Introduction
Customers may want to remount a secrets engine from one namespace to another. This can be achieved using the remount API. In cases where customers are using Terraform to manage Vault, the vault_generic_endpoint resource can be utilized to perform this operation.
Expected Outcome
Secrets engine data from one namespace can be moved to another namespace.
Prerequisites
- Vault Enterprise
- Terraform Vault Provider
Procedure
This assumes that a Vault instance has been deployed and is already being managed by Terraform via the Vault provider.
- Run a terraform apply to enable a KV version 2 secrets engine, write a test secret, and create a new namespace
  # Enable kvv2 secrets engine
  resource "vault_mount" "kvv2" {
    path    = "kvv2"
    type    = "kv"
    options = { version = "2" }
  }

  # Write secret to kvv2 secrets engine
  resource "vault_kv_secret_v2" "secret" {
    mount     = vault_mount.kvv2.path
    name      = "secret"
    data_json = jsonencode(
      {
        api-key = "123"
      }
    )
  }

  # Create the namespace the secrets engine will be moved into
  resource "vault_namespace" "ns1" {
    path = "ns1"
  }

- Add the vault_generic_endpoint resource block and run a terraform apply to move the existing secret from the root namespace to another namespace
  # Call the remount API; sys/remount is write-only, so reading it back is disabled
  resource "vault_generic_endpoint" "kv_move" {
    # The secret and the target namespace must exist before the remount runs
    depends_on           = [vault_kv_secret_v2.secret, vault_namespace.ns1]
    path                 = "/sys/remount"
    ignore_absent_fields = true
    disable_read         = true
    data_json = jsonencode(
      {
        "from" : "kvv2",
        "to" : "ns1/kvv2"
      }
    )
  }
- Confirm that the secret was moved to a new namespace
  vault kv get -namespace=ns1 kvv2/secret
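The remount call that vault_generic_endpoint issues is asynchronous in Vault 1.10 and later: the API returns a migration_id immediately, and Terraform does not wait for the migration to finish. The following standard-library Python script is an added example (not part of this article or the Vault provider) that sends the same sys/remount request and polls sys/remount/status until Vault reports a terminal status; the "data" wrapping of the responses and the "in-progress"/"success"/"failure" status strings are taken from the Vault API documentation and are treated as assumptions.

```python
import json
import time
import urllib.request

def vault_transport(addr, token, namespace=None):
    """Return a minimal Vault HTTP caller: JSON to /v1/<path>, decoded reply back."""
    def call(method, path, payload=None):
        req = urllib.request.Request(f"{addr.rstrip('/')}/v1/{path.lstrip('/')}", method=method)
        req.add_header("X-Vault-Token", token)
        if namespace:  # issue the remount from the namespace that owns the source mount
            req.add_header("X-Vault-Namespace", namespace)
        data = None
        if payload is not None:
            data = json.dumps(payload).encode()
            req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, data=data, timeout=10) as resp:
            body = resp.read()
        return json.loads(body) if body else {}
    return call

def _unwrap(body):
    # Vault normally wraps logical responses in "data"; tolerate both shapes (assumption).
    return body.get("data") or body

def start_remount(src, dst, call):
    """POST sys/remount with the same from/to body the Terraform resource sends."""
    return _unwrap(call("POST", "sys/remount", {"from": src, "to": dst}))["migration_id"]

def remount_status(migration_id, call):
    """GET sys/remount/status/<id>; returns "in-progress", "success" or "failure"."""
    info = _unwrap(call("GET", f"sys/remount/status/{migration_id}"))["migration_info"]
    return info["status"]

def remount_and_wait(src, dst, call, poll=0.5, timeout=60, sleep=time.sleep):
    """Start the remount and block until Vault reports a terminal status."""
    mid = start_remount(src, dst, call)
    deadline = time.monotonic() + timeout
    while True:
        status = remount_status(mid, call)
        if status != "in-progress":
            return status
        if time.monotonic() > deadline:
            raise TimeoutError(f"remount {mid} still in progress after {timeout}s")
        sleep(poll)

if __name__ == "__main__":
    import os  # VAULT_ADDR and VAULT_TOKEN as used by the vault CLI
    call = vault_transport(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"])
    print(remount_and_wait("kvv2", "ns1/kvv2", call))
```

Policies are path- and namespace-scoped, so a policy that granted access to kvv2/ in the root namespace does not follow the data into ns1; grant the equivalent access in ns1 before clients are pointed at the new path.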