Terraform - Secret Management

Manoj M
3 min read

Secret management for storing sensitive information using HashiCorp Vault

  • Vault is not available in the official Ubuntu repositories, so it has to be downloaded and installed separately.

  • Vault is useful because every secret is stored encrypted on the instance; it can only be decrypted by Vault.

  • Integration of vault ref: https://github.com/iam-veeramalla/terraform-zero-to-hero/blob/main/Day-7/02-vault-integration.md

  • Start the Vault server (it can be a dev server or a prod server).

  • Command to start a dev server:

      vault server -dev -dev-listen-address="0.0.0.0:8200"  # it won't run in the background
    
  • Go to <IP addr>:8200 and log in using the root token that is displayed in the terminal when Vault starts.

  • You will land in the Vault UI.

  • Secrets engine (a confusable topic): the different types of secrets that we can create in HashiCorp Vault.

  • To give access to Vault we can assign roles to users (like IAM):

    • Roles cannot be created through the UI (drawback)

    • Could be JWT

    • Username and password, etc.

    • The most popular is AppRole, which is similar to an IAM role

  • If you are using the CLI, set the $VAULT_ADDR variable in bash; otherwise it will default to localhost.

      export VAULT_ADDR=http://44.202.238.160:8200
    
  • Enable the AppRole auth method in the UI or on the command line as below:

      vault auth enable approle
    
  • To create an AppRole we first need a policy (the paths mentioned in the policy are all mount points; we can add or remove any path in the policy). Here we are writing the terraform policy:

    ```bash
    vault policy write terraform - <<EOF
    path "*" {
      capabilities = ["list", "read"]
    }

    path "secrets/data/*" {
      capabilities = ["create", "read", "update", "delete", "list"]
    }

    path "kv/data/*" {
      capabilities = ["create", "read", "update", "delete", "list"]
    }

    path "secret/data/*" {
      capabilities = ["create", "read", "update", "delete", "list"]
    }

    path "auth/token/create" {
      capabilities = ["create", "read", "update", "list"]
    }
    EOF
    ```
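To see what the policy above actually grants on a given path, here is an added example (not from the original post or from Vault) that models Vault's documented ACL matching rule: an exact path rule wins; otherwise the longest matching glob rule (a path ending in `*`) wins; a rule carrying `deny` overrides everything else. The `+` segment wildcard and `sudo` are not modelled. The rules are the same paths as the terraform policy, hard-coded here instead of parsed from HCL.

```python
"""Which capabilities does the 'terraform' policy grant on a given path?

Added example, not from the original post. Models Vault's documented ACL
matching: exact rule first, then the longest matching trailing-"*" glob;
"deny" overrides. "+" wildcards and "sudo" are not modelled.
"""

# Constructed to mirror the post's 'terraform' policy.
TERRAFORM_POLICY = {
    "*": ["list", "read"],
    "secrets/data/*": ["create", "read", "update", "delete", "list"],
    "kv/data/*": ["create", "read", "update", "delete", "list"],
    "secret/data/*": ["create", "read", "update", "delete", "list"],
    "auth/token/create": ["create", "read", "update", "list"],
}


def matching_rule(policy, path):
    """Return the rule that governs `path`, or None if nothing matches."""
    if path in policy:
        return path                      # an exact rule takes priority
    best = None
    for rule in policy:
        if rule.endswith("*") and path.startswith(rule[:-1]):
            if best is None or len(rule) > len(best):
                best = rule              # the longest glob prefix wins
    return best


def capabilities(policy, path):
    """Effective capability set for `path` (empty set means no access)."""
    rule = matching_rule(policy, path)
    if rule is None:
        return set()
    caps = set(policy[rule])
    return {"deny"} if "deny" in caps else caps


def allowed(policy, path, capability):
    """True if a token holding only `policy` may perform `capability` on `path`."""
    return capability in capabilities(policy, path)


def granted_by_catch_all(policy, paths):
    """Paths whose only matching rule is the bare '*' glob.

    Handy when reviewing a policy: anything returned here is reachable solely
    because of the catch-all rule, not because a deliberate rule named it.
    """
    return [p for p in paths if matching_rule(policy, p) == "*"]


if __name__ == "__main__":
    for p in ["kv/data/test-secret", "kv/metadata/test-secret",
              "sys/policies/acl/terraform", "auth/token/create"]:
        print(p, "->", matching_rule(TERRAFORM_POLICY, p),
              sorted(capabilities(TERRAFORM_POLICY, p)))
```

Running it shows that `kv/data/test-secret` gets the full create/read/update/delete/list set from `kv/data/*`, while `kv/metadata/test-secret` and `sys/policies/acl/terraform` fall through to the `"*"` rule and get `list` and `read`. That catch-all is what `granted_by_catch_all` flags: if the role only needs the KV mount, dropping the `"*"` rule is the least-privilege version of this policy.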


  • Creating the terraform role; here we attach the policy created above to the role.

    ```bash
    vault write auth/approle/role/terraform \
        secret_id_ttl=10m \
        token_num_uses=10 \
        token_ttl=20m \
        token_max_ttl=30m \
        secret_id_num_uses=40 \
        token_policies=terraform
    ```

  • Create a role-id (similar to an access key):

      vault read auth/approle/role/my-approle/role-id  # replace my-approle with the role name
    
  • Create a secret-id (similar to a secret key):

      vault write -f auth/approle/role/my-approle/secret-id  # replace my-approle with the role name
    
  • Using these two values we can access Vault from Terraform and other tools.

  • Usage of a Vault secret in Terraform:

      provider "aws" {
        region = "us-east-1"
      }

      provider "vault" {
        address          = "http://44.202.238.160:8200"
        skip_child_token = true // without this, some errors will be raised

        // how to authenticate
        auth_login {
          path = "auth/approle/login"

          parameters = {
            role_id   = "role-id"
            secret_id = "secret-id"
          }
        }
      }

      data "vault_kv_secret_v2" "example" {
        mount = "kv"          // change it according to your mount
        name  = "test-secret" // change it according to your secret
      }

      resource "aws_instance" "main" {
        ami           = "ami-020cba7c55df1f615"
        instance_type = "t2.micro"

        tags = {
          "Secret" = data.vault_kv_secret_v2.example.data["username"]
        }
      }
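What the `auth_login` block and the `vault_kv_secret_v2` data source do under the hood is two calls to the Vault HTTP API. The following is an added example, not from the original post or from the Terraform Vault provider: it POSTs the role_id/secret_id pair to `auth/approle/login`, then reads `<mount>/data/<name>` with the returned token. Request building and response parsing are separated from the network call so the shapes can be checked offline; the address, role_id, secret_id and the two sample replies are constructed placeholders.

```python
"""AppRole login and KV v2 read over the Vault HTTP API.

Added example, not from the original post or the Terraform Vault provider.
Step 1: POST {role_id, secret_id} to /v1/auth/approle/login.
Step 2: GET /v1/<mount>/data/<name> with X-Vault-Token set to the client token.
All addresses, ids and sample replies below are constructed placeholders.
"""
import json
import urllib.request


def approle_login_request(vault_addr, role_id, secret_id):
    """Build (url, body) for the AppRole login the Terraform provider performs."""
    url = f"{vault_addr.rstrip('/')}/v1/auth/approle/login"
    body = json.dumps({"role_id": role_id, "secret_id": secret_id}).encode()
    return url, body


def parse_login_response(raw):
    """Pull the client token, its TTL in seconds and attached policies from a login reply."""
    auth = json.loads(raw)["auth"]
    return {
        "token": auth["client_token"],
        "ttl": auth["lease_duration"],
        "policies": auth["policies"],
    }


def kv2_read_url(vault_addr, mount, name):
    """KV v2 inserts 'data/' between mount and secret name; that is why the
    policy above grants on kv/data/* rather than kv/*."""
    return f"{vault_addr.rstrip('/')}/v1/{mount}/data/{name}"


def parse_kv2_response(raw):
    """Return (key/value map, version) from a KV v2 read reply."""
    data = json.loads(raw)["data"]
    return data["data"], data["metadata"]["version"]


def read_secret(vault_addr, role_id, secret_id, mount, name):
    """Live version: log in with AppRole and read one KV v2 secret."""
    url, body = approle_login_request(vault_addr, role_id, secret_id)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        login = parse_login_response(resp.read())
    req = urllib.request.Request(kv2_read_url(vault_addr, mount, name),
                                 headers={"X-Vault-Token": login["token"]})
    with urllib.request.urlopen(req) as resp:
        return parse_kv2_response(resp.read())


# Constructed sample replies in the shape Vault returns (placeholder values).
SAMPLE_LOGIN_REPLY = json.dumps({
    "auth": {
        "client_token": "hvs.PLACEHOLDER",
        "policies": ["default", "terraform"],
        "lease_duration": 1200,          # token_ttl=20m from the role above
        "renewable": True,
        "metadata": {"role_name": "terraform"},
    }
})
SAMPLE_KV_REPLY = json.dumps({
    "data": {
        "data": {"username": "app-user", "password": "placeholder"},
        "metadata": {"version": 1, "created_time": "2024-01-01T00:00:00Z"},
    }
})

if __name__ == "__main__":
    # Offline walk-through using the constructed replies.
    print(approle_login_request("http://VAULT_ADDR:8200", "ROLE_ID", "SECRET_ID"))
    print(parse_login_response(SAMPLE_LOGIN_REPLY))
    print(parse_kv2_response(SAMPLE_KV_REPLY))
```

Two things worth keeping in mind from this exchange: the `secret_id_ttl=10m` and `token_ttl=20m` values set on the role above bound how long a role-id/secret-id pair and the token it yields stay usable, so short values limit the window if either leaks. And everything the data source returns (the whole `data` map, password included) is written to the Terraform state file in plaintext, and placing it in an EC2 tag as in the snippet makes it visible to anyone who can describe the instance; keeping the state backend encrypted and access-controlled, and keeping secrets out of tags, is the usual practice.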
    
Written by

Manoj M
