Vault secrets and Terraform

7309766 · January 10, 2023, 8:40am

Hi ! Can anyone explain or point to documentation, why it happened:
I’m set up Consul-template with Vault integration (KV secret engine v1). Consul template can get kv - everything works fine. Secrets have been created by Terraform ( resource “vault_generic_secret”).
What happens:

When I re-created the secret (change only value) by Terraform - nothing happened, Consul-Template still uses the old secret value.
When I re-created secret (change only value) in GUI - Consul-template refresh value within 5 min (default behavior). As expected.
For test purpose , I’ve added ttl for secret by Terraform - and Consul-Template has refreshed the value as expected.

What is the difference between creating a secret via GUI and Terraform and how it affected Consul-Template? In Consul-Template’s docu I’ve found the only this:
" The default lease duration Consul Template will use on a Vault secret that
does not have a lease duration. This is used to calculate the sleep duration
for rechecking a Vault secret value. This field is optional and will default to
5 minutes."

maxb · January 10, 2023, 8:42am

There is no difference (assuming you confirmed both really did write to Vault). The cause of the different behaviour must lie elsewhere.

7309766 · January 10, 2023, 8:51am

No ideas, really. I’ve spent a few days, but couldn’t find anything.

Topic		Replies	Views
Terraform Vault Provider Terraform	0	258	May 17, 2021
Consul-template running under NSSM doesn't refresh secrets from Vault Consul consul-template	0	117	March 15, 2024
Is it possible to automatically detect and reissue revoked secrets with consul-template? Consul consul-template	1	1205	October 16, 2019
Consul Template trigger when new key added Consul	0	244	September 15, 2022
Consul Template not returning Vault KV items with "deletion_time" set Consul consul-template , vault	4	298	July 6, 2023

Vault secrets and Terraform

Related topics