HashiCorp Vault Integration - karamba182/TeachUA-team GitHub Wiki

What we store in HCP Vault


  • Public SSH keys for VM access
  • PostgreSQL admin password
  • Other sensitive variables planned (API tokens, etc.)


How it works

  • Terraform reads secrets from HCP Vault Secrets at plan/apply time through the hcp provider data source, so no secret value is committed to the repository
  • VMs are provisioned with public keys taken from Vault (team keys can be rotated centrally by updating the secret and re-applying)
  • Database credentials come from Vault at deploy time
  • Ansible connects over SSH with the private keys that match the Vault-stored public keys; only the public halves live in Vault, the private halves stay with the team members

Secrets flow

HashiCorp Vault (HCP)
       ↓
Terraform pulls secrets during apply
       ↓
Resources provisioned (VMs, DB) with secrets injected
       ↓
Ansible uses same secrets to configure the stack

Why use Vault?

  • No sensitive data in code
  • Team keys managed centrally, easy rotation
  • Seamless integration with cloud services

Caveat: every value Terraform reads from Vault, including the database password, is written to the Terraform state file in plaintext (marking it sensitive only redacts plan and output display). The state backend therefore needs the same access control and encryption as Vault itself.

Example: public SSH key from Vault in the VM resource

# Inside an azurerm_linux_virtual_machine resource: the key material is never
# written into the .tf files, only a reference to the Vault secret.
admin_ssh_key {
  username   = var.admin_username
  public_key = data.hcp_vault_secrets_secret.ssh_public_key.secret_value
}
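The snippet above shows only the reference to the Vault secret. The following is an added, complete configuration (not taken from the TeachUA repository) that walks the whole flow described under "How it works" and "Secrets flow": provider authentication, both Vault data sources, the VM that receives the public key, the PostgreSQL server that receives the admin password, and a sensitive output for the Ansible hand-off. The app name `teachua`, the secret names `ssh_public_key` and `pg_admin_password`, the resource names, sizes and image are assumptions; the wiki does not state them.

```hcl
terraform {
  required_providers {
    hcp     = { source = "hashicorp/hcp" }
    azurerm = { source = "hashicorp/azurerm" }
  }
}

# The HCP provider authenticates with a service principal read from the
# HCP_CLIENT_ID / HCP_CLIENT_SECRET environment variables, so no Vault
# credential appears in this file or in the repository.
provider "hcp" {}

provider "azurerm" {
  features {}
}

variable "resource_group_name" { type = string }
variable "location"            { type = string }
variable "admin_username"      { type = string }
variable "nic_id"              { type = string }

# Assumed HCP Vault Secrets app and secret names (not from the wiki).
data "hcp_vault_secrets_secret" "ssh_public_key" {
  app_name    = "teachua"
  secret_name = "ssh_public_key"
}

data "hcp_vault_secrets_secret" "pg_admin_password" {
  app_name    = "teachua"
  secret_name = "pg_admin_password"
}

resource "azurerm_linux_virtual_machine" "app" {
  name                  = "teachua-app"
  resource_group_name   = var.resource_group_name
  location              = var.location
  size                  = "Standard_B2s"
  admin_username        = var.admin_username
  network_interface_ids = [var.nic_id]

  # Public key only: the matching private key stays with whoever runs
  # Ansible and is never stored in Vault or in Terraform state.
  admin_ssh_key {
    username   = var.admin_username
    public_key = data.hcp_vault_secrets_secret.ssh_public_key.secret_value
  }

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-jammy"
    sku       = "22_04-lts"
    version   = "latest"
  }
}

resource "azurerm_postgresql_flexible_server" "db" {
  name                   = "teachua-db"
  resource_group_name    = var.resource_group_name
  location               = var.location
  version                = "16"
  administrator_login    = "pgadmin"
  # Password comes from Vault at apply time; it still lands in state,
  # so the state backend must be access-controlled and encrypted.
  administrator_password = data.hcp_vault_secrets_secret.pg_admin_password.secret_value
  sku_name               = "B_Standard_B1ms"
  storage_mb             = 32768
}

# Hand-off to Ansible. `sensitive = true` redacts the value in plan and
# `terraform output`; retrieve it explicitly in the deploy pipeline with
# `terraform output -raw db_password` and pass it to Ansible as an extra var
# instead of writing it to an inventory file.
output "db_password" {
  value     = data.hcp_vault_secrets_secret.pg_admin_password.secret_value
  sensitive = true
}

output "app_public_ip" {
  value = azurerm_linux_virtual_machine.app.public_ip_address
}
```

Rotating a team member's key is then a two-step operation: update the `ssh_public_key` secret in HCP Vault Secrets and run `terraform apply`; the `admin_ssh_key` block is re-read from the data source and the VM resource is updated in place, with no change to the committed configuration.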