vault_generic_secret data source documentation is confusing #470

Closed
glasswalk3r opened this issue Jul 19, 2019 · 6 comments · Fixed by #1390
Comments

@glasswalk3r

Hi there,

I recently tried to use the vault_generic_secret data source with a Vault server to retrieve access keys and had a hard time doing it, just because the documentation is confusing regarding how to define the path to the secret.

We are not using the "generic secret backend", but the kv version 1. Documentation says:

but it is also compatible with any other Vault endpoint that supports the vault read command.

So I tried to validate the path with vault cli:

$ vault read -address=https://myvault.foobar.br /kv/data/apps/foo/bar/pagerduty
Key         Value
---         -----
data        map[value:XXXXXXXXXXXXXXXXXXXXXXXXXXX]
metadata    map[created_time:2019-07-18T13:01:34.851047548Z deletion_time: destroyed:false version:1]

The same path didn't work with the Terraform data source.

$ terraform apply
data.vault_generic_secret.pagerduty: Refreshing state...

Error: Error refreshing state: 1 error occurred:
        * data.vault_generic_secret.pagerduty: 1 error occurred:
        * data.vault_generic_secret.pagerduty: data.vault_generic_secret.pagerduty: no secret found at "/kv/data/apps/foo/bar/pagerduty"

Then there is also this additional information from the doc:

To read data from the "generic" secret backend mounted in Vault by default, this should be prefixed with secret/. Reading from other backends with this data source is possible; consult each backend's documentation to see which endpoints support the GET method.

So I tried prepending secret/, but without success. Also, I couldn't find more details on the expected path in the Vault documentation.

After several attempts with paths variations, I found that the actual path is /kv/apps/foo/bar/pagerduty, without the data path.

Terraform Version

$ terraform -v
Terraform v0.11.14

Your version of Terraform is out of date! The latest version
is 0.12.4. You can update by downloading from www.terraform.io/downloads.html

Affected Resource(s)

vault_generic_secret

Terraform Configuration Files

$ cat data.tf 
data "vault_generic_secret" "pagerduty" {
  path = "kv/apps/foo/bar/pagerduty"
}
$ cat backend.tf 
provider "vault" {
  address = "https://myvault.foobar.br"
}
$ cat outputs.tf 
output "test" {
  value = "${data.vault_generic_secret.pagerduty.data["value"]}"
}

Expected Behavior

I should have a clear explanation of how to build the path depending on the Vault backend.

Actual Behavior

It's confusing.

Steps to Reproduce

  1. Create the sample files
  2. terraform apply in the same directory where the files are located.
@Andr1500

Andr1500 commented Oct 24, 2022

@brunopadz I have exactly the same error. I can get my credentials with vault kv get cubbyhole/aws, but I have an error during execution of terraform plan:

data.vault_generic_secret.aws_creds: Reading...
╷
│ Error: no secret found at "cubbyhole/aws"
│ 
│   with data.vault_generic_secret.aws_creds,
│   on main.tf line 10, in data "vault_generic_secret" "aws_creds":
│   10: data "vault_generic_secret" "aws_creds" { 

I tried with different paths, with and without /data but no results.

Unfortunately the main link about the resource doesn't contain the necessary information: https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/generic_secret

As the main source of code I used this manual: https://dev.to/aws-builders/deploying-iac-with-your-secrets-in-terraform-vault-4ggc

My Vault version: 1.12.0, Terraform version: 1.3.3
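Added example for this thread (not the Terraform Vault provider's code, and not posted by anyone above): the path translation the original report found by trial and error, modelled in Python with a constructed mount table and store. It assumes the provider detects each mount's KV version and inserts the data/ segment itself (the "kv/apps/foo/bar/pagerduty" form that worked), so a path that already carries data/ ends up doubled and reads back as "no secret found".

```python
# Constructed mount table standing in for a Vault server's mount listing.
MOUNTS = {
    "kv/": {"type": "kv", "version": 2},
    "secret/": {"type": "kv", "version": 1},
}

# Constructed backing store keyed by the API path the server really serves.
# KV v2 wraps key/values in a data/metadata envelope, KV v1 does not.
STORE = {
    "kv/data/apps/foo/bar/pagerduty": {
        "data": {"value": "XXXX-constructed"},
        "metadata": {"version": 1, "destroyed": False},
    },
    "secret/legacy": {"value": "legacy-constructed"},
}


def find_mount(path):
    """Longest-prefix match of a path against the mount table."""
    best = None
    for mount in MOUNTS:
        if path.startswith(mount) and (best is None or len(mount) > len(best)):
            best = mount
    return best


def api_path(user_path):
    """Rewrite a data-source path into the path sent to the Vault API."""
    path = user_path.lstrip("/")  # paths are relative to the API root
    mount = find_mount(path)
    if mount is not None and MOUNTS[mount]["version"] == 2:
        # KV v2: insert data/ between the mount and the key. A user path
        # that already carries data/ gets it twice, which no secret matches.
        return mount + "data/" + path[len(mount):]
    return path  # KV v1 and unknown mounts pass through unchanged


def read_secret(user_path):
    """Return the secret's key/values, or None for 'no secret found'."""
    path = api_path(user_path)
    raw = STORE.get(path)
    if raw is None:
        return None
    mount = find_mount(path)
    if mount is not None and MOUNTS[mount]["version"] == 2:
        return raw["data"]  # unwrap the v2 envelope, drop metadata
    return raw
```

For the cubbyhole/aws case above, note that cubbyhole is token-scoped: a secret written under one token's cubbyhole is not visible to a Terraform run authenticating with a different token, so the same path can return "no secret found" even though the CLI reads it fine.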

@brunopadz
Contributor

@Andr1500 which version of Vault provider are you running?

Here's a snippet that is currently working

data "vault_generic_secret" "watchdog" {
  path = "tools/watchdog/${local.stack}-${local.env}"
}

resource "kubernetes_secret" "alertmanager_secrets" {
  metadata {
    name      = "alertmanager-secrets"
    namespace = "observability"
  }

  data = {
    watchdog_webhook_url     = sensitive(data.vault_generic_secret.watchdog.data["WEBHOOK_URL"])
  }
}

@Andr1500

@brunopadz "Installed hashicorp/vault v3.10.0 (signed by HashiCorp), hashicorp/aws v4.36.1"

@brunopadz
Contributor

Have you tried following the example I provided @Andr1500?

Since I don't know how your Vault is configured and how your secrets are stored, it's kinda hard to help you out.

@Andr1500

Andr1500 commented Nov 2, 2022

@brunopadz sorry, but I don't understand how your example works, especially "data.vault_generic_secret.watchdog.data". Can you please share your path of credentials in Vault (in GUI)?

@brunopadz
Contributor

There you go
image

Where the pixelated part is ${local.stack}-${local.env}
