The output you have shown looks reasonable and expected. I don’t understand what it is you see differently when using the CLI. Please explain further, preferably with an example.
I think I am mixing everything up… I just need to mount an engine “apps” and then create secrets within it, setting the path for each app like this: dev/app1, dev/app2, etc.
resource "vault_mount" "kvv2-apps" {
  path        = "apps"
  type        = "kv-v2"
  description = "KV Version 2 secret engine mount for Apps"
}

resource "vault_kv_secret_v2" "kube_apps_secrets" {
  for_each = toset(keys(data.external.get_apps_tree.result))

  mount = vault_mount.kvv2-apps.path
  name  = each.key
  data_json = jsonencode(
    {
      name = each.key
    }
  )
}
I recommend against creating these “placeholder” secret values. There is no need to do so. Vault KV stores work a bit like Amazon S3 buckets - there is no such thing as a directory physically in storage, directories are just implied, based on prefixes ending with a slash character, in the full path to “files” stored.
Provided your Vault ACL policies allow it, the application will be able to write to apps/dev/app1/foo/bar/baz directly, whether or not these placeholder secrets exist.
Furthermore, if you do create these placeholder secrets, and the app creates the previously suggested apps/dev/app1/foo/bar/baz, and then you do vault list apps/dev/, then the result will be:
app1
app1/
...
i.e. it is permitted - but sometimes confusing! - for a “file” and a “directory” to exist at the same path, in a Vault KV store (or indeed S3 bucket).
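To make the prefix-based listing behaviour concrete, here is a small added model (not code from the thread or from Vault itself) of how `vault list` derives its output from the full paths of stored secrets. The sample paths are constructed; `kv_list` and the two path lists are hypothetical names chosen for this illustration, and it runs offline with no Vault server.

```python
"""Model of how a Vault KV store derives `vault list` output from the
full paths of stored secrets. Added example, not from the thread: it
mimics the prefix-based listing described above on constructed sample
paths, so it runs offline without a Vault server."""


def kv_list(stored_paths, prefix):
    """Return the keys `vault list <prefix>` would show for a KV store
    holding exactly `stored_paths`.

    Vault has no real directories: an entry ending in "/" is implied
    whenever some stored path continues past the next slash. A leaf
    secret and an implied directory may share a name, so both "app1"
    and "app1/" can appear in one listing.
    """
    # Normalise so "apps/dev" and "apps/dev/" list the same thing.
    if prefix and not prefix.endswith("/"):
        prefix += "/"
    keys = set()
    for path in stored_paths:
        if not path.startswith(prefix):
            continue
        rest = path[len(prefix):]
        if not rest:
            continue
        head, sep, _tail = rest.partition("/")
        # A trailing "/" marks an implied directory, otherwise a leaf key.
        keys.add(head + "/" if sep else head)
    return sorted(keys)


# Constructed sample: Terraform created a placeholder secret named
# exactly "apps/dev/app1", and the application later wrote a deep path.
WITH_PLACEHOLDER = [
    "apps/dev/app1",              # placeholder created by Terraform
    "apps/dev/app1/foo/bar/baz",  # written later by the application
    "apps/dev/app2",
]

# Constructed sample: no placeholders, only what the application wrote.
WITHOUT_PLACEHOLDER = [
    "apps/dev/app1/foo/bar/baz",
]


if __name__ == "__main__":
    # Placeholder plus deep write: "app1" and "app1/" coexist, as above.
    print(kv_list(WITH_PLACEHOLDER, "apps/dev/"))
    # No placeholder needed: the implied directory appears on its own.
    print(kv_list(WITHOUT_PLACEHOLDER, "apps/dev/"))
    print(kv_list(WITHOUT_PLACEHOLDER, "apps/dev/app1/foo/bar"))
```

The second listing is the point of the advice: the application's write alone makes `app1/` show up under `apps/dev/`, so the placeholder secret adds nothing except the duplicate `app1` entry.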