Description
We are using Terraform to provision our Vault, but we cannot have any secrets show up in the state. We would like to use vault_kv_secret_v2 to create keys and optionally set non-secret metadata. With disable_read=true, we understand that drift would not be detected, but the desired behavior is that any updates to the metadata in Terraform config would be applied.
Currently, this does not work because with data_json set to "{}", any metadata changes wipe all the actual data that was set via the Vault CLI.
Affected Resource(s) and/or Data Source(s)
vault_kv_secret_v2
Potential Terraform Configuration
```hcl
resource "vault_kv_secret_v2" "main" {
  mount               = vault_mount.main.path
  name                = "key"
  disable_read        = true
  delete_all_versions = true
  data_json           = "{}" # Would rather set to null

  custom_metadata {
    data = { key = "value" }
  }
}
```
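The following is an added illustration (not provider or Vault code) that models KV v2 version semantics to show why the configuration above loses data: a write to the data endpoint with an empty payload creates a new, empty current version, while a write to the metadata endpoint leaves existing versions untouched. The class and function names are assumptions made for the example.

```python
"""Toy model of Vault KV v2 paths (added example, not Vault or provider code)."""
import json
from dataclasses import dataclass, field


@dataclass
class KvV2Secret:
    """One KV v2 path: an ordered list of data versions plus path-level metadata."""
    versions: list = field(default_factory=list)        # index 0 is version 1
    custom_metadata: dict = field(default_factory=dict)

    def write_data(self, data_json: str) -> int:
        """Models <mount>/data/<name>: every write creates a new version,
        even when the payload is "{}". Returns the new version number."""
        self.versions.append(json.loads(data_json))
        return len(self.versions)

    def write_metadata(self, custom_metadata: dict) -> None:
        """Models <mount>/metadata/<name>: touches metadata only, never data."""
        self.custom_metadata = dict(custom_metadata)

    def current_data(self) -> dict:
        """A read returns only the newest version."""
        return self.versions[-1] if self.versions else {}

    def destroy_all(self) -> None:
        """Models delete_all_versions = true on destroy."""
        self.versions.clear()


def apply_with_empty_data_json(secret: KvV2Secret, custom_metadata: dict) -> dict:
    """Metadata change as the issue describes it: the resource still writes
    data_json = "{}", so the secret set by the CLI is replaced by an empty version."""
    secret.write_data("{}")
    secret.write_metadata(custom_metadata)
    return secret.current_data()


def apply_metadata_only(secret: KvV2Secret, custom_metadata: dict) -> dict:
    """Desired behaviour: metadata-only update, no data write at all."""
    secret.write_metadata(custom_metadata)
    return secret.current_data()


if __name__ == "__main__":
    cli_written = '{"password": "set-by-cli"}'   # constructed sample secret
    s = KvV2Secret(); s.write_data(cli_written)
    print(apply_with_empty_data_json(s, {"key": "value"}))  # {} -> data wiped
    t = KvV2Secret(); t.write_data(cli_written)
    print(apply_metadata_only(t, {"key": "value"}))         # secret intact
```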
References
No response
Would you like to implement a fix?
No