Skip to content

redredgroovy/terraform-provider-vault

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

16 Commits
vault
vault
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
main.go
main.go
 
 
version.go
version.go
 
 

Repository files navigation

terraform-provider-vault

Terraform provider for reading secrets from Hashicorp Vault

This provider allows you to retrieve secrets from a Vault instance and access them as variables within your Terraform configurations. It can provide convenient access to sensitive material, including:

  • AWS credentials
  • SSH keys
  • SSL certificate keys

Important Security Notice

This provider currently stores unencrypted secrets as plaintext in your .tfstate files! Do not use this module unless you have taken steps to ensure your .tfstate files are encrypted or otherwise secured. This provider should be considered unsafe until a solution has been found for terraform:#516.

Usage

Provider configuration

This module implements a vault provider.

provider "vault" {
    address = "https://vault:8200"
    app_id = "..."
    user_id = "..."
    token = "..."
}
Arguments

The Vault provider currently supports token, app-id, userpass, and ldap authentication.

  • address - (required) URL to the Vault API
  • token - Explicit token for token authentication
  • app_id - Application ID for app-id authentication
  • user_id - User ID for app-id authentication
  • user - Username for userpass authentication
  • pass - Password for userpass authentication
  • ldapuser - Username for ldap authentication
  • ldappass - Password for ldap authentication

Resource configuration

This module implements a vault_secret resource.

resource "vault_secret" "aws" {
    path = "/secret/aws/credentials"
}
Arguments
  • path - The path to the secret store for this resource

The contents of path will be stored as a map in the data variable of the resource.

Example

provider "vault" {
    address = "https://vault:8200"
    app_id = "eea928cc-2e83-4db7-8ad2-b90b7bd43542"
    user_id = "${file("~/.user-id")}"
}

resource "vault_secret" "aws" {
    path = "/secret/aws/credentials"
}

# Assuming a Vault entry with the following fields:
#   access_key
#   secret_key
provider "aws" {
    access_key = "${vault_secret.aws.data.access_key}"
    secret_key = "${vault_secret.aws.data.secret_key}"
}

resource "vault_secret" "cert" {
    path = "/secret/certs/www"
}

# Assuming a Vault entry with the following fields:
#   cert
#   key
resource "aws_iam_server_certificate" "www" {
    name = "www"
    certificate_body = "${vault_secret.www.data.cert}"
    private_key = "${vault_secret.www.data.key}"
}

Author

Derek Moore

About

Terraform provider for reading secrets from Hashicorp Vault

Resources

Readme

License

MPL-2.0 license
Activity

Stars

43 stars

Watchers

3 watching

Forks

7 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages