From 762041eb87aa848c76a5d85a2cdafafaca334f22 Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali
Date: Sun, 26 Nov 2023 05:05:24 +0300
Subject: [PATCH] add vault-github auth

---
 vault-github/README.md | 59 ++++++++++++++++--------------------------
 vault-github/main.tf | 19 +++++++++-----
 vault-github/run.sh | 22 +++++++++++-----
 3 files changed, 50 insertions(+), 50 deletions(-)

diff --git a/vault-github/README.md b/vault-github/README.md
index 5fbf050..cacf6f6 100644
--- a/vault-github/README.md
+++ b/vault-github/README.md
@@ -1,21 +1,19 @@
 ---
-display_name: vault
-description: Authenticates with Vault
+display_name: Hashicorp Vault Integration (GitHub)
+description: Authenticates with Vault using GitHub
 icon: ../.icons/vault.svg
 maintainer_github: coder
 verified: true
-tags: [helper, integration, vault]
+tags: [helper, integration, vault, github]
 ---
 
-# Hashicorp Vault
+# Hashicorp Vault Integration (GitHub)
 
-This module lets you authenticate with [Hashicorp Vault](https://www.vaultproject.io/) in your Coder workspaces.
-
-> **Note:** This module does not cover setting up and configuring Vault auth methods. For that, see the [Vault documentation](https://developer.hashicorp.com/vault/docs/auth).
+This module lets you authenticate with [Hashicorp Vault](https://www.vaultproject.io/) in your Coder workspaces using GitHub [external auth](https://coder.com/docs/v2/latest/admin/external-auth).
 
 ```hcl
 module "vault" {
- source = "https://registry.coder.com/modules/vault"
+ source = "https://registry.coder.com/modules/vault-github"
 agent_id = coder_agent.example.id
 vault_addr = "https://vault.example.com"
 }
@@ -37,43 +35,30 @@ curl -H "X-Vault-Token: $VAULT_TOKEN" -X GET $VAULT_ADDR/v1/secret/data/my-secre
 
 ## Configuration
 
-To configure the Vault module, you must setup a Vault [OIDC Provider](https://developer.hashicorp.com/vault/docs/concepts/oidc-provider) and [configure](https://coder.com/docs/v2/latest/admin/external-auth) Coder to use it.
-
-### OIDC Provider in Vault
-
-1. Create a [Vault OIDC Application](https://developer.hashicorp.com/vault/tutorials/auth-methods/oidc-identity-provider) with name `coder` and set the Redirect URI to `https://coder.example.com/external-auth/vault/callback`.
-2. Make note of the `Client ID` and `Client Secret`.
-3. Add a provider to OIDC application with name `coder` and set the "Issuer URL" to `$VAULT_ADDR`.
+To configure the Vault module, you must set up a Vault GitHub auth method. See the [Vault documentation](https://www.vaultproject.io/docs/auth/github) for more information.
 
-### Coder configuration
+## Examples
 
-Add the following to your Coder configuration:
+### Configure Vault integration with a different Coder GitHub external auth ID (i.e., not the default `github`)
 
-```env
-CODER_EXTERNAL_AUTH_0_ID: "vault"
-CODER_EXTERNAL_AUTH_0_TYPE: "vault"
-CODER_EXTERNAL_AUTH_0_CLIENT_ID: "XXXXXXXXXX"
-CODER_EXTERNAL_AUTH_0_CLIENT_SECRET: "XXXXXXXXX"
-CODER_EXTERNAL_AUTH_0_DISPLAY_NAME: "Hashicorp Vault"
-CODER_EXTERNAL_AUTH_0_DISPLAY_ICON: "/icon/vault.svg"
-CODER_EXTERNAL_AUTH_0_VALIDATE_URL: "$VAULT_ADDR/v1/identity/oidc/provider/coder/userinfo"
-CODER_EXTERNAL_AUTH_0_AUTH_URL: "$VAULT_ADDR/ui/vault/identity/oidc/provider/coder/authorize"
-CODER_EXTERNAL_AUTH_0_TOKEN_URL: "$VAULT_ADDR/v1/identity/oidc/provider/coder/token"
-CODER_EXTERNAL_AUTH_0_SCOPES: "openid"
+```hcl
+module "vault" {
+ source = "https://registry.coder.com/modules/vault"
+ agent_id = coder_agent.example.id
+ vault_addr = "https://vault.example.com"
+ coder_github_auth_id = "my-github-auth-id"
+}
 ```
 
-> **Note:** Replace `$VAULT_ADDR` with your Vault address.
e.g. `https://vault.example.com`.
-
-## Examples
-
-### Configure Vault integration with a custom Vault auth id
+### Configure Vault integration with a different Coder GitHub external auth ID and a different Vault GitHub auth path
 
 ```hcl
 module "vault" {
- source = "https://registry.coder.com/modules/vault"
- agent_id = coder_agent.example.id
- vault_addr = "https://vault.example.com"
- auth_provider_id = "my-auth-id"
+ source = "https://registry.coder.com/modules/vault"
+ agent_id = coder_agent.example.id
+ vault_addr = "https://vault.example.com"
+ coder_github_auth_id = "my-github-auth-id"
+ vault_github_auth_path = "my-github-auth-path"
 }
 ```
 
diff --git a/vault-github/main.tf b/vault-github/main.tf
index b43a18f..b867404 100644
--- a/vault-github/main.tf
+++ b/vault-github/main.tf
@@ -20,10 +20,16 @@ variable "vault_addr" {
 description = "The address of the Vault server."
 }
 
-variable "auth_provider_id" {
+variable "coder_github_auth_id" {
 type = string
- description = "The ID of the Vault auth method to use."
- default = "vault"
+ description = "The ID of the GitHub external auth."
+ default = "github"
+}
+
+variable "vault_github_auth_path" {
+ type = string
+ description = "The path to the GitHub auth method."
+ default = "github"
 }
 
 variable "vault_cli_version" {
@@ -42,12 +48,13 @@ resource "coder_script" "vault" {
 icon = "/icon/vault.svg"
 script = templatefile("${path.module}/run.sh", {
 VAULT_ADDR : var.vault_addr,
- PROVIDER_ID : var.auth_provider_id,
+ AUTH_PATH : var.vault_github_auth_path,
+ GITHUB_EXTERNAL_AUTH_ID : data.coder_external_auth.github.id,
 VERSION : var.vault_cli_version,
 })
 run_on_start = true
 }
 
-data "coder_external_auth" "vault" {
- id = var.auth_provider_id
+data "coder_external_auth" "github" {
+ id = var.coder_github_auth_id
 }
diff --git a/vault-github/run.sh b/vault-github/run.sh
index d23689f..7f4112b 100644
--- a/vault-github/run.sh
+++ b/vault-github/run.sh
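Review bot: The description of the new `vault_github_auth_path` variable in `@@ -20,10 +20,16 @@` does not say what kind of path it is, and because the value is passed straight into `vault login -path=` by run.sh the operator needs to know it is the Vault auth mount path relative to `auth/`, not a filesystem path or a full API path. Suggested text: `description = "The mount path of the GitHub auth method in Vault, relative to auth/ (e.g. github for auth/github)."`. Likewise the `coder_github_auth_id` description could state that the value must match the `CODER_EXTERNAL_AUTH_<n>_ID` configured on the Coder deployment, since that is what `data.coder_external_auth.github` is looked up by.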
@@ -1,9 +1,10 @@
 #!/usr/bin/env bash
 
 BOLD='\033[0;1m'
-PROVIDER_ID=${PROVIDER_ID}
 VAULT_ADDR=${VAULT_ADDR}
 VERSION=${VERSION}
+AUTH_PATH=${AUTH_PATH}
+GITHUB_EXTERNAL_AUTH_ID=${GITHUB_EXTERNAL_AUTH_ID}
 
 # Check if vault is installed
 if ! command -v vault &>/dev/null; then
@@ -36,19 +37,23 @@ printf "🄳 Installation complete!\n\n"
 
 # Set up Vault token
 printf "šŸ”‘ Authenticating with Vault ...\n\n"
-echo "PROVIDER_ID: $PROVIDER_ID"
-VAULT_TOKEN=$(coder external-auth access-token $PROVIDER_ID)
+echo "AUTH_PATH: $AUTH_PATH"
+echo "GITHUB_EXTERNAL_AUTH_ID: $GITHUB_EXTERNAL_AUTH_ID"
+GITHUB_TOKEN=$(coder external-auth access-token $GITHUB_EXTERNAL_AUTH_ID)
 if [ $? -ne 0 ]; then
- printf "Authenticate with Vault:\n$VAULT_TOKEN\n"
+ printf "Authentication with Vault failed. Please check your credentials.\n"
 exit 1
 fi
 
 export VAULT_ADDR=$VAULT_ADDR
 
-# Verify Vault address and token
-printf "šŸ”Ž Verifying Vault address and token ...\n\n"
+# Verify Vault address
+printf "šŸ”Ž Verifying Vault address...\n\n"
 vault status
-vault login $VAULT_TOKEN
+
+# Login to Vault to using GitHub token
+printf "šŸ”‘ Logging in to Vault ...\n\n"
+vault login -method=github token=$GITHUB_TOKEN -path=/$AUTH_PATH
 
 # Add VAULT_ADDR to shell login scripts if not already present e.g. .bashrc, .zshrc
 # This is a temporary fix and will be replaced with https://github.com/coder/coder/issues/10166
@@ -69,3 +74,6 @@ if [[ -f ~/.config/fish/config.fish ]] && ! grep -q "VAULT_ADDR" ~/.config/fish/
 printf "\nAdding VAULT_ADDR to ~/.config/fish/config.fish ...\n"
 echo "set -x VAULT_ADDR $VAULT_ADDR" >>~/.config/fish/config.fish
 fi
+
+printf "\n🄳 Vault authentication complete!\n\n"
+printf "You can now use Vault CLI to access secrets.\n"
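Review bot: In `@@ -36,19 +37,23 @@`, `vault login -method=github token=$GITHUB_TOKEN -path=/$AUTH_PATH` passes the GitHub access token as a command-line argument, so for the duration of the login it is typically readable by other processes on the workspace through `ps` or `/proc/*/cmdline`, and it would be echoed to the script log if `set -x` were ever enabled. The Vault CLI's GitHub auth helper reads the token from the `VAULT_AUTH_GITHUB_TOKEN` environment variable, so `VAULT_AUTH_GITHUB_TOKEN="$GITHUB_TOKEN" vault login -method=github -path="$AUTH_PATH"` keeps it out of argv. Separately, the exit status of `vault login` (and of `vault status`) is never checked and no `set -e` is visible in the `@@ -1,9 +1,10 @@` hunk, so after a failed login the script still edits the shell rc files and the `@@ -69,3 +74,6 @@` hunk prints "Vault authentication complete!"; appending `|| { printf "Vault login failed.\n"; exit 1; }` to the login line would surface the failure. The unquoted `$GITHUB_EXTERNAL_AUTH_ID` in the `coder external-auth access-token` call should be quoted as well, matching the new `"$AUTH_PATH"` above.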