Add key-value to EXISTING secret with terraform

Hey! I’m doing something like:

resource "vault_generic_secret" "vault_secret" {
  path = var.vault_path
  data_json = <<EOT
  "MONGO_PASSWORD": "${random_password.mongo_password.result}"

I want to add MONGO_PASSWORD to a path that may, or may not, exist yet.

In other words, if I have a secret already in “path” I want to update its contents with a new key-value (MONGO_PASSWORD), without destroying the existing ones.
Otherwise, I want to create a new secret with just this secret, which could be updated manually. If that’s the case, I want terraform to NOT delete the secret but to leave as it is.

Kind of a "MONGO_PASSWORD does exist? Good. It doesn’t? I’ll create a new version and I wil add it alongisde whatever already exists.

Does this make sense?

When you say an existing secret, do you mean there might be other data at the path already?

The vault_generic_secret resource manages the full path, which just stores a JSON string. So it will ensure that it contains exactly the value listed, meaning any other data would be overwritten. If you want other data to exist you’d need to store things in different paths, or also add that other data in the Terraform.

Hey stuart!! yeah, I was hoping for a resource of type “key-value” or something like that to exist, but I see now that terraform-vault manages the full path.

I will just use different paths for terraform-managed-mongo-credentials, terraform-managed-blabla-credentials and manually-managed-the-rest

Thanks a ton!

This is more due to the way Vault actually works. When you use the Vault UI and visit a path the key/value pairs are actually just a representation of a JSON document, which is what is actually being stored. You can only fetch or update that whole document (with the exception of PATCH support). It is also why you can’t control access to a single field, only to the whole path.