Skip to content

blablacar/terraform-provider-vaultprov

BranchesTags

Repository files navigation

Terraform Provider vaultprov

blablacar/vaultprov is a custom provider to generate and store random secrets directly into Vault without storing any sensitive value into Terraform state. Secrets metadata are still stored into Terraform state as for any other resources, only the secret itself isn't.

Resources

There are two resources: vaultprov_random_secret for generating random secrets and vaultprov_keypair_secret for generating cryptographic keypairs.

vaultprov_random_secret

Generate fully random bytes that can be used as secret keys for symmetric cryptography operation (encryption, MAC).

resource "vaultprov_random_secret" "my_key" {
  path   = "/secrets/foo/bar"
  length = 32
  metadata = {
    owner    = "my_team"
    some-key = "some-value"
  }
}

vaultprov_random_secret attributes:

  • path: path of the generated Secret into Vault. Must be a path to a KV v2 mount. Used as ID for the resource
  • length: length of the secret in bytes. Default is 32
  • metadata: Key/value (string only) custom metadata that will be added to the Vault Secret
  • force_destroy: If set to true, removing the resource will delete the secret and all versions in Vault. If set to false or not defined, removing the resource will fail.

The resulting Vault secret will have 2 additional metadata:

  • secret_type: will be set to random_secret
  • secret_length: secret length in bytes

Once created, only metadata can be updated without deleting the secret. path can't be changed afterward. Changing length will cause the secret to be deleted and re-created.

⚠️ When deleting a vaultprov_random_secret resource, every secret's versions and metadata will be permanently deleted.

vaultprov_keypair_secret

Generate a Curve25519 keypair that can be used for asymmetric cryptography operation (key exchange, signatures). The private and public keys are stored as two separate Vault secrets.

resource "vaultprov_keypair_secret" "my_keypair" {
  base_path = "/secrets/bar/foo"
  type      = "curve25519"
  metadata = {
    owner    = "my_team"
    some-key = "some-value"
  }
}

vaultprov_keypair_secret attributes:

  • base_path: base path of the keypair secrets in Vault. Two Vault secrets will be created at this path: one for the private key (private) and one for the public one (public). For example, for a base_path /secrets/bar/foo, the keypair secrets will be /secrets/bar/foo/private and /secrets/bar/foo/public. Serves as the resource id.
  • type: type of keypair to create. Only supported value for now is curve25519 (default)
  • metadata: Key/value (string only) custom metadata that will be added to the Vault Secrets
  • force_destroy: If set to true, removing the resource will delete the secrets and all versions in Vault. If set to false or not defined, removing the resource will fail.

The resulting Vault secrets will have additional metadata:

  • secret_type: will be set to curve25519
  • secret_length: secret length in bytes (32 for Curve25519)
  • keypair_linked_secret_path: path to the other part of the keypair
  • keypair_part: either private or public

Once created, only metadata can be updated without deleting the secrets. base_path and type can't be changed afterward.

⚠️ When deleting a vaultprov_keypair_secret resource, both secrets' versions and metadata will be permanently deleted.

Provider configuration

In order to communicate with a Vault cluster, the provider needs to be configured accordingly. Only Kubernetes authentication is supported.

terraform {
  required_providers {
    vaultprov = {
      source  = "blablacar/vaultprov"
      version = "0.4.0"
    }
  }
}

provider "vaultprov" {
  address = "https://some.vault.com:8200"

  auth = {
    path = "auth/kubernetes/login"
    role = "some-role"
    jwt = file("/var/run/secrets/kubernetes.io/serviceaccount/token")
  }
}

Provider attributes:

  • address: Vault address
  • auth
    • path: Authentication endpoint to use with Vault
    • role: Vault Kubernetes authentication role to use
    • jwt: Path of the local Kubernetes service account to be used for authentication

Build

To build for current or specific arch:

make build
# or
OS_ARCH="linux_amd64" make build

To build & install on locally

make install
# or
OS_ARCH="linux_amd64" make install

To build for release:

make release

To generate documentation:

make docs

Test

Acceptance tests

In order to launch acceptance you must first have a running Vault instance:

vault server -dev -dev-root-token-id=ROOT_TOKEN

You must also set the following environment variables:

export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='ROOT_TOKEN'

Then you can launch tests: make testacc

Local testing

In order to use the provider locally (without publishing it on Terraform Registry), use the make install command in order to copy the provider binary in the local provider registry.

Publish

GitHub action is used to released new versions of the provider in Terraform Registry.

Follow the official Terraform documentation for the publishing procedure.

About

Custom Terraform provider to provision Vault with random secrets.

Topics

security owner-security

Resources

Readme
Activity
Custom properties

Stars

1 star

Watchers

9 watching

Forks

2 forks
Report repository

Releases 5

v0.4.0 Latest
Apr 2, 2026
+ 4 releases

Packages

 
 
 

Contributors

Languages