Configuring Terraform Files for Secret Server Integration
To integrate Terraform with Delinea Secret Server, you must copy and update required files from the Terraform provider GitHub repository:
- Terraform configuration files (.tf)
- Terraform variable files (.tfvars)

These files must be placed in the directory where your Terraform executable is located. Do not create them from scratch. Instead, use the examples provided in the official Delinea Terraform provider repository:
Step 1: Copy and Update the Terraform Configuration Files (.tf)
- Go to the Delinea Terraform provider GitHub repository, directory terraform-provider-tss/examples/secrets.
- Copy the relevant example .tf file into your Terraform working directory. Rename it if needed (e.g., main.tf).
- Update each file with the required configuration definition:
  - The required Terraform version
  - The Delinea provider version (terraform-provider-tss)
  - References to variables
  - The type of secret-management operation to perform

Use Case | Example File |
---|---|
Retrieve a single secret | secret_get.tf |
Retrieve multiple secrets | secrets_get.tf |
Create or update a secret | secret_create.tf |
Retrieve an ephemeral secret | ephemeral_secret_get.tf |
Retrieve multiple ephemeral secrets | ephemeral_secrets_get.tf |
Delete a secret by ID | secret_delete.tf |
Delete multiple secrets by their IDs | secrets_delete.tf |

Inside your copied .tf file, update the required provider block. This ensures Terraform uses the correct provider and version to communicate with Delinea Secret Server:

```hcl
terraform {
  required_version = "> 1.10.5"
  required_providers {
    tss = {
      source  = "DelineaXPM/tss"
      version = "3.0.0"
    }
  }
}
```
This configuration defines how Terraform will interact with Delinea Secret Server using the tss provider. Once updated, it becomes the foundation for managing secrets securely during infrastructure provisioning.
Step 2: Copy and Update the Terraform Variable Files (.tfvars)
To ensure security when using Terraform with Delinea Secret Server, avoid storing user credentials in the .tfvars file or the .tfstate file in plain text. Use one of the supported secure methods below to protect sensitive information during infrastructure provisioning. Ephemeral resources are temporary and short-lived. They are not persisted in the Terraform state file, making them ideal for managing sensitive secrets such as usernames, passwords, or tokens.
The variable files define the values required by your configuration file.
Navigate to terraform-provider-tss/vars/secrets and choose the .tfvars file that fits your use case:
Use Case | Example File |
---|---|
Retrieve one secret | secret_get.tfvars |
Retrieve multiple secrets | secrets_get.tfvars |
Create Windows account secret | secret_windows_account.tfvars |
Create Oracle (Linux) account secret | secret_oracle_account.tfvars |
Create SSH key secret | secret_ssh.tfvars |
Delete secret by secret ID | secret_delete.tfvars |
Delete multiple secrets by their IDs | secrets_delete.tfvars |
Static Credential Variables
The following variables must be updated in the files (secret_get.tfvars and secrets_get.tfvars):

Variable | Description | Note |
---|---|---|
tss_username | Application account username | Use the example below to set up. |
tss_password | Application account password | Use the example below to set up. |
tss_server_url | Secret Server URL | Use the example below to set up. |
tss_secret_name | Secret name | Use the example below to set up. |
tss_secret_templateid | Template ID | |
fields[] | Field name and value pairs | |
generate_passphrase | Flag to generate passphrase | Set true to generate a passphrase when creating the secret. Default value is false. |
generate_ssh_keys | Flag to generate SSH keys | Set true to generate SSH keys when creating the secret. Default value is false. |

Example: secret_get.tfvars

```hcl
tss_username   = "username"
tss_password   = "password"
tss_server_url = "https://example/SecretServer"
tss_secret_id  = 1
```

Example: secrets_get.tfvars

```hcl
tss_username   = "username"
tss_password   = "password"
tss_server_url = "https://example/SecretServer"
tss_secret_id  = ["1", "2", "3"]
```
Using Environment Credential Variables
Storing credentials in .tfvars files can expose sensitive information. Using environment variables is a more secure option.
You can pass user credentials to Terraform through the tss_server_url, tss_username, and tss_password variables as environment variables. You must add the prefix TF_VAR_ before these variable names so that Terraform automatically reads the values from the environment.
Set the environment variables as follows:

For Linux (secret_oracle_account.tfvars)

```sh
$ export TF_VAR_tss_username="my_app_user"
$ export TF_VAR_tss_password="Password."
$ export TF_VAR_tss_server_url="https://localhost/SecretServer"
```

For Windows (secret_windows_account.tfvars)

```bat
> set TF_VAR_tss_username=my_app_user
> set TF_VAR_tss_password=Password.
> set TF_VAR_tss_server_url=https://localhost/SecretServer
```

In cmd.exe, do not quote the value: set keeps the quotation marks as part of the variable's value.
After setting these environment variables, you no longer need to store credentials in the .tfvars file. You can then run the terraform plan or terraform apply commands.
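A pre-flight check for the environment-variable method, added here as an example and not part of the Delinea provider or its repository. It confirms that each of the three credential variables above is supplied as TF_VAR_*, that the .tfvars file does not also carry them in plain text, and that the Secret Server URL uses https; the helper names are hypothetical and it assumes a POSIX sh.

```shell
#!/bin/sh
# Hypothetical pre-flight check (not from the Delinea provider) to run before
# `terraform plan` / `terraform apply` when credentials come from TF_VAR_* variables.

# Credential variables the configuration expects (names taken from the page above).
CRED_VARS="tss_username tss_password tss_server_url"

# Succeeds only if TF_VAR_<name> is set and non-empty for every credential variable.
check_env_credentials() {
  missing=0
  for name in $CRED_VARS; do
    eval "val=\${TF_VAR_$name:-}"   # indirect lookup of TF_VAR_<name> in plain sh
    if [ -z "$val" ]; then
      echo "missing environment variable TF_VAR_$name" >&2
      missing=1
    fi
  done
  return $missing
}

# Succeeds only if the .tfvars file has no plaintext assignment of a credential
# variable, i.e. no line like   tss_password = "..."   (commented lines do not match).
check_tfvars_file() {
  [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
  found=0
  for name in $CRED_VARS; do
    if grep -Eq "^[[:space:]]*${name}[[:space:]]*=" "$1"; then
      echo "$1 assigns $name in plain text; remove it and set TF_VAR_$name instead" >&2
      found=1
    fi
  done
  return $found
}

# Succeeds only for an https URL: the provider sends the credentials to this endpoint.
check_server_url_https() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "tss_server_url must use https, got: $1" >&2; return 1 ;;
  esac
}

# Run all three checks against the given .tfvars file; non-zero means do not proceed.
preflight() {
  check_env_credentials &&
    check_tfvars_file "$1" &&
    check_server_url_https "${TF_VAR_tss_server_url:-}"
}
```

Call `preflight secret_oracle_account.tfvars` from the Terraform working directory and only run terraform plan when it exits 0.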
Ephemeral Resource Support (Preferred Method)
The Terraform provider now supports ephemeral resources using the latest Terraform Plugin Framework. Ephemeral resources are temporary, short-lived entities created during the execution of Terraform operations such as terraform apply. They are not persisted in the Terraform state file or any other Terraform-managed storage, offering enhanced security for managing sensitive data such as usernames, passwords, and API tokens.

Usage Example
In your .tf file, use the ephemeral block:

```hcl
ephemeral "tss_secret" "my_username" {
  id    = var.tss_secret_id
  field = "username"
}

ephemeral "tss_secret" "my_password" {
  id    = var.tss_secret_id
  field = "password"
}
```

These values can be dynamically injected into other Terraform resources:

```hcl
resource "print_resource" "print_username" {
  secret = ephemeral.tss_secret.my_username.secret_value
}

# Assumes an ephemeral "tss_secrets" "my_usernames" block declared elsewhere in the
# file (see the multi-secret example ephemeral_secrets_get.tf).
resource "print_resource" "print_usernames" {
  secret = ephemeral.tss_secrets.my_usernames.secrets
}
```

Sample Terraform files demonstrating the use of ephemeral resources are available in the terraform-provider-tss/examples/secrets directory for reference. For more details and examples on using ephemeral resources, see Ephemeral Resource Support for Improved Security.
SSH Keys and Passphrase Generation in Terraform Provider for TSS
To generate SSH keys and a passphrase when creating a secret using templates that include SSH key and passphrase fields, you need to set the generate_passphrase and generate_ssh_keys flags to true. By default, these flags are set to false.
To pass SSH key and passphrase generation arguments from the Terraform variable file:

```hcl
fields = [
  {
    fieldname = "Public Key"
    itemvalue = null
  },
  {
    fieldname = "Private Key"
    itemvalue = null
  },
  {
    fieldname = "Private Key Passphrase"
    itemvalue = null
  }
]

# SSH Key Generation Settings
generate_passphrase = true
generate_ssh_keys   = true
```
Important Notes
- Set itemvalue to null for SSH key fields.
- Set the appropriate boolean values for generate_passphrase and generate_ssh_keys.
Limitations and Considerations
- Creation Only: SSH key generation is only supported during secret creation, not during updates.
- Field Values: When updating a secret with previously generated SSH keys, the provider will automatically preserve the generated values.
Delete Secret
This functionality deactivates the secret in Delinea Secret Server. It does not permanently delete the secret, but renders it inaccessible.
Delete Secret by ID
The tss_secret_deletion resource allows you to delete a secret by its ID, even if it is not managed by Terraform state. Use the following block in your .tf file:

```hcl
resource "tss_secret_deletion" "delete_secret" {
  secret_id = var.tss_secret_id
}
```

Apply this configuration to delete the secret with the ID provided in your Terraform variable file. After deletion, run terraform destroy to remove the resource from state before deleting another secret.
Delete Multiple Secrets
The tss_secret_deletion resource also supports deleting multiple secrets by their IDs, even if they are not managed by Terraform state. Use the following block in your .tf file:

```hcl
resource "tss_secret_deletion" "delete_secrets" {
  for_each  = toset(var.tss_secret_ids)
  secret_id = tonumber(each.key)
}
```

This configuration deletes all secrets listed in the set provided from the Terraform variable file. Each deletion is tracked separately in state.
Important Notes
- After deleting, run terraform destroy to clean up the state before deleting new secrets.
- Deletion is performed during the terraform apply phase.
- The resource is tracked in state to prevent repeated deletion attempts. "Creating..." in the logs indicates the deletion is being performed.
Step 3: Complete Configuration
After completing the configuration, your Terraform executable directory should include:
- The .tf configuration file
- The .tfvars variable file
- The Terraform executable (terraform)