From f2269f20ff9f0048f5b6c8f3f9cc13e6b73b2523 Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali
Date: Sat, 3 Feb 2024 20:43:48 +0300
Subject: [PATCH 1/3] feat: add HCP vault secrets module
---
hcp-vault-secrets/README.md | 43 ++++++++++++++++++++++++
hcp-vault-secrets/main.tf | 66 +++++++++++++++++++++++++++++++++++++
2 files changed, 109 insertions(+)
create mode 100644 hcp-vault-secrets/README.md
create mode 100644 hcp-vault-secrets/main.tf
diff --git a/hcp-vault-secrets/README.md b/hcp-vault-secrets/README.md
new file mode 100644
index 00000000..805e7394
--- /dev/null
+++ b/hcp-vault-secrets/README.md
@@ -0,0 +1,43 @@
+---
+display_name: "HCP Vault Secrets"
+description: "Fetch secrets from HCP Vault"
+icon: ../.icons/vault.svg
+maintainer_github: coder
+partner_github: hashicorp
+verified: true
+tags: [helper, integration, vault, hashicorp, hvs]
+---
+
+# HCP Vault Secrets
+
+This module lets you fetch secrets from [HCP Vault Secrets](https://developer.hashicorp.com/hcp/docs/vault-secrets) in your Coder workspaces.
+
+```tf
+module "vault" {
+ source = "registry.coder.com/modules/hcp-vault-secrets/coder"
+ version = "1.0.3"
+ agent_id = coder_agent.example.id
+ app_name = "demo-app"
+ secrets_list = ["MY_SECRET_1", "MY_SECRET_2"]
+}
+```
+
+## Configuration
+
+To configure the HCP Vault Secrets module, you must create an HCP Service Principal from the HCP Vault Secrets app in the HCP console. This will give you the `HCP_CLIENT_ID` and `HCP_CLIENT_SECRET` that you need to authenticate with HCP Vault Secrets. See the [HCP Vault Secrets documentation](https://developer.hashicorp.com/hcp/docs/vault-secrets) for more information.
+
+## Example
+
+Set `client_id` and `client_secret` as module inputs.
+
+```tf
+module "vault" {
+ source = "registry.coder.com/modules/hcp-vault-secrets/coder"
+ version = "1.0.3"
+ agent_id = coder_agent.example.id
+ app_name = "demo-app"
+ secrets_list = ["MY_SECRET_1", "MY_SECRET_2"]
+ client_id = "HCP_CLIENT_ID"
+ client_secret = "HCP_CLIENT_SECRET"
+}
+```
diff --git a/hcp-vault-secrets/main.tf b/hcp-vault-secrets/main.tf
new file mode 100644
index 00000000..d52af2fd
--- /dev/null
+++ b/hcp-vault-secrets/main.tf
@@ -0,0 +1,66 @@
+terraform {
+ required_version = ">= 1.0"
+
+ required_providers {
+ coder = {
+ source = "coder/coder"
+ version = ">= 0.12.4"
+ }
+ hcp = {
+ source = "hashicorp/hcp"
+ version = ">= 0.82.0"
+ }
+ }
+}
+
+provider "hcp" {
+ client_id = var.client_id
+ client_secret = var.client_secret
+}
+
+provider "coder" {}
+
+variable "agent_id" {
+ type = string
+ description = "The ID of a Coder agent."
+}
+
+variable "secrets_list" {
+ type = list(string)
+}
+
+variable "client_id" {
+ type = string
+ description = <<-EOF
+ The client ID for the HCP Vault Secrets service principal. (Optional if HCP_CLIENT_ID is set as an environment variable.)
+ EOF
+ default = null
+ sensitive = true
+}
+
+variable "client_secret" {
+ type = string
+ description = <<-EOF
+ The client secret for the HCP Vault Secrets service principal. (Optional if HCP_CLIENT_SECRET is set as an environment variable.)
+ EOF
+ default = null
+ sensitive = true
+}
+
+variable "app_name" {
+ type = string
+ description = "The name of the secrets app in HCP Vault Secrets"
+}
+
+data "hcp_vault_secrets_secret" "secret" {
+ for_each = toset(var.secrets_list)
+ app_name = var.app_name
+ secret_name = each.value
+}
+
+resource "coder_env" "hvs_secrets" {
+ for_each = data.hcp_vault_secrets_secret.secret
+ agent_id = var.agent_id
+ name = each.key
+ value = each.value.secret_value
+}
\ No newline at end of file
From db5835deb4cd39024feb044060b090baeff0928f Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali
Date: Tue, 6 Feb 2024 08:14:05 +0300
Subject: [PATCH 2/3] Refactor to fetch all or selective secrets
---
hcp-vault-secrets/README.md | 41 +++++++++++++++++++++++++++++--------
hcp-vault-secrets/main.tf | 21 ++++++++++---------
2 files changed, 44 insertions(+), 18 deletions(-)
diff --git a/hcp-vault-secrets/README.md b/hcp-vault-secrets/README.md
index 805e7394..ca3c2ee9 100644
--- a/hcp-vault-secrets/README.md
+++ b/hcp-vault-secrets/README.md
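Review bot: `resource "coder_env" "hvs_secrets"` exports each `secret_value` as a workspace environment variable, so every secret named in `secrets_list` is readable by any process running as the workspace user and is also recorded in the provisioner's Terraform state, and nothing in the file says so; I'd put a header comment above the resource such as `# Values are exported as plain environment variables and recorded in Terraform state; only list secrets that every process in the workspace may read.`. `variable "secrets_list"` has no `description` and silently accepts an empty list, which provisions nothing, so a description plus a `validation` block that rejects empty or blank names (sketched below) would surface a misconfiguration at plan time. Because `provider "hcp"` is configured once from `var.client_id`/`var.client_secret`, every workspace built from the template reads the app with the same service principal; that principal should be scoped to this one app where HCP allows it, and the `client_id`/`client_secret` descriptions should say that the credentials are shared by all workspaces of the template. The descriptions already note the `HCP_CLIENT_ID`/`HCP_CLIENT_SECRET` fallback, which is the path to prefer over literal values in template source.

```hcl
variable "secrets_list" {
  type        = list(string)
  description = "Names of the secrets to read from the HCP Vault Secrets app; each is exported to the workspace as an environment variable of the same name."
  validation {
    condition     = length(var.secrets_list) > 0 && alltrue([for s in var.secrets_list : trimspace(s) != ""])
    error_message = "secrets_list must contain at least one non-empty secret name."
  }
}
```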
@@ -10,15 +10,14 @@ tags: [helper, integration, vault, hashicorp, hvs]
 # HCP Vault Secrets
-This module lets you fetch secrets from [HCP Vault Secrets](https://developer.hashicorp.com/hcp/docs/vault-secrets) in your Coder workspaces.
+This module lets you fetch all or selective secrets from a [HCP Vault Secrets](https://developer.hashicorp.com/hcp/docs/vault-secrets) app into your Coder workspaces.
 ```tf
 module "vault" {
- source = "registry.coder.com/modules/hcp-vault-secrets/coder"
- version = "1.0.3"
- agent_id = coder_agent.example.id
- app_name = "demo-app"
- secrets_list = ["MY_SECRET_1", "MY_SECRET_2"]
+ source = "registry.coder.com/modules/hcp-vault-secrets/coder"
+ version = "1.0.3"
+ agent_id = coder_agent.example.id
+ app_name = "demo-app"
 }
 ```
@@ -26,7 +25,34 @@ module "vault" {
 To configure the HCP Vault Secrets module, you must create an HCP Service Principal from the HCP Vault Secrets app in the HCP console. This will give you the `HCP_CLIENT_ID` and `HCP_CLIENT_SECRET` that you need to authenticate with HCP Vault Secrets. See the [HCP Vault Secrets documentation](https://developer.hashicorp.com/hcp/docs/vault-secrets) for more information.
-## Example
+## Fetch All Secrets
+
+To fetch all secrets from the HCP Vault Secrets app, skip the `secrets` input.
+
+```tf
+module "vault" {
+ source = "registry.coder.com/modules/hcp-vault-secrets/coder"
+ version = "1.0.3"
+ agent_id = coder_agent.example.id
+ app_name = "demo-app"
+}
+```
+
+## Fetch Selective Secrets
+
+To fetch selective secrets from the HCP Vault Secrets app, set the `secrets` input.
+
+```tf
+module "vault" {
+ source = "registry.coder.com/modules/hcp-vault-secrets/coder"
+ version = "1.0.3"
+ agent_id = coder_agent.example.id
+ app_name = "demo-app"
+ secrets = ["MY_SECRET_1", "MY_SECRET_2"]
+}
+```
+
+## Set Client ID and Client Secret as Inputs
 Set `client_id` and `client_secret` as module inputs.
@@ -36,7 +62,6 @@ module "vault" {
 version = "1.0.3"
 agent_id = coder_agent.example.id
 app_name = "demo-app"
- secrets_list = ["MY_SECRET_1", "MY_SECRET_2"]
 client_id = "HCP_CLIENT_ID"
 client_secret = "HCP_CLIENT_SECRET"
 }
diff --git a/hcp-vault-secrets/main.tf b/hcp-vault-secrets/main.tf
index d52af2fd..40ab2834 100644
--- a/hcp-vault-secrets/main.tf
+++ b/hcp-vault-secrets/main.tf
@@ -25,10 +25,6 @@ variable "agent_id" {
 description = "The ID of a Coder agent."
 }
-variable "secrets_list" {
- type = list(string)
-}
-
 variable "client_id" {
 type = string
 description = <<-EOF
@@ -52,15 +48,20 @@ variable "app_name" {
 description = "The name of the secrets app in HCP Vault Secrets"
 }
-data "hcp_vault_secrets_secret" "secret" {
- for_each = toset(var.secrets_list)
- app_name = var.app_name
- secret_name = each.value
+variable "secrets" {
+ type = list(string)
+ description = "The names of the secrets to retrieve from HCP Vault Secrets"
+ default = null
+}
+
+data "hcp_vault_secrets_app" "secrets" {
+ app_name = var.app_name
 }
 resource "coder_env" "hvs_secrets" {
- for_each = data.hcp_vault_secrets_secret.secret
+ # https://support.hashicorp.com/hc/en-us/articles/4538432032787-Variable-has-a-sensitive-value-and-cannot-be-used-as-for-each-arguments
+ for_each = var.secrets != null ? toset(var.secrets) : nonsensitive(toset(keys(data.hcp_vault_secrets_app.secrets.secrets)))
 agent_id = var.agent_id
 name = each.key
- value = each.value.secret_value
+ value = data.hcp_vault_secrets_app.secrets.secrets[each.key]
 }
\ No newline at end of file
From 45377f576757b1c77824ab17de830e45bb7e0596 Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali
Date: Tue, 6 Feb 2024 08:28:20 +0300
Subject: [PATCH 3/3] add hyperlinks
---
hcp-vault-secrets/README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hcp-vault-secrets/README.md b/hcp-vault-secrets/README.md
index ca3c2ee9..c45cff63 100644
--- a/hcp-vault-secrets/README.md
+++ b/hcp-vault-secrets/README.md
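Review bot: `data "hcp_vault_secrets_app" "secrets"` reads every secret in the app and `value = data.hcp_vault_secrets_app.secrets.secrets[each.key]` only indexes into that full map, so setting `secrets` limits what reaches the workspace but not what the provisioner fetches and writes into the plan and state — the per-secret `hcp_vault_secrets_secret` reads this hunk removes did not have that problem, and I'd keep them for the selective path and use the app data source only when `var.secrets` is null, as sketched below (untested, and `one()` needs the `>= 1.0` the file already requires). The `nonsensitive(toset(keys(...)))` is acceptable because keys are names rather than values, but those names still become resource addresses like `coder_env.hvs_secrets["NAME"]` in plan output and state, which is worth a comment next to the linked support article. A name in `var.secrets` that the app does not contain currently fails with an opaque map-index error, whereas the per-secret data source reports the missing secret by name. The `null` default on `variable "secrets"` makes fetch-everything the default behaviour, which inverts least privilege; at minimum its description should say so, e.g. `description = "Names of the secrets to export; null (the default) exports every secret in the app, so prefer an explicit list."`.

```hcl
# … unchanged: variable "secrets" …

# Fetch-all path: read the whole app only when no allow-list was given.
data "hcp_vault_secrets_app" "secrets" {
  count    = var.secrets == null ? 1 : 0
  app_name = var.app_name
}

# Selective path: read only the named secrets, so unrequested values never enter plan or state.
data "hcp_vault_secrets_secret" "selected" {
  for_each    = var.secrets == null ? toset([]) : toset(var.secrets)
  app_name    = var.app_name
  secret_name = each.value
}

locals {
  hvs_secrets = var.secrets == null ? one(data.hcp_vault_secrets_app.secrets[*].secrets) : { for name, s in data.hcp_vault_secrets_secret.selected : name => s.secret_value }
}

resource "coder_env" "hvs_secrets" {
  # Keys are secret names, not values; they still appear as resource addresses in plan output and state.
  for_each = var.secrets == null ? nonsensitive(toset(keys(local.hvs_secrets))) : toset(var.secrets)
  agent_id = var.agent_id
  name     = each.key
  value    = local.hvs_secrets[each.key]
}
```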
@@ -10,7 +10,7 @@ tags: [helper, integration, vault, hashicorp, hvs]
 # HCP Vault Secrets
-This module lets you fetch all or selective secrets from a [HCP Vault Secrets](https://developer.hashicorp.com/hcp/docs/vault-secrets) app into your Coder workspaces.
+This module lets you fetch all or selective secrets from a [HCP Vault Secrets](https://developer.hashicorp.com/hcp/docs/vault-secrets) app into your [Coder](https://coder.com) workspaces. It makes use of the [`hcp_vault_secrets_app`](https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/data-sources/vault_secrets_app) data source from the [HCP provider](https://registry.terraform.io/providers/hashicorp/hcp/latest).
 ```tf
 module "vault" {