We are deploying AKS via TF and need to record the kubeconfig to Vault for use in CI/CD. The problem is, the following block outputs a JSON that has the kubeconfig as a value with escape characters, and we need to export a usable config via Terraform to Vault. Is there a way to do this within Terraform, or do we have to write a script to export the kubeconfig to Vault?
output "aks_kube_config" {
  description = "Cluster Kubernetes Configuration raw file"
  value       = azurerm_kubernetes_cluster.main.kube_config
  sensitive   = true
}
If you are storing the value straight into Vault why don’t you use the vault_generic_secret resource?
https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/generic_secret
That got me on the right path I think, now having an issue passing the attribute to jsondecode
│ Error: Error in function call
│
│ on main.tf line 11, in resource "vault_generic_secret" "main":
│ 11: data_json = "${jsondecode(azurerm_kubernetes_cluster.main.kube_config_raw)}"
│ ├────────────────
│ │ azurerm_kubernetes_cluster.main.kube_config_raw has a sensitive value
│
│ Call to function "jsondecode" failed: invalid character 'a' looking for
│ beginning of value.
For anyone looking for help on this down the line, here is the resolution
resource "vault_generic_secret" "main" {
  path = "kv/mynamespace"

  # kube_config_raw is YAML, not JSON: decode it as YAML, then re-encode as JSON for Vault.
  data_json = jsonencode(yamldecode(azurerm_kubernetes_cluster.main.kube_config_raw))
}
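
An alternative to the resolution above, as an added example that is not part of the original posts: store the raw YAML as a single string value, so a CI/CD job can write it back to a file unchanged instead of rebuilding a kubeconfig from decoded fields. The resource name `kubeconfig_file` and the key name `kubeconfig` are assumptions; the path is the one used in the thread.

```hcl
# Added example. "kubeconfig_file" and the "kubeconfig" key are hypothetical names.
resource "vault_generic_secret" "kubeconfig_file" {
  path = "kv/mynamespace"

  # jsonencode() escapes the newlines inside the string for transport only;
  # Vault returns the original multi-line YAML when the field is read back.
  data_json = jsonencode({
    kubeconfig = azurerm_kubernetes_cluster.main.kube_config_raw
  })
}
```

The pipeline can then recover the file with `vault kv get -field=kubeconfig kv/mynamespace > kubeconfig`. With either form, the kubeconfig is also written in plaintext to the Terraform state (the `sensitive` marking only hides it from CLI output), so the state backend needs the same access controls as the Vault path.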