Hi,
Trying to work out if this is possible, but been going around the documentation for hours and can’t get my head around it.
I have a Consul and Vault setup, and want to use Consul as the remote backend for Terraform. Good security practice says you shouldn’t have ‘secrets’ stored locally on your deployment box, or in the tfstate. One such secret in my setup would be Consul client certificates to connect Terraform via https to the Consul backend. Ideally I’m trying to have those certificates stored in Vault, and call them into the backend config. However, Terraform doesn’t appear to support using variables to set the ca_file, cert_file values.
I’ve tried using regular variables, locals, backend blocks, backend.tf files, backend.conf files, tfvars etc. but ultimately it still ends up with a variable in the cert file values.
Is there an approved architecture for doing this (Terraform with Consul backend, secrets pulled from Vault)? I feel like this should be easy given all three are Hashicorp tools, or am I architecting my setup incorrectly??
Thanks
James
Hi @thomson131,
The most typical way to set this up is to put the credentials needed by the backend in environment variables; exactly which variables to use will depend on the details of the backend and should be mentioned in the documentation.
Providing the credentials in this way means that they will only exist in memory as part of the environment variable table for your shell and for the Terraform commands you run in it.
Some teams employ helper scripts which automate the steps of requesting credentials from Vault and setting the appropriate environment variables based on that.
This is something that Terraform expects to be done outside of its scope before running Terraform, so that you can tailor any automation to the way you have Vault set up, and then the Terraform backends will just consult the environment variables to see the result.
@apparentlymart , thanks for taking the time to reply.
That makes sense. I’m trying to shoot for the minimum ‘setup’ to run our IaC code, and ideally wanted to just copy/paste our Vault tokens and have the tools pull and do the rest of the authentication and setup.
I’ve gone for an Ansible wrapper to setup the environment variables as described. I guess I was just hoping there was a way for these tools to directly interact with each other, but I appreciate that’s obviously not how they were designed to work.
Thanks again.
James