I am writing to ask for advice on how to manage the provisioning of static V2 secret vaults.
The tools I have available are: Terraform OSS, Vault Enterprise and GitLab.
I’m creating a GitLab pipeline that will take care of saving secrets within Vault. My doubt is how to manage these secrets. Specifically, I would like to understand if, since they are static secrets, it makes sense to keep them in a tfvars file inside my repo or if there is some other solution.
The problem is that every time I have to modify the contents of one or more secrets on the same mount path I have to pass the complete contents of the secret as input to Terraform, otherwise Terraform will perform a deletion.
I’m a bit confused about what you’re trying to do. In particular, you talk about provisioning Vault, and a KVv2 secrets engine, yet you talk about managing secrets without mentioning any of that.
I’m going to guess that you are trying to automate the deployment of a specific install of Vault, with ‘seed’ secrets, if you will. And sometimes those ‘seed’ secrets need to be changed, as part of new deployments. This, to me, sounds like you should have a Vault sitting behind that automated process, storing the ‘seed’ secrets, which can then be retrieved by your GitLab pipeline, or Terraform itself, depending on your requirements. And then those ‘seed’ secrets can be updated as required, and even if you need to change them in Vaults that have already been deployed, Terraform or GitLab could retrieve them from that original Vault, if you will, rather than having them sitting in a repo waiting to be compromised.
Or maybe I’ve completely misunderstood your situation! If so, please clarify.
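The layout suggested in the reply above (a "seed" Vault as the source of truth, with Terraform copying complete secrets into the Vault being provisioned) can be expressed directly in Terraform with two aliased `vault` providers. The configuration below is an added example, not code from the original thread; the addresses, mount names and the `microservices/` prefix are assumptions, and the two providers are expected to authenticate via `VAULT_TOKEN` (or an `auth_login_*` block) rather than anything committed to the repo.

```hcl
terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "~> 4.0"
    }
  }
}

# Source-of-truth Vault that holds the seed secrets (hypothetical address).
# Credentials come from VAULT_TOKEN in the pipeline environment or an
# auth_login_* block, never from a tfvars file in the repository.
provider "vault" {
  alias   = "seed"
  address = "https://seed-vault.example.internal:8200"
}

# Target Vault being provisioned by this pipeline (hypothetical address).
provider "vault" {
  alias   = "target"
  address = "https://vault.example.internal:8200"
}

variable "seed_mount"   { default = "seed" }          # KVv2 mount on the seed Vault (assumed)
variable "seed_prefix"  { default = "microservices" } # folder under that mount (assumed)
variable "target_mount" { default = "secret" }        # KVv2 mount on the target Vault (assumed)

# Enumerate every entry under seed/microservices/ on the seed Vault.
# Sub-folders come back with a trailing "/" and are skipped below.
data "vault_kv_secrets_list_v2" "seed" {
  provider = vault.seed
  mount    = var.seed_mount
  name     = var.seed_prefix
}

# Read each seed secret in full; a KVv2 read always returns the whole
# key/value map, so no human has to remember the other keys.
data "vault_kv_secret_v2" "seed" {
  provider = vault.seed
  for_each = toset([for n in data.vault_kv_secrets_list_v2.seed.names : n if !endswith(n, "/")])
  mount    = var.seed_mount
  name     = "${var.seed_prefix}/${each.key}"
}

# Write each secret to the target Vault. data_json always carries the complete
# contents read from the seed Vault, so editing one key in the seed Vault
# produces a new version here instead of Terraform deleting the keys that
# were left out of a hand-typed input.
resource "vault_kv_secret_v2" "app" {
  provider  = vault.target
  for_each  = data.vault_kv_secret_v2.seed
  mount     = var.target_mount
  name      = "${var.seed_prefix}/${each.key}"
  data_json = each.value.data_json
}
```

Two caveats a practitioner would want before running this in GitLab CI. First, each `vault_kv_secret_v2` resource owns the entire secret at its path: removing a key from the seed secret removes it from the target as well, which is the intended behaviour here but worth knowing. Second, the Terraform state file stores the secret values in plain text even though the attribute is marked sensitive, so the pipeline's state backend (for example GitLab-managed Terraform state) must be access-controlled and encrypted at rest with the same care as the Vaults themselves.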
Thank you for your answer.
I’ll try to explain myself better.
I would like to use Terraform, via the GitLab CI, to create/update KVv2 static secrets which will then be consumed by my microservices. I have difficulty understanding how to manage these secrets before they are saved in the Vault, because every time I have to update one I have to ask a human operator to remember the contents of the secret, otherwise Terraform will either delete it or not perform patching. I hope I explained myself.