Terraform - Secret Management

Secret management: storing sensitive information in HashiCorp Vault and reading it from Terraform.
Vault is not in Ubuntu's default apt repositories, so install it from HashiCorp's apt repository or download the binary from releases.hashicorp.com.
Vault encrypts every secret before it reaches the storage backend; the stored data is only ever decrypted inside Vault, and clients get plaintext only after authenticating and passing a policy check.
Integration of vault ref: https://github.com/iam-veeramalla/terraform-zero-to-hero/blob/main/Day-7/02-vault-integration.md
Start the Vault server (dev server or a proper production server).
Command to start a dev server:
```bash
vault server -dev -dev-listen-address="0.0.0.0:8200"   # runs in the foreground, not in the background
```
A dev server keeps everything in memory, starts already unsealed and prints the root token on the terminal; it is for experiments only, and listening on 0.0.0.0 over plain HTTP exposes it to the whole network.
Open http://<IP addr>:8200 and log in with the root token printed when Vault started.
This gets you into the Vault UI.
Secret engines (an easily confused topic): the different kinds of secrets Vault can store or generate (kv, database, AWS, PKI, ...).
Access to Vault is granted through auth methods, which play a role similar to IAM:
* AppRole roles cannot be created through the UI (a drawback); use the CLI or API.
* JWT / OIDC
* Username and password (userpass)
* The most popular for machines is AppRole, similar to an IAM role.
When using the CLI, set `$VAULT_ADDR` in your shell; if it is not set, the CLI defaults to https://127.0.0.1:8200 (the IP below is the author's example server):
```bash
export VAULT_ADDR=http://44.202.238.160:8200
```
Enable AppRole in the UI or on the command line:
```bash
vault auth enable approle
```
Before creating the AppRole, write a policy. The `path` entries are prefixes in Vault's API namespace (for a kv-v2 mount the data lives under `<mount>/data/<name>`), and you can add or remove paths as needed. Here we write the `terraform` policy:
```bash
vault policy write terraform - <<EOF
path "*" { capabilities = ["list", "read"] }
path "secrets/data/*" { capabilities = ["create", "read", "update", "delete", "list"] }
path "kv/data/*" { capabilities = ["create", "read", "update", "delete", "list"] }
path "secret/data/*" { capabilities = ["create", "read", "update", "delete", "list"] }
path "auth/token/create" { capabilities = ["create", "read", "update", "list"] }
EOF
```
Caveat: `path "*"` with `read` and `list` lets this role read every mount, and the three `*/data/*` entries grant full write on all three KV mounts. That is far more than Terraform needs here; in practice scope the policy to the one secret path Terraform actually reads.
* Create the `terraform` role and attach the policy created above:
```bash
vault write auth/approle/role/terraform \
    secret_id_ttl=10m \
    token_num_uses=10 \
    token_ttl=20m \
    token_max_ttl=30m \
    secret_id_num_uses=40 \
    token_policies=terraform
```
Fetch the role-id (similar to an access key ID); it is a stable, non-secret identifier of the role:
```bash
vault read auth/approle/role/terraform/role-id   # replace terraform with your role name
```
Generate a secret-id (similar to a secret access key); each call mints a new one, limited by `secret_id_ttl` and `secret_id_num_uses` above:
```bash
vault write -f auth/approle/role/terraform/secret-id   # replace terraform with your role name
```
With these two values Terraform (or any other client) can log in to Vault via `auth/approle/login`.
Using a Vault secret in Terraform:
```hcl
provider "aws" {
  region = "us-east-1"
}

provider "vault" {
  address = "http://44.202.238.160:8200"
  # Use the AppRole login token directly instead of creating a child token for the run;
  # without this the provider tries to create a child token and the run errors out.
  skip_child_token = true

  # How Terraform authenticates to Vault
  auth_login {
    path = "auth/approle/login"
    parameters = {
      role_id   = "role-id"     # do not hard-code these: pass them as sensitive variables (TF_VAR_...)
      secret_id = "secret-id"
    }
  }
}

data "vault_kv_secret_v2" "example" {
  mount = "kv"           # change to your mount name
  name  = "test-secret"  # change to your secret name
}

resource "aws_instance" "main" {
  ami           = "ami-020cba7c55df1f615"
  instance_type = "t2.micro"
  tags = {
    "Secret" = data.vault_kv_secret_v2.example.data["username"]
  }
}
```
Two caveats: anything read from `data.vault_kv_secret_v2` is written to the Terraform state file in plaintext, so protect the state backend; and putting the value in an EC2 tag (done here only to show the lookup works) exposes it to anyone with `ec2:DescribeTags`.
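The policy, role, role-id/secret-id and Terraform steps above, pulled together as one added example (mine, not from the original post): a script that bootstraps a least-privilege AppRole for Terraform, hands the credentials to Terraform through `TF_VAR_` environment variables instead of literals in the provider block, and includes a small check that fails when a `.tf` file still carries a hard-coded `role_id` or `secret_id`. It assumes the `vault` CLI is installed, `VAULT_ADDR` and an admin `VAULT_TOKEN` are exported, a kv-v2 engine is mounted at `kv`, and the secret is `kv/test-secret` (all assumptions; change the variables at the top).

```shell
#!/usr/bin/env bash
# Added example, not the original post's code. Assumptions: vault CLI on PATH,
# VAULT_ADDR and an admin VAULT_TOKEN exported, kv-v2 mounted at "kv".
set -eu

ROLE_NAME="${ROLE_NAME:-terraform}"
KV_MOUNT="${KV_MOUNT:-kv}"
SECRET_NAME="${SECRET_NAME:-test-secret}"

# Least-privilege policy: read-only on the single kv-v2 secret Terraform needs.
# No "*" wildcard and no write capabilities, unlike the policy in the post.
terraform_policy() {
  cat <<EOF
path "${KV_MOUNT}/data/${SECRET_NAME}" {
  capabilities = ["read"]
}
EOF
}

# Hardened provider config: credentials come from sensitive variables that the
# bootstrap function exports as TF_VAR_vault_role_id / TF_VAR_vault_secret_id.
# Address is taken from VAULT_ADDR, so nothing environment-specific is in the file.
write_provider_tf() {
  cat > "$1" <<'EOF'
variable "vault_role_id" {
  type      = string
  sensitive = true
}
variable "vault_secret_id" {
  type      = string
  sensitive = true
}

provider "vault" {
  # Use the AppRole token directly; the policy above grants no auth/token/create.
  skip_child_token = true
  auth_login {
    path = "auth/approle/login"
    parameters = {
      role_id   = var.vault_role_id
      secret_id = var.vault_secret_id
    }
  }
}

data "vault_kv_secret_v2" "example" {
  mount = "kv"
  name  = "test-secret"
}
EOF
}

# Returns 0 (found) when a .tf file has a literal role_id/secret_id string,
# which is the mistake in the post's provider block; run it in CI or pre-commit.
tf_has_inline_secret() {
  grep -Eq '^[[:space:]]*(role_id|secret_id)[[:space:]]*=[[:space:]]*"[^"]*"' "$1"
}

# Enable AppRole once, write the policy, create the role, mint credentials.
# secret_id_num_uses=1: one Terraform run per secret-id; mint a fresh one each run.
bootstrap_approle() {
  vault auth list -format=json | grep -q '"approle/"' || vault auth enable approle
  terraform_policy | vault policy write "${ROLE_NAME}" -
  vault write "auth/approle/role/${ROLE_NAME}" \
    token_policies="${ROLE_NAME}" token_ttl=20m token_max_ttl=30m \
    token_num_uses=10 secret_id_ttl=10m secret_id_num_uses=1
  export TF_VAR_vault_role_id TF_VAR_vault_secret_id
  TF_VAR_vault_role_id="$(vault read -field=role_id "auth/approle/role/${ROLE_NAME}/role-id")"
  TF_VAR_vault_secret_id="$(vault write -f -field=secret_id "auth/approle/role/${ROLE_NAME}/secret-id")"
}

# Run the live part only when explicitly asked (RUN_BOOTSTRAP=1), so the file can
# also be sourced just for the helper functions.
if [ "${RUN_BOOTSTRAP:-0}" = "1" ]; then
  bootstrap_approle
  write_provider_tf providers.tf
  tf_has_inline_secret providers.tf && { echo "inline Vault credential found" >&2; exit 1; }
  terraform init && terraform plan
fi
```

Usage: `RUN_BOOTSTRAP=1 VAULT_ADDR=http://<ip>:8200 VAULT_TOKEN=<admin token> bash approle-bootstrap.sh` in the Terraform directory. Because the secret-id is single-use and lives only in the environment of that shell, nothing reusable lands in the repository, and `terraform state` is the only remaining place to protect.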
Written by
Manoj M
Software Engineer with 2 years of experience developing scalable full-stack applications and managing cloud-native infrastructure. Proficient in Java, Spring Boot, microservices architecture, and modern frontend frameworks including React and Angular. Experienced in containerisation with Docker and Kubernetes, implementing robust CI/CD pipelines, and deploying applications on AWS. Strong background in translating business requirements into technical solutions and collaborating with cross-functional teams to deliver enterprise-grade applications.