Registering a service requires explicit token in config file

Hi,

I’m trying to upload some secrets using vault_generic_secret as follows:

resource "vault_generic_secret" "cloudflared_secrets" {
        depends_on = [
                vault_mount.cloudflared_secrets
        ]
  path    = "network/cloudflared/tunnel_001"

  data_json = <<EOT
        {
            "account_tag": "${local.account_tag}",
            "tunnel_secret": "${local.tunnel_secret}",
            "tunnel_id": "${local.tunnel_id}"
        }
        EOT
}

And these are the variables:

locals {
        account_tag = file("${path.module}/../shared/router/secrets/cfd_account_tag")
        tunnel_secret = file("${path.module}/../shared/router/secrets/cfd_tunnel_secret")
        tunnel_id = file("${path.module}/../shared/router/secrets/cfd_tunnel_id")
}

Each of these files contains one string with a usual newline at the end (just like when you save the file using vim).

When I run this, I get the following error:

╷
│ Error: invalid character '\n' in string literal
│
│   with vault_generic_secret.cloudflared_secrets,
│   on main.tf line 250, in resource "vault_generic_secret" "cloudflared_secrets":
│  250:   data_json = <<EOT
│  251:         {
│  252:             "account_tag": "${local.account_tag}",
│  253:             "tunnel_secret": "${local.tunnel_secret}",
│  254:             "tunnel_id": "${local.tunnel_id}"
│  255:         }
│  256:         EOT
│
╵

I’m guessing json doesn’t like it that it gets newlines in the variable values.

Any way I could get around this?
I’ve also tried encoding all values with base64encode:

  data_json = <<EOT
        {
            "account_tag": base64encode(local.account_tag),
            "tunnel_secret": base64encode(local.tunnel_secret),
            "tunnel_id": base64encode(local.tunnel_id),
            "cfd_privkey": base64encode(local.cfd_privkey),
            "cfd_cert": base64encode(local.cfd_cert),
            "cfd_token": base64encode(local.cfd_token),
        }
        EOT
}

but then I get:

╷
│ Error: invalid character 'b' looking for beginning of value
│
│   with vault_generic_secret.cloudflared_secrets,
│   on main.tf line 250, in resource "vault_generic_secret" "cloudflared_secrets":
│  250:   data_json = <<EOT

I might need to approach this differently.

I’ve fixed it by adding "${ }" around it:

"${base64encode(local.cfd_cert)}"

And removing the comma at the end of the last line.

Hi @lethargosapatheia,

As you’ve found here, it can be hard to generate valid JSON using just string concatenation. (Terraform’s string template features are effectively just glorified string concatenation.)

That’s why Terraform offers a jsonencode function: you can let Terraform worry about making valid JSON syntax and just focus on describing the data structure that the JSON should represent:

  data_json = jsonencode({
    account_tag = local.account_tag
    # ...etc...
  })

This function is guaranteed to always generate valid JSON syntax. When given a Terraform object value as shown above, it will always produce a JSON object with properties matching the attributes of the given object. As long as the values you provide are suitable for what the remote system is expecting, you should not encounter any JSON-related errors.
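The following is an added example, not code from any of the posts above. It combines the resource from the question with jsonencode, and it assumes the same file paths and names as the question; the `secrets_dir` local and the use of chomp are additions for illustration. jsonencode alone would escape the trailing newline as `\n` and store it as part of each secret, so the values are passed through chomp first:

```hcl
locals {
  # Hypothetical helper local; the path itself is the one used in the question.
  secrets_dir = "${path.module}/../shared/router/secrets"

  # file() returns the content verbatim, including the newline that editors
  # such as vim append. chomp() strips trailing newline characters so the
  # secret stored in Vault is exactly the intended string.
  account_tag   = chomp(file("${local.secrets_dir}/cfd_account_tag"))
  tunnel_secret = chomp(file("${local.secrets_dir}/cfd_tunnel_secret"))
  tunnel_id     = chomp(file("${local.secrets_dir}/cfd_tunnel_id"))
}

resource "vault_generic_secret" "cloudflared_secrets" {
  depends_on = [
    vault_mount.cloudflared_secrets
  ]

  path = "network/cloudflared/tunnel_001"

  # jsonencode() handles quoting and escaping, so no heredoc, no manual
  # commas, and no "${ }" interpolation inside a hand-written JSON string.
  data_json = jsonencode({
    account_tag   = local.account_tag
    tunnel_secret = local.tunnel_secret
    tunnel_id     = local.tunnel_id
  })
}
```

With this form, base64encode is only needed if the consumer of the secret expects base64; it is no longer required just to get past the JSON parser.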