Need to output usable kubeconfig with terraform azrm provider

We are deploying AKS via TF and need to record the kubeconfig to vault for use in CICD. The problem is, the following block outputs a json that has the kubeconfig as a value with escape characters and we need to export a usable config via terraform to vault. Is there a way to do this with in terraform or do we have to write a script to export the kubeconfig to vault?

output “aks_kube_config” {

description = “Cluster Kubernetes Configuration raw file”

value = azurerm_kubernetes_cluster.main.kube_config

sensitive = true


If you are storing the value straight into Vault why don’t you use the vault_generic_secret resource?

That got me on the right path I think, now having an issue passing the attribute to jsondecode

│ Error: Error in function call

│ on line 11, in resource “vault_generic_secret” “main”:
│ 11: data_json = “${jsondecode(azurerm_kubernetes_cluster.main.kube_config_raw)}”
│ ├────────────────
│ │ azurerm_kubernetes_cluster.main.kube_config_raw has a sensitive value

│ Call to function “jsondecode” failed: invalid character ‘a’ looking for
│ beginning of value.

For anyone looking for help on this down the line, here is the resolution

resource “vault_generic_secret” “main” {

path = “kv/mynamespace”

data_json = jsonencode(yamldecode("${azurerm_kubernetes_cluster.main.kube_config_raw}"))