Manage credentials for HCP Terraform with Vault
As adoption of HCP Terraform grows, more organizations are incorporating it into their automated workflows and existing tooling. Interaction with the HCP Terraform API relies on auth tokens generated by the API. External systems use these tokens to automate actions in HCP Terraform, often as part of an organization’s CI/CD pipelines.
The Vault Terraform secrets engine enables you to generate, manage and revoke credentials for HCP Terraform and Terraform Enterprise while adhering to best practices of access and control.
In this tutorial, you will enable the secrets engine, configure it to generate credentials, and then manage those credentials.
Prerequisites
To perform the tasks described in this tutorial, you need to have:
- An HCP Vault cluster or a self-hosted Vault environment.
- HCP Terraform account and organization created.
Policy requirements
Each persona requires a different set of capabilities. These are expressed in policies. If you are not familiar with policies, complete the policies tutorial.
The admin tasks require these capabilities.
# Mount secrets engines
path "sys/mounts/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}

# Configure the Terraform secrets engine and create roles
path "terraform/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}

# Manage the leases
path "sys/leases/+/terraform/creds/my-user/*" {
  capabilities = [ "create", "read", "update", "delete", "list", "sudo" ]
}

path "sys/leases/+/terraform/creds/my-user" {
  capabilities = [ "create", "read", "update", "delete", "list", "sudo" ]
}

# Write ACL policies
path "sys/policies/acl/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}

# Manage tokens for verification
path "auth/token/create" {
  capabilities = [ "create", "read", "update", "delete", "list", "sudo" ]
}
The app tasks require these capabilities.
# Get credentials from the terraform secrets engine
path "terraform/creds/my-user" {
  capabilities = [ "read" ]
}
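As an added illustration (not part of the HashiCorp tutorial), the following Python checker applies Vault's documented path rules (`+` matches exactly one path segment, a trailing `*` is a prefix glob) to the two policies above, so you can confirm which lease and credential requests each persona can make before writing the policies to Vault. The capability merge is a simplification of Vault's evaluation, and the lease path used in the demo is constructed.

```python
import re
from typing import Dict, List, Set

# Rules copied from the tutorial's admin policy: path -> capabilities.
ADMIN_POLICY: Dict[str, Set[str]] = {
    "sys/mounts/*": {"create", "read", "update", "delete", "list"},
    "terraform/*": {"create", "read", "update", "delete", "list"},
    "sys/leases/+/terraform/creds/my-user/*": {"create", "read", "update", "delete", "list", "sudo"},
    "sys/leases/+/terraform/creds/my-user": {"create", "read", "update", "delete", "list", "sudo"},
    "sys/policies/acl/*": {"create", "read", "update", "delete", "list"},
    "auth/token/create": {"create", "read", "update", "delete", "list", "sudo"},
}
# The app policy from the tutorial grants only reads on the credential endpoint.
APP_POLICY: Dict[str, Set[str]] = {"terraform/creds/my-user": {"read"}}


def _to_regex(policy_path: str):
    """Translate a Vault policy path into a regex: '+' matches exactly one
    path segment, a trailing '*' is a prefix glob (Vault's documented rules)."""
    glob = policy_path.endswith("*")
    body = policy_path[:-1] if glob else policy_path
    parts = [r"[^/]+" if seg == "+" else re.escape(seg) for seg in body.split("/")]
    return re.compile("^" + "/".join(parts) + (".*" if glob else "") + "$")


def capabilities(policies: List[Dict[str, Set[str]]], request_path: str) -> Set[str]:
    """Capabilities granted on request_path by all policies combined.
    Simplification (this example's assumption): matching rules are unioned,
    and a 'deny' on any matching rule overrides everything else."""
    caps: Set[str] = set()
    for policy in policies:
        for policy_path, rule_caps in policy.items():
            if _to_regex(policy_path).match(request_path):
                if "deny" in rule_caps:
                    return {"deny"}
                caps |= rule_caps
    return caps


def allowed(policies: List[Dict[str, Set[str]]], path: str, capability: str) -> bool:
    """True if the combined policies grant `capability` on `path`."""
    return capability in capabilities(policies, path)


if __name__ == "__main__":
    # Lease IDs for this role look like terraform/creds/my-user/<random>; the '+'
    # segment lets one rule cover sys/leases/lookup, renew and revoke for them.
    lease = "sys/leases/revoke/terraform/creds/my-user/abc123"  # constructed lease path
    print(allowed([ADMIN_POLICY], lease, "update"))  # True
    print(allowed([ADMIN_POLICY], "sys/leases/revoke-prefix/terraform/creds/my-user", "sudo"))  # True
    print(allowed([APP_POLICY], "terraform/creds/my-user", "read"))  # True
    print(allowed([APP_POLICY], "terraform/config", "read"))  # False
```

The second lease rule (without the trailing `/*`) is what covers prefix operations such as `sys/leases/revoke-prefix/terraform/creds/my-user`, which the first rule alone would not match.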
Lab setup
The tutorial requires an HCP Terraform API key.
Retrieve HCP Terraform API key
Launch a web browser and navigate to https://app.terraform.io/session. Click Continue with HCP account and sign in.
Expand your profile, and select Account settings.
From the side navigation, select Tokens.
Click Create an API token.
Enter "learn-vault" in the Description field.
Click Generate token.
Click the copy icon.
In a terminal, export the variable TF_TOKEN to the copied token value.
$ export TF_TOKEN=<Copied Token>
This token enables you to generate tokens for your HCP Terraform user account. Tokens generated for teams and organizations would be able to generate tokens for their respective scope.
Start Vault
Refer to the Vault install guide to install Vault. Make sure that your Vault server has been initialized and unsealed.
In another terminal, start a Vault dev server with root as the root token.
$ vault server -dev -dev-root-token-id root
The Vault dev server defaults to running at 127.0.0.1:8200. The server is initialized and unsealed.
Export an environment variable for the vault CLI to address the Vault server.
$ export VAULT_ADDR=http://127.0.0.1:8200
Export an environment variable for the vault CLI to authenticate with the Vault server.
$ export VAULT_TOKEN=root
The Vault server is ready.