Integrate OpenTofu with OpenBao for secret retrieval #158

@cwage

Overview

OpenTofu currently reads Proxmox API credentials from the local .env file. Now that OpenBao is in production and Ansible is using it as a trusted orchestrator, OpenTofu should do the same.

Tasks

  • Add HashiCorp Vault provider to OpenTofu
  • Move Proxmox API credentials from .env to OpenBao (kv/infra/proxmox)
  • Update OpenTofu to fetch Proxmox creds at runtime
  • Remove Proxmox secrets from .env (keep only BAO_TOKEN)

Context

Split out from #67 (Phase 3). The trusted orchestrator pattern is established and working for Ansible — this extends it to OpenTofu.
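
A sketch of the configuration the task list describes, added here as an example and not taken from the repository or written by the issue author. The Proxmox provider (bpg/proxmox), the KV version 2 engine, the variable names and the secret's field names are assumptions; only the kv/infra/proxmox path and BAO_TOKEN come from the issue.

```hcl
terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault" # OpenBao is reached through the Vault provider
    }
    proxmox = {
      source = "bpg/proxmox" # assumption: the issue does not name the Proxmox provider in use
    }
  }
}

# Hypothetical variable names. Supply them from the environment so no
# credential is written to a file, e.g. TF_VAR_bao_token="$BAO_TOKEN".
variable "bao_addr" {
  type        = string
  description = "OpenBao API address"
}

variable "bao_token" {
  type        = string
  sensitive   = true
  description = "Token for the trusted orchestrator; the only secret left in .env"
}

provider "vault" {
  address = var.bao_addr
  token   = var.bao_token
}

# Assumes the "kv" mount is a KV version 2 engine. With KV version 1 the
# data source would be vault_kv_secret with path = "kv/infra/proxmox".
data "vault_kv_secret_v2" "proxmox" {
  mount = "kv"
  name  = "infra/proxmox"
}

# Assumed field names inside the secret: "endpoint" and "api_token".
# Values read through a data source are recorded in the state file, so the
# state backend needs the same access control and encryption as the secret.
provider "proxmox" {
  endpoint  = data.vault_kv_secret_v2.proxmox.data["endpoint"]
  api_token = data.vault_kv_secret_v2.proxmox.data["api_token"]
}
```

The token used here only needs read access to kv/infra/proxmox; a policy scoped to that path keeps the credential left in .env from exposing other secrets.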
