tfvaultenv reads secrets from HashiCorp Vault and outputs environment variables for various Terraform providers with those secrets.
This project is a work in progress and additional Secrets Engines, Providers, and features are planned. Please see the project roadmap for more details.
Currently supported are:
- Active Directory (Password Rotation)
- Kv2
- AWS (STS only currently)
- Azure
- Download the release for your platform from Releases
- untar or unzip the file and move `tfvaultenv` into your `$PATH`
- Create a `.tfvaultenv.config.hcl` file in your Terraform project (see Configuration below and the examples directory)
The configuration is written in HCL and the default file name is `.tfvaultenv.config.hcl`. Unless overridden, tfvaultenv will look in the current working directory for the config file. You can optionally set the `--config` and `--configdepth` arguments to change the config file name or to search up to N parent directories. This is useful in nested Terraform directory structure scenarios.
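The upward search described above, written out as an added example (this is not tfvaultenv's own code): `find_config` looks for the config file in the starting directory and then in up to `depth` parent directories, stopping at the first match so the nearest file wins. `demo` builds a constructed nested directory tree in a temporary location to show the effect of the depth setting; the names `find_config` and `demo` are this example's own.

```python
import tempfile
from pathlib import Path
from typing import Optional

DEFAULT_CONFIG_NAME = ".tfvaultenv.config.hcl"


def find_config(start: Path, name: str = DEFAULT_CONFIG_NAME, depth: int = 0) -> Optional[Path]:
    """Return the nearest `name` found in `start` or up to `depth` parents, else None.

    depth=0 searches only the starting directory (the documented default
    behaviour); larger values walk toward the filesystem root.
    """
    current = start.resolve()
    for _ in range(depth + 1):
        candidate = current / name
        if candidate.is_file():
            return candidate
        if current.parent == current:  # reached the filesystem root
            break
        current = current.parent
    return None


def demo() -> dict:
    """Probe a constructed tree: <tmp>/envs/.tfvaultenv.config.hcl, cwd = <tmp>/envs/prod/network."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        leaf = root / "envs" / "prod" / "network"
        leaf.mkdir(parents=True)
        (root / "envs" / DEFAULT_CONFIG_NAME).write_text('kv_secret "example" {}\n')

        def rel(p: Optional[Path]) -> Optional[str]:
            return None if p is None else p.relative_to(root).as_posix()

        result = {
            "cwd_only": rel(find_config(leaf, depth=0)),        # nothing in the leaf itself
            "one_up": rel(find_config(leaf, depth=1)),          # prod/ has no config either
            "two_up": rel(find_config(leaf, depth=2)),          # envs/ holds the file
            "custom_name": rel(find_config(leaf, name="other.hcl", depth=5)),
        }
        # A config in the working directory shadows the one further up.
        (leaf / DEFAULT_CONFIG_NAME).write_text('kv_secret "override" {}\n')
        result["nearest"] = rel(find_config(leaf, depth=2))
        return result


if __name__ == "__main__":
    for label, found in demo().items():
        print(f"{label:12} -> {found}")
```

Because `find_config` resolves the start path first, symlinked working directories are searched by their real location, which is what you want when deciding which team's config a nested module will pick up.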
Configuration is set in blocks representing supported secrets engines and authentication methods. Currently all secrets engines share the same Vault client, so tfvaultenv only supports a single Vault backend, configured via the `VAULT_ADDR` environment variable. A feature is planned to support multiple Vault backends and Namespaces.
```hcl
aws "sts" {
  method   = "assumed_role"
  role     = "rolename"
  role_arn = "arn:aws:iam::00000000000:role/TerraformRole"
  extra_env_vars = {
    "AWS_DEFAULT_REGION" = "us-east-2"
  }
  ttl = 900
}
```
- `method`: (Required) Name of the AWS Secrets Engine method. Currently only `assumed_role` is supported.
- `role`: (Required) AWS Secrets Engine role name
- `role_arn`: (Optional) Role ARN to assume when `method` is set to `assumed_role`
- `extra_env_vars`: (Optional) Map of additional environment variables to set
- `mount`: (Optional) Path to the mounted AWS secrets engine. Default: `aws`
- `ttl`: (Optional) TTL to set on the token or iam_user
```hcl
azure "sub1" {
  role = "sub1-rw"
  extra_env_vars = {
    "ARM_TENANT_ID"       = "194dd302-295b-4993-b29e-2ca2d37b9031"
    "ARM_SUBSCRIPTION_ID" = "9b9c4322-74a2-474e-ad94-c5e6890713c9"
  }
}
```
- `role`: (Required) Azure Secrets Engine role name
- `extra_env_vars`: (Optional) Map of additional environment variables to set
- `mount`: (Optional) Path to the mounted Azure secrets engine. Default: `azure`
```hcl
ad "vsphere" {
  role            = "rolename"
  target_provider = "vsphere"
  extra_env_vars = {
    "VSPHERE_SERVER" = "vcenter.example.com"
  }
}

ad "generic" {
  role             = "tf-svc"
  target_provider  = "generic"
  username_env_var = "TF_VAR_AD_USERNAME"
  password_env_var = "TF_VAR_AD_PASSWORD"
}
```
- `role`: (Required) Name of the Vault Active Directory Secrets Engine role
- `target_provider`: (Required) Name of the Terraform provider to generate environment variables for
- `extra_env_vars`: (Optional) Map of additional environment variables to set
- `username_env_var`: (Optional; required for the generic provider) Environment variable to set to the username
- `password_env_var`: (Optional; required for the generic provider) Environment variable to set to the password
- `path`: (Optional) Path to the mounted AD secrets engine. Default: `ad`
```hcl
kv_secret "infoblox" {
  path            = "infoblox/terraform"
  target_provider = "infoblox"
  attribute_map = {
    "ib_user"     = "username"
    "ib_password" = "password"
  }
  extra_env_vars = {
    "FOO" = "bar"
  }
}
```
- `path`: (Required) Path to the secret under the secrets engine mount
- `mount`: (Optional) Mount name of the secrets engine. Default: `secrets`
- `attribute_map`: (Optional) Map of kv2 secret attribute names to provider values. Defaults to `username` and `password`
- `target_provider`: (Required) Name of the Terraform provider to generate environment variables for
- `extra_env_vars`: (Optional) Map of additional environment variables to set
- `expand_env_vars`: (Optional) Perform shell expansion of variables in the string. This only applies to values in `extra_env_vars`
You can use the `generic` target_provider when tfvaultenv doesn't directly support your Terraform provider.

```hcl
kv_secret "generic" {
  path            = "teams/ops/db/pgsql"
  target_provider = "generic"
  attribute_map = {
    "PGUSER"     = "psql_user"
    "PGPASSWORD" = "psql_pass"
  }
  extra_env_vars = {
    "PGHOST" = "foo.bar.com"
    "PGPORT" = "12345"
  }
}
```
- `path`: (Required) Path to the secret under the secrets engine mount
- `mount`: (Optional) Mount name of the secrets engine. Default: `secrets`
- `attribute_map`: (Optional) Map of kv2 secret attribute names to environment variable keys
- `target_provider`: (Required) `generic`
- `extra_env_vars`: (Optional) Map of additional environment variables to set
- `expand_env_vars`: (Optional) Perform shell expansion of variables in the string. This only applies to values in `extra_env_vars`
By default tfvaultenv creates an implicit auth method that supports token based authentication in the form of `VAULT_TOKEN`, `~/.vault-token`, and token helpers. Supported auth methods such as JWT (see below) can be used and can override token auth by configuring a priority of 1 or above. Auth methods can be conditionally activated using `when {}` blocks based on environment variables or other supported conditions. When multiple auth methods are defined you can specify priorities to ensure that the preferred fallback auth method is used.
- `method`: (Required) Name of the Vault authentication method
- `path`: (Required) Path to the auth engine mount
- `priority`: (Required) Priority; set > 0 to override the implicit token based auth
- `when`: (Optional) Conditional block to determine if the auth method should be used. Currently only `env_present` is supported.
- `export_vault_token`: (Optional) Print the token to the `VAULT_TOKEN` environment variable.
```hcl
auth "gitlab" {
  method   = "jwt"
  path     = "gitlab"
  priority = 100
  jwt {
    role  = env("VAULT_ROLE")
    token = env("CI_JOB_JWT")
  }
  when {
    env_present = "CI_JOB_JWT"
  }
}
```
- `role`: (Required) Name of the JWT auth engine role
- `token`: (Required) JWT token to pass to the Vault API
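The priority and `when` semantics described above, as an added example that is not tfvaultenv's own code: the implicit token auth is modelled as a method with priority 0, a configured method is a candidate only when its `env_present` variable is set, and the highest-priority candidate wins, so a configured method with priority 0 never displaces the implicit token auth. Two assumptions of this example are that an environment variable set to an empty string counts as absent, and that ties are resolved in configuration order; the `AuthMethod`, `select_auth` and `demo` names are this example's own, and the second auth method in `demo` is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AuthMethod:
    name: str                         # block label, e.g. auth "gitlab"
    method: str                       # Vault auth method, e.g. "jwt" or "token"
    path: str                         # auth engine mount path
    priority: int                     # > 0 overrides the implicit token auth
    env_present: Optional[str] = None  # from `when { env_present = "VAR" }`


# The implicit token auth (VAULT_TOKEN, ~/.vault-token, token helpers) at priority 0.
IMPLICIT_TOKEN_AUTH = AuthMethod(name="implicit", method="token", path="token", priority=0)


def is_active(method: AuthMethod, environ: Dict[str, str]) -> bool:
    """A method with no `when` block is always active; otherwise the named
    variable must be present and non-empty (assumption: empty == absent)."""
    if method.env_present is None:
        return True
    return bool(environ.get(method.env_present))


def select_auth(configured: List[AuthMethod], environ: Dict[str, str]) -> AuthMethod:
    """Pick the auth method to use: highest priority among active methods,
    with the implicit token auth always in the running at priority 0.
    max() keeps the first of equal candidates, so the implicit auth wins
    a tie at 0 and configured methods tie-break in configuration order."""
    candidates = [IMPLICIT_TOKEN_AUTH] + [m for m in configured if is_active(m, environ)]
    return max(candidates, key=lambda m: m.priority)


def demo() -> Dict[str, str]:
    """Run the selection against a few constructed environments."""
    config = [
        AuthMethod("gitlab", "jwt", "gitlab", priority=100, env_present="CI_JOB_JWT"),
        # Constructed second method to show priority ordering between configured auths.
        AuthMethod("other-ci", "jwt", "other-ci", priority=50, env_present="OTHER_CI_JWT"),
    ]
    scenarios = {
        "laptop": {},                                              # nothing set: token auth
        "gitlab_ci": {"CI_JOB_JWT": "eyJ.constructed.jwt"},        # gitlab wins over implicit
        "other_ci": {"OTHER_CI_JWT": "eyJ.constructed.jwt"},       # only the lower one is active
        "both": {"CI_JOB_JWT": "a", "OTHER_CI_JWT": "b"},          # higher priority wins
        "empty_value": {"CI_JOB_JWT": ""},                         # empty counts as absent
    }
    return {label: select_auth(config, env).name for label, env in scenarios.items()}


if __name__ == "__main__":
    for label, chosen in demo().items():
        print(f"{label:12} -> {chosen}")
```

Modelling the implicit auth as an ordinary priority-0 candidate is what makes the documented rule ("set > 0 to override") fall out naturally, and it keeps a misconfigured `priority = 0` from silently disabling local token auth.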
```console
$ export `tfvaultenv get`
$ env | grep AWS_
AWS_ACCESS_KEY_ID=ASIA<SNIP>
AWS_ACCESS_SECRET_KEY=nJJFD/<SNIP>
AWS_ACCESS_SESSION_TOKEN=<SNIP>

$ tfvaultenv get
AWS_ACCESS_KEY_ID=ASIA<SNIP>
AWS_ACCESS_SECRET_KEY=nJJFD/<SNIP>
AWS_ACCESS_SESSION_TOKEN=<SNIP>

$ tfvaultenv get --config /path/to/config.hcl
```