remove automatic secrets

2 years ago · 0c6c370a7c
parent ae3defa8bd
commit 0c6c370a7c
3 changed files with 0 additions and 61 deletions
--- a/vault/README.md
+++ b/vault/README.md
@ -36,24 +36,6 @@ module "vault" {
 }
 ```

-### Configure Vault integration and automatically fetch secrets from Vault
-
-Configure Vault integration and automatically fetch secrets from Vault and inject them into the workspace environment. This works by specifying the `secrets` variable with a list of secrets paths and keys to fetch from Vault. Multiple secrets can be specified by using a map of secret paths to a list of keys to fetch from each secret. For more information, see the [Vault documentation](https://www.vaultproject.io/api-docs/secret/kv/kv-v2#read-secret-version).
-
-````hcl
-For more information, see the [Vault documentation](https://www.vaultproject.io/docs/secrets/kv/kv-v2).
-
-```hcl
-module "vault" {
-    source     = "https://registry.coder.com/modules/vault"
-    vault_addr = "https://vault.example.com"
-    secrets    = {
-        "secret/data/foo" = ["FOO", "BAR"]
-        "secret/data/bar" = ["BAZ"]
-    }
-}
-````
-
 ### Configure Vault integration and install a specific version of the Vault CLI

 ```hcl
--- a/vault/main.tf
+++ b/vault/main.tf
@ -26,25 +26,6 @@ variable "vault_auth_id" {
  default     = "vault"
 }

-variable "secrets" {
-  type        = map(object({ secrets = list(string), file = string }))
-  description = <<EOF
-  description = "A map of secret paths, secret names, and destination files."
-  e.g,
-  {
-    "secret/data/my-secret-1" = {
-      "secrets" = ["username", "password"]
-      "file" = "secrets.env"
-    },
-    "secret/data/my-secret-2" = {
-      "secrets" = ["username", "password"]
-      "file" = "secrets2.env"
-    }
-  }
-  EOF 
-  default     = {}
-}
-
 variable "vault_cli_version" {
  type        = string
  description = "The version of Vault to install."
@ -64,7 +45,6 @@ resource "coder_script" "vault" {
    VAULT_ADDR : var.vault_addr,
    VAULT_TOKEN : data.coder_git_auth.vault.access_token,
    VERSION : var.vault_cli_version,
-    SECRETS : replace(replace(jsonencode(var.secrets), "\"", "\\\""), "/", "_")
  })
  run_on_start = true
 }
--- a/vault/run.sh
+++ b/vault/run.sh
@ -61,26 +61,3 @@ if [[ -f ~/.config/fish/config.fish ]] && ! grep -q "VAULT_ADDR" ~/.config/fish/
    printf "\nAdding VAULT_ADDR to ~/.config/fish/config.fish ...\n"
    echo "set -x VAULT_ADDR ${VAULT_ADDR}" >> ~/.config/fish/config.fish
 fi
-
-
-
-# Skip fetching secrets if SECRETS is {}
-if [ "${SECRETS}" = "{}" ]; then
-    exit 0
-fi
-
-printf "🔍 Fetching secrets ...\n\n"
-for key in $(echo "${SECRETS}" | jq -r "keys[]" ); do
-    formatted_key=$(echo "$${key}" | tr '_' '/')
-    secrets=$(echo "${SECRETS}" | jq -r ".$${key}.secrets[]")
-    file=$(echo "${SECRETS}" | jq -r ".$${key}.file")
-    printf "Fetching secrets from $${formatted_key} ...\n"
-    for secret in $${secrets}; do
-        value=$(vault kv get -format=json $${formatted_key} | jq -r ".data.data.$${secret}")
-        # create directory if it doesn't exist
-        mkdir -p $(dirname $${file})
-        printf "$${secret}=$${value}\n" >> $${file}
-    done
-    printf "\n"
-done
-