Dynamic annotations for Vault secrets

Hi All,

I have been working on a module to deploy our k8s apps in Terraform using the Kubernetes provider. I’m able to create all required annotations dynamically, with the exception of the format required to create a Vault agent injected secret. So far, I have:

rendered_secret = templatefile("${path.module}/templates/secrets.tpl",
    secrets = var.secrets
    team = local.namespace
    application = local.application
    env = local.env

Where var.secrets is a simple map of the secret name and the value in which the secret should be stored. For example:

secrets = {
  secret = "MY_SECRET"

The template file is as follows:

%{~ for k, v in secrets ~}
  "vault.hashicorp.com/agent-inject-secret-${k}" = "secrets/${team}/${env}/${application}/${k}",
  "vault.hashicorp.com/agent-inject-template-${k}" = "|
    {{- with secret "secrets/${team}/${env}/${application}/${k}" -}}
      {{ .Data.data.${v} }}
    {{- end -}}"
%{~ endfor ~}

I was hoping that I’d be able to use tomap() on local.rendered_secret and merge it with the other annotations, but it fails with “Invalid value for “v” parameter: cannot convert string to map of any single type”. I then changed the template to render just one line, as I thought the multi-line was causing an issue with casting to a map, but I get the same error with this template:

%{~ for k, v in secrets ~}
{"vault.hashicorp.com/agent-inject-secret-${k}" = "secrets/${team}/${env}/${application}/${k}", "vault.hashicorp.com/agent-inject-template-${k}" = "|\n    {{- with secret "secrets/${team}/${env}/${application}/${k}" -}}\n      {{ .Data.data.${v} }}\n    {{- end -}}"}
%{~ endfor ~}

Are Terraform maps capable of allowing multi-line strings as a value?

The only other option is to use the Vault provider and create Kubernetes secrets, but as they are only base64 encoded, we decided against that. Unfortunately, if we can’t do this, it effectively rules out using Terraform for our deployments, which is a shame, because everything else works perfectly.

Any ideas would be much appreciated.