Terraform credentials helper for Vault

Terraform Credentials from HashiCorp Vault

terraform-credentials-vault is a Terraform "credentials helper" plugin that supplies credentials for Terraform-native services (private module registries, Terraform Cloud, etc.) from HashiCorp Vault, so that registry tokens do not have to sit in plain text in the Terraform CLI configuration.

It is based on apparentlymart/terraform-credentials-env, which does the same job with environment variables.

To use it, download a release archive and extract it into the ~/.terraform.d/plugins directory, where Terraform looks for credentials helper plugins. Terraform discovers helpers by filename (terraform-credentials-NAME, where NAME is the label used in the CLI configuration below), so do not rename the extracted file.

Terraform will take the newest version of the plugin it finds in the plugin search directory, so if you are switching between versions you may prefer to remove existing installed versions in order to ensure Terraform selects the desired version.

Once you've installed the plugin, enable it by adding the following block to your Terraform CLI configuration (~/.terraformrc on Unix-like systems, terraform.rc in %APPDATA% on Windows):

credentials_helper "vault" {
    args = ["--vault-path=/secret/data/gitlab/terraform_registry"]
}

With this helper installed and enabled, Terraform asks it for the credentials of a given hostname, and the helper looks them up in Vault under the path configured in args, using the Vault client settings inherited from your shell (see below).

The helper uses your existing Vault client settings: VAULT_ADDR for the server address and VAULT_TOKEN, or the token saved in ~/.vault-token by vault login, for authentication. Terraform inherits these from your shell and passes them on to the helper, so a Vault token with read capability on the configured path is all that is needed.

The Vault path must be in a KV version 2 secrets engine and must contain one secret per hostname, each with a field named token. For example, with --vault-path=secrets/data/terraform_registry and a hostname of gitlab.corp.com, terraform-credentials-vault reads secrets/data/terraform_registry/gitlab.corp.com and returns the value of its token field. Note that this is the KV v2 API path, which includes the data/ segment after the mount name; the vault kv CLI omits that segment, so the same secret is written with vault kv put to secrets/terraform_registry/gitlab.corp.com.

Terraform executes the configured credentials helper whenever it needs to make a request to a Terraform-native service whose credentials are not configured directly in the CLI configuration with a credentials block. A credentials block takes precedence over any helper, so if you already have one for the hostname you want this helper to serve, remove that block first.
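The following Go program is an added example, not the project's own code: a minimal read-only credentials helper that follows the rules above. It builds the KV v2 API path from --vault-path and the hostname, refuses hostnames that could escape the configured prefix, reads the secret over Vault's HTTP API with the X-Vault-Token header (VAULT_ADDR and VAULT_TOKEN only; the ~/.vault-token fallback is left out), and prints the {"token": ...} JSON object that Terraform expects from a helper's get verb. The function names and the sample token values are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"os"
	"strings"
)

// kvV2SecretPath joins the configured --vault-path with the hostname Terraform
// asked about, giving the KV v2 API path <mount>/data/<prefix>/<hostname>.
func kvV2SecretPath(vaultPath, hostname string) (string, error) {
	p := strings.Trim(vaultPath, "/")
	segs := strings.Split(p, "/")
	// KV v2 reads go through the "data" segment after the mount; a CLI-style path
	// ("secrets/terraform_registry", as given to vault kv put) is rejected, not guessed at.
	if len(segs) < 3 || segs[1] != "data" {
		return "", fmt.Errorf("--vault-path %q must look like <mount>/data/<prefix>", vaultPath)
	}
	// Terraform supplies the hostname, but the helper must not let it step outside
	// the configured prefix ("../other", "a/b") and return some other secret.
	if hostname == "" || strings.ContainsAny(hostname, "/\\") || strings.Contains(hostname, "..") {
		return "", fmt.Errorf("refusing suspicious hostname %q", hostname)
	}
	return p + "/" + hostname, nil
}

// tokenFromKVv2 extracts data.data.token from a KV v2 read response body.
func tokenFromKVv2(body []byte) (string, error) {
	var resp struct {
		Data struct {
			Data map[string]interface{} `json:"data"`
		} `json:"data"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return "", fmt.Errorf("decoding Vault response: %w", err)
	}
	tok, ok := resp.Data.Data["token"].(string)
	if !ok || tok == "" {
		return "", errors.New(`secret has no non-empty string field named "token"`)
	}
	return tok, nil
}

// fetchToken performs GET <addr>/v1/<secretPath> with the X-Vault-Token header,
// the HTTP form of a KV v2 read, and says what to check when it fails.
func fetchToken(client *http.Client, addr, vaultToken, secretPath string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, strings.TrimRight(addr, "/")+"/v1/"+secretPath, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("X-Vault-Token", vaultToken)
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // bound what we parse
	if err != nil {
		return "", err
	}
	if resp.StatusCode == http.StatusNotFound {
		return "", fmt.Errorf("no secret at %s (check mount, prefix and hostname)", secretPath)
	}
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("Vault returned HTTP %d for %s (403 means the token lacks read)", resp.StatusCode, secretPath)
	}
	return tokenFromKVv2(body)
}

func fail(err error) {
	fmt.Fprintln(os.Stderr, "terraform-credentials-vault:", err)
	os.Exit(1)
}

// main follows the credentials-helper contract: Terraform runs "<helper> <args from
// the CLI config> get <hostname>" and reads {"token": "..."} from stdout. store and
// forget are rejected because the token is managed in Vault, not by terraform login.
func main() {
	args := os.Args[1:]
	if len(args) != 3 || !strings.HasPrefix(args[0], "--vault-path=") || args[1] != "get" {
		fail(errors.New("usage: --vault-path=<mount>/data/<prefix> get <hostname>"))
	}
	secretPath, err := kvV2SecretPath(strings.TrimPrefix(args[0], "--vault-path="), args[2])
	if err != nil {
		fail(err)
	}
	// VAULT_ADDR and VAULT_TOKEN are the standard Vault client variables; the
	// ~/.vault-token fallback the README mentions is left out of this example.
	tok, err := fetchToken(http.DefaultClient, os.Getenv("VAULT_ADDR"), os.Getenv("VAULT_TOKEN"), secretPath)
	if err != nil {
		fail(err)
	}
	json.NewEncoder(os.Stdout).Encode(map[string]string{"token": tok})
}
```

Before involving Terraform, run the helper by hand with VAULT_ADDR and VAULT_TOKEN set, e.g. terraform-credentials-vault --vault-path=secrets/data/terraform_registry get gitlab.corp.com. A 404 here means the secret is not at the path the helper computes (usually a missing or doubled data/ segment), a 403 that the token's policy does not grant read on it, and a complaint about a missing token field that the secret was written with a different key.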

Owner
James Oulman
Systems Administrator / Programmer in Gainesville, FL.
Comments
  • Bump github.com/hashicorp/vault from 1.8.5 to 1.9.9

    Bumps github.com/hashicorp/vault from 1.8.5 to 1.9.9.

    Release notes

    Sourced from github.com/hashicorp/vault's releases.

    v1.9.9

    No release notes provided.

    v1.9.8

    No release notes provided.

    v1.9.7

    No release notes provided.

    v1.9.6

    No release notes provided.

    v1.9.5

    No release notes provided.

    v1.9.4

    No release notes provided.

    v1.9.3

    1.9.3

    January 27, 2022

    IMPROVEMENTS:

    • auth/kubernetes: Added support for dynamically reloading short-lived tokens for better Kubernetes 1.21+ compatibility [GH-13698]
    • auth/ldap: Add username to alias metadata [GH-13669]
    • core/identity: Support updating an alias' custom_metadata to be empty. [GH-13395]
    • core: Fixes code scanning alerts [GH-13667]
    • http (enterprise): Serve /sys/license/status endpoint within namespaces

    BUG FIXES:

    • auth/oidc: Fixes OIDC auth from the Vault UI when using the implicit flow and form_post response mode. [GH-13492]
    • cli: Fix using kv patch with older server versions that don't support HTTP PATCH. [GH-13615]
    • core (enterprise): Workaround AWS CloudHSM v5 SDK issue not allowing read-only sessions
    • core/identity: Address a data race condition between local updates to aliases and invalidations [GH-13476]
    • core: add support for go-sockaddr templates in the top-level cluster_addr field [GH-13678]
    • identity/oidc: Check for a nil signing key on rotation to prevent panics. [GH-13716]
    • kmip (enterprise): Fix locate by name operations fail to find key after a rekey operation.
    • secrets/database/mssql: Accept a boolean for contained_db, rather than just a string. [GH-13469]
    • secrets/gcp: Fixes role bindings for BigQuery dataset resources. [GH-13548]
    • secrets/pki: Fix regression causing performance secondaries to forward certificate generation to the primary. [GH-13759]
    • storage/raft: On linux, use map_populate for bolt files to improve startup time. [GH-13573]
    • storage/raft: Units for bolt metrics now given in milliseconds instead of nanoseconds [GH-13749]
    • ui: Fixes breadcrumb bug for secrets navigation [GH-13604]
    • ui: Fixes issue saving KMIP role correctly [GH-13585]

    v1.9.2

    1.9.2

    December 21, 2021

    ... (truncated)

    Changelog

    Sourced from github.com/hashicorp/vault's changelog.

    1.9.9

    August 31, 2022

    CHANGES:

    • core: Bump Go version to 1.17.13.

    BUG FIXES:

    • core (enterprise): Fix some races in merkle index flushing code found in testing
    • core: Increase the allowed concurrent gRPC streams over the cluster port. [GH-16327]
    • database: Invalidate queue should cancel context first to avoid deadlock [GH-15933]
    • secrets/database: Fix a bug where the secret engine would queue up a lot of WAL deletes during startup. [GH-16686]
    • ui: Fix OIDC callback to accept namespace flag in different formats [GH-16886]
    • ui: Fix issue logging in with JWT auth method [GH-16466]

    SECURITY:

    • identity/entity: When entity aliases mapped to a single entity share the same alias name, but have different mount accessors, Vault can leak metadata between the aliases. This metadata leak may result in unexpected access if templated policies are using alias metadata for path names. [HCSEC-2022-18]

    1.9.8

    July 21, 2022

    CHANGES:

    • core: Bump Go version to 1.17.12.

    IMPROVEMENTS:

    • secrets/ssh: Allow additional text along with a template definition in defaultExtension value fields. [GH-16018]

    BUG FIXES:

    • core/identity: Replicate member_entity_ids and policies in identity/group across nodes identically [GH-16088]
    • core/replication (enterprise): Don't flush merkle tree pages to disk after losing active duty
    • core/seal: Fix possible keyring truncation when using the file backend. [GH-15946]
    • storage/raft (enterprise): Prevent unauthenticated voter status change with rejoin [GH-16324]
    • transform (enterprise): Fix a bug in the handling of nested or unmatched capture groups in FPE transformations.
    • ui: Fix issue where metadata tab is hidden even though policy grants access [GH-15824]
    • ui: Updated leasId to leaseId in the "Copy Credentials" section of "Generate AWS Credentials" [GH-15685]

    1.9.7

    June 10, 2022

    CHANGES:

    IMPROVEMENTS:

    ... (truncated)

    Commits
    • 9c11f0a Backport of UI/OIDC auth bug for hcp namespace flag into release/1.9.x (#16909)
    • f128cbd backport of commit 247a019be0ace89bfa3cdc54c0294829bf390ef0 (#16885)
    • d651606 Update 1.9.x go 1.17.13 (#16836)
    • f788761 backport of commit bab106359351d060e8691b8b7ebd1a21b72bdfbe (#16841)
    • 899c297 Typo: Corrected same typo in 2 locations (on-premise to on-premises) (#13402)...
    • 5395ad5 backport of commit 8c6c586a529df4504d4291c3ec8cd5563cc137c7 (#13984)
    • b920bde Backport consul-template update (#16792)
    • 89bd5d5 backport of commit 5118aa6d0c22bf4a09878e4f83909d167b55b1ed (#14408)
    • 462ef0f backport of commit 192c2aa7e2f092f96054c7cd36b32630e80ca351 (#16708)
    • 60cf24c backport of commit b8a706b122228dfe58611fe5ed3b5c83ffe3929f (#16689)
    • Additional commits viewable in compare view

