Looks like I can store & generate secrets in Vault, use terraform to read secrets from it as terraform variables, and dump it into a file (rather than an environment variable). This should work with docker-compose: dump secrets into respective .env files, and "mount" those .env files onto docker-compose to expose secrets with environment variables at the application level but not the system level (plus, this should also work with non-vault secrets like cloudflare).
https://registry.terraform.io/providers/hashicorp/vault/latest/docs
https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file
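An added example of the flow described above (not the poster's own config): Terraform reads a KV v2 secret from Vault, merges in a non-Vault secret passed as a sensitive variable, and writes a `.env` file that docker-compose can load via `env_file`. The mount `secret`, the secret name `myapp`, the key names and the output path are assumptions.

```hcl
terraform {
  required_providers {
    vault = { source = "hashicorp/vault" }
    local = { source = "hashicorp/local" }
  }
}

# Address and token are taken from VAULT_ADDR / VAULT_TOKEN in the
# environment of the machine running terraform, not from this file.
provider "vault" {}

# Hypothetical KV v2 mount "secret" with a secret at "myapp" whose keys
# (e.g. DB_PASSWORD) become environment variable names.
data "vault_kv_secret_v2" "app" {
  mount = "secret"
  name  = "myapp"
}

# A secret that does not live in Vault (e.g. a Cloudflare token), supplied
# as a sensitive input so it is redacted from plan/apply output.
variable "cloudflare_api_token" {
  type      = string
  sensitive = true
}

locals {
  secrets = merge(
    data.vault_kv_secret_v2.app.data,
    { CLOUDFLARE_API_TOKEN = var.cloudflare_api_token },
  )
  # KEY=value lines, the format docker-compose's env_file expects.
  # Values containing newlines would break this format; keep them single-line.
  env_lines = [for k, v in local.secrets : "${k}=${v}"]
}

# local_sensitive_file keeps the content out of plan output and sets a
# restrictive mode so only the user running docker-compose can read it.
resource "local_sensitive_file" "app_env" {
  content         = join("\n", concat(local.env_lines, [""]))
  filename        = "${path.module}/myapp.env"
  file_permission = "0600"
}
```

The compose service then lists `env_file: [myapp.env]`, so the variables exist inside the container but are never exported into the host's process environment. Note that every value written here also ends up in the Terraform state, so the state backend must be protected as carefully as the `.env` file itself.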