
Is it programmatically possible to access the previous version of a Vault secret in Terraform using the vault_generic_secret resource?

If the current version of a Vault secret is 21, the Terraform data source can access the previous secret version like so:

data "vault_generic_secret" "ssh_key_previous_version" {
  path = "kv/dev/ssh/var.ssh_key_name"
  version = 20
}

Is there a process to look up the previous Vault secret version (key version - 1) dynamically?

Theo Sweeny
  • I do not see that in the documentation: https://registry.terraform.io/providers/hashicorp/vault/latest/docs/data-sources/generic_secret ... you can try see if that is even possible using the vault api, IF it is, you will need to modify the terraform provider to add that feature – Helder Sepulveda Jun 19 '22 at 20:19

1 Answer


The vault_generic_secret data source was originally written for much earlier versions of Vault, before the Key/Value backend supported versioning.

However, current versions of the hashicorp/vault provider also support vault_kv_secret_v2, which is a data source designed specifically for version 2 of the key/value store API in Vault.

data "vault_kv_secret_v2" "ssh_key_previous_version" {
  mount   = "kv"
  name    = "dev/ssh/${var.ssh_key_name}"
  version = 20
}

(Notice that if you want to refer to var.ssh_key_name as part of a string you will need to use the string interpolation syntax ${ ... }, or else Terraform will take var.ssh_key_name literally. I assumed that you intended to refer to a Terraform input variable named ssh_key_name there, but if I assumed incorrectly then you can keep the literal string you had in your example.)

Martin Atkins
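The answer shows how to read a fixed earlier version; the "current version minus one" part of the question still needs the current version number, which Terraform does not expose through the `version` argument. The following is an added example, not code from the question or the answer, that does that lookup outside Terraform against the KV v2 HTTP API the comment suggests checking: it reads the secret's metadata endpoint for `current_version`, walks backwards to the newest earlier version that is still readable, and then reads that version through the data endpoint. The mount name `kv`, the path `dev/ssh/...`, and the metadata document used as sample input are all assumptions constructed for the example. The version number it computes is what you would pass to the `version` argument of the data source in the answer (for instance through a Terraform input variable).

```python
"""Find and read the version before the current one of a Vault KV v2 secret.

Added example, not the question's or the answer's code. Uses only the
documented KV v2 endpoints:
  GET /v1/<mount>/metadata/<path>            -> current_version, versions map
  GET /v1/<mount>/data/<path>?version=<n>    -> data of one version
"""
import json
import os
import urllib.request
from typing import Optional


def previous_readable_version(metadata: dict) -> Optional[int]:
    """Return the highest version below current_version that can still be read.

    `metadata` is the `data` object returned by the metadata endpoint.
    "current_version - 1" is not always readable: a version may have been
    destroyed, soft-deleted (non-empty deletion_time) or pruned by max_versions
    (then it is missing from the `versions` map). Returns None when no earlier
    readable version exists, e.g. for a secret that is still at version 1.
    """
    current = int(metadata["current_version"])
    versions = metadata.get("versions", {})
    for candidate in range(current - 1, 0, -1):
        info = versions.get(str(candidate))
        if info is None:
            continue  # pruned by max_versions, nothing to read
        if info.get("destroyed") or info.get("deletion_time"):
            continue  # destroyed or soft-deleted, the data endpoint returns no data
        return candidate
    return None


def _vault_get(addr: str, token: str, api_path: str) -> dict:
    """GET /v1/<api_path> and return the `data` object of the response."""
    req = urllib.request.Request(
        f"{addr.rstrip('/')}/v1/{api_path}", headers={"X-Vault-Token": token}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["data"]


def read_previous_version(mount: str, path: str,
                          addr: Optional[str] = None,
                          token: Optional[str] = None) -> Optional[dict]:
    """Read the key/value pairs of the newest readable version before the current one.

    Needs a reachable Vault (VAULT_ADDR / VAULT_TOKEN or explicit arguments) and
    a token with read on <mount>/metadata/<path> and <mount>/data/<path>.
    """
    addr = addr or os.environ["VAULT_ADDR"]
    token = token or os.environ["VAULT_TOKEN"]
    metadata = _vault_get(addr, token, f"{mount}/metadata/{path}")
    prev = previous_readable_version(metadata)
    if prev is None:
        return None
    body = _vault_get(addr, token, f"{mount}/data/{path}?version={prev}")
    return body["data"]


# Constructed sample of a metadata endpoint's `data` object (not real Vault
# output): 21 is current, 20 was destroyed, 19 is soft-deleted, 18 is the
# newest version that can still be read, 1-17 were pruned by max_versions.
SAMPLE_METADATA = {
    "current_version": 21,
    "max_versions": 4,
    "oldest_version": 18,
    "versions": {
        "18": {"created_time": "2022-06-10T09:00:00Z", "deletion_time": "", "destroyed": False},
        "19": {"created_time": "2022-06-12T09:00:00Z", "deletion_time": "2022-06-15T08:00:00Z", "destroyed": False},
        "20": {"created_time": "2022-06-14T09:00:00Z", "deletion_time": "", "destroyed": True},
        "21": {"created_time": "2022-06-18T09:00:00Z", "deletion_time": "", "destroyed": False},
    },
}


if __name__ == "__main__":
    # Offline check on the constructed sample: naive "21 - 1" would pick the
    # destroyed version 20; the walk-back picks 18.
    print("previous readable version:", previous_readable_version(SAMPLE_METADATA))
    # Live use, assuming a running Vault and the hypothetical path below:
    # print(read_previous_version("kv", "dev/ssh/my-key"))
```

Terraform has no equivalent of the walk-back above: if the version you ask for was destroyed or deleted, the `vault_kv_secret_v2` read simply returns no data, so compute the number outside the plan and pass it in rather than hard-coding `current - 1`.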