Use the vault terraform provider to enable k/v secrets engine?

Is it possible to enable the k/v secrets engine (with the ability to specify v1 or v2, as well as the path) using the Terraform Vault provider?

I’ve tried to use the vault_generic_secret resource, but it would error out if the secret engine is not already enabled with a 404 error “no handler for route”.

This appears to be possible with the PKI secret backend using the following. So is there a similar resource type for the generic secret backend, where the Terraform Vault provider would enable the engine if it’s not already enabled?

resource "vault_pki_secret_backend" "pki" {
  path = "pki"
}

After a bit of searching around, it appears to be possible with:

resource "vault_mount" "kv2-created-by-terraform" {
  path        = "kv2-created-by-terraform"
  type        = "kv-v2"
  # or type = "kv"
  description = "This is an example mount for kv version 2"
}
8 Likes
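
An added example, not part of the original posts: mounting both KV versions with `vault_mount` and writing a secret under each, so the mount exists before the write and the 404 "no handler for route" error from the question does not occur. The mount paths, resource names and the `app_password` variable are hypothetical.

```hcl
# Added example; mount paths, resource names and the variable are hypothetical.

variable "app_password" {
  type      = string
  sensitive = true # redacted in plan output, but still stored in Terraform state
}

# KV version 1 mount: type "kv" with the version set explicitly.
resource "vault_mount" "kv1" {
  path        = "kv1-example"
  type        = "kv"
  options     = { version = "1" }
  description = "KV v1 mount managed by Terraform"
}

# KV version 2 mount, as in the answer above.
resource "vault_mount" "kv2" {
  path        = "kv2-example"
  type        = "kv-v2"
  description = "KV v2 mount managed by Terraform"
}

# Building the secret path from vault_mount.kv1.path gives Terraform an
# implicit dependency: the mount is created first, so the write never
# reaches a path that has no secrets engine behind it.
resource "vault_generic_secret" "app" {
  path = "${vault_mount.kv1.path}/app"
  data_json = jsonencode({
    password = var.app_password
  })
}

# For a v2 mount, the provider's dedicated resource takes the mount and
# the secret name separately; the reference to the mount again orders creation.
resource "vault_kv_secret_v2" "app" {
  mount = vault_mount.kv2.path
  name  = "app"
  data_json = jsonencode({
    password = var.app_password
  })
}
```

Because `data_json` is persisted in the state file, the state backend needs the same access controls as Vault itself.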