Terraform Vault Provider

Overview

• Read, write and configure Vault
• Best practice: avoid secrets in Terraform config and state

Use Cases

Configure and Populate Vault with Secrets

• Initial setup and configuration of Vault
• Populate with secrets
• State and plans should be stored with care—will contain the secrets written to Vault in plaintext

Use Vault Credentials in Terraform Config

• Inject 3rd party provider credentials into config
  • Vault manages credentials
• Only need suitably privileged Vault token—temporary lease of provider credentials
• Secrets returned from Vault data sources are stored in state, plan and displayed on command line in plaintext
  • Need to ensure adequate protection
  • Vault provider requests Vault token with short TTL by default (20 mins) to reduce attack window