Sometimes you have a Vault server where the only authentication option is an LDAP username and password. Here we demonstrate how you can use that LDAP authentication to pull Vault secrets into Terraform. Note: the following code fetches a KV v1 secret from Vault.
Using the Vault provider with an LDAP username and password in Terraform to read a KV v1 secret
main.tf
terraform {
  required_providers {
    # Lower bound only: any newer provider release, including future majors,
    # satisfies this constraint. Tighten to "~> 3.15" if you want to stay on 3.x.
    vault = {
      version = ">= 3.15.0"
    }
  }
}
# Vault provider configured to log in with an LDAP username/password
# instead of a pre-issued VAULT_TOKEN.
provider "vault" {
  address          = "https://vault.localhost"
  # Use the token returned by the LDAP login directly instead of
  # having the provider create an ephemeral child token from it.
  skip_child_token = true

  auth_login {
    # Generic login: the username is part of the auth path, the
    # password is sent as a login parameter.
    path       = "auth/ldap/login/${var.VAULT_USER}"
    parameters = { password = var.VAULT_PASSWORD }
  }
}
# Reads every key under the given KV v1 path at plan/apply time.
# NOTE(review): data source results are persisted in Terraform state, so the
# secret values end up in the state file — protect the state backend accordingly.
data "vault_generic_secret" "secret" {
path = "kv-v1/full/path/to/secret/store"
}
# Use in code via data.vault_generic_secret.secret.data["some_key"]
# (reference the specific key you need rather than passing the whole map around).
variables.tf
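# LDAP password used for the Vault login; supplied via TF_VAR_VAULT_PASSWORD.
variable "VAULT_PASSWORD" {
  type        = string
  description = "Environment variable for vault ldap password that will be used as TF_VAR_VAULT_PASSWORD"
  # Redact the value from plan/apply output and diagnostics instead of
  # printing it in clear text.
  sensitive   = true
}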
# LDAP username that is interpolated into the Vault login path;
# supplied via TF_VAR_VAULT_USER.
variable "VAULT_USER" {
  type        = string
  description = "Environment variable for vault ldap user that will be used as TF_VAR_VAULT_USER"
}
env_vars.sh
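# Source this file before running terraform: `. ./env_vars.sh`
# TF_VAR_* variables become var.* inputs in the Terraform configuration.
export TF_VAR_VAULT_USER=username

# Do not keep the LDAP password in this file. When running interactively and
# the variable is not already set, prompt for it; `read -rs` suppresses echo
# and keeps the value out of the file, argv and shell history.
if [ -z "${TF_VAR_VAULT_PASSWORD:-}" ] && [ -t 0 ]; then
  read -rs -p 'Vault LDAP password: ' TF_VAR_VAULT_PASSWORD
  printf '\n'
fi
export TF_VAR_VAULT_PASSWORD

# If the Vault TLS cert is self-signed. This disables certificate verification
# entirely; prefer pointing VAULT_CACERT at the signing CA file instead.
export VAULT_SKIP_VERIFY=1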