Terraform using userpass token not approle token

I’ve been trying to interface Terraform to Jenkins using Approle. Yes, Jenkins has Vault plugins, but they will never pass security requirements of having to hard-code long-term tokens or secret-IDs as I have found no other way to feed them dynamic creds, at least not in their man page and I don’t code Java/Groovy enough to hack their code to work. Instead I wrote my own libraries to do simple API calls. Those work great, but not with Terraform it seems.

So far I’ve passed Terraform a vault token for the approle (myrole), but it wants to create a child token, which approle doesn’t permit.

Next I passed in the role_id and secret_id to vault_approle_auth_backend, but that errored out because it didn’t have a client token to go request it from the vault API. Ok, no problem.

I used the userpass user I have set up with limited perms to do the job of creating a short-lived, short-use secret-id (myuser), so I set VAULT_TOKEN=<myuser token>. Looking at the debug and trace logs, it does what I expect: it uses those creds to log in the approle and get the approle a client token.

The problem is, Terraform uses the myuser token when trying to read a secret from vault. I can’t find any documentation or examples anywhere on the net to explain why it has this behavior or why Terraform won’t use the approle token.

Before someone points me to the Vault/Jenkins approle tutorial, that works flawlessly; it is Terraform that isn’t working, and I don’t use Chef. I shouldn’t need to use it for retrieving a secret. Also, the vault references on Terraform’s various docs did not provide anything useful to solve this problem, and it is counter-productive to have tried to use TF to create a new approle, give it policies, and then try to read the secret permitted by the policies, and it still uses the VAULT_TOKEN passed in that TF needs to make the API call to vault, even though the vault_approle_auth_backend_login shouldn’t need VAULT_TOKEN to login, but without the VAULT_TOKEN, TF errors with the message no client token.

I’m at a loss, so I’m hitting up the community forums to see what the heck I’m missing.

vault.tf:
data "vault_approle_auth_backend_role_id" "role" {
  backend   = "approle"
  role_name = "myapprole"
}

output "role-id" {
  value = data.vault_approle_auth_backend_role_id.role
}

resource "vault_approle_auth_backend_role_secret_id" "id" {
  backend   = "approle"
  role_name = data.vault_approle_auth_backend_role_id.role.role_name
}

output "secret-id" {
  value     = vault_approle_auth_backend_role_secret_id.id.secret_id
  sensitive = true # secret_id is marked sensitive by the provider
}

resource "vault_approle_auth_backend_login" "login" {
  backend   = "approle"
  role_id   = data.vault_approle_auth_backend_role_id.role.role_id
  secret_id = vault_approle_auth_backend_role_secret_id.id.secret_id
}

output "login" {
  value     = vault_approle_auth_backend_login.login
  sensitive = true # contains the client_token returned by the login
}

data "vault_generic_secret" "mysecret" {
  path       = "devops/creds/mysecret"
  depends_on = [vault_approle_auth_backend_login.login]
}
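For reference, the vault_approle_auth_backend_login resource only performs a login and exposes the resulting client_token as an attribute; the provider itself keeps using the token it was configured with (here VAULT_TOKEN), which is why vault_generic_secret is read with the userpass token. The added example below (not the poster's configuration) instead authenticates the provider itself as the AppRole through its auth_login block, so every read uses the AppRole token and no VAULT_TOKEN is required. The variable names, feeding role_id and secret_id from the Jenkins job via TF_VAR_* environment variables, and the secret path are assumptions.

```hcl
# Added example: authenticate the vault provider itself via AppRole so that
# every data source and resource in this configuration uses the AppRole token.
# Assumptions: the Jenkins job exports TF_VAR_approle_role_id and
# TF_VAR_approle_secret_id (the short-lived secret-id it obtained with its
# userpass login), and VAULT_TOKEN is left unset.

variable "approle_role_id" {
  type      = string
  sensitive = true
}

variable "approle_secret_id" {
  type      = string
  sensitive = true
}

provider "vault" {
  # address is read from VAULT_ADDR when omitted
  auth_login {
    path = "auth/approle/login"
    parameters = {
      role_id   = var.approle_role_id
      secret_id = var.approle_secret_id
    }
  }

  # Optional, newer provider versions only: use the AppRole token directly
  # instead of minting a child token, which the AppRole policy may not permit.
  skip_child_token = true
}

# Read with the AppRole token; no vault_approle_auth_backend_login resource
# and no depends_on are needed because the login happens when the provider
# is configured.
data "vault_generic_secret" "mysecret" {
  path = "devops/creds/mysecret"
}

output "mysecret_keys" {
  # Expose only the key names so the secret values never appear in plan output.
  value = keys(data.vault_generic_secret.mysecret.data)
}
```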