7
votes

I am using a Vault server with Consul as a storage backend and trying to fetch a password value using the Vault provider in Terraform, but it doesn't fetch its value. I stored my secrets at the location secret/instances.

main.tf

provider "vault" {
  address = "https://<IP_ADDRESS>:<PORT_NUMBER>"
  token   = "118bb796-d715-8ce4-b987-7f354ff3f5a7"
}

data "vault_generic_secret" "mypass" {
  path = "secret/instances/password"
}

output "mypassword" {
  value = "${data.vault_generic_secret.mypass.data["value"]}"
}

When I run terraform apply, it shows:

data.vault_generic_secret.mypass: Refreshing state...
data.vault_generic_secret.mypass: Refreshing state...

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Please suggest what I have done wrong here, as it does not fetch the value of the password from Vault.

2
Any output for ${data.vault_generic_secret.mypass.data}? Check first if you can get the data. - BMW
Thank you for your response. Yes, I checked the output of the suggested command; it also gives nothing, like before. - Suneha
Then you need to check whether the Vault setting is proper or not. - BMW
OK, I will check it then. - Suneha
I checked, and Vault works fine for me. I am able to fetch the secret value using the REST API also:
curl -k --header "X-VAULT-TOKEN:118bb796-d715-8ce4-b987-7f354ff3f5a7" -X GET 10.110.159.196:8200/v1/secret/instances/password
{"lease_id":"","renewable":false,"lease_duration":2592000,"data":{"excited":"yes","value":"pM0dularc"},"warnings":null,"auth":null}
- Suneha

2 Answers

4
votes

I also ran into a similar issue and found this post. In my case the issue was compatibility between Terraform and Vault. I was using KV version 2, which is not compatible with Terraform v0.11.10.

Related Issue: GitHub Link

So I will try to write my answer with a working example and environment details, as it might help other people.

Vault Version: Vault 0.10.1

Secret Engine Type: KV Version 1

Path: srekv1/development

Terraform Version: Terraform v0.11.10

  • provider.local v1.1.0
  • provider.vault v1.1.4

Terraform Code to pull secret:

provider "vault" {
  address         = "https://vault-myappXXX.net"
  skip_tls_verify = true # skips TLS certificate verification for the Vault connection
  token           = "95XXXXXXXXXXXXXXXXXXXXXXXXXXXX"
}

# Read the secret stored on the KV version 1 mount
data "vault_generic_secret" "srekv1" {
  path = "srekv1/development"
}

output "Namekv1" {
  value = "${data.vault_generic_secret.srekv1.data["Name"]}"
}

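
The KV version difference described in the answer above can be checked outside Terraform. This is an added example, not code from the answer or from the Vault or Terraform projects: it takes a constructed sample of the `GET /v1/sys/mounts` mount table and shows which HTTP read path and response layout each KV version uses (KV v2 inserts `data/` after the mount and nests the fields under `data.data`). The function names and all sample values are assumptions made for illustration.

```python
import json

# Constructed sample of the mount table from GET /v1/sys/mounts (not from the page).
SAMPLE_MOUNTS = json.loads("""{
  "secret/": {"type": "kv", "options": {"version": "2"}},
  "srekv1/": {"type": "kv", "options": {"version": "1"}}
}""")

# Constructed read responses, trimmed to the fields that matter here.
V1_RESPONSE = {"data": {"Name": "constructed-value"}}
V2_RESPONSE = {"data": {"data": {"Name": "constructed-value"},
                        "metadata": {"version": 1}}}


def kv_version(mounts, logical_path):
    """Return (mount, kv_version) for the longest mount prefix of logical_path."""
    path = logical_path.strip("/") + "/"
    matches = [m for m in mounts if path.startswith(m)]
    if not matches:
        raise LookupError("no mount serves " + logical_path)
    mount = max(matches, key=len)
    options = mounts[mount].get("options") or {}
    return mount, int(options.get("version", 1))  # no version option: treat as v1


def api_read_path(mounts, logical_path):
    """HTTP API path for a read; KV v2 inserts 'data/' right after the mount."""
    mount, version = kv_version(mounts, logical_path)
    rest = logical_path.strip("/")[len(mount):]
    return "/v1/" + mount + ("data/" if version == 2 else "") + rest


def secret_fields(version, response):
    """Key/value pairs of the secret; KV v2 nests them one level deeper."""
    data = response.get("data") or {}
    return data.get("data", {}) if version == 2 else data


if __name__ == "__main__":
    for p in ("srekv1/development", "secret/instances/password"):
        print(p, "->", api_read_path(SAMPLE_MOUNTS, p))
    # Reading a v2 response with v1 logic finds no "Name" field at the top level.
    print(sorted(secret_fields(1, V2_RESPONSE)))
```

Feeding it the real mount table from your own Vault server shows whether the path given to `vault_generic_secret` sits on a KV v1 or KV v2 mount.
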
-3
votes

vault_generic_secret should be defined in a resource block.

You have defined it in a data block.

Ref: https://www.terraform.io/docs/providers/vault/d/aws_access_credentials.html