Using terraform to create vault_kv_secret resources results in json_data stored in a single key

Hello!

We’re running into an oddity trying to use vault_kv_secret to store secrets in a KV v1 secret mount. Here is a snippet from our Terraform configuration:

resource "vault_mount" "hello" {
  path        = "hello"
  type        = "kv"
  options     = { version = "1" }
  description = "hello"
}

resource "vault_kv_secret" "hi" {
  path = "${vault_mount.hello.path}/redis"
  data_json = jsonencode(
    {
      endpoint   = "127.0.0.1"
      ttl        = "60m"
    }
  )
}

In this example, we would expect to have the following at /hello/redis, as JSON:

{
  "endpoint": "127.0.0.1",
  "ttl": "60m"
}

Instead, we end up with everything nested under a single key, named data:

{
  "data": {
    "endpoint": "127.0.0.1",
    "ttl": "60m"
  }
}

Can someone explain what we’re doing wrong and/or why this is designed this way?

We’re using version 3.7.0 of the Vault provider against an enterprise Vault cluster running version 1.10.3+ent.

Regards,
Kris

The vault_kv_secret resource was recently implemented. It appears to have been done incorrectly, treating the KV v1 API partially like the KV v2 API, when it is actually different.

It would make sense to open a bug report in the GitHub repo: GitHub - hashicorp/terraform-provider-vault: Terraform Vault provider

Meanwhile, you could switch to using the vault_generic_secret resource instead. (Note: in this context, generic is the old name of the KV v1 secret engine, not a general language term. Unlike the vault_generic_endpoint resource where the same word is used to mean “any Vault endpoint”.)
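As an added illustration (not code from the thread, nor from the provider's own documentation): the same KV v1 mount from the question, with the secret written through vault_generic_secret instead of vault_kv_secret. The resource name `redis`, the provider version constraint and the sample values are assumptions; the `path` and `data_json` arguments are the provider's real attributes.

```hcl
# Added example: KV v1 mount plus a secret written with vault_generic_secret.
# Mount path, resource names and secret values are assumptions for illustration.
terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = ">= 3.7.0" # assumption: any release with vault_generic_secret
    }
  }
}

resource "vault_mount" "hello" {
  path        = "hello"
  type        = "kv"
  options     = { version = "1" }
  description = "hello"
}

# On a KV v1 mount, vault_generic_secret writes the keys of data_json as the
# top-level fields of the secret, so no wrapping "data" key is introduced.
resource "vault_generic_secret" "redis" {
  path = "${vault_mount.hello.path}/redis"

  data_json = jsonencode({
    endpoint = "127.0.0.1"
    ttl      = "60m"
  })
}
```

To check the result after `terraform apply`, read the secret back with `vault kv get -format=json hello/redis`: the CLI's own response envelope puts the stored fields under `.data`, so a correct write shows `.data.endpoint` and `.data.ttl` directly, while the nesting described in the question would show up as `.data.data.endpoint`. One caveat that applies to vault_kv_secret and vault_generic_secret alike: `data_json` is recorded in the Terraform state file, so the state must be kept in an access-controlled, encrypted backend just as the Vault secret itself is.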

Thank you. I will give vault_generic_secret a try and report back.

Here is the link to the GitHub issue for anyone else that stumbles upon this: Using terraform to create vault_kv_secret resources results in json_data stored in a single key · Issue #1549 · hashicorp/terraform-provider-vault · GitHub

Confirming that switching to vault_generic_secret works as expected!