add vault integration

2 years ago · 2dc35d8c0b
parent dda094f168
commit 2dc35d8c0b
5 changed files with 208 additions and 0 deletions
--- a/.icons/vault.svg
+++ b/.icons/vault.svg
@ -0,0 +1,2 @@
 <?xml version="1.0" encoding="utf-8"?><!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
 <svg width="800px" height="800px" viewBox="0 0 16 16" xmlns="http://www.w3.org/2000/svg" fill="none"><path fill="#FFD814" d="M0 0l7.971 15.516L16 0H0zm6.732 6.16h-1.27V4.89h1.27v1.27zm0-1.906h-1.27V2.985h1.27v1.269zm1.904 3.81h-1.27v-1.27h1.27v1.27zm0-1.905h-1.27V4.89h1.27v1.27zm0-1.905h-1.27V2.985h1.27v1.269zm1.894 1.905H9.26V4.89h1.27v1.27zM9.26 4.254V2.985h1.27v1.269H9.26z"/></svg>
--- a/.images/vault-login.png
+++ b/.images/vault-login.png
--- a/vault/README.md
+++ b/vault/README.md
@ -0,0 +1,64 @@
 ---
 display_name: vault
 description: Authenticates with Vault and injects secrets into the environment.
 icon: ../.icons/vault.svg
 maintainer_github: coder
 verified: true
 tags: [helper, integration, vault]
 ---
 # Hashicorp Vault
 This module authenticates with Vault and injects secrets into the environment.
 > **Note:** This module does not cover setting up and configuring Vault. For that, see the [Vault documentation](https://www.vaultproject.io/docs).
 ```hcl
 module "vault" {
    source = "https://registry.coder.com/modules/vault"
    vault_addr = "https://vault.example.com"
 }
 ```
 ![Vault login](./.images/vault-login.png)
 ## Examples
 ### Configure Vault integration with a custom Vault auth id
 See [docs](https://coder.com/docs/v2/latest/admin/external-auth) for more information what are external auth ids.
 ```hcl
 module "vault" {
    source = "https://registry.coder.com/modules/vault"
    vault_addr = "https://vault.example.com"
    vault_auth_id = "my-auth-id"
 }
 ```
 ### Configure Vault integration and automatically fetch secrets from Vault
 Configure Vault integration and automatically fetch secrets from Vault and inject them into the workspace environment. This works by specifying the `secrets` variable with a list of secrets paths and keys to fetch from Vault. Multiple secrets can be specified by using a map of secret paths to a list of keys to fetch from each secret. For more information, see the [Vault documentation](https://www.vaultproject.io/api-docs/secret/kv/kv-v2#read-secret-version).
 ```hcl
 For more information, see the [Vault documentation](https://www.vaultproject.io/docs/secrets/kv/kv-v2).
 ```hcl
 module "vault" {
    source     = "https://registry.coder.com/modules/vault"
    vault_addr = "https://vault.example.com"
    secrets    = {
        "secret/data/foo" = ["FOO", "BAR"]
        "secret/data/bar" = ["BAZ"]
    }
 }
 ```
 ### Configure Vault integration and install a specific version of the Vault CLI
 ```hcl
 module "vault" {
    source = "https://registry.coder.com/modules/vault"
    vault_addr = "https://vault.example.com"
    vault_cli_version = "1.15.0"
 }
 ```
--- a/vault/main.tf
+++ b/vault/main.tf
@ -0,0 +1,61 @@
 terraform {
  required_version = ">= 1.0"
  required_providers {
    coder = {
      source  = "coder/coder"
      version = ">= 0.12"
    }
  }
 }
 # Add required variables for your modules and remove any unneeded variables
 variable "agent_id" {
  type        = string
  description = "The ID of a Coder agent."
 }
 variable "vault_addr" {
  type        = string
  description = "The address of the Vault server."
 }
 variable "vault_auth_id" {
  type        = string
  description = "The ID of the Vault auth method to use."
  default     = "vault"
 }
 variable "secrets" {
  type        = map(string)
  description = "A map of secrets to set as environment variables."
  default     = {}
 }
 variable "vault_cli_version" {
  type        = string
  description = "The version of Vault to install."
  default     = "latest"
  # validate the version is in the format 0.0.0 or latest
  validation {
    condition     = can(regex("^(latest|[0-9]+\\.[0-9]+\\.[0-9]+)$", var.vault_version))
    error_message = "Vault version must be in the format 0.0.0 or latest"
  }
 }
 resource "coder_script" "vault" {
  agent_id     = var.agent_id
  display_name = "vault"
  icon         = "/icon/vault.svg"
  script = templatefile("${path.module}/run.sh", {
    VAULT_ADDR : var.vault_addr,
    VAULT_TOKEN : data.coder_external_auth.vault.access_token,
    VERSION : var.vault_cli_version,
    SECRETS : jsonencode(var.secrets),
  })
  run_on_start = true
 }
 data "coder_external_auth" "vault" {
  id = var.vault_auth_id
 }
--- a/vault/run.sh
+++ b/vault/run.sh
@ -0,0 +1,81 @@
 #!/usr/bin/env sh
 BOLD='\033[0;1m'
 # Check if vault is installed
 if ! command -v vault &> /dev/null; then
    printf "$${BOLD}Installing vault CLI ...\n\n"
    # check if wget is installed
    if ! command -v wget &> /dev/null; then
        printf "wget is not installed. Please install wget in your image.\n"
        exit 1
    fi
    # check if unzip is installed
    if ! command -v unzip &> /dev/null; then
        printf "unzip is not installed. Please install unzip in your image.\n"
        exit 1
    fi
    # check if VERSION is latest
    if [ "${VERSION}" = "latest" ]; then
        INSTALL_VERSION=$(curl -s https://releases.hashicorp.com/vault/ | grep -oP '[0-9]+\.[0-9]+\.[0-9]' | tr -d '<>' | head -1)
    else
        INSTALL_VERSION=${VERSION}
    fi
    # download vault
    wget -O vault.zip https://releases.hashicorp.com/vault/$${INSTALL_VERSION}/vault_$${INSTALL_VERSION}_linux_amd64.zip
    unzip vault.zip
    sudo mv vault /usr/local/bin
    rm vault.zip
 fi
 printf "🥳 Installation comlete!\n\n"
 # Set up Vault address and token
 export VAULT_ADDR=${VAULT_ADDR}
 export VAULT_TOKEN=${VAULT_TOKEN}
 # Verify Vault address and token
 printf "🔎 Verifying Vault address and token ...\n\n"
 vault status
 # Set secrets if $SECRETS is set
 if [ -z "${SECRETS}" ]; then
    printf "\n🔑 No secrets to set ...\n\n"
    exit 0
 fi
 printf "\n🔑 Fetching secrets ...\n\n"
 # Check if jq is installed
 if ! command -v jq >/dev/null; then
    echo "jq is not installed. Please install jq to automatically set the secrets."
    exit 0 # exit with 0 to prevent failure (this is not a hard requirement, a user can still set the secrets manually)
 fi
 # Decode the JSON string to a temporary file
 echo "$SECRETS" | jq '.' > temp.json
 # Iterate through the keys and values in the JSON file
 for key in $(jq -r 'keys[]' temp.json); do
    path=$(echo $key | tr -d \")
    # Fetch the secrets from Vault
    secrets=$(vault kv get -format=json $path)
    # Get the array of secret names from the JSON file
    sceret_names=$(jq -r ".$key[]" temp.json)
    # Convert the list of environment variables to an array
    IFS=', ' read -r -a sceret_array <<< "$sceret_names"
    # Set the environment variables with the secret values
    for secret_name in "${sceret_array[@]}"; do
        # Remove quotes from the variable name
        secret_name=$(echo $secret_name | tr -d \")
        # Assuming the secrets are stored in a key named 'data' in Vault
        secret_value=$(echo $secrets | jq -r ".data.data.$secret_name")
        export $secret_name=$secret_value
    done
 done
 # Remove the temporary file
 rm temp.json
		`@ -0,0 +1,2 @@`
							`<?xml version="1.0" encoding="utf-8"?><!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->`
							`<svg width="800px" height="800px" viewBox="0 0 16 16" xmlns="http://www.w3.org/2000/svg" fill="none"><path fill="#FFD814" d="M0 0l7.971 15.516L16 0H0zm6.732 6.16h-1.27V4.89h1.27v1.27zm0-1.906h-1.27V2.985h1.27v1.269zm1.904 3.81h-1.27v-1.27h1.27v1.27zm0-1.905h-1.27V4.89h1.27v1.27zm0-1.905h-1.27V2.985h1.27v1.269zm1.894 1.905H9.26V4.89h1.27v1.27zM9.26 4.254V2.985h1.27v1.269H9.26z"/></svg>`