Terraform Plugin
Keeper Secrets Manager Terraform plugin for accessing secrets in Terraform builds

Prerequisites

This page documents the Secrets Manager Terraform integration. In order to utilize this integration, you will need:
  • Keeper Secrets Manager access (See the Quick Start Guide for more details)
    • Secrets Manager addon enabled for your Keeper account
    • Membership in a Role with the Secrets Manager enforcement policy enabled
  • A Keeper Secrets Manager Application with secrets shared to it
  • An initialized Keeper Secrets Manager Configuration
    • The Terraform integration accepts JSON and Base 64 format configurations

About

The Keeper Terraform Plugin utilizes Keeper Secrets Manager to provide access to secret credentials saved in the Keeper Vault. The Keeper Terraform plugin allows for injecting secrets directly into Terraform builds securely using Keeper's zero-knowledge infrastructure.

Installation

Registry install

The Keeper Secrets Manager provider page is located here
To install this provider, add the following code to your Terraform configuration and run terraform init:

terraform {
  required_providers {
    secretsmanager = {
      source  = "keeper-security/secretsmanager"
      version = ">= 1.0.0"
    }
  }
}

provider "secretsmanager" {
  # Configuration options
}

Manual Installation

Download the latest version of the Terraform Provider for your platform from our GitHub release page and copy the archive to the corresponding Terraform plugin folder (creating any missing folders in the path). In your configuration, reference the provider by its full source address: source = "github.com/keeper-security/secretsmanager"

Windows:

SETLOCAL EnableExtensions && ^
mkdir %APPDATA%\.terraform.d\plugins\github.com\keeper-security\secretsmanager && ^
cd %APPDATA%\.terraform.d\plugins\github.com\keeper-security\secretsmanager && ^
curl -SfLOJ https://github.com/keeper-security/terraform-provider-secretsmanager/releases/download/v1.0.0/terraform-provider-secretsmanager_1.0.0_windows_amd64.zip

Mac OS:

mkdir -p ~/.terraform.d/plugins/github.com/keeper-security/secretsmanager && \
cd ~/.terraform.d/plugins/github.com/keeper-security/secretsmanager && \
curl -SfLOJ https://github.com/keeper-security/terraform-provider-secretsmanager/releases/download/v1.0.0/terraform-provider-secretsmanager_1.0.0_darwin_amd64.zip

Linux:

mkdir -p ~/.terraform.d/plugins/github.com/keeper-security/secretsmanager && \
cd ~/.terraform.d/plugins/github.com/keeper-security/secretsmanager && \
curl -SfLOJ https://github.com/keeper-security/terraform-provider-secretsmanager/releases/download/v1.0.0/terraform-provider-secretsmanager_1.0.0_linux_amd64.zip

For help on manually installing Terraform Providers, please refer to the official Terraform documentation.

Usage

Configure the Provider

The Keeper Secrets Manager provider is used to interact with the resources supported by Keeper Secrets Manager. The provider needs to be configured with Keeper credentials before it can be used.
terraform {
  required_providers {
    secretsmanager = {
      source  = "keeper-security/secretsmanager"
      version = ">= 1.0.0"
    }
  }
}

provider "secretsmanager" {
  # Specify config contents as a string or load from file
  # credential = "<CONFIG FILE CONTENTS BASE64>"
  credential = file("/path/to/config.json")
}

Configuration File Contents

  • app_key - (Required) Application key.
  • client_id - (Required) Client ID.
  • private_key - (Required) Private key.
  • hostname - (Optional) By default the plugin connects to keepersecurity.com.
For more information on creating a Secrets Manager configuration, see the Configuration Documentation.

Get Secrets Using Data Sources

A data source is provided for each standard Keeper record type, which facilitates easy fetching of secret credentials.
Data sources are accessed using the following format:

data "<data_source_name>" "<record_type_reference>" {
  path = "<record_uid>"
}

For example, using a Login type record:

data "secretsmanager_login" "my_login_record" {
  path = "<RECORD_UID>"
}

To access any additional custom fields, or the standard fields of user-defined record types, use the secretsmanager_field data source.

List of supported record types

Record Type               Data Source Name
Address                   "secretsmanager_address"
Bank Account              "secretsmanager_bank_account"
Bank Card                 "secretsmanager_bank_card"
Birth Certificate         "secretsmanager_birth_certificate"
Contact                   "secretsmanager_contact"
Database Credentials      "secretsmanager_database_credentials"
Driver's License          "secretsmanager_drivers_license"
Encrypted Notes           "secretsmanager_encrypted_notes"
Field                     "secretsmanager_field"
File                      "secretsmanager_file"
Health Insurance          "secretsmanager_health_insurance"
Login                     "secretsmanager_login"
Membership                "secretsmanager_membership"
Passport                  "secretsmanager_passport"
Photo                     "secretsmanager_photo"
Server Credentials        "secretsmanager_server_credentials"
Software License          "secretsmanager_software_license"
SSH Keys                  "secretsmanager_ssh_keys"
SSN Card                  "secretsmanager_ssn_card"

To see the fields available to each data source, see the Record Types Data Source Reference.
For more information on record types, see the record types documentation.

Accessing Record Fields

To access a secret credential saved to a field in a record, reference the field as an attribute of the data source.

Access the field of a typed record data source

Use this format to access fields of a typed data source:

${ data.<data_source_name>.<record_type_reference>.<field> }

Example: access the password of a login type data source

${ data.secretsmanager_login.my_login_secret.password }

Use the field data source to query any field in a record with Keeper Notation

Create a data source using the "secretsmanager_field" data source type, and specify a field query in the path property.

data "secretsmanager_field" "my_field" {
  path = "<record UID>/field/login"
}

The field query uses the format: "<UID>/field/<field type>"

Complete Example File

This example provisions Keeper Secrets Manager, reads a login type data source, and accesses each field of the data source.
terraform {
  required_providers {
    secretsmanager = {
      source  = "keeper-security/secretsmanager"
      version = ">= 1.0.0"
    }
    local = {
      source  = "hashicorp/local"
      version = "2.1.0"
    }
  }
}

provider "local" { }
provider "secretsmanager" {
  # Specify config contents as a string or load from file
  # credential = "<CONFIG FILE CONTENTS BASE64>"
  credential = file("~/.keeper/ksm-config.json")
}

data "secretsmanager_login" "db_server" {
  path = "<record UID>"
}

resource "local_file" "out" {
  filename        = "${path.module}/out.txt"
  file_permission = "0644"
  content         = <<EOT
UID: ${ data.secretsmanager_login.db_server.path }
Type: ${ data.secretsmanager_login.db_server.type }
Title: ${ data.secretsmanager_login.db_server.title }
Notes: ${ data.secretsmanager_login.db_server.notes }
======
Login: ${ data.secretsmanager_login.db_server.login }
Password: ${ data.secretsmanager_login.db_server.password }
URL: ${ data.secretsmanager_login.db_server.url }
TOTP:
-----
%{ for t in data.secretsmanager_login.db_server.totp ~}
URL: ${ t.url }
Token: ${ t.token }
TTL: ${ t.ttl }
%{ endfor ~}
FileRefs:
---------
%{ for fr in data.secretsmanager_login.db_server.file_ref ~}
UID: ${ fr.uid }
Title: ${ fr.title }
Name: ${ fr.name }
Type: ${ fr.type }
Size: ${ fr.size }
Last Modified: ${ fr.last_modified }
URL: ${ fr.url }
Content/Base64: ${ fr.content_base64 }
%{ endfor ~}
EOT
}

output "db_secret_login" {
  value = data.secretsmanager_login.db_server.login
}
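The complete example above writes the password into a mode 0644 file and shows it in plan output. As an added example that is not part of the Keeper documentation, the following variant consumes the same record through local_sensitive_file and sensitive outputs instead. It assumes hashicorp/local 2.2.0 or newer, uses placeholders for the record UID and custom field label, and the custom_field Keeper Notation segment and the value attribute of secretsmanager_field are assumptions rather than something this page documents.

```hcl
# Added example (not from the Keeper docs): same record, no world-readable file.
terraform {
  required_providers {
    secretsmanager = {
      source  = "keeper-security/secretsmanager"
      version = ">= 1.0.0"
    }
    local = {
      source  = "hashicorp/local"
      version = ">= 2.2.0" # local_sensitive_file needs 2.2.0 or newer
    }
  }
}

provider "secretsmanager" {
  credential = file("~/.keeper/ksm-config.json")
}

data "secretsmanager_login" "db_server" {
  path = "<record UID>" # placeholder
}

# Custom field via Keeper Notation; the "custom_field" segment and the
# "value" attribute below are assumptions, not documented on this page.
data "secretsmanager_field" "db_name" {
  path = "<record UID>/custom_field/<custom field label>"
}

locals {
  db_env = join("\n", [
    "DB_USER=${data.secretsmanager_login.db_server.login}",
    "DB_PASSWORD=${data.secretsmanager_login.db_server.password}",
    "DB_NAME=${data.secretsmanager_field.db_name.value}",
  ])
}

# local_sensitive_file redacts content in plan output; 0600 = owner-only.
resource "local_sensitive_file" "db_env" {
  filename        = "${path.module}/db.env"
  file_permission = "0600"
  content         = local.db_env
}

# Values derived from secret fields are marked sensitive so that
# `terraform output` redacts them.
output "db_user" {
  value     = data.secretsmanager_login.db_server.login
  sensitive = true
}
```

The state file still stores every value in clear, so these settings protect CLI and log output only; keep the state in an access-controlled backend.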
For more examples, check out the examples folder in the source code.