This guide demonstrates how to use the Infisical Packer plugin to fetch secret data using a data source. The Packer plugin supports both Infisical Cloud and self-hosted instances of Infisical.

Prerequisites

Before you begin, make sure you have:
  • Packer installed
  • An Infisical account with access to a project
  • Basic understanding of Packer

Project Setup

Configure Provider

First, specify the Infisical provider in your Packer configuration: 
packer {
  required_plugins {
    infisical = {
      source  = "github.com/infisical/infisical"
      version = ">=0.0.1"
    }
  }
}

Authentication

Using a Machine Identity, you can authenticate with Universal Auth. 
data "infisical-secrets" "dev-secrets" {
  folder_path = "/"
  env_slug    = "dev" # The environment to list secrets from (e.g. dev, staging, prod)
  project_id  = "00000000-0000-0000-0000-000000000000"
  host        = "https://app.infisical.com" # Optional for cloud, required for self-hosted

  universal_auth {
    client_id = "00000000-0000-0000-0000-000000000000"
    client_secret = "..." # Optional if using INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET env variable
  }
}
Learn more about machine identities.

Using Secrets in Packer

You’re able to fetch secrets from Infisical using the infisical-secrets Data Source: 
# Fetch all secrets from a folder
data "infisical-secrets" "dev-secrets" {
  folder_path = "/"
  env_slug    = "dev"
  project_id  = "00000000-0000-0000-0000-000000000000"

  universal_auth {
    ...
  }
}

locals {
  secrets = data.infisical-secrets.dev-secrets.secrets
}

source "null" "basic-example" {
  communicator = "none"
}

build {
  sources = [
    "source.null.basic-example"
  ]

  provisioner "shell-local" {
    inline = [
      "echo secret_key: ${local.secrets["SECRET_KEY"].secret_value}",
    ]
  }
}
The local.secrets object maps secret keys to secret objects. See also: