Skip to content
This repository has been archived by the owner on Feb 16, 2023. It is now read-only.

secrethub/terraform-provider-secrethub

Repository files navigation


1Password SecretHub has joined 1Password! Find out more on the SecretHub blog. 🎉


Terraform + SecretHub


Read blog post View docs


Terraform Provider

SecretHub is a secrets management tool that works for every engineer. Securely provision passwords and keys throughout your entire stack with just a few lines of code.

The SecretHub Terraform Provider lets you manage your secrets using Terraform. It is officially supported and actively maintained by SecretHub, but community contributions are very welcome.

Usage

Terraform v0.13

terraform {
  required_providers {
    secrethub = {
      source = "secrethub/secrethub"
      version = ">= 1.2.0"
    }
  }
}

resource "secrethub_secret" "db_password" {
  path = "my-org/my-repo/db/password"

  generate {
    length   = 22
    charsets = ["alphanumeric"]
  }
}

resource "secrethub_secret" "db_username" {
  path  = "my-org/my-repo/db/username"
  value = "db-user"
}

resource "aws_db_instance" "default" {
  allocated_storage    = 10
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t2.micro"
  name                 = "mydb"
  username             = secrethub_secret.db_username.value
  password             = secrethub_secret.db_password.value
  parameter_group_name = "default.mysql5.7"
}

Have a look at the reference docs for more information on the supported resources and data sources.

Terraform v0.12 and below

Manually install the secrethub provider by downloading the binary for your platform and moving it to ~/.terraform/plugins or %APPDATA%\terraform.d\plugins on Windows.

Afterwards you can run the following example with Terraform.

provider "secrethub" {}

resource "secrethub_secret" "db_password" {
  path = "my-org/my-repo/db/password"

  generate {
    length   = 22
    charsets = ["alphanumeric"]
  }
}

resource "secrethub_secret" "db_username" {
  path  = "my-org/my-repo/db/username"
  value = "db-user"
}

resource "aws_db_instance" "default" {
  allocated_storage    = 10
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t2.micro"
  name                 = "mydb"
  username             = secrethub_secret.db_username.value
  password             = secrethub_secret.db_password.value
  parameter_group_name = "default.mysql5.7"
}

Have a look at the reference docs for more information on the supported resources and data sources.

Get Started

Check out the step-by-step integration guide to get started.

A detailed use case is described in the original announcement. There are also some examples in this repo.

Support

If you need help, send us a message on the #terraform channel on Discord Discord or send an email to [email protected]

Development

Building

Get the source code:

git clone https://github.com/secrethub/terraform-provider-secrethub

Build it using:

make build

Testing

To run the acceptance tests, the following environment variables need to be set up.

  • SECRETHUB_CREDENTIAL - a SecretHub credential.
  • SECRETHUB_TF_ACC_NAMESPACE - a namespace registered on SecretHub. Make sure SECRETHUB_CREDENTIAL has admin access.
  • SECRETHUB_TF_ACC_REPOSITORY - a repository within SECRETHUB_TF_ACC_NAMESPACE to be used in the acceptance tests. Make sure SECRETHUB_CREDENTIAL has admin access.
  • SECRETHUB_TF_ACC_SECOND_ACCOUNT_NAME - an account other than the authenticated account, that is a member of the repository. It will be used to test access rules.

Only for the AWS acceptance tests:

  • SECRETHUB_TF_ACC_AWS_ROLE - an AWS IAM role to use for testing AWS service accounts. The role should have decrypt permission on the key in SECRETHUB_TF_ACC_AWS_KMS_KEY.
  • SECRETHUB_TF_ACC_AWS_KMS_KEY - an AWS KMS key to use for testing AWS service accounts. The authenticated AWS user or role should have encrypt permission on this key and the SECRETHUB_TF_ACC_AWS_ROLE should have decrypt permission.

Only for the GCP acceptance tests:

  • SECRETHUB_TF_ACC_GCP_SERVICE_ACCOUNT - a GCP service account email to use for testing SecretHub GCP service accounts. It should have decrypt permission on the key in SECRETHUB_TF_ACC_GCP_KMS_KEY.
  • SECRETHUB_TF_ACC_GCP_KMS_KEY - an GCP KMS key to use for testing GCP service accounts. The authenticated GCP user or role should have encrypt permission on this key and the SECRETHUB_TF_ACC_GCP_SERVICE_ACCOUNT should have decrypt permission.

With the environment variables properly set up, run:

make testacc