Consul backend for vault

bernardogza · January 30, 2020, 4:31pm

I would like to know what is the best practice to handle sensitive information if I store the tfstate file on Consul.

Crizstian · January 31, 2020, 4:52pm

Hello @bernardogza I would recommend you to create Consul ACL to protect access to the vault kv path, and create specific consul tokens with the specific ACL policies to the consul servers that should be the only ones that has access to the vault kv path.
Also this tokens should be rotated constantly, for security.

fewknow · January 31, 2020, 5:25pm

You can also use vault to store the sensitive data. Then reference it with the vault provider when running terraform.

tyrannosaurus-becks · February 1, 2020, 12:30am

Also, for what it’s worth, we don’t recommend that you store any long-lived secrets in your Terraform state file. I actually did a webinar on how to do this flow securely right here: Best Practices for Using HashiCorp Terraform with HashiCorp Vault. It includes using Consul as a storage back-end.

Topic		Replies	Views
[BLOG] Managing HashiCorp Consul Access Control Lists with Terraform & Vault Consul	2	933	December 30, 2021
Using Terraform Remote State with Consul Backend Consul	2	448	August 6, 2021
Data storage paths when Consul used as vault storage backend Vault	3	1456	March 5, 2020
Vault with Consul - ACL token Vault	1	411	May 20, 2022
Variable Use in the Terraform Consul Backend Terraform vault	2	438	August 19, 2022

Consul backend for vault

Related topics