🔐 How I Used Vault with Terraform to Securely Deploy AWS Infrastructure

🌟 Why I Did This Project

When building infrastructure with Terraform, one of the scariest mistakes is leaving secrets inside your code.
I used to write database passwords, role IDs, and API keys directly into .tf files.

Bad idea 😅. If that code ever lands on GitHub or a shared system, my secrets are out in the wild.

So I tried something new: I connected Terraform with HashiCorp Vault. Instead of hardcoding secrets, Terraform now logs in to Vault using AppRole and fetches the values at runtime, over an authenticated session. Then I used one of those values to tag an AWS EC2 instance.

Here's how I set it up 👇


🚀 What This Project Does

  • Authenticates Terraform with Vault using AppRole login

  • Fetches secrets from Vault’s KV v2 secret engine

  • Injects those secrets into an AWS EC2 resource dynamically


⚙️ Prerequisites

Before running this project, you’ll need:

  • A running Vault server (in my case on http://13.50.5.78:8200; plain HTTP is acceptable for a throwaway lab, but anything real needs TLS, otherwise the secret_id and every secret you read cross the network in cleartext)

  • An AppRole configured in Vault with a role_id and secret_id, bound to a policy that grants read on the secret's KV v2 data path (for a secret kv/test-secret that is kv/data/test-secret)

  • AWS account + credentials configured

  • Terraform installed


📂 Project Structure

vault-aws/
 ├── main.tf
 └── README.md

πŸ“ The Terraform Code

Here’s my main.tf:

terraform {
  required_providers {
    aws   = { source = "hashicorp/aws" }
    vault = { source = "hashicorp/vault" }
  }
}

# AppRole credentials arrive via TF_VAR_vault_role_id / TF_VAR_vault_secret_id
# (or a gitignored .tfvars file). Marking them sensitive keeps them out of
# plan/apply output; they are never literals in this file.
variable "vault_role_id" {
  type      = string
  sensitive = true
}

variable "vault_secret_id" {
  type      = string
  sensitive = true
}

provider "aws" {
  region = "eu-north-1"
}

provider "vault" {
  # Lab address over plain HTTP; use https:// anywhere that matters.
  address          = "http://13.50.5.78:8200"
  # Use the AppRole token directly rather than minting a child token from it.
  skip_child_token = true

  auth_login {
    path = "auth/approle/login"

    parameters = {
      role_id   = var.vault_role_id
      secret_id = var.vault_secret_id
    }
  }
}

# Fetch secret from Vault KV v2. mount "kv" + name "test-secret" is read from
# the API path kv/data/test-secret; the policy bound to the AppRole must allow
# "read" on that path.
data "vault_kv_secret_v2" "example" {
  mount = "kv"
  name  = "test-secret"
}

# Use the secret in AWS EC2 resource
resource "aws_instance" "name" {
  ami           = "ami-042b4708b1d05f512"
  instance_type = "t3.micro"

  # Demo only. A tag is readable by anyone with ec2:DescribeTags and the value
  # is written to the Terraform state in plaintext, so only a non-sensitive
  # field (the username) belongs here, never the password.
  tags = {
    secret = data.vault_kv_secret_v2.example.data["username"]
  }
}
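The Vault side of the setup (the AppRole, its policy and the credential hand-off to Terraform) is not shown in the post, so here is an added example of how I would script it with the vault CLI. It is not code from the original project; the policy name terraform-kv-read, the role name terraform, and the assumption that main.tf declares variable "vault_role_id" and variable "vault_secret_id" (filled from TF_VAR_ environment variables) are mine.

```shell
#!/bin/sh
# Added example: bootstrap the Vault side for the Terraform AppRole login and
# hand the credentials to Terraform through TF_VAR_ variables, not .tf literals.
# Assumed names: policy "terraform-kv-read", role "terraform", KV v2 mount "kv",
# secret "test-secret". Requires VAULT_ADDR/VAULT_TOKEN for an admin session.
set -eu

# Render the read-only policy for one KV v2 secret.
# $1 = KV v2 mount, $2 = secret name.
# KV v2 stores data under <mount>/data/<name> (metadata under <mount>/metadata/),
# so a policy on "kv/test-secret" would NOT grant the read Terraform needs.
render_policy() {
  printf 'path "%s/data/%s" {\n  capabilities = ["read"]\n}\n' "$1" "$2"
}

configure_vault() {
  mount="${KV_MOUNT:-kv}"
  secret="${KV_SECRET:-test-secret}"
  role="${APPROLE_NAME:-terraform}"
  policy="${POLICY_NAME:-terraform-kv-read}"

  # Enable the auth method; ignore "path is already in use" on re-runs.
  vault auth enable approle 2>/dev/null || true

  # Policy from stdin ("-"), scoped to exactly one secret's data path.
  render_policy "$mount" "$secret" | vault policy write "$policy" -

  # Role: short-lived tokens limited to that policy, and a secret_id that is
  # single-use and expires in 10 minutes if Terraform never logs in with it.
  vault write "auth/approle/role/$role" \
    token_policies="$policy" \
    token_ttl=20m \
    token_max_ttl=1h \
    secret_id_ttl=10m \
    secret_id_num_uses=1

  role_id=$(vault read -field=role_id "auth/approle/role/$role/role-id")
  secret_id=$(vault write -f -field=secret_id "auth/approle/role/$role/secret-id")

  # Terraform maps TF_VAR_<name> onto variable "<name>", so nothing is written
  # to disk or into main.tf. Output is meant to be eval'd by the caller.
  printf 'export TF_VAR_vault_role_id=%s\n' "$role_id"
  printf 'export TF_VAR_vault_secret_id=%s\n' "$secret_id"
}

# Only talk to Vault when explicitly asked; sourcing the file just defines functions.
if [ "${1:-}" = "apply" ]; then
  configure_vault
fi
```

Run it as eval "$(sh vault-setup.sh apply)" in the shell that will execute terraform plan/apply; with secret_id_num_uses=1 the secret_id is burned by the first provider login, so a fresh one is generated per run. For a CI pipeline, the tighter variant is to fetch the secret_id response-wrapped (vault write -wrap-ttl=... -f auth/approle/role/terraform/secret-id) and let the Terraform runner unwrap it, so no intermediate process ever sees the raw value.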

🔎 How It Works

  1. Vault Provider
    Terraform connects to Vault at http://13.50.5.78:8200.
    Instead of a static token, it logs in using AppRole authentication (role_id + secret_id). The login returns a Vault token carrying the role's policies and TTL, and because skip_child_token = true the provider uses that token for the rest of the run instead of minting a child token from it.

  2. Secret Retrieval
    It fetches the secret stored at kv/test-secret (on the HTTP API, and in the policy the AppRole needs, that path is kv/data/test-secret, because KV v2 keeps data and metadata under separate prefixes).
    Example secret inside Vault:

     {
       "username": "my-app-user",
       "password": "super-secret-pass"
     }
    
  3. Using the Secret
    The username from Vault is used as a tag on the AWS EC2 instance.
    This shows how Terraform can dynamically inject Vault secrets into infrastructure. A tag is not a secret store, though: anyone who can describe the instance can read it, and the value is also recorded in the Terraform state, so only a non-sensitive field like the username belongs there, never the password.


▶️ Running the Project

  1. Initialize Terraform

     terraform init
    
  2. Plan

     terraform plan
    
  3. Apply

     terraform apply -auto-approve
    
  4. Verify

    • Go to your AWS console

    • Find the EC2 instance

    • Check the tags → you'll see the username pulled straight from Vault 🎉


🔒 Security Lessons Learned

  • 🔑 AppRole beats static tokens: Instead of keeping one token forever, AppRole lets Vault issue a short-lived token scoped to the role's policies on every login. The secret_id itself can be made single-use and short-lived (secret_id_num_uses, secret_id_ttl), and both the token and the secret_id can be revoked without touching anything else.

  • 🚫 No secrets in code: The username and password never exist in .tf files, only in Vault. The AppRole role_id and secret_id still have to reach Terraform somehow; hand them over through TF_VAR_ environment variables or a gitignored .tfvars file, never as literals in main.tf, and keep the Vault address on HTTPS so the login and the secrets are not readable on the wire.

  • 📦 The state file is part of the attack surface: Every value a Vault data source reads is stored in terraform.tfstate in plaintext, sensitive flag or not. Use a remote backend with encryption at rest and restrict who can read it, or the secrets you kept out of git end up in the state bucket instead.

  • 🔐 Vault + Terraform = IaC done right: This approach keeps infra automation both secure and repeatable.
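To make the "no secrets in code" rule enforceable rather than a habit, here is an added example of a pre-commit / CI gate that fails when a Terraform file contains a literal Vault credential. This is my addition, not part of the original project; the regex patterns and the sample files generated inside demo_scan are constructed for the demo, and the UUIDs and token in them are placeholders.

```shell
#!/bin/sh
# Added example (not from the article): fail the build when *.tf / *.tfvars
# files carry a hardcoded Vault credential. Patterns and sample data below
# are constructed for this demo.

# List every line under $1 that looks like a literal Vault credential:
#   - a 36-character UUID assigned to role_id or secret_id
#   - a service/batch token (hvs. / hvb.) assigned to token or vault_token
# Returns 0 when clean, 1 when there are findings (printed as file:line:text),
# so a `set -e` pipeline stops on the first leaky commit.
scan_tf_for_vault_secrets() {
  hits=$(find "$1" \( -name '*.tf' -o -name '*.tfvars' \) -type f -exec grep -nE \
      -e '(role_id|secret_id)[[:space:]]*=[[:space:]]*"[0-9a-fA-F-]{36}"' \
      -e '(vault_)?token[[:space:]]*=[[:space:]]*"hv[sb]\.[A-Za-z0-9_-]{20,}"' \
      {} + 2>/dev/null || true)
  if [ -z "$hits" ]; then
    return 0
  fi
  printf '%s\n' "$hits"
  return 1
}

# Constructed sample: one file with literals (the mistake), one that reads the
# values from variables. Prints the number of findings (expected: 3).
demo_scan() {
  tmp=$(mktemp -d)
  cat >"$tmp/leaky.tf" <<'EOF'
provider "vault" {
  address = "http://vault.example.internal:8200"
  token   = "hvs.CAESIExampleTokenValue0123456789"
  auth_login {
    path = "auth/approle/login"
    parameters = {
      role_id   = "00000000-0000-4000-8000-000000000000"
      secret_id = "11111111-1111-4111-8111-111111111111"
    }
  }
}
EOF
  cat >"$tmp/clean.tf" <<'EOF'
provider "vault" {
  address = var.vault_addr
  auth_login {
    path = "auth/approle/login"
    parameters = {
      role_id   = var.vault_role_id
      secret_id = var.vault_secret_id
    }
  }
}
EOF
  count=$(scan_tf_for_vault_secrets "$tmp" | wc -l | tr -d ' ')
  rm -rf "$tmp"
  echo "$count"
}
```

Wire scan_tf_for_vault_secrets . into a pre-commit hook or the first CI stage; the exit code does the gating and the printed file:line pairs tell the developer exactly what to move into a variable. The UUID check is deliberately narrow (AppRole IDs are UUIDs) so it does not fire on AMI IDs or ARNs elsewhere in the code.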


🎯 Wrapping Up

This was a small experiment, but it showed me how powerful Vault + Terraform integration can be.
Instead of worrying about leaking secrets in GitHub, I can confidently manage them in Vault while still automating infrastructure with Terraform.

👉 Check out the project on GitHub:
Terraform Vault Integration

🙋 Author: Harshal Vernekar
GitHub: @Harshalv21
