Terraform credentials helper for Vault

Primary language: Go. License: Mozilla Public License 2.0 (MPL-2.0).

Terraform Credentials from HashiCorp Vault

terraform-credentials-vault is a Terraform "credentials helper" plugin that supplies credentials for Terraform-native services (private module registries, Terraform Cloud, etc.) by reading them from HashiCorp Vault instead of storing them in plain text in the Terraform CLI configuration.

It is based on apparentlymart/terraform-credentials-env, which reads the same credentials from environment variables.

To use it, download a release archive and extract it into the ~/.terraform.d/plugins directory where Terraform looks for credentials helper plugins. (The filename of the file inside the archive is important for Terraform to discover it correctly, so don't rename it.)

Terraform will take the newest version of the plugin it finds in the plugin search directory, so if you are switching between versions you may prefer to remove existing installed versions in order to ensure Terraform selects the desired version.

Once you've installed the plugin, enable it by adding the following block to your Terraform CLI configuration (~/.terraformrc on Unix-like systems, terraform.rc in %APPDATA% on Windows):

credentials_helper "vault" {
    args = ["--vault-path=/secret/data/gitlab/terraform_registry"]
}

With this helper installed and enabled, the Vault connection settings in your shell environment are inherited by terraform and, in turn, by terraform-credentials-vault. The helper uses your existing Vault settings: VAULT_ADDR for the server address, and VAULT_TOKEN or the token cached in ~/.vault-token (written by vault login) for authentication. That token must already be valid and must be permitted to read the configured path; the helper does not log in to Vault on its own.

The Vault path must be on a KV version 2 secrets engine and must contain a secret named after the hostname, with a field called token. Because KV v2 secrets are read through the engine's data API, --vault-path must include the data segment after the mount name (secret/data/..., not secret/...). Example: with a --vault-path of secrets/data/terraform_registry and a hostname of gitlab.corp.com, terraform-credentials-vault reads secrets/data/terraform_registry/gitlab.corp.com and returns the value of its token field.

Terraform will execute the configured credentials helper plugin whenever it needs to make a request to a Terraform-native service whose credentials aren't directly configured in the CLI configuration using credentials blocks. Because credentials blocks take precedence over credentials helpers, if you already have a credentials block for the hostname you wish to configure you will need to remove that block first; otherwise the static credential keeps being used and Vault is never consulted.
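The following is an added example, not code from the terraform-credentials-vault project, showing the lookup the sections above describe end to end: Terraform invokes the helper with the configured args followed by the verb and hostname (terraform-credentials-vault --vault-path=... get gitlab.corp.com), the helper reads <vault-path>/<hostname> from a KV v2 mount with the X-Vault-Token header, unwraps Vault's data.data envelope, and prints {"token":"..."} for Terraform to consume. It assumes the documented credentials-helper output format and Vault's KV v2 HTTP response shape; the Vault server, its token and the stored registry token are all constructed in-process so the example runs offline, where the real helper would take VAULT_ADDR and VAULT_TOKEN from the environment instead.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"os"
	"strings"
)

// kv2Response is the envelope Vault returns for a KV version 2 read
// (GET /v1/<mount>/data/<path>): the secret's own fields sit under data.data.
type kv2Response struct {
	Data struct {
		Data map[string]string `json:"data"`
	} `json:"data"`
}

// helperOutput is the JSON a Terraform credentials helper prints for "get <hostname>".
type helperOutput struct {
	Token string `json:"token"`
}

// SecretPath joins the --vault-path base with the hostname Terraform asked for,
// tolerating a leading or trailing slash on the base.
func SecretPath(base, hostname string) string {
	return strings.Trim(base, "/") + "/" + hostname
}

// FetchToken reads <base>/<hostname> from Vault and returns its "token" field.
// Any non-200 answer or a missing field is an error, so the helper never hands
// Terraform something that is not a real credential.
func FetchToken(client *http.Client, vaultAddr, vaultToken, base, hostname string) (string, error) {
	u, err := url.Parse(vaultAddr)
	if err != nil {
		return "", fmt.Errorf("bad VAULT_ADDR %q: %w", vaultAddr, err)
	}
	u.Path = "/v1/" + SecretPath(base, hostname)
	req, err := http.NewRequest(http.MethodGet, u.String(), nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("X-Vault-Token", vaultToken) // how the Vault HTTP API authenticates
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("vault returned %s for %s", resp.Status, u.Path)
	}
	var kv kv2Response
	if err := json.NewDecoder(resp.Body).Decode(&kv); err != nil {
		return "", fmt.Errorf("decoding %s: %w", u.Path, err)
	}
	tok, ok := kv.Data.Data["token"]
	if !ok || tok == "" {
		return "", fmt.Errorf("secret %s has no token field", u.Path)
	}
	return tok, nil
}

// GetCredentials implements the helper's "get" verb: the JSON Terraform reads on stdout.
func GetCredentials(client *http.Client, vaultAddr, vaultToken, base, hostname string) ([]byte, error) {
	tok, err := FetchToken(client, vaultAddr, vaultToken, base, hostname)
	if err != nil {
		return nil, err
	}
	return json.Marshal(helperOutput{Token: tok})
}

// NewFakeVault is a constructed stand-in for a Vault server: it checks
// X-Vault-Token and serves KV v2 secrets keyed by API path (without /v1/).
func NewFakeVault(expectToken string, tokensByPath map[string]string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Vault-Token") != expectToken {
			http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
			return
		}
		tok, ok := tokensByPath[strings.TrimPrefix(r.URL.Path, "/v1/")]
		if !ok {
			http.Error(w, `{"errors":[]}`, http.StatusNotFound)
			return
		}
		fmt.Fprintf(w, `{"data":{"data":{"token":%q},"metadata":{"version":1}}}`, tok)
	}))
}

func main() {
	// Constructed sample data: one registry token under the path layout from this README.
	srv := NewFakeVault("hvs.constructed-vault-token", map[string]string{
		"secret/data/terraform_registry/gitlab.corp.com": "glpat-constructed-example",
	})
	defer srv.Close()
	out, err := GetCredentials(srv.Client(), srv.URL, "hvs.constructed-vault-token",
		"/secret/data/terraform_registry", "gitlab.corp.com")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	os.Stdout.Write(out) // prints {"token":"glpat-constructed-example"}
}
```

On a real Vault the equivalent secret is written with vault kv put secret/terraform_registry/gitlab.corp.com token=<registry token>; the vault CLI inserts the data segment itself, which is why the --vault-path you hand the helper must spell it out. A wrong Vault token or a hostname with no secret yields an error rather than an empty token, so a misconfigured path shows up as a helper failure in terraform's output instead of a confusing 401 from the registry.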