Update Hashicorp vault modules (#140)

Co-authored-by: Mathias Fredriksson <mafredri@gmail.com>
1 year ago · ac64af6f02
parent b299f98161
commit ac64af6f02
5 changed files with 307 additions and 46 deletions
--- a/vault-github/run.sh
+++ b/vault-github/run.sh
@ -1,4 +1,4 @@
-#!/usr/bin/env sh
+#!/usr/bin/env bash
 # Convert all templated variables to shell variables
 INSTALL_VERSION=${INSTALL_VERSION}
@ -20,7 +20,7 @@ fetch() {
  fi
 }
-unzip() {
+unzip_safe() {
  if command -v unzip > /dev/null 2>&1; then
    command unzip "$@"
  elif command -v busybox > /dev/null 2>&1; then
@ -31,57 +31,68 @@ unzip() {
  fi
 }
-# Fetch the latest version of Vault if INSTALL_VERSION is 'latest'
+install() {
-if [ "$${INSTALL_VERSION}" = "latest" ]; then
+  # Fetch the latest version of Vault if INSTALL_VERSION is 'latest'
-  LATEST_VERSION=$(curl -s https://releases.hashicorp.com/vault/ | grep -oP 'vault/\K[0-9]+\.[0-9]+\.[0-9]+' | sort -V | tail -n 1)
+  if [ "$${INSTALL_VERSION}" = "latest" ]; then
-  printf "Latest version of Vault is %s.\n\n" "$${LATEST_VERSION}"
+    LATEST_VERSION=$(curl -s https://releases.hashicorp.com/vault/ | grep -oP 'vault/\K[0-9]+\.[0-9]+\.[0-9]+' | sort -V | tail -n 1)
-  if [ -z "$${LATEST_VERSION}" ]; then
+    printf "Latest version of Vault is %s.\n\n" "$${LATEST_VERSION}"
-    printf "Failed to determine the latest Vault version.\n"
+    if [ -z "$${LATEST_VERSION}" ]; then
-    exit 1
+      printf "Failed to determine the latest Vault version.\n"
      return 1
    fi
    INSTALL_VERSION=$${LATEST_VERSION}
  fi
  VERSION=$${LATEST_VERSION}
 fi
-# Check if the vault CLI is installed and has the correct version
+  # Check if the vault CLI is installed and has the correct version
-installation_needed=1
+  installation_needed=1
-if command -v vault > /dev/null 2>&1; then
+  if command -v vault > /dev/null 2>&1; then
-  CURRENT_VERSION=$(vault version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')
+    CURRENT_VERSION=$(vault version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')
-  if [ "$${CURRENT_VERSION}" = "$${INSTALL_VERSION}" ]; then
+    if [ "$${CURRENT_VERSION}" = "$${INSTALL_VERSION}" ]; then
-    printf "Vault version %s is already installed and up-to-date.\n\n" "$${CURRENT_VERSION}"
+      printf "Vault version %s is already installed and up-to-date.\n\n" "$${CURRENT_VERSION}"
-    installation_needed=0
+      installation_needed=0
    fi
  fi
 fi
-if [ $${installation_needed} -eq 1 ]; then
+  if [ $${installation_needed} -eq 1 ]; then
-  # Download and install Vault
+    # Download and install Vault
-  if [ -z "$${CURRENT_VERSION}" ]; then
+    if [ -z "$${CURRENT_VERSION}" ]; then
-    printf "Installing Vault CLI ...\n\n"
+      printf "Installing Vault CLI ...\n\n"
-  else
+    else
-    printf "Upgrading Vault CLI from version %s to %s ...\n\n" "$${CURRENT_VERSION}" "$${VERSION}"
+      printf "Upgrading Vault CLI from version %s to %s ...\n\n" "$${CURRENT_VERSION}" "${INSTALL_VERSION}"
-  fi
+    fi
-  fetch vault.zip "https://releases.hashicorp.com/vault/$${VERSION}/vault_$${VERSION}_linux_amd64.zip"
+    fetch vault.zip "https://releases.hashicorp.com/vault/$${INSTALL_VERSION}/vault_$${INSTALL_VERSION}_linux_amd64.zip"
-  if [ $? -ne 0 ]; then
+    if [ $? -ne 0 ]; then
-    printf "Failed to download Vault.\n"
+      printf "Failed to download Vault.\n"
-    exit 1
+      return 1
-  fi
+    fi
-  unzip vault.zip
+    if ! unzip_safe vault.zip; then
-  if [ $? -ne 0 ]; then
+      printf "Failed to unzip Vault.\n"
-    printf "Failed to unzip Vault.\n"
+      return 1
-    exit 1
+    fi
-  fi
+    rm vault.zip
-  rm vault.zip
+    if sudo mv vault /usr/local/bin/vault 2> /dev/null; then
-  if sudo mv vault /usr/local/bin/vault 2> /dev/null; then
+      printf "Vault installed successfully!\n\n"
-    printf "Vault installed successfully!\n\n"
+    else
-  else
+      mkdir -p ~/.local/bin
-    mkdir -p ~/.local/bin
+      if ! mv vault ~/.local/bin/vault; then
-    mv vault ~/.local/bin/vault
+        printf "Failed to move Vault to local bin.\n"
-    if [ ! -f ~/.local/bin/vault ]; then
+        return 1
-      printf "Failed to move Vault to local bin.\n"
+      fi
-      exit 1
+      printf "Please add ~/.local/bin to your PATH to use vault CLI.\n"
    fi
    printf "Please add ~/.local/bin to your PATH to use vault CLI.\n"
  fi
  return 0
 }
 TMP=$(mktemp -d)
 if ! (
  cd "$TMP"
  install
 ); then
  echo "Failed to install Vault CLI."
  exit 1
 fi
 rm -rf "$TMP"
 # Authenticate with Vault
 printf "🔑 Authenticating with Vault ...\n\n"
--- a/vault-token/README.md
+++ b/vault-token/README.md
@ -0,0 +1,83 @@
 ---
 display_name: Hashicorp Vault Integration (Token)
 description: Authenticates with Vault using Token
 icon: ../.icons/vault.svg
 maintainer_github: coder
 partner_github: hashicorp
 verified: true
 tags: [helper, integration, vault, token]
 ---
 # Hashicorp Vault Integration (Token)
 This module lets you authenticate with [Hashicorp Vault](https://www.vaultproject.io/) in your Coder workspaces using a [Vault token](https://developer.hashicorp.com/vault/docs/auth/token).
 ```tf
 variable "vault_token" {
  type        = string
  description = "The Vault token to use for authentication."
  sensitive   = true
 }
 module "vault" {
  source      = "registry.coder.com/modules/vault-token/coder"
  version     = "1.0.3"
  agent_id    = coder_agent.example.id
  vault_token = var.token
  vault_addr  = "https://vault.example.com"
 }
 ```
 Then you can use the Vault CLI in your workspaces to fetch secrets from Vault:
 ```shell
 vault kv get -namespace=coder -mount=secrets coder
 ```
 or using the Vault API:
 ```shell
 curl -H "X-Vault-Token: ${VAULT_TOKEN}" -X GET "${VAULT_ADDR}/v1/coder/secrets/data/coder"
 ```
 ## Configuration
 To configure the Vault module, you must create a Vault token with the the required permissions and configure the module with the token and Vault address.
 1. Create a vault policy with read access to the secret mount you need your developers to access.
   ```shell
   vault policy write read-coder-secrets - <<EOF
    path "coder/data/*" {
      capabilities = ["read"]
    }
    path "coder/metadata/*" {
      capabilities = ["read"]
    }
    EOF
   ```
 2. Create a token using this policy.
   ```shell
   vault token create -policy="read-coder-secrets"
   ```
 3. Copy the generated token and use in your template.
 ## Examples
 ### Configure Vault integration and install a specific version of the Vault CLI
 ```tf
 variable "vault_token" {
  type        = string
  description = "The Vault token to use for authentication."
  sensitive   = true
 }
 module "vault" {
  source            = "registry.coder.com/modules/vault-token/coder"
  version           = "1.0.3"
  agent_id          = coder_agent.example.id
  vault_addr        = "https://vault.example.com"
  vault_token       = var.token
  vault_cli_version = "1.15.0"
 }
 ```
--- a/vault-token/main.test.ts
+++ b/vault-token/main.test.ts
@ -0,0 +1,12 @@
 import { describe } from "bun:test";
 import { runTerraformInit, testRequiredVariables } from "../test";
 describe("vault-token", async () => {
  await runTerraformInit(import.meta.dir);
  testRequiredVariables(import.meta.dir, {
    agent_id: "foo",
    vault_addr: "foo",
    vault_token: "foo",
  });
 });
--- a/vault-token/main.tf
+++ b/vault-token/main.tf
@ -0,0 +1,62 @@
 terraform {
  required_version = ">= 1.0"
  required_providers {
    coder = {
      source  = "coder/coder"
      version = ">= 0.12.4"
    }
  }
 }
 # Add required variables for your modules and remove any unneeded variables
 variable "agent_id" {
  type        = string
  description = "The ID of a Coder agent."
 }
 variable "vault_addr" {
  type        = string
  description = "The address of the Vault server."
 }
 variable "vault_token" {
  type        = string
  description = "The Vault token to use for authentication."
  sensitive   = true
 }
 variable "vault_cli_version" {
  type        = string
  description = "The version of Vault to install."
  default     = "latest"
  validation {
    condition     = can(regex("^(latest|[0-9]+\\.[0-9]+\\.[0-9]+)$", var.vault_cli_version))
    error_message = "Vault version must be in the format 0.0.0 or latest"
  }
 }
 data "coder_workspace" "me" {}
 resource "coder_script" "vault" {
  agent_id     = var.agent_id
  display_name = "Vault (Token)"
  icon         = "/icon/vault.svg"
  script = templatefile("${path.module}/run.sh", {
    INSTALL_VERSION : var.vault_cli_version,
  })
  run_on_start       = true
  start_blocks_login = true
 }
 resource "coder_env" "vault_addr" {
  agent_id = var.agent_id
  name     = "VAULT_ADDR"
  value    = var.vault_addr
 }
 resource "coder_env" "vault_token" {
  agent_id = var.agent_id
  name     = "VAULT_TOKEN"
  value    = var.vault_token
 }
--- a/vault-token/run.sh
+++ b/vault-token/run.sh
@ -0,0 +1,93 @@
 #!/usr/bin/env bash
 # Convert all templated variables to shell variables
 INSTALL_VERSION=${INSTALL_VERSION}
 fetch() {
  dest="$1"
  url="$2"
  if command -v curl > /dev/null 2>&1; then
    curl -sSL --fail "$${url}" -o "$${dest}"
  elif command -v wget > /dev/null 2>&1; then
    wget -O "$${dest}" "$${url}"
  elif command -v busybox > /dev/null 2>&1; then
    busybox wget -O "$${dest}" "$${url}"
  else
    printf "curl, wget, or busybox is not installed. Please install curl or wget in your image.\n"
    return 1
  fi
 }
 unzip_safe() {
  if command -v unzip > /dev/null 2>&1; then
    command unzip "$@"
  elif command -v busybox > /dev/null 2>&1; then
    busybox unzip "$@"
  else
    printf "unzip or busybox is not installed. Please install unzip in your image.\n"
    return 1
  fi
 }
 install() {
  # Fetch the latest version of Vault if INSTALL_VERSION is 'latest'
  if [ "$${INSTALL_VERSION}" = "latest" ]; then
    LATEST_VERSION=$(curl -s https://releases.hashicorp.com/vault/ | grep -oP 'vault/\K[0-9]+\.[0-9]+\.[0-9]+' | sort -V | tail -n 1)
    printf "Latest version of Vault is %s.\n\n" "$${LATEST_VERSION}"
    if [ -z "$${LATEST_VERSION}" ]; then
      printf "Failed to determine the latest Vault version.\n"
      return 1
    fi
    INSTALL_VERSION=$${LATEST_VERSION}
  fi
  # Check if the vault CLI is installed and has the correct version
  installation_needed=1
  if command -v vault > /dev/null 2>&1; then
    CURRENT_VERSION=$(vault version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')
    if [ "$${CURRENT_VERSION}" = "$${INSTALL_VERSION}" ]; then
      printf "Vault version %s is already installed and up-to-date.\n\n" "$${CURRENT_VERSION}"
      installation_needed=0
    fi
  fi
  if [ $${installation_needed} -eq 1 ]; then
    # Download and install Vault
    if [ -z "$${CURRENT_VERSION}" ]; then
      printf "Installing Vault CLI ...\n\n"
    else
      printf "Upgrading Vault CLI from version %s to %s ...\n\n" "$${CURRENT_VERSION}" "${INSTALL_VERSION}"
    fi
    fetch vault.zip "https://releases.hashicorp.com/vault/$${INSTALL_VERSION}/vault_$${INSTALL_VERSION}_linux_amd64.zip"
    if [ $? -ne 0 ]; then
      printf "Failed to download Vault.\n"
      return 1
    fi
    if ! unzip_safe vault.zip; then
      printf "Failed to unzip Vault.\n"
      return 1
    fi
    rm vault.zip
    if sudo mv vault /usr/local/bin/vault 2> /dev/null; then
      printf "Vault installed successfully!\n\n"
    else
      mkdir -p ~/.local/bin
      if ! mv vault ~/.local/bin/vault; then
        printf "Failed to move Vault to local bin.\n"
        return 1
      fi
      printf "Please add ~/.local/bin to your PATH to use vault CLI.\n"
    fi
  fi
  return 0
 }
 TMP=$(mktemp -d)
 if ! (
  cd "$TMP"
  install
 ); then
  echo "Failed to install Vault CLI."
  exit 1
 fi
 rm -rf "$TMP"