Read external secrets

To read a secret that has been created outside the scope of this Terraform project (e.g. through the CLI or in a different Terraform project), you can use the secrethub_secret data source. You only need to specify the path of the secret:

provider "secrethub" {
  path_prefix = "your-username/start"
}

data "secrethub_secret" "db_password" {
  path = "db-password"
}

data "secrethub_secret" "db_user" {
  path = "db-user"
}

As you can see in this example, the path_prefix specified on the provider also applies to secret data sources.

Just like the secret resource, you can use the value of the secret data source throughout your project by referencing the value field.

resource "heroku_app" "your_app" {
  name   = "your-app"
  region = "us"
  sensitive_config_vars {
    DB_PASSWORD = "${data.secrethub_secret.db_password.value}"
    DB_USER     = "${data.secrethub_secret.db_user.value}"
  }
}

By default, the data source retrieves the latest version of your secret. To get a specific version of a secret instead, add the version number to the path:

data "secrethub_secret" "db_password_version_1" {
  path = "your-username/start/db-password:1"
}

➡️ Next, let's see how to import existing secrets into your Terraform project.