
Secret management integration (Vault, Secrets Manager) in Terraform - Commands & Configuration

Introduction
Storing sensitive information like passwords or API keys directly in code is risky. Secret management tools keep these secrets safe and separate from your code. Terraform can connect to these tools to use secrets securely when creating infrastructure.
When you need to provide database passwords to your infrastructure without exposing them in code.
When your application requires API keys that must stay private and secure.
When you want to rotate secrets regularly without changing your Terraform code.
When multiple teams need access to secrets but with controlled permissions.
When you want to avoid hardcoding sensitive data in Terraform files.
Config File - main.tf
terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "3.11.0"
    }
  }
}

# Connection to the Vault server. Both settings can instead be supplied through
# the VAULT_ADDR and VAULT_TOKEN environment variables; the literal token below
# is a placeholder for illustration and should not be committed to a repository.
provider "vault" {
  address = "https://vault.example.com"
  token   = "s.1234567890abcdef"
}

# Writes a secret to the KV engine. The "data/" segment in the path marks the
# KV version 2 API, which the provider handles transparently.
resource "vault_generic_secret" "example_secret" {
  path = "secret/data/myapp/config"

  data_json = jsonencode({
    username = "appuser",
    password = "supersecretpassword"
  })
}

# The provider marks the secret's data as sensitive, so any output derived from
# it must be declared sensitive as well or Terraform refuses to plan.
output "retrieved_secret" {
  value     = vault_generic_secret.example_secret.data["password"]
  sensitive = true
}

This Terraform file connects to a Vault server using the Vault provider.

The vault_generic_secret resource stores a secret at the path secret/data/myapp/config containing a username and a password.

The output reads the password back from the stored secret data once the configuration has been applied.

Commands
This command initializes Terraform, downloading the Vault provider plugin so Terraform can communicate with Vault.
Terminal
terraform init
Expected Output
Initializing the backend...
Initializing provider plugins...
- Finding hashicorp/vault versions matching ">= 3.0.0"...
- Installing hashicorp/vault v3.11.0...
- Installed hashicorp/vault v3.11.0 (signed by HashiCorp)

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see any changes that are required for your infrastructure.
This command applies the Terraform configuration, creating or updating the secret in Vault without asking for confirmation.
Terminal
terraform apply -auto-approve
Expected Output
vault_generic_secret.example_secret: Creating...
vault_generic_secret.example_secret: Creation complete after 1s [id=secret/data/myapp/config]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
-auto-approve - Skip manual approval to apply changes immediately
This command shows the secret value retrieved from Vault after applying the configuration.
Terminal
terraform output retrieved_secret
Expected Output
supersecretpassword
Key Concept

If you remember nothing else from this pattern, remember: always keep secrets out of your code by using a secret manager and access them securely through Terraform.

Common Mistakes
Hardcoding secrets directly in Terraform variables or files.
This exposes sensitive data in code repositories, risking leaks and unauthorized access.
Use secret management tools like Vault and reference secrets dynamically in Terraform.
Not initializing Terraform before applying configuration.
Terraform won't download the necessary provider plugins, causing errors.
Always run 'terraform init' before 'terraform apply' to prepare the environment.
Using expired or invalid Vault tokens in the provider configuration.
Terraform cannot authenticate to Vault, so secret operations fail.
Ensure the Vault token is valid and has permissions to read/write secrets.
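The configuration shown above still carries a Vault token and a password as literals in main.tf, which is exactly the first mistake listed here. The following is a hardened variant written as an added example for this page, not code from the original or from HashiCorp: the provider block holds no credentials and relies on the VAULT_ADDR and VAULT_TOKEN environment variables (or an auth_login block), the password enters through a sensitive input variable, the secret is written and read back with the KV v2 resource and data source, and every output that touches secret data is declared sensitive. The mount name "secret", the secret name "myapp/config" and the variable name db_password are assumptions chosen for illustration.

```hcl
terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "~> 3.11"
    }
  }
}

# No address or token here: the provider reads VAULT_ADDR and VAULT_TOKEN from
# the environment, so the credential never lands in the repository or plan.
# For non-interactive runs an auth_login block (AppRole, Kubernetes, ...) is
# the alternative to a long-lived token.
provider "vault" {}

# Secret material enters through a sensitive variable, supplied at run time via
# TF_VAR_db_password or a -var-file that is excluded from version control.
# (Assumed variable name.)
variable "db_password" {
  type      = string
  sensitive = true
}

# Write the secret to the KV v2 engine (assumed mount "secret", assumed name).
resource "vault_kv_secret_v2" "myapp" {
  mount = "secret"
  name  = "myapp/config"

  data_json = jsonencode({
    username = "appuser"
    password = var.db_password
  })
}

# Read the same secret back through the KV v2 data source. Referencing the
# resource's attributes orders the read after the write. The provider marks the
# returned `data` map as sensitive.
data "vault_kv_secret_v2" "myapp" {
  mount = vault_kv_secret_v2.myapp.mount
  name  = vault_kv_secret_v2.myapp.name
}

# Every value derived from the sensitive map must itself be a sensitive output;
# without `sensitive = true` Terraform rejects the configuration at plan time.
output "db_username" {
  value     = data.vault_kv_secret_v2.myapp.data["username"]
  sensitive = true
}

output "db_password" {
  value     = data.vault_kv_secret_v2.myapp.data["password"]
  sensitive = true
}
```

Run it with the credentials and the secret exported in the shell, for example `export VAULT_ADDR=https://vault.example.com VAULT_TOKEN=<token> TF_VAR_db_password=<value>`, followed by `terraform init` and `terraform apply`. Two caveats remain even with this layout: Terraform records the written and read secret values in plaintext in its state file, so the state backend needs encryption at rest and tight access control; and while a plain `terraform output` redacts sensitive outputs, asking for one by name (`terraform output db_password`) prints the value, so treat terminal scrollback and CI logs as sensitive too.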
Summary
Initialize Terraform to download the Vault provider plugin.
Apply the Terraform configuration to store or update secrets in Vault.
Retrieve secrets securely from Vault using Terraform outputs.