How to protect GCP root credentials whilst still setting up Vault from Terraform?

So I would like to use vault_gcp_secret_backend to enable it in Vault from my Terraform config. But if I use credentials = ... it will store those superuser/owner credentials in the state! Also, I would have to give them to each developer. That is obviously something that we don’t want. How do you solve this? Do you keep this vault_gcp_secret_backend out of the state and run it as a one-off script, but do add the subsequent vault_gcp_secret_roleset resources? Other ways to accomplish this?
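The split the question proposes (mount and configure the GCP secrets engine once, out of band, then let Terraform own only the rolesets) looks like the following. This is an added example, not code from the original post or from HashiCorp; the project id `my-project`, the mount path `gcp`, the roleset name `project_viewer` and the key file path `/tmp/sa-owner.json` are assumptions made for illustration.

```hcl
# --- Variant A (what the question warns about) ---------------------------
# Even with `sensitive = true`, the value of `credentials` is written to the
# Terraform state in plaintext; `sensitive` only redacts plan/apply output.
variable "gcp_sa_key" {
  type      = string
  sensitive = true
}

resource "vault_gcp_secret_backend" "unsafe" {
  path        = "gcp-unsafe"
  credentials = var.gcp_sa_key   # <- lands in terraform.tfstate
}

# --- Variant B (backend bootstrapped out of band, rolesets in Terraform) --
# One-off bootstrap, run once by an operator with the owner key, never from
# Terraform (assumed commands; the key file path is an example):
#
#   vault secrets enable -path=gcp gcp
#   vault write gcp/config credentials=@/tmp/sa-owner.json
#   shred -u /tmp/sa-owner.json
#
# The owner key now lives only inside Vault. Terraform references the mount
# by its path string, so no backend resource and no key ever enter state.
locals {
  gcp_project = "my-project"   # assumed project id
  gcp_mount   = "gcp"          # must match the -path used in the bootstrap
}

resource "vault_gcp_secret_roleset" "project_viewer" {
  backend      = local.gcp_mount
  roleset      = "project_viewer"
  secret_type  = "access_token"
  project      = local.gcp_project
  token_scopes = ["https://www.googleapis.com/auth/cloud-platform"]

  binding {
    resource = "//cloudresourcemanager.googleapis.com/projects/${local.gcp_project}"
    roles    = ["roles/viewer"]
  }
}

# Developers only ever need a Vault token that can read this path; they never
# see the owner key, and the state contains nothing more sensitive than the
# roleset definition above.
output "viewer_token_path" {
  value = "${local.gcp_mount}/token/${vault_gcp_secret_roleset.project_viewer.roleset}"
}
```

Two checks are worth doing after the first apply: `grep -c private_key terraform.tfstate` should return 0 under variant B, and `vault read gcp/config` should show the configured service-account email without revealing the key, which confirms the engine was configured out of band rather than by the provider.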


Terraform OSS doesn’t provide any ability to encrypt sensitive variables or provide security / protections for state files – these are Terraform Enterprise / Cloud features. Some links follow:

Generally speaking, Terraform OSS is intended for individual users or very small teams of users. Larger organizations or groups of users often move to Enterprise versions of our tools when working with larger sets of users/developers to take advantage of features such as these.