and never read back from Vault, but like any argument it is stored in Terraform state, so protect the state backend. |
| `plugin` | no | Registered plugin name (default `vault-plugin-secrets-litellm`). |
| `description` | no | Mount description. |
| `request_timeout_seconds` | no | Plugin→LiteLLM HTTP timeout (default 30). |
### `litellmvaultsecret_secret_backend_role`
Manages a role that constrains generated keys.
| Attribute | Required | Description |
| ------------------ | -------- | ---------------------------------------------- |
| `backend` | yes | Mount path of the engine. Forces replacement. |
| `name` | yes | Role name. Forces replacement. |
| `models` | no | Allowed models (set); empty = unrestricted. |
| `max_budget` | no | Spending limit per key; 0 = unlimited. |
| `ttl` | no | Default lease TTL, in **seconds**. |
| `max_ttl` | no | Maximum lease TTL, in **seconds**. |
| `key_alias_prefix` | no | Prefix for the key alias (default `vault`). |
| `metadata` | no | Metadata attached to each key (map). |
## Example
```hcl
resource "litellmvaultsecret_secret_backend" "litellm" {
  path       = "litellm"
  base_url   = "http://litellm.litellm.svc:4000"
  master_key = var.litellm_master_key
}

resource "litellmvaultsecret_secret_backend_role" "team_a" {
  backend    = litellmvaultsecret_secret_backend.litellm.path
  name       = "team-a"
  models     = ["gpt-3.5-turbo", "gpt-4"]
  max_budget = 50
  ttl        = 3600  # 1 hour
  max_ttl    = 86400 # 24 hours
}
```
Consumers then read `litellm/creds/team-a` from Vault to obtain a scoped,
budgeted, lease-bound virtual key.
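How a consumer handles the lease-bound key described above, as an added Go example that is not part of this provider or the `vault-plugin-secrets-litellm` plugin: it reads `litellm/creds/team-a` over the standard Vault HTTP API, renews the lease through `sys/leases/renew` (Vault caps the requested increment at the role's `max_ttl`), and revokes the lease through `sys/leases/revoke` when the key is no longer needed, so the plugin can delete it in LiteLLM instead of leaving it to expire. The endpoints and the `X-Vault-Token` header are standard Vault; the `key` field in the response data, the mock server standing in for Vault plus the plugin, the token value and the lease-id format are assumptions constructed for this example, since the plugin's actual response shape is not shown on this page.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Secret is the standard Vault response envelope for secret reads and lease renewals.
type Secret struct {
	LeaseID       string            `json:"lease_id"`
	LeaseDuration int               `json:"lease_duration"`
	Data          map[string]string `json:"data"`
}

type Client struct{ Addr, Token string }

// call sends one authenticated JSON request and decodes the Vault envelope.
func (c *Client) call(method, path string, body interface{}) (*Secret, error) {
	var buf bytes.Buffer
	if body != nil {
		_ = json.NewEncoder(&buf).Encode(body) // small string/int maps always encode
	}
	req, err := http.NewRequest(method, c.Addr+path, &buf)
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", c.Token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusNoContent {
		return nil, nil // revoke answers 204 with no body
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("%s %s: HTTP %d", method, path, resp.StatusCode)
	}
	var s Secret
	return &s, json.NewDecoder(resp.Body).Decode(&s)
}

// ReadCreds requests a fresh virtual key: GET /v1/<mount>/creds/<role>.
func (c *Client) ReadCreds(mount, role string) (*Secret, error) {
	return c.call(http.MethodGet, "/v1/"+mount+"/creds/"+role, nil)
}

// Renew extends the lease; Vault caps the increment at the role's max_ttl.
func (c *Client) Renew(leaseID string, increment int) (*Secret, error) {
	return c.call(http.MethodPut, "/v1/sys/leases/renew", map[string]interface{}{"lease_id": leaseID, "increment": increment})
}

// Revoke ends the lease early, which makes the plugin delete the key in LiteLLM.
func (c *Client) Revoke(leaseID string) error {
	_, err := c.call(http.MethodPut, "/v1/sys/leases/revoke", map[string]string{"lease_id": leaseID})
	return err
}

// NewMockVault stands in for Vault plus the plugin (constructed for this example, not the real API):
// one valid token, fake keys for litellm/creds/team-a with the example role's ttl=3600, renewals
// capped at max_ttl=86400 (simplified: elapsed time is ignored), and no renewal of revoked leases.
func NewMockVault(goodToken string) *httptest.Server {
	const ttl, maxTTL = 3600, 86400
	leases := map[string]bool{} // lease id -> still active
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Vault-Token") != goodToken {
			http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
			return
		}
		var body map[string]interface{}
		_ = json.NewDecoder(r.Body).Decode(&body) // GET carries no body; a nil map is fine
		id, _ := body["lease_id"].(string)
		switch {
		case r.Method == http.MethodGet && r.URL.Path == "/v1/litellm/creds/team-a":
			id = fmt.Sprintf("litellm/creds/team-a/%d", len(leases)+1)
			leases[id] = true
			_ = json.NewEncoder(w).Encode(Secret{LeaseID: id, LeaseDuration: ttl, Data: map[string]string{"key": fmt.Sprintf("sk-fake-%d", len(leases))}})
		case r.Method == http.MethodPut && r.URL.Path == "/v1/sys/leases/renew" && leases[id]:
			inc, _ := body["increment"].(float64)
			if inc > maxTTL {
				inc = maxTTL
			}
			_ = json.NewEncoder(w).Encode(Secret{LeaseID: id, LeaseDuration: int(inc)})
		case r.Method == http.MethodPut && r.URL.Path == "/v1/sys/leases/revoke":
			leases[id] = false // kept in the map so ids stay unique and renewals are refused
			w.WriteHeader(http.StatusNoContent)
		default:
			http.Error(w, `{"errors":["unknown path or lease"]}`, http.StatusBadRequest)
		}
	}))
}

func main() {
	c := &Client{Addr: NewMockVault("s.example-token").URL, Token: "s.example-token"}
	sec, err := c.ReadCreds("litellm", "team-a")
	if err != nil {
		panic(err)
	}
	renewed, _ := c.Renew(sec.LeaseID, 999999) // far more than the role's max_ttl; Vault caps it
	fmt.Printf("key=%s ttl=%ds renewed=%ds revoke_err=%v\n", sec.Data["key"], sec.LeaseDuration, renewed.LeaseDuration, c.Revoke(sec.LeaseID))
}
```

A long-running consumer should schedule `Renew` at roughly two thirds of `lease_duration` and call `Revoke` on shutdown rather than letting the key linger until `max_ttl`. The Vault token used here needs a policy granting `read` on `litellm/creds/team-a` and `update` on `sys/leases/renew` and `sys/leases/revoke`; the returned key should be held in memory only and never logged.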
## Import
```sh
terraform import litellmvaultsecret_secret_backend.litellm litellm
terraform import litellmvaultsecret_secret_backend_role.team_a litellm/roles/team-a
```
## Development
```sh
make build # build the provider binary
make install # install into ~/.terraform.d/plugins for local use
make test # unit tests (race-enabled)
make lint # go vet
make fmt # gofmt
make e2e # end-to-end: real Vault + LiteLLM + plugin, terraform apply
```
### End-to-end tests
`make e2e` builds the sibling `vault-plugin-secrets-litellm` plugin, boots Vault +
LiteLLM + Postgres in Docker, installs this provider locally, then runs a real
`terraform apply` that mounts the engine and creates a role, and asserts that a
working virtual key can be generated from it. Requires Docker; bind mounts use
`:z` for SELinux.