Packer: [rfc] vault template function

Created on 23 Feb 2017  ·  15 Comments  ·  Source: hashicorp/packer

It would be neat if packer could retrieve configuration variables straight from vault.

I think the best way to do this would be through a template function, such as {{vault path/to/key}}.

With that semantic information, we could also filter any values from vault from the logs.

We'd ideally not expose any vault client configuration through the packer template, and get it from the environment. I'm not sure we could support it otherwise.

core enhancement post-1.0

All 15 comments

Any news on this one? Ideally we'd also like to store password secrets in vault (local admin/root passwords etc) and retrieve them directly.

Hello, any news on this one?

I cannot retrieve values from Vault for use in Packer.

@degilq This functionality is not implemented yet. I think this will come at less of an expense once HCL support lands for Packer. Hope that helps.

@lfarnell What's the status of HCL support? Any progress yet?

Vault support with packer is much needed in our environment. Any idea when HCL support will be introduced to packer? @lfarnell @tamsky

It's definitely on our TODO list but we have no timeline for you. Sorry.

Any news on this needed integration?

It's penciled into our roadmap for later this year; won't likely be within the next few months. We'll update the ticket when we start work on it.

Hi

At my employer we would be able to dedicate some time to working on this feature. We imagine 2 different implementation scenarios:

  • A naive one, where Vault support would be implemented straight as a {{vault /path/to/key}} template function as suggested by @mwhooker. Vault client settings (i.e. Vault URL, token...) would be inferred by the Go api package using environment variables, and only one Vault instance could be used at a time.
  • A more complex one, where we would introduce a whole new generic "datastore" (name up for debate) abstraction allowing users to query remote key/value data storage systems – including Vault – similar to Terraform data sources, and to use retrieved values as variables in the rest of the Packer configuration. A modular plug-in based design could allow various backends to be used.

WDYT?
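
An added example, not part of the thread and not Packer's own code: a sketch of the "naive" `{{vault ...}}` template function proposed above, combined with the log filtering suggested in the issue description. `SecretReader`, `Renderer` and the `<filtered>` marker are hypothetical names, the path is quoted because Go's `text/template` needs a string literal, and the sample secret is constructed.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// SecretReader is a hypothetical hook for a Vault client set up from the environment.
type SecretReader func(path string) (string, error)

// Renderer expands {{vault "path"}}, records each value, and fails on a bad lookup.
type Renderer struct {
	Read    SecretReader
	secrets []string
}

func (r *Renderer) Render(text string) (string, error) {
	funcs := template.FuncMap{"vault": func(path string) (string, error) {
		v, err := r.Read(path)
		if err == nil && v != "" {
			r.secrets = append(r.secrets, v)
		}
		return v, err
	}}
	t, err := template.New("cfg").Funcs(funcs).Parse(text)
	if err != nil {
		return "", err
	}
	var out strings.Builder
	if err := t.Execute(&out, nil); err != nil {
		return "", err
	}
	return out.String(), nil
}

// Redact masks every recorded secret in a line before it is logged.
func (r *Renderer) Redact(line string) string {
	for _, s := range r.secrets {
		line = strings.ReplaceAll(line, s, "<filtered>")
	}
	return line
}

func main() {
	// Constructed sample secret standing in for a Vault server.
	r := &Renderer{Read: func(string) (string, error) { return "s3cr3t-Example", nil }}
	cfg, err := r.Render(`{"ssh_password": "{{vault "secret/build/admin_password"}}"}`)
	fmt.Println(r.Redact("rendered config: "+cfg), err)
}
```

Because the template function is the only place secrets enter the configuration, it is also the natural place to register them for redaction; empty values are skipped so that `Redact` never replaces the empty string.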

https://github.com/hashicorp/envconsul solves this, although it would be cool to have total integration

> @degilq This functionality is not implemented yet. I think this will come at less of an expense once HCL support lands for Packer. Hope that helps.

Terraform 0.12 HCL configuration has an exact 1:1 mapping to and from JSON.

So, does the new HCL bode well for this new feature?

Can anyone test out the PR at https://github.com/hashicorp/packer/pull/6533 ?

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
