Reputation: 71
I have the following terraform configuration in my terraform code
    data "external" "region" {
      program = ["sh", "test.sh"]
      query = {
        aws_region = var.aws_region
        vault_url  = var.vault_url
        vault_role = var.vault_role
      }
    }

    provider "vault" {
      address = "http://3.218.2.138:8200"
      token   = data.external.region.result["vault_token"]
    }
The external program runs the command vault login -method=aws role=test-role and then returns a Vault token.
Is there a way to avoid this external program and have the Vault token generated whenever I execute terraform apply and terraform show?
So basically, is there a method to avoid running the external script and get the Vault token without executing it?
Upvotes: 1
Views: 1781
Reputation: 74134
A typical approach for this is to run vault login (or some other equivalent process) before running Terraform, and then have Terraform read those ambient credentials the same way that the Vault client itself would.
Although Terraform providers typically accept credentials as part of their configurations to allow for more complex cases, the ideal way to pass credentials to a Terraform provider is indirectly via whatever mechanism is standard for the system in question. For example, the Terraform AWS provider understands how to read credentials the same way as the aws CLI does, and the Vault provider looks for credentials in the same environment variables that the Vault CLI uses.
Teams that use centralized systems like Vault with Terraform will typically run Terraform in automation so that the configuration for those can be centralized, rather than re-implemented for each user running locally. Your automation script can therefore obtain a temporary token from Vault prior to running Terraform and then explicitly revoke the token after Terraform returns, even if the Terraform operation itself fails.
Upvotes: 2
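The automation pattern the answer describes (log in to Vault before Terraform, hand the token over through the environment, revoke it afterwards even if Terraform fails), as an added example that is not code from the question or the answer. The Vault address, the AWS auth role name, and wrapping the `terraform` command are assumptions taken from the question's snippet; with this wrapper the provider block needs only `address`, since the Vault provider reads VAULT_TOKEN just as the Vault CLI does, and the `data "external"` block can be deleted.

```shell
#!/usr/bin/env sh
# Added example, not code from the question or the answer above: a wrapper
# that logs in to Vault with the AWS auth method before Terraform starts,
# passes the resulting token to the Vault provider through VAULT_TOKEN
# (the same variable the Vault CLI reads), and revokes that token once
# Terraform has returned, whether it succeeded, failed or was interrupted.
# The address, the role name and the use of `terraform` as the wrapped
# command are assumptions for this example.

set -u

: "${VAULT_ADDR:=http://3.218.2.138:8200}"   # same address the provider block used
: "${VAULT_AWS_ROLE:=test-role}"             # role from the question's vault login call
export VAULT_ADDR

# Log in with the AWS auth method. -token-only prints nothing but the token
# and -no-store keeps it out of ~/.vault-token, so the only copy lives in
# this process's environment and never appears on a command line.
vault_login() {
    vault login -method=aws -token-only -no-store role="$VAULT_AWS_ROLE"
}

# Revoke the token currently in VAULT_TOKEN. A revocation failure is
# reported but does not mask the exit status of the wrapped command.
vault_revoke_self() {
    vault token revoke -self >/dev/null || echo "warning: token revocation failed" >&2
}

# Run a command with a fresh Vault token in the environment and revoke the
# token afterwards. Returns the wrapped command's exit status unchanged.
run_with_vault_token() {
    token=$(vault_login) || { echo "vault login failed" >&2; return 1; }
    VAULT_TOKEN=$token
    export VAULT_TOKEN
    unset token

    # Ctrl-C or a TERM from the CI runner must not leave a live token behind.
    trap 'vault_revoke_self; exit 130' INT TERM

    "$@"
    status=$?

    trap - INT TERM
    vault_revoke_self
    unset VAULT_TOKEN
    return "$status"
}

# Usage: ./tf-with-vault.sh apply   (or plan, show, destroy ...)
if [ $# -gt 0 ]; then
    run_with_vault_token terraform "$@"
fi
```

The token's lifetime is bounded by a single Terraform run rather than by the role's default TTL, and because revocation happens after `"$@"` returns regardless of its status, a failed `terraform apply` does not leave a usable token in the runner's environment or on disk.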