Terraform Provider
The SyVault Terraform provider lets you read secrets at plan/apply time and manage secret lifecycle declaratively. Use it to inject credentials into cloud resources without hardcoding them in .tf files.
Installation
Add the provider to your required_providers block:
terraform {
  required_providers {
    syvault = {
      source  = "syvault/syvault"
      version = "~> 0.4"
    }
  }
}
Provider Configuration
provider "syvault" {
  server        = "https://vault.example.com"
  client_id     = var.vf_client_id
  client_secret = var.vf_client_secret
}
You can also configure the provider with environment variables:
export SY_SERVER="https://vault.example.com"
export SY_CLIENT_ID="c9a1b2d3-4e5f-6789-abcd-ef0123456789"
export SY_CLIENT_SECRET="base64-encoded-private-key"
Data Source — Read a Secret
Use syvault_secret to read an existing secret:
data "syvault_secret" "db_credentials" {
  uid = "7Kj9mNpQ2xRs"
}

output "db_host" {
  value = data.syvault_secret.db_credentials.fields["host"]
}
Read by Notation
data "syvault_secret_notation" "db_password" {
  notation = "sy://Production/Database/field/password"
}

output "db_password" {
  value     = data.syvault_secret_notation.db_password.value
  sensitive = true
}
Resource — Manage a Secret
Use syvault_secret_resource to create and manage secrets declaratively:
resource "syvault_secret_resource" "api_key" {
  folder_id = "folder-uuid-here"
  title     = "Generated API Key"
  fields = {
    key         = random_password.api_key.result
    environment = "production"
    created_by  = "terraform"
  }
}

resource "random_password" "api_key" {
  length  = 48
  special = true
}
Example: AWS RDS with SyVault Credentials
This example creates an RDS instance using a password stored in SyVault:
data "syvault_secret" "rds_master" {
  uid = "RdsMasterCreds01"
}

resource "aws_db_instance" "main" {
  identifier     = "prod-db"
  engine         = "postgres"
  engine_version = "15.4"
  instance_class = "db.r6g.large"
  db_name        = "myapp"
  username       = data.syvault_secret.rds_master.fields["username"]
  password       = data.syvault_secret.rds_master.fields["password"]

  allocated_storage     = 100
  max_allocated_storage = 500
  storage_encrypted     = true

  vpc_security_group_ids = [aws_security_group.db.id]
  db_subnet_group_name   = aws_db_subnet_group.main.name

  skip_final_snapshot       = false
  final_snapshot_identifier = "prod-db-final"
}
Example: Kubernetes Secret from SyVault
data "syvault_secret" "app_secrets" {
  uid = "AppSecrets01"
}

resource "kubernetes_secret" "app" {
  metadata {
    name      = "app-secrets"
    namespace = "production"
  }

  data = {
    DATABASE_URL = "postgres://${data.syvault_secret.app_secrets.fields["db_user"]}:${data.syvault_secret.app_secrets.fields["db_pass"]}@${data.syvault_secret.app_secrets.fields["db_host"]}:5432/myapp"
    API_KEY      = data.syvault_secret.app_secrets.fields["api_key"]
  }
}
State File Security
Warning: Terraform stores data source values in the state file in plaintext, as it does the arguments of managed resources that consume them (for example the RDS password above). Anyone with access to the state file can read the secrets. Marking an output sensitive = true only redacts it from CLI output; it does not change what is written to state.
Mitigations:
- Use a remote backend with encryption at rest (S3 + KMS, Terraform Cloud, etc.).
- Restrict access to the state file with IAM policies or workspace-level permissions.
- Enable state file encryption in your backend configuration.
- Never commit .tfstate files to version control.
terraform {
  backend "s3" {
    bucket         = "my-terraform-state"
    key            = "prod/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    kms_key_id     = "arn:aws:kms:us-east-1:123456789:key/abcd-1234"
    dynamodb_table = "terraform-locks"
  }
}
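To make the warning above concrete, here is an added Python script (not part of the provider or its documentation) that parses a Terraform state file and reports every SyVault data-source value sitting in it in plaintext, plus any attribute of another resource that holds the same value, such as the RDS master password from the example above. The state layout follows Terraform's version 4 state format; the resource contents are constructed sample data, not a real state file.

```python
# Scan a Terraform state file (format version 4) for SyVault secret values.
import json
from typing import Any, Iterator

# Constructed sample state for demonstration; not a real state file.
SAMPLE_STATE = json.dumps({"version": 4, "resources": [
    {"mode": "data", "type": "syvault_secret", "name": "rds_master",
     "instances": [{"attributes": {"uid": "RdsMasterCreds01",
                    "fields": {"username": "dbadmin", "password": "s3cr3t-example"}}}]},
    {"mode": "data", "type": "syvault_secret_notation", "name": "db_password",
     "instances": [{"attributes": {"notation": "sy://Production/Database/field/password",
                    "value": "s3cr3t-example"}}]},
    {"mode": "managed", "type": "aws_db_instance", "name": "main",
     "instances": [{"attributes": {"identifier": "prod-db", "password": "s3cr3t-example"}}]},
]})
SECRET_KEYS = {"fields", "value"}  # top-level attributes of the data sources that carry secrets

def _address(res: dict) -> str:
    return ("data." if res["mode"] == "data" else "") + f"{res['type']}.{res['name']}"

def _leaves(obj: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted_path, scalar) for every leaf inside a nested attribute value."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _leaves(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _leaves(v, f"{path}[{i}]")
    else:
        yield path, obj

def scan_state(state_json: str) -> tuple[list[tuple[str, str]], list[tuple[str, str]]]:
    """Return (secrets, copies): SyVault secret values present in state, and every
    attribute of a non-SyVault resource that stores one of the same values."""
    leaves = [(f"{_address(r)}.{p}", r["type"].startswith("syvault_"), p, v)
              for r in json.loads(state_json).get("resources", [])
              for inst in r.get("instances", [])
              for p, v in _leaves(inst.get("attributes", {}))]
    secrets = [(a, v) for a, is_sy, p, v in leaves
               if is_sy and p.split(".")[0] in SECRET_KEYS and isinstance(v, str)]
    values = {v for _, v in secrets}
    copies = [(a, v) for a, is_sy, _, v in leaves
              if not is_sy and isinstance(v, str) and v in values]
    return secrets, copies

if __name__ == "__main__":
    found, copied = scan_state(SAMPLE_STATE)
    print("plaintext SyVault values in state:", [a for a, _ in found])
    print("same values copied into other resources:", [a for a, _ in copied])
```

Run it against a real state file by passing the file contents to scan_state; any address it prints is a value that the backend must protect at rest and in transit.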
Import
Existing SyVault secrets can be imported into Terraform state:
terraform import syvault_secret_resource.api_key 7Kj9mNpQ2xRs