Populate the repo with the Terraform/OpenTofu provider that manages the LiteLLM dynamic secrets engine on Vault/OpenBao via the Vault API.

- Provider (VAULT_ADDR/VAULT_TOKEN) with resources litellmvaultsecret_secret_backend (mount + config) and litellmvaultsecret_secret_backend_role (models, max_budget, ttl/max_ttl in seconds, metadata)
- Unit tests against a mock Vault API
- End-to-end test: builds the sibling plugin, boots Vault + LiteLLM + Postgres, and runs a real terraform apply/destroy asserting key generation works
- Makefile, woodpecker CI (build/test/pre-commit), examples, README
# terraform-provider-litellmvaultsecret

A Terraform/OpenTofu provider that manages the LiteLLM dynamic secrets engine (the vault-plugin-secrets-litellm plugin) on HashiCorp Vault or OpenBao.

It lets you declare, as code, the LiteLLM secrets-engine mount, its connection config, and the roles that scope generated virtual keys — for use from terraform-vault.
## Provider

```hcl
terraform {
  required_providers {
    litellmvaultsecret = {
      source = "git.unkin.net/unkin/litellmvaultsecret"
    }
  }
}

provider "litellmvaultsecret" {
  address = "https://vault.example.com" # or VAULT_ADDR
  token   = var.vault_token             # or VAULT_TOKEN
}
```
## Resources

### litellmvaultsecret_secret_backend

Mounts the engine and writes its connection config.

| Attribute | Required | Description |
|---|---|---|
| `path` | yes | Mount path (e.g. `litellm`). Forces replacement. |
| `base_url` | yes | LiteLLM proxy URL the plugin calls. |
| `master_key` | yes | LiteLLM master key (sensitive, never read back). |
| `plugin` | no | Registered plugin name (default `vault-plugin-secrets-litellm`). |
| `description` | no | Mount description. |
| `request_timeout_seconds` | no | Plugin→LiteLLM HTTP timeout (default 30). |
### litellmvaultsecret_secret_backend_role

Manages a role that constrains generated keys.

| Attribute | Required | Description |
|---|---|---|
| `backend` | yes | Mount path of the engine. Forces replacement. |
| `name` | yes | Role name. Forces replacement. |
| `models` | no | Allowed models (set); empty = unrestricted. |
| `max_budget` | no | Spending limit per key; 0 = unlimited. |
| `ttl` | no | Default lease TTL, in seconds. |
| `max_ttl` | no | Maximum lease TTL, in seconds. |
| `key_alias_prefix` | no | Prefix for the key alias (default `vault`). |
| `metadata` | no | Metadata attached to each key (map). |
## Example

```hcl
resource "litellmvaultsecret_secret_backend" "litellm" {
  path       = "litellm"
  base_url   = "http://litellm.litellm.svc:4000"
  master_key = var.litellm_master_key
}

resource "litellmvaultsecret_secret_backend_role" "team_a" {
  backend    = litellmvaultsecret_secret_backend.litellm.path
  name       = "team-a"
  models     = ["gpt-3.5-turbo", "gpt-4"]
  max_budget = 50
  ttl        = 3600
  max_ttl    = 86400
}
```
Consumers then read `litellm/creds/team-a` from Vault to obtain a scoped, budgeted, lease-bound virtual key.
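The consumer side of that flow, as an added example that is not part of this provider or the plugin: a small Go client reads `litellm/creds/team-a` over the standard Vault HTTP API (`GET /v1/<mount>/creds/<role>` with an `X-Vault-Token` header), keeps the lease ID and duration from Vault's lease envelope, and revokes the lease through `PUT /v1/sys/leases/revoke` as soon as the key is no longer needed, so a key lives no longer than the work that used it rather than until `ttl` expires. The mock Vault server, the sample token and the `key` field name inside `data` are constructed assumptions (the page does not state how the plugin names the key in its response); the lease envelope fields are Vault's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// LiteLLMCreds is what a consumer keeps from a litellm/creds/<role> read.
// LeaseID and LeaseDuration come from Vault's lease envelope; Key is the
// assumed name of the virtual-key field in the response's data map.
type LiteLLMCreds struct {
	LeaseID       string
	LeaseDuration int // seconds, the effective TTL granted by Vault
	Key           string
}

// readCreds performs GET /v1/<mount>/creds/<role> with the Vault token header
// and decodes the standard lease envelope a dynamic secrets engine returns.
func readCreds(addr, token, mount, role string) (*LiteLLMCreds, error) {
	req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("%s/v1/%s/creds/%s", addr, mount, role), nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("vault returned HTTP %d for %s/creds/%s", resp.StatusCode, mount, role)
	}
	var env struct {
		LeaseID       string            `json:"lease_id"`
		LeaseDuration int               `json:"lease_duration"`
		Data          map[string]string `json:"data"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&env); err != nil {
		return nil, err
	}
	key := env.Data["key"] // assumed field name
	if key == "" {
		return nil, fmt.Errorf("creds response carries no key")
	}
	return &LiteLLMCreds{LeaseID: env.LeaseID, LeaseDuration: env.LeaseDuration, Key: key}, nil
}

// revokeLease retires the virtual key early via PUT /v1/sys/leases/revoke,
// instead of leaving it valid until the role's ttl runs out.
func revokeLease(addr, token, leaseID string) error {
	body := strings.NewReader(fmt.Sprintf(`{"lease_id":%q}`, leaseID))
	req, err := http.NewRequest(http.MethodPut, addr+"/v1/sys/leases/revoke", body)
	if err != nil {
		return err
	}
	req.Header.Set("X-Vault-Token", token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusNoContent && resp.StatusCode != http.StatusOK {
		return fmt.Errorf("revoke returned HTTP %d", resp.StatusCode)
	}
	return nil
}

// mockVault is a constructed stand-in for a Vault server: it answers one creds
// path, enforces the token header, and records which leases were revoked.
type mockVault struct {
	Server  *httptest.Server
	Revoked map[string]bool
}

func newMockVault(token string) *mockVault {
	m := &mockVault{Revoked: map[string]bool{}}
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/litellm/creds/team-a", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Vault-Token") != token {
			w.WriteHeader(http.StatusForbidden)
			return
		}
		// Constructed sample response in Vault's lease-envelope shape.
		fmt.Fprint(w, `{"lease_id":"litellm/creds/team-a/constructed","lease_duration":3600,`+
			`"renewable":true,"data":{"key":"sk-constructed-example"}}`)
	})
	mux.HandleFunc("/v1/sys/leases/revoke", func(w http.ResponseWriter, r *http.Request) {
		var body struct {
			LeaseID string `json:"lease_id"`
		}
		if err := json.NewDecoder(r.Body).Decode(&body); err != nil || body.LeaseID == "" {
			w.WriteHeader(http.StatusBadRequest)
			return
		}
		m.Revoked[body.LeaseID] = true
		w.WriteHeader(http.StatusNoContent)
	})
	m.Server = httptest.NewServer(mux)
	return m
}

func main() {
	m := newMockVault("constructed-token")
	defer m.Server.Close()
	creds, err := readCreds(m.Server.URL, "constructed-token", "litellm", "team-a")
	if err != nil {
		panic(err)
	}
	fmt.Printf("lease %s valid for %ds\n", creds.LeaseID, creds.LeaseDuration)
	// ... use creds.Key against the LiteLLM proxy, then give it back:
	if err := revokeLease(m.Server.URL, "constructed-token", creds.LeaseID); err != nil {
		panic(err)
	}
	fmt.Println("revoked:", m.Revoked[creds.LeaseID])
}
```

Against a real Vault the consumer's token only needs `read` on `litellm/creds/team-a` and `update` on `sys/leases/revoke`, which is the point of routing key issuance through a role: the consumer never sees `master_key`, and everything it obtains is tied to a lease that can be revoked or allowed to expire.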
## Import

```shell
terraform import litellmvaultsecret_secret_backend.litellm litellm
terraform import litellmvaultsecret_secret_backend_role.team_a litellm/roles/team-a
```
## Development

```shell
make build    # build the provider binary
make install  # install into ~/.terraform.d/plugins for local use
make test     # unit tests (race-enabled)
make lint     # go vet
make fmt      # gofmt
make e2e      # end-to-end: real Vault + LiteLLM + plugin, terraform apply
```
## End-to-end tests

`make e2e` builds the sibling vault-plugin-secrets-litellm plugin, boots Vault + LiteLLM + Postgres in Docker, installs this provider locally, then runs a real `terraform apply` that mounts the engine and creates a role, and asserts that a working virtual key can be generated from it. Requires Docker; bind mounts use `:z` for SELinux.