Vault secrets and Terraform

7309766 · January 10, 2023, 8:40am

Hi ! Can anyone explain or point to documentation, why it happened:
I’m set up Consul-template with Vault integration (KV secret engine v1). Consul template can get kv - everything works fine. Secrets have been created by Terraform ( resource “vault_generic_secret”).
What happens:

When I re-created the secret (change only value) by Terraform - nothing happened, Consul-Template still uses the old secret value.
When I re-created secret (change only value) in GUI - Consul-template refresh value within 5 min (default behavior). As expected.
For test purpose , I’ve added ttl for secret by Terraform - and Consul-Template has refreshed the value as expected.

What is the difference between creating a secret via GUI and Terraform and how it affected Consul-Template? In Consul-Template’s docu I’ve found the only this:
" The default lease duration Consul Template will use on a Vault secret that
does not have a lease duration. This is used to calculate the sleep duration
for rechecking a Vault secret value. This field is optional and will default to
5 minutes."

maxb · January 10, 2023, 8:42am

There is no difference (assuming you confirmed both really did write to Vault). The cause of the different behaviour must lie elsewhere.

7309766 · January 10, 2023, 8:51am

No ideas, really. I’ve spent a few days, but couldn’t find anything.