How to add secrets to existing path in vault using terraform


I'm new and would appreciate advice on managing secrets in a terraform with vault. We use a modular code structure.

./project
├──── dev
│      │
│      ├── local.tf
│      ├── main.tf
│      ├── provider.tf
│      └── terraform.tf
│
├──── qa
│      │
│      ├── local.tf
│      ├── main.tf
│      ├── provider.tf 
│      └── terraform.tf
│
├──── modules
│        │   
│        ├── iam
│        │    │
│        │    ├── main.tf
│        │    ├── variables.tf
│        │    └── outputs.tf
│        │
│        │
│        ├── cert
│        │    │
│        │    ├── main.tf
│        │    ├── variables.tf
│        │    └── outputs.tf
│        └──  ...
└── ...

Consider a scenario where a specific module is responsible for storing secrets in a vault:

# Terraform 0.12+ requires the quoted label and the jsonencode() built-in
# (there is no json_encode function).
variable "vault_path" {
  default = "/path/to/secret"
}

resource "vault_generic_secret" "secret" {
  path = var.vault_path
  # Values are written as one JSON document to the KV path.
  data_json = jsonencode({
    "SECRET1" : "value",
    "SECRET2" : "value"
  })
}

After some time, I will need to save secrets in another module with the same path. Therefore, I will first need to fetch the secrets, merge them with the existing ones, and then save them.

variable "vault_path" {
  default = "/path/to/secret"
}

# Read whatever is already stored at the path so it can be merged below.
data "vault_generic_secret" "data_secret" {
  path = var.vault_path
}

resource "vault_generic_secret" "secret" {
  path = var.vault_path
  # The data source's .data attribute is a map of strings; merge() keeps
  # existing keys and adds the new ones. Left-to-right, later keys win.
  data_json = jsonencode(
    merge(
      data.vault_generic_secret.data_secret.data,
      {
        "SECRET3" : "value",
        "SECRET4" : "value"
      }
    )
  )
}

I don't want to repeat the same actions (fetch, merge, save) in each module, assuming there could be more modules and secrets.

Would it be better to use the outputs.tf of each module for the secrets and store them all in one place in the main.tf?

Are there any better options?

1

1 answer

1
Yuri_ On

Pretty interesting problem indeed. Probably, I would modify the approach to extract secrets in a dedicated TF-module itself. Later it can be uniformly referenced from other modules. Here is an interesting approach on how to handle Vault secrets with TF: https://blog.gitguardian.com/terraform-project-for-managing-vault-secrets-in-a-kubernetes-cluster/
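A concrete form of the dedicated-module approach suggested in the answer, combined with the per-module outputs idea from the question: each module exports the secrets it produces as a sensitive output, the root configuration collects them, and a single module owns the one `vault_generic_secret` resource for the path. This is an added example, not code from the question, the answer or the linked blog post. The module name `vault_secrets`, the Vault path `secret/dev/app`, and the `aws_iam_access_key.app` and `tls_private_key.app` resource names are assumptions.

```hcl
# modules/vault_secrets/variables.tf  (assumed new module)
variable "vault_path" {
  description = "KV path that this module alone writes to"
  type        = string
}

variable "secret_maps" {
  description = "One map of key/value pairs per producing module"
  type        = list(map(string))
  sensitive   = true
}

# modules/vault_secrets/main.tf
locals {
  # Flatten every key so duplicates can be detected before merge() silently
  # keeps only the last value for a repeated key.
  all_keys = flatten([for m in var.secret_maps : keys(m)])
}

# One resource owns the path: no read-merge-write cycle, and no second
# resource in another module overwriting this one's keys on its next apply.
resource "vault_generic_secret" "all" {
  path      = var.vault_path
  data_json = jsonencode(merge(var.secret_maps...))

  lifecycle {
    precondition {
      condition     = length(distinct(local.all_keys)) == length(local.all_keys)
      error_message = "Two modules export the same secret key; rename one so nothing is overwritten."
    }
  }
}

# modules/iam/outputs.tf  (added output; the module itself is in the question)
output "secrets" {
  value = {
    "IAM_ACCESS_KEY_ID"     = aws_iam_access_key.app.id     # assumed resource name
    "IAM_SECRET_ACCESS_KEY" = aws_iam_access_key.app.secret
  }
  sensitive = true
}

# modules/cert/outputs.tf
output "secrets" {
  value = {
    "TLS_PRIVATE_KEY" = tls_private_key.app.private_key_pem # assumed resource name
  }
  sensitive = true
}

# dev/main.tf: call the producing modules once, then hand their outputs to
# the single writer. Adding a module means adding one entry to the list.
module "iam" {
  source = "../modules/iam"
}

module "cert" {
  source = "../modules/cert"
}

module "vault_secrets" {
  source     = "../modules/vault_secrets"
  vault_path = "secret/dev/app" # assumed path
  secret_maps = [
    module.iam.secrets,
    module.cert.secrets,
  ]
}
```

Two points to keep in mind with either layout: marking outputs and variables `sensitive` only redacts them from plan and apply output, so the values still land in the Terraform state file in plaintext and the state backend needs to be protected accordingly; and if anything outside Terraform writes to the same Vault path, the next apply of this resource will replace the whole document, so the path should be treated as Terraform-owned.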