Terraform Vault Provider


We internally use a home-built module that sets up a GitHub repository, branch protection, CI config, and a few other things in a single spot so we get things mostly consistent and simplified. The most recent addition I have been working to add is Vault integration so that project teams can change some of the values more rapidly than our normal process flow. We’re doing this with Vault stores instead of Consul, as some of the things they edit (tokens, etc.) are “secret” to a particular project, and we thought it best to have all the values in one interface instead of some in Consul and some in Vault.

This mostly works except for our desire to populate the defaults the module uses into Vault so the secret keys already exist and contain the active value.

I’ve done this by creating a local map and attaching it to a newly created secrets store path in a vault_generic_secret resource.

resource "vault_generic_secret" "repository_secrets_store" {
  path         = "${var.project_team}-developer/managed_repository/${var.project_name}"
  disable_read = false
  # The map is serialized to the JSON string the provider writes to Vault.
  data_json    = jsonencode(local.vault_default)

  lifecycle {
    # data_json is the configured argument (data is a computed read-back),
    # so that is the attribute to ignore once teams start editing in Vault.
    ignore_changes = [data_json]
  }
}

This works, but it doesn’t. What I am wanting/expecting is that a new document is created at the "${var.project_team}-developer/managed_repository/${var.project_name}" location with each of the local.vault_default map key/value pairs as secrets.

What I get instead is a text field containing the JSON document.

Any ideas?
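For comparison, here is a complete, self-contained version of the pattern the post describes, written as an added example rather than taken from the poster's module. The key names and placeholder values in the local map are assumptions, the mount is assumed to be KV v1, and the variables var.project_team and var.project_name are the ones from the post. The read-back data source and output are there as the check a practitioner would run: they make it visible whether each map key became its own secret field or whether the whole map landed as one JSON string.

```hcl
# Added example, not the poster's code. Key names and values are assumed.
variable "project_team" { type = string }
variable "project_name" { type = string }

locals {
  # Defaults the module seeds into Vault. Every value is kept a plain string:
  # the provider's data map can only hold strings, so any nested or non-string
  # value round-trips as serialized JSON text instead of a normal field.
  vault_default = {
    deploy_token   = "replace-me"
    webhook_secret = "replace-me"
    notify_channel = "${var.project_name}-ci"
  }
}

resource "vault_generic_secret" "repository_secrets_store" {
  # KV v1 mount assumed. A KV v2 mount is addressed through the "data" path
  # segment (mount/data/...), or through the dedicated vault_kv_secret_v2 resource.
  path      = "${var.project_team}-developer/managed_repository/${var.project_name}"
  data_json = jsonencode(local.vault_default)

  lifecycle {
    # Ignore the configured argument, not the computed "data" attribute, so a
    # later apply does not overwrite values the project team changed in Vault.
    ignore_changes = [data_json]
  }
}

# Read the secret back after it is written, to verify how it was stored.
data "vault_generic_secret" "seeded" {
  path       = vault_generic_secret.repository_secrets_store.path
  depends_on = [vault_generic_secret.repository_secrets_store]
}

# One entry per map key means the values were written as separate fields.
# A single key whose value is the JSON document means the map was encoded twice.
output "seeded_keys" {
  value = sort(keys(data.vault_generic_secret.seeded.data))
}
```

Running `terraform apply` and then `terraform output seeded_keys` should list deploy_token, notify_channel and webhook_secret as three separate keys; `vault kv get` on the same path should show the same three fields. If either shows a single field holding a JSON blob, look for a second jsonencode (or a value that is already a JSON string) feeding data_json, and confirm the mount's KV version matches the path form used above.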