Vault_generic_endpoint cannot write to transit encrypt endpoint

I am trying to use Terraform to automate the encryption and decryption of data using the vault_generic_endpoint resource. However, I encounter an error:

vault_generic_endpoint.encrypt: Creating...

│ Error: error reading secrets/transit/encrypt/transcoder from Vault: Error making API request.
│
│ URL: GET https://172.31.40.167:8200/v1/secrets/transit/encrypt/transcoder
│ Code: 405. Errors:
│
│ * 1 error occurred:
│ * unsupported operation
│
│ with vault_generic_endpoint.encrypt,
│ on main.tf line 28, in resource "vault_generic_endpoint" "encrypt":
│ 28: resource "vault_generic_endpoint" "encrypt" {


My example code is:

resource "vault_generic_endpoint" "encrypt" {
  path         = "secrets/transit/encrypt/transcoder" # The path of the transit engine and key
  disable_read = true
  data_json = jsonencode({ # The data to encrypt
    plaintext = base64encode("Hello, World!")
  })
}

My policies include "update" on the path. Any help will be appreciated, as we do not want to use direct API calls or curl.

Is your Transit secrets engine actually mounted at secrets/transit/ or have you been misled by the way things are presented in the Vault UI, and erroneously inserted an extra secrets/ into the URL?

Never mind, it really is, I can infer.

The transit/encrypt/:name endpoint doesn’t support being read from.

But vault_generic_endpoint by default tries to read.

I see you have already set disable_read… I would have thought that would have solved the problem. I don’t understand why a GET request is still being made :-/

I tested this setup locally. For me, terraform-provider-vault does not generate a GET request when disable_read = true is set. I was using the latest version.

Are you using a much older version?

I am testing this code with v1.13.2, which is the latest. I have added
capabilities = ["update", "create", "delete", "read"] to the policy and it seems to have solved the problem. However, there is no encrypted data in the state file when I checked it locally. I am trying to test whether this works before advancing it.

You'll need to set write_fields to record data from the write response.
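As an added example (not code from the thread or from the provider), here is the poster's resource with write_fields set so the ciphertext from the write response is kept, plus a matching decrypt resource to show the round trip; it assumes the Transit engine is mounted at secrets/transit and the key is named transcoder, as in the original post.

```hcl
# Encrypt: transit/encrypt/:name only accepts writes (POST/PUT), so reads
# must stay disabled. write_fields tells the provider which keys of the
# write response to capture; they then appear in write_data.
resource "vault_generic_endpoint" "encrypt" {
  path         = "secrets/transit/encrypt/transcoder"
  disable_read = true
  write_fields = ["ciphertext"]

  # Caveat: data_json, including the base64 plaintext, is stored in the
  # Terraform state file, so protect the state as you would the secret.
  data_json = jsonencode({
    plaintext = base64encode("Hello, World!")
  })
}

# Decrypt: feed the captured ciphertext back through transit/decrypt/:name
# and capture the returned (base64-encoded) plaintext the same way.
resource "vault_generic_endpoint" "decrypt" {
  path         = "secrets/transit/decrypt/transcoder"
  disable_read = true
  write_fields = ["plaintext"]

  data_json = jsonencode({
    ciphertext = vault_generic_endpoint.encrypt.write_data["ciphertext"]
  })
}

# write_data is a map of strings holding only the fields listed in write_fields.
output "ciphertext" {
  value = vault_generic_endpoint.encrypt.write_data["ciphertext"]
}

output "roundtrip_plaintext" {
  value     = base64decode(vault_generic_endpoint.decrypt.write_data["plaintext"])
  sensitive = true
}
```

After terraform apply, terraform output ciphertext shows the vault:v1:... value, and terraform output roundtrip_plaintext returns "Hello, World!".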