This assumes the following has already been done.
- Hashicorp Vault has been installed
- Hashicorp Vault has been initialized
- Hashicorp Vault has been unsealed
- You have logged into the vault
This also assumes you have set up and configured Terraform for Hashicorp Vault. If not, check out my article FreeKB - Hashicorp Vault - Getting Started with Terraform.
This also assumes you have already created an approle role using Terraform. If not, check out my article FreeKB - Hashicorp Vault - Create role using Terraform.
Let's say the secrets engine has been enabled with -path=foo/. The vault_kv_secret_v2 resource used later in this article expects a version 2 KV engine, and a plain kv mount is version 1 by default, so enable it with -version=2 (or use the kv-v2 type).
~]# vault secrets enable -path=foo/ -version=2 kv
Success! Enabled the kv secrets engine at: foo/
Let's say you have the following files in the /usr/local/terraform/hashicorp_vault directory on your Terraform server.
├── provider.tf
├── required_providers.tf
├── secrets.tf
├── token.txt
required_providers.tf will almost always have this.
terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}
And let's say provider.tf has the following. This example assumes approle authentication has already been enabled and you have a role ID and secret ID that can be used to authenticate to Hashicorp Vault. The path in auth_login is the login endpoint of the auth method, which for approle is auth/approle/login. Keep in mind that the secret ID is a credential: a provider.tf containing a real secret ID should not be committed to version control, and passing it in as a sensitive Terraform variable (for example through the TF_VAR_ environment variable) is the safer option.
provider "vault" {
  address = "https://vault.example.net:8200"
  auth_login {
    path = "auth/approle/login"   # login endpoint of the approle auth method
    parameters = {
      role_id   = "b4a68549-1464-7aac-b0cd-d22954985aa8"
      secret_id = "6039e2e2-6017-8db9-2e1b-dd6bd449f901"
    }
  }
}
Or provider.tf could have the following. In this example, the token in token.txt will be used to authenticate to Hashicorp Vault.
provider "vault" {
  address = "https://vault.example.net:8200"
  auth_login_token_file {
    filename = "token.txt"
  }
}
The token.txt must only be readable by the user that owns the token.txt file.
chmod 0600 token.txt
And let's say secrets.tf has the following. In this example, since the secrets engine has been enabled with -path=foo/, mount must also be foo. This will create a secret named bar that contains the key hello with a value of world. In Hashicorp Vault, this would be something like foo/bar/hello = world.
resource "vault_kv_secret_v2" "bar" {
  mount = "foo"
  name  = "bar"
  data_json = jsonencode({
    hello = "world"
  })
}
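As an added example (not code from the original article), here is the same foo/bar secret written with the KV engine itself declared in Terraform as a version 2 mount, and with the approle credentials passed in as variables instead of being hardcoded in provider.tf. The variable names, the output name and the use of vault_mount in place of the manual vault secrets enable command are assumptions of this example.

```hcl
# Added example, not from the original article. Declares the KV engine as a
# version 2 mount, keeps the approle secret ID out of the .tf files, and
# writes the same foo/bar secret. Variable and output names are assumptions.

variable "vault_role_id" {
  type = string
}

variable "vault_secret_id" {
  type      = string
  sensitive = true   # supply via TF_VAR_vault_secret_id; never commit the value
}

provider "vault" {
  address = "https://vault.example.net:8200"

  auth_login {
    path = "auth/approle/login"   # login endpoint of the approle auth method
    parameters = {
      role_id   = var.vault_role_id
      secret_id = var.vault_secret_id
    }
  }
}

# Replaces "vault secrets enable -path=foo/ -version=2 kv". A version 1 mount
# would not work with vault_kv_secret_v2, so the version is set explicitly.
resource "vault_mount" "foo" {
  path    = "foo"
  type    = "kv"
  options = { version = "2" }
}

# Same secret as secrets.tf above, but the mount comes from the resource so
# Terraform orders the mount before the secret.
resource "vault_kv_secret_v2" "bar" {
  mount = vault_mount.foo.path
  name  = "bar"
  data_json = jsonencode({
    hello = "world"
  })
}

# The data path of the secret inside Vault (foo/data/bar for a v2 engine).
output "secret_path" {
  value = vault_kv_secret_v2.bar.path
}
```

Run it with TF_VAR_vault_role_id and TF_VAR_vault_secret_id exported in the shell; the secret value itself stays marked sensitive in the plan output.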
Then use terraform init to initialize the Vault provider.
terraform init
And use terraform plan to see if you are able to authenticate to Hashicorp Vault with whichever method provider.tf uses (the approle credentials or the token in token.txt).
terraform plan
Something like this should be displayed.
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # vault_kv_secret_v2.bar will be created
  + resource "vault_kv_secret_v2" "bar" {
      + data                = (sensitive value)
      + data_json           = (sensitive value)
      + delete_all_versions = false
      + disable_read        = false
      + id                  = (known after apply)
      + metadata            = (known after apply)
      + mount               = "foo"
      + name                = "bar"
      + path                = (known after apply)

      + custom_metadata (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.
Then terraform apply can be used to create the secret in Hashicorp Vault.
terraform apply