
Commit 5a7e3f6

authored
Add Hashicorp Vault Secrets Integration module (coder#144)
1 parent acab643 commit 5a7e3f6

2 files changed

+135
-0
lines changed


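--- a/hcp-vault-secrets/README.md
+++ b/hcp-vault-secrets/README.md
@@ -0,0 +1,68 @@
+---
+display_name: "HCP Vault Secrets"
+description: "Fetch secrets from HCP Vault"
+icon: ../.icons/vault.svg
+maintainer_github: coder
+partner_github: hashicorp
+verified: true
+tags: [helper, integration, vault, hashicorp, hvs]
+---
+
+# HCP Vault Secrets
+
+This module lets you fetch all or selective secrets from a [HCP Vault Secrets](https://developer.hashicorp.com/hcp/docs/vault-secrets) app into your [Coder](https://coder.com) workspaces. It makes use of the [`hcp_vault_secrets_app`](https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/data-sources/vault_secrets_app) data source from the [HCP provider](https://registry.terraform.io/providers/hashicorp/hcp/latest).
+
+```tf
+module "vault" {
+source = "registry.coder.com/modules/hcp-vault-secrets/coder"
+version = "1.0.3"
+agent_id = coder_agent.example.id
+app_name = "demo-app"
+}
+```
+
+## Configuration
+
+To configure the HCP Vault Secrets module, you must create an HCP Service Principal from the HCP Vault Secrets app in the HCP console. This will give you the `HCP_CLIENT_ID` and `HCP_CLIENT_SECRET` that you need to authenticate with HCP Vault Secrets. See the [HCP Vault Secrets documentation](https://developer.hashicorp.com/hcp/docs/vault-secrets) for more information.
+
+## Fetch All Secrets
+
+To fetch all secrets from the HCP Vault Secrets app, skip the `secrets` input.
+
+```tf
+module "vault" {
+source = "registry.coder.com/modules/hcp-vault-secrets/coder"
+version = "1.0.3"
+agent_id = coder_agent.example.id
+app_name = "demo-app"
+}
+```
+
+## Fetch Selective Secrets
+
+To fetch selective secrets from the HCP Vault Secrets app, set the `secrets` input.
+
+```tf
+module "vault" {
+source = "registry.coder.com/modules/hcp-vault-secrets/coder"
+version = "1.0.3"
+agent_id = coder_agent.example.id
+app_name = "demo-app"
+secrets = ["MY_SECRET_1", "MY_SECRET_2"]
+}
+```
+
+## Set Client ID and Client Secret as Inputs
+
+Set `client_id` and `client_secret` as module inputs.
+
+```tf
+module "vault" {
+source = "registry.coder.com/modules/hcp-vault-secrets/coder"
+version = "1.0.3"
+agent_id = coder_agent.example.id
+app_name = "demo-app"
+client_id = "HCP_CLIENT_ID"
+client_secret = "HCP_CLIENT_SECRET"
+}
+```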

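--- a/hcp-vault-secrets/main.tf
+++ b/hcp-vault-secrets/main.tf
@@ -0,0 +1,67 @@
+terraform {
+required_version = ">= 1.0"
+
+required_providers {
+coder = {
+source = "coder/coder"
+version = ">= 0.12.4"
+}
+hcp = {
+source = "hashicorp/hcp"
+version = ">= 0.82.0"
+}
+}
+}
+
+provider "hcp" {
+client_id = var.client_id
+client_secret = var.client_secret
+}
+
+provider "coder" {}
+
+variable "agent_id" {
+type = string
+description = "The ID of a Coder agent."
+}
+
+variable "client_id" {
+type = string
+description = <<-EOF
+The client ID for the HCP Vault Secrets service principal. (Optional if HCP_CLIENT_ID is set as an environment variable.)
+EOF
+default = null
+sensitive = true
+}
+
+variable "client_secret" {
+type = string
+description = <<-EOF
+The client secret for the HCP Vault Secrets service principal. (Optional if HCP_CLIENT_SECRET is set as an environment variable.)
+EOF
+default = null
+sensitive = true
+}
+
+variable "app_name" {
+type = string
+description = "The name of the secrets app in HCP Vault Secrets"
+}
+
+variable "secrets" {
+type = list(string)
+description = "The names of the secrets to retrieve from HCP Vault Secrets"
+default = null
+}
+
+data "hcp_vault_secrets_app" "secrets" {
+app_name = var.app_name
+}
+
+resource "coder_env" "hvs_secrets" {
+# https://support.hashicorp.com/hc/en-us/articles/4538432032787-Variable-has-a-sensitive-value-and-cannot-be-used-as-for-each-arguments
+for_each = var.secrets != null ? toset(var.secrets) : nonsensitive(toset(keys(data.hcp_vault_secrets_app.secrets.secrets)))
+agent_id = var.agent_id
+name = each.key
+value = data.hcp_vault_secrets_app.secrets.secrets[each.key]
+}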
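Review bot: In the selective path of `coder_env.hvs_secrets` (lines 63–66), a name in `var.secrets` that does not exist in the app fails on `data.hcp_vault_secrets_app.secrets.secrets[each.key]` with a bare "Invalid index" that names neither the missing secret nor the app; a `lifecycle { precondition }` on the resource would turn that into an actionable error, reusing the same `nonsensitive(toset(keys(...)))` expression the `for_each` already relies on. Preconditions need Terraform 1.2 or later, so `required_version` on line 2 would have to move from `">= 1.0"` to `">= 1.2"` — worth confirming against the module registry's supported range. Separately, each fetched value is assigned to `coder_env.value` and so is recorded in Terraform state; a short comment on the resource saying so, e.g. `# Secret values are written to coder_env and therefore to Terraform state; prefer the selective form where the app holds more than the workspace needs.`, would help template authors choose between the fetch-all default and an explicit `secrets` list.
```hcl
resource "coder_env" "hvs_secrets" {
  # … unchanged: for_each, agent_id, name, value …

  lifecycle {
    precondition {
      condition     = contains(nonsensitive(toset(keys(data.hcp_vault_secrets_app.secrets.secrets))), each.key)
      error_message = "Secret \"${each.key}\" was not found in HCP Vault Secrets app \"${var.app_name}\"."
    }
  }
}
```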
