SecretHub is a secrets management tool that works for every engineer. Securely provision passwords and keys throughout your entire stack with just a few lines of code.
The SecretHub Terraform Provider lets you manage your secrets using Terraform. It is officially supported and actively maintained by SecretHub, but community contributions are very welcome.
terraform {
required_providers {
secrethub = {
source = "secrethub/secrethub"
version = ">= 1.2.0"
}
}
}
resource "secrethub_secret" "db_password" {
path = "my-org/my-repo/db/password"
generate {
length = 22
charsets = ["alphanumeric"]
}
}
resource "secrethub_secret" "db_username" {
path = "my-org/my-repo/db/username"
value = "db-user"
}
resource "aws_db_instance" "default" {
allocated_storage = 10
storage_type = "gp2"
engine = "mysql"
engine_version = "5.7"
instance_class = "db.t2.micro"
name = "mydb"
username = secrethub_secret.db_username.value
password = secrethub_secret.db_password.value
parameter_group_name = "default.mysql5.7"
}Have a look at the reference docs for more information on the supported resources and data sources.
Manually install the secrethub provider by downloading the binary for your platform and moving it to ~/.terraform/plugins or %APPDATA%\terraform.d\plugins on Windows.
Afterwards you can run the following example with Terraform.
provider "secrethub" {}
resource "secrethub_secret" "db_password" {
path = "my-org/my-repo/db/password"
generate {
length = 22
charsets = ["alphanumeric"]
}
}
resource "secrethub_secret" "db_username" {
path = "my-org/my-repo/db/username"
value = "db-user"
}
resource "aws_db_instance" "default" {
allocated_storage = 10
storage_type = "gp2"
engine = "mysql"
engine_version = "5.7"
instance_class = "db.t2.micro"
name = "mydb"
username = secrethub_secret.db_username.value
password = secrethub_secret.db_password.value
parameter_group_name = "default.mysql5.7"
}Have a look at the reference docs for more information on the supported resources and data sources.
Check out the step-by-step integration guide to get started.
A detailed use case is described in the original announcement. There are also some examples in this repo.
If you need help, send us a message on the #terraform channel on 
Get the source code:
git clone https://github.com/secrethub/terraform-provider-secrethub
Build it using:
make build
To run the acceptance tests, the following environment variables need to be set up.
SECRETHUB_CREDENTIAL- a SecretHub credential.SECRETHUB_TF_ACC_NAMESPACE- a namespace registered on SecretHub. Make sureSECRETHUB_CREDENTIALhas admin access.SECRETHUB_TF_ACC_REPOSITORY- a repository withinSECRETHUB_TF_ACC_NAMESPACEto be used in the acceptance tests. Make sureSECRETHUB_CREDENTIALhas admin access.SECRETHUB_TF_ACC_SECOND_ACCOUNT_NAME- an account other than the authenticated account, that is a member of the repository. It will be used to test access rules.
Only for the AWS acceptance tests:
SECRETHUB_TF_ACC_AWS_ROLE- an AWS IAM role to use for testing AWS service accounts. The role should have decrypt permission on the key inSECRETHUB_TF_ACC_AWS_KMS_KEY.SECRETHUB_TF_ACC_AWS_KMS_KEY- an AWS KMS key to use for testing AWS service accounts. The authenticated AWS user or role should have encrypt permission on this key and theSECRETHUB_TF_ACC_AWS_ROLEshould have decrypt permission.
Only for the GCP acceptance tests:
SECRETHUB_TF_ACC_GCP_SERVICE_ACCOUNT- a GCP service account email to use for testing SecretHub GCP service accounts. It should have decrypt permission on the key inSECRETHUB_TF_ACC_GCP_KMS_KEY.SECRETHUB_TF_ACC_GCP_KMS_KEY- an GCP KMS key to use for testing GCP service accounts. The authenticated GCP user or role should have encrypt permission on this key and theSECRETHUB_TF_ACC_GCP_SERVICE_ACCOUNTshould have decrypt permission.
With the environment variables properly set up, run:
make testacc