unkinben 8ca6c39c66 Add terraform-provider-litellmvaultsecret implementation
Populate the repo with the Terraform/OpenTofu provider that manages the LiteLLM
dynamic secrets engine on Vault/OpenBao via the Vault API.

- Provider (VAULT_ADDR/VAULT_TOKEN) with resources litellmvaultsecret_secret_backend
  (mount + config) and litellmvaultsecret_secret_backend_role (models, max_budget,
  ttl/max_ttl in seconds, metadata)
- Unit tests against a mock Vault API
- End-to-end test: builds the sibling plugin, boots Vault + LiteLLM + Postgres,
  and runs a real terraform apply/destroy asserting key generation works
- Makefile, woodpecker CI (build/test/pre-commit), examples, README
2026-07-02 23:23:13 +10:00

terraform-provider-litellmvaultsecret

A Terraform/OpenTofu provider that manages the LiteLLM dynamic secrets engine (the vault-plugin-secrets-litellm plugin) on HashiCorp Vault or OpenBao.

It lets you declare, as code, the LiteLLM secrets-engine mount, its connection config, and the roles that scope generated virtual keys — for use from terraform-vault.

Provider

terraform {
  required_providers {
    litellmvaultsecret = {
      source = "git.unkin.net/unkin/litellmvaultsecret"
    }
  }
}

provider "litellmvaultsecret" {
  address = "https://vault.example.com" # or VAULT_ADDR
  token   = var.vault_token             # or VAULT_TOKEN
}

Resources

litellmvaultsecret_secret_backend

Mounts the engine and writes its connection config.

Attribute                 Required  Description
path                      yes       Mount path (e.g. litellm). Forces replacement.
base_url                  yes       LiteLLM proxy URL the plugin calls.
master_key                yes       LiteLLM master key (sensitive, never read back).
plugin                    no        Registered plugin name (default vault-plugin-secrets-litellm).
description               no        Mount description.
request_timeout_seconds   no        Plugin→LiteLLM HTTP timeout (default 30).

litellmvaultsecret_secret_backend_role

Manages a role that constrains generated keys.

Attribute         Required  Description
backend           yes       Mount path of the engine. Forces replacement.
name              yes       Role name. Forces replacement.
models            no        Allowed models (set); empty = unrestricted.
max_budget        no        Spending limit per key; 0 = unlimited.
ttl               no        Default lease TTL, in seconds.
max_ttl           no        Maximum lease TTL, in seconds.
key_alias_prefix  no        Prefix for the key alias (default vault).
metadata          no        Metadata attached to each key (map).

Example

resource "litellmvaultsecret_secret_backend" "litellm" {
  path       = "litellm"
  base_url   = "http://litellm.litellm.svc:4000"
  master_key = var.litellm_master_key
}

resource "litellmvaultsecret_secret_backend_role" "team_a" {
  backend    = litellmvaultsecret_secret_backend.litellm.path
  name       = "team-a"
  models     = ["gpt-3.5-turbo", "gpt-4"]
  max_budget = 50
  ttl        = 3600
  max_ttl    = 86400
}

Consumers then read litellm/creds/team-a from Vault to obtain a scoped, budgeted, lease-bound virtual key.
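The following Go program is an added illustration, not code from this provider or from the vault-plugin-secrets-litellm plugin. It shows the shape of the work the team_a example above asks the provider to do: validate the role so that it actually constrains keys (bounded ttl/max_ttl, a real max_budget, an explicit model list), then write it through the Vault HTTP API against a mock Vault of the kind the unit tests use. The request path /v1/<backend>/roles/<name> follows the import address shown below and the JSON field names mirror the resource attributes; both are assumptions about the plugin's API, and the mock server, its token and the Validate rules are constructed for this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// Role mirrors the litellmvaultsecret_secret_backend_role attributes.
// JSON field names are an assumption about what the plugin accepts.
type Role struct {
	Backend        string            `json:"-"`
	Name           string            `json:"-"`
	Models         []string          `json:"models,omitempty"`
	MaxBudget      float64           `json:"max_budget"`
	TTL            int               `json:"ttl"`
	MaxTTL         int               `json:"max_ttl"`
	KeyAliasPrefix string            `json:"key_alias_prefix,omitempty"`
	Metadata       map[string]string `json:"metadata,omitempty"`
}

// Validate rejects roles that would hand out unconstrained keys (constructed
// policy for this example): the lease must be bounded, spend capped, models listed.
func (r Role) Validate() error {
	if r.Backend == "" || r.Name == "" {
		return errors.New("backend and name are required")
	}
	if r.TTL <= 0 || r.MaxTTL <= 0 {
		return errors.New("ttl and max_ttl must be positive seconds")
	}
	if r.TTL > r.MaxTTL {
		return fmt.Errorf("ttl %d exceeds max_ttl %d", r.TTL, r.MaxTTL)
	}
	if r.MaxBudget <= 0 {
		return errors.New("max_budget 0 means unlimited spend; set a cap")
	}
	if len(r.Models) == 0 {
		return errors.New("empty models means unrestricted; list allowed models")
	}
	return nil
}

// WriteRole POSTs the role to /v1/<backend>/roles/<name> with the Vault token header.
func WriteRole(client *http.Client, addr, token string, r Role) error {
	if err := r.Validate(); err != nil {
		return err
	}
	body, _ := json.Marshal(r)
	req, err := http.NewRequest(http.MethodPost, addr+"/v1/"+r.Backend+"/roles/"+r.Name, bytes.NewReader(body))
	if err != nil {
		return err
	}
	req.Header.Set("X-Vault-Token", token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusNoContent && resp.StatusCode != http.StatusOK {
		return fmt.Errorf("vault returned %s", resp.Status)
	}
	return nil
}

// MockVault is a constructed stand-in for the Vault API: it rejects requests
// without the expected token and records the JSON written to each path.
type MockVault struct {
	Token string
	mu    sync.Mutex
	Paths map[string]map[string]any
}

func (m *MockVault) Handler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Vault-Token") != m.Token {
			http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
			return
		}
		var data map[string]any
		if err := json.NewDecoder(r.Body).Decode(&data); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		m.mu.Lock()
		m.Paths[r.URL.Path] = data
		m.mu.Unlock()
		w.WriteHeader(http.StatusNoContent)
	})
}

// ApplyTeamRole writes the README's team_a role to a mock Vault using the given
// token and returns the JSON the mock received, so a test can inspect the wire data.
func ApplyTeamRole(token string) (map[string]any, error) {
	mock := &MockVault{Token: "root-token", Paths: map[string]map[string]any{}}
	srv := httptest.NewServer(mock.Handler())
	defer srv.Close()
	role := Role{Backend: "litellm", Name: "team-a", Models: []string{"gpt-3.5-turbo", "gpt-4"},
		MaxBudget: 50, TTL: 3600, MaxTTL: 86400}
	if err := WriteRole(srv.Client(), srv.URL, token, role); err != nil {
		return nil, err
	}
	return mock.Paths["/v1/litellm/roles/team-a"], nil
}

func main() {
	data, err := ApplyTeamRole("root-token")
	fmt.Println(data, err)
}
```

Keeping the constraint checks in the provider (before anything reaches Vault) mirrors what a plan-time validation buys you: a role with ttl above max_ttl, a zero budget or an empty model list never becomes a mount that mints unbounded keys.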

Import

terraform import litellmvaultsecret_secret_backend.litellm litellm
terraform import litellmvaultsecret_secret_backend_role.team_a litellm/roles/team-a

Development

make build   # build the provider binary
make install # install into ~/.terraform.d/plugins for local use
make test    # unit tests (race-enabled)
make lint    # go vet
make fmt     # gofmt
make e2e     # end-to-end: real Vault + LiteLLM + plugin, terraform apply

End-to-end tests

make e2e builds the sibling vault-plugin-secrets-litellm plugin, boots Vault + LiteLLM + Postgres in Docker, installs this provider locally, then runs a real terraform apply that mounts the engine and creates a role, and asserts that a working virtual key can be generated from it. Requires Docker; bind mounts use :z for SELinux.

Description
Terraform provider for the Vault/OpenBao LiteLLM dynamic secrets engine (litellmvaultsecret)