Hard-coded credentials in an Ansible playbook, a Terraform state, or in Git are a ticking bomb. One leaked repository and an attacker has the keys to the kingdom. HashiCorp Vault and Terraform solve this systematically — and turn infrastructure into auditable code.
Two tools, two roles
Terraform describes infrastructure as code. Instead of clicking in a console you have declarative files: "I want these servers, networks, firewalls." Terraform reconciles to the desired state — repeatably, auditably, with change history in Git.
Vault handles secrets: passwords, API keys, certificates, database access. Instead of sitting in plaintext, Vault issues them dynamically and temporarily — an app gets access that expires in an hour. A leak is no longer a catastrophe.
The rule we enforce at clients: secrets must never be in Git. Not even encrypted. Vault is the only source.
How it looks in practice
- Terraform provisions infrastructure (RHEL, OpenShift, F5, networks) and records what was created into NetBox as the source of truth.
- Vault issues dynamic secrets — an Ansible playbook fetches F5 or database access only for the duration of its run.
- Ansible (Red Hat AAP) orchestrates it all — no admin ever sees a production password.
Reality check
- Vault isn't free to operate. It's a critical component — if it goes down, automation stops too. It's deployed in an HA cluster with auto-unseal.
- Terraform state is sensitive. It contains metadata about the whole estate. It belongs in a secured remote backend, not Git.
- Migrating an existing environment takes time. Rewriting years of manual config into IaC is a months-long project, not a weekend. We do it in waves.
Why now
Regulation (NIS2, DORA) and cyber insurers increasingly require provable secrets management and an audit trail of changes. "Only Honza knows the password" no longer holds. Vault + Terraform give exactly what audit wants — and speed up operations.
# Dynamic DB credentials from Vault — no password in code or Git
- name: Fetch short-lived credentials and deploy config
  hosts: app_servers
  tasks:
    - name: Authenticate and fetch dynamic credentials
      community.hashi_vault.vault_read:
        url: "https://vault.internal:8200"
        auth_method: approle   # machine identity, not a shared password
        role_id: "{{ lookup('env', 'VAULT_ROLE_ID') }}"
        secret_id: "{{ lookup('env', 'VAULT_SECRET_ID') }}"
        path: "database/creds/billing-app"
      register: db
      no_log: true             # the registered result holds the password

    - name: Render config with the secret
      ansible.builtin.template:
        src: app.conf.j2
        dest: /etc/billing/app.conf
        mode: "0600"
      vars:
        # vault_read registers the raw Vault response; the credentials are nested one level down under data
        db_user: "{{ db.data.data.username }}"   # valid for 1 hour, then rotated
        db_pass: "{{ db.data.data.password }}"
      no_log: true             # secret is never logged

Key point: credentials are never in the repo or the playbook — Vault issues them dynamically and they self-expire. Details in the Vault dynamic secrets docs.
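The same flow in Python, as an added example that is not part of the original article or of the community.hashi_vault collection. It parses the shape Vault returns for database/creds/<role> (username and password nested under data, lease id and TTL at the top level), hands the credential to a job for the length of its run, and explicitly revokes the lease when the job finishes, whether it returned or raised, so the database user disappears immediately instead of at the end of the TTL. The client is assumed to expose the read() and sys.revoke_lease() surface of hvac.Client; FakeVault, the role name billing-app and every credential value are constructed so the block runs offline.

```python
from contextlib import contextmanager
from dataclasses import dataclass
from typing import Any, Iterator, Optional


@dataclass(frozen=True)
class DynamicCredential:
    username: str
    password: str
    lease_id: str
    lease_duration: int  # seconds; Vault drops the DB user when the lease expires


def parse_creds_response(resp: dict[str, Any]) -> DynamicCredential:
    """Map Vault's database/creds/<role> response to a credential object.
    The credentials live under "data"; lease bookkeeping sits at the top level."""
    return DynamicCredential(
        username=resp["data"]["username"],
        password=resp["data"]["password"],
        lease_id=resp["lease_id"],
        lease_duration=int(resp["lease_duration"]),
    )


@contextmanager
def dynamic_db_credentials(client, role: str = "billing-app") -> Iterator[DynamicCredential]:
    """Fetch a credential for one job and revoke its lease afterwards, even on failure.
    `client` is an hvac.Client or anything with the same read()/sys.revoke_lease() calls."""
    path = f"database/creds/{role}"
    resp = client.read(path)
    if resp is None:  # hvac returns None on 404: wrong role or token lacks the policy
        raise RuntimeError(f"no credentials at {path}; check the role and the token's policy")
    cred = parse_creds_response(resp)
    try:
        yield cred
    finally:
        # Don't wait for the TTL: an explicit revoke removes the DB user as soon as we're done.
        client.sys.revoke_lease(cred.lease_id)


def run_job(client, role: str = "billing-app", fail: bool = False) -> str:
    """Example job body: returns the username it used. With fail=True it raises
    mid-way to show that the lease is revoked on that path too."""
    with dynamic_db_credentials(client, role) as cred:
        if fail:
            raise RuntimeError("simulated job failure")
        return cred.username


# ---- constructed stand-in for hvac.Client so the example runs without a Vault server ----

class _FakeSys:
    def __init__(self, revoked: list[str]) -> None:
        self._revoked = revoked

    def revoke_lease(self, lease_id: str) -> None:
        self._revoked.append(lease_id)


class FakeVault:
    """Returns the documented response shape for database/creds/* and records revocations."""

    def __init__(self) -> None:
        self.revoked: list[str] = []
        self.sys = _FakeSys(self.revoked)
        self._issued = 0

    def read(self, path: str) -> Optional[dict[str, Any]]:
        if not path.startswith("database/creds/"):
            return None
        self._issued += 1
        return {
            "lease_id": f"{path}/lease-{self._issued}",
            "lease_duration": 3600,
            "renewable": True,
            "data": {"username": f"v-approle-billing-{self._issued}", "password": "constructed-pw"},
        }


if __name__ == "__main__":
    vault = FakeVault()
    print("used", run_job(vault), "revoked", vault.revoked)
```

With a real client the only change is `client = hvac.Client(url=..., token=...)` after an AppRole login; the job never sees a static password and nothing it logs can outlive the lease.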
An audit found 1,200+ hardcoded credentials across playbooks, scripts and Git history. After migrating to Vault: 0 static secrets in code, fully automated rotation. Illustrative figures — verify before publishing.
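A first-pass scanner for the kind of hard-coded credentials such an audit turns up, added here as an example and not tooling from the article's authors. It walks a set of playbook, vars and script files, flags connection passwords, generic secret assignments, AWS access key ids and private-key blocks, skips values resolved at run time through Jinja or lookup() (the pattern the article wants), and redacts the matched value in its own report so the findings file is not a second leak. SAMPLE_REPO and every value in it are constructed.

```python
import re
from typing import Iterable, NamedTuple


class Finding(NamedTuple):
    file: str
    line_no: int
    rule: str
    excerpt: str  # the offending line with the secret value replaced


# Each pattern captures the secret as group "val" so the report can redact it.
RULES = {
    "ansible_connection_password": re.compile(
        r"^\s*ansible_(?:ssh_|become_)?pass(?:word)?\s*[:=]\s*['\"]?(?P<val>[^'\"\s{]+)", re.I),
    "generic_secret_assignment": re.compile(
        r"\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?(?P<val>[^'\"\s{]{6,})", re.I),
    "aws_access_key_id": re.compile(r"\b(?P<val>AKIA[0-9A-Z]{16})\b"),
    "private_key_block": re.compile(r"(?P<val>-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
}


def is_runtime_reference(line: str) -> bool:
    """True when the value is resolved at run time (Jinja expression or lookup plugin)."""
    return "{{" in line or "lookup(" in line


def scan_file(name: str, lines: Iterable[str]) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        if is_runtime_reference(line):
            continue
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if m:
                redacted = line[: m.start("val")] + "<redacted>" + line[m.end("val"):]
                findings.append(Finding(name, line_no, rule, redacted.strip()))
    return findings


def scan_repo(files: dict[str, list[str]]) -> list[Finding]:
    """files maps a path to its lines; on a real checkout read them from disk."""
    out: list[Finding] = []
    for name, lines in files.items():
        out.extend(scan_file(name, lines))
    return out


# Constructed sample repository contents; none of these are real files or credentials.
SAMPLE_REPO = {
    "group_vars/all.yml": [
        "ansible_user: deploy",
        "ansible_password: Sup3rS3cret!",
        'db_password: "{{ db.data.data.password }}"',  # fetched from Vault at run time: fine
    ],
    "scripts/deploy.sh": [
        "#!/bin/sh",
        "API_KEY='demo-0123456789abcdef'",
        "export AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP",
    ],
    "files/id_rsa": [
        "-----BEGIN OPENSSH PRIVATE KEY-----",
        "b3BlbnNzaC1rZXkt...",
    ],
}


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.file}:{f.line_no} [{f.rule}] {f.excerpt}")
```

Run it as a CI gate before the Vault migration to size the problem and afterwards to keep the count at zero; Git history needs a separate pass, since a secret removed from HEAD is still in every old commit.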
Frequently asked questions
What's the difference between Vault and Terraform?
Terraform defines infrastructure as code (what to create), Vault manages secrets (who can access what, and for how long). Together they form a pipeline where infrastructure is provisioned declaratively and credentials never reach the code.
Isn't the Terraform state a risk too?
It is, if it sits on disk. That's why we encrypt Terraform state and store it in a secured backend with locking. Sensitive outputs are also pulled from Vault at runtime, not from the state file.
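The reality-check item on state and this answer rest on the same fact: a state file carries plaintext values, some flagged as sensitive by the provider and some not. The following added example (mine, not the article's or HashiCorp's tooling) parses a state file in format version 4, lists every value that is marked sensitive or merely looks like a secret, and produces a redacted copy that can safely be attached to a ticket. SAMPLE_STATE is constructed; its tls_private_key entry deliberately leaves sensitive_attributes empty so the name heuristic is seen catching what the marking misses.

```python
import copy
import json
from typing import Any

# Attribute names that are almost always secrets even when a provider did not mark them.
SUSPECT_ATTRIBUTE_NAMES = ("password", "secret", "private_key", "token")
REDACTED = "<redacted>"


def load_state(text: str) -> dict[str, Any]:
    return json.loads(text)


def _marked_sensitive(instance: dict[str, Any]) -> set[str]:
    """Attribute names the provider flagged in sensitive_attributes (state format v4)."""
    names: set[str] = set()
    for path in instance.get("sensitive_attributes", []):
        steps = path if isinstance(path, list) else [path]  # tolerate both encodings
        for step in steps:
            if step.get("type") == "get_attr":
                names.add(step["value"])
    return names


def find_sensitive_values(state: dict[str, Any]) -> list[tuple[str, str, str]]:
    """Return (address, attribute, reason) for every value that must stay in the secured backend."""
    findings: list[tuple[str, str, str]] = []
    for name, out in state.get("outputs", {}).items():
        if out.get("sensitive"):
            findings.append(("output", name, "marked sensitive"))
    for res in state.get("resources", []):
        addr = f"{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            marked = _marked_sensitive(inst)
            for attr, value in inst.get("attributes", {}).items():
                if attr in marked:
                    findings.append((addr, attr, "marked sensitive"))
                elif value and any(s in attr for s in SUSPECT_ATTRIBUTE_NAMES):
                    findings.append((addr, attr, "suspect name, not marked"))
    return findings


def redact_state(state: dict[str, Any]) -> dict[str, Any]:
    """Deep copy of the state with every finding's value replaced by REDACTED."""
    clean = copy.deepcopy(state)
    for addr, attr, _ in find_sensitive_values(clean):
        if addr == "output":
            clean["outputs"][attr]["value"] = REDACTED
            continue
        rtype, rname = addr.split(".", 1)
        for res in clean["resources"]:
            if res["type"] == rtype and res["name"] == rname:
                for inst in res.get("instances", []):
                    if attr in inst.get("attributes", {}):
                        inst["attributes"][attr] = REDACTED
    return clean


# Constructed sample state (format version 4); not a real environment.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.5.0",
    "outputs": {
        "db_endpoint": {"value": "billing-db.internal:5432", "type": "string"},
        "db_master_password": {"value": "ExamplePassw0rd", "type": "string", "sensitive": True},
    },
    "resources": [
        {
            "mode": "managed", "type": "aws_db_instance", "name": "billing",
            "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
            "instances": [{
                "schema_version": 1,
                "attributes": {"identifier": "billing", "engine": "postgres",
                               "username": "billing_admin", "password": "ExamplePassw0rd"},
                "sensitive_attributes": [[{"type": "get_attr", "value": "password"}]],
            }],
        },
        {
            "mode": "managed", "type": "tls_private_key", "name": "bootstrap",
            "provider": "provider[\"registry.terraform.io/hashicorp/tls\"]",
            "instances": [{
                "schema_version": 0,
                "attributes": {"algorithm": "ED25519",
                               "private_key_pem": "-----BEGIN OPENSSH PRIVATE KEY-----constructed",
                               "public_key_openssh": "ssh-ed25519 constructed"},
                "sensitive_attributes": [],  # left empty on purpose for the demonstration
            }],
        },
    ],
})


if __name__ == "__main__":
    state = load_state(SAMPLE_STATE)
    for addr, attr, reason in find_sensitive_values(state):
        print(f"{addr}.{attr}: {reason}")
    print(json.dumps(redact_state(state), indent=2))
```

Pointing the scanner at a state pulled from the backend is a cheap periodic check that nothing new has started landing in state that should have been a Vault read at run time.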
Do we need Vault Enterprise, or is open-source enough?
Open-source Vault is enough for most scenarios. We recommend the Enterprise edition when you need DR replication, namespaces for multi-tenancy, or HSM integration. We usually start open-source and scale as needed.
How does it fit our Ansible automation?
Naturally — Ansible fetches secrets from Vault at runtime via the official collection. No vars with passwords, no ansible-vault file in the repo. More on our approach in the NetBox source-of-truth article.
Got secrets in your code?
Book a 20-minute call — we'll review where you have hardcoded credentials and how to move them into Vault without rewriting your whole automation. No sales pitch.