HCP Vault Secrets with Terraform
In addition to using the command line interface (CLI) or application programming interface (API), you can also use the HCP Terraform provider to retrieve secrets from HCP Vault Secrets.
Prerequisites
- An existing HCP account
- Completed the previous HCP Vault Secrets tutorials
- HCP service principal with HCP_CLIENT_ID and HCP_CLIENT_SECRET available
- Terraform installed
- Terraform Cloud account (Terraform Cloud workflow only)
Retrieve secrets with Terraform
The HCP Terraform provider includes a data source for HCP Vault Secrets. This data source allows you to retrieve secrets and use them in a Terraform configuration.
Retrieve the HCP_CLIENT_ID and HCP_CLIENT_SECRET environment variables set during the Install HCP Vault Secrets CLI tutorial.
Log in to the Terraform Cloud portal.
Click Projects & workspaces then click Settings.
Click Variable sets. Variables in Terraform Cloud allow you to store items similar to setting an environment variable for a shell session or in a .tfvars file.
Click Create variable set.
Enter HCP_SERVICE_PRINCIPAL in the Name textbox.
Select the Apply globally radio button.
Click + Add variable.
Enter HCP_CLIENT_ID in the Key field, and the actual client ID in the Value field.
Click the Sensitive checkbox, then click Add variable.
Click + Add variable again.
Enter HCP_CLIENT_SECRET in the Key field, and the actual client secret in the Value field.
Click the Sensitive checkbox, then click Add variable.
Click Create variable set.
Click < Workspaces, then click Projects & workspaces.
Click New and select Workspace.
Select CLI-driven workflow and enter HCPVaultSecretsLab in the Workspace name field.
Scroll to the bottom of the form and click Create workspace.
Copy the name of your Terraform Cloud organization and return to your terminal session.
Set an environment variable with the name of your Terraform Cloud organization.
Create an example Terraform configuration with the required provider and Terraform Cloud configuration block. The HCP Vault Secrets data source requires the hcp provider at version 0.63.0 or greater.
Declare the HCP_CLIENT_ID and HCP_CLIENT_SECRET variables in the Terraform configuration.
Add the hcp_vault_secrets_app data block to the Terraform configuration to read the WebApplication application you created in an earlier tutorial.
Add an output block to allow Terraform to display the retrieved secret. This step is not necessary for production configurations, but it is used in this tutorial to validate that Terraform successfully retrieved the secret.
Because HCP Vault Secrets is used to store sensitive information, you must add sensitive = true to the output block.
Log in to Terraform Cloud with the terraform login sub-command. Follow the prompts to complete the authentication process.
Run terraform init to initialize the configuration and install the necessary providers.
Run terraform apply to read the WebApplication values from HCP Vault Secrets.
Return to the Terraform Cloud portal.
On the Overview page you can see the Latest Run is in a stage of Planned and finished.
Click States.
Click Triggered via CLI.
View the state.
The username secret you previously added is displayed.
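The configuration that the steps above build, written out here as an added example rather than the tutorial's own file. It assumes the Terraform Cloud organization name is supplied through the TF_CLOUD_ORGANIZATION environment variable and that the WebApplication app contains a secret named username.

```hcl
terraform {
  # Terraform Cloud workflow. The organization is omitted here because it is
  # read from the TF_CLOUD_ORGANIZATION environment variable set earlier (assumption).
  cloud {
    workspaces {
      name = "HCPVaultSecretsLab"
    }
  }

  required_providers {
    hcp = {
      source  = "hashicorp/hcp"
      version = ">= 0.63.0" # minimum version with the HCP Vault Secrets data source
    }
  }
}

# Service principal credentials, supplied by the HCP_SERVICE_PRINCIPAL variable set.
# Marking them sensitive keeps them out of plan and apply output.
variable "HCP_CLIENT_ID" {
  type      = string
  sensitive = true
}

variable "HCP_CLIENT_SECRET" {
  type      = string
  sensitive = true
}

provider "hcp" {
  client_id     = var.HCP_CLIENT_ID
  client_secret = var.HCP_CLIENT_SECRET
}

# Read every secret stored in the WebApplication app created in the earlier tutorial.
data "hcp_vault_secrets_app" "web_application" {
  app_name = "WebApplication"
}

# Validation only. sensitive = true redacts the value in CLI output, but the
# value is still written to the state, so the state must be protected as a secret.
output "username" {
  value     = data.hcp_vault_secrets_app.web_application.secrets["username"]
  sensitive = true
}
```

After terraform apply, the output is shown as (sensitive value); run terraform output -raw username to see the actual value locally.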