Update Hashicorp vault modules (#140)

Co-authored-by: Mathias Fredriksson <mafredri@gmail.com>
1 year ago · ac64af6f02
parent b299f98161
commit ac64af6f02
5 changed files with 307 additions and 46 deletions
--- a/vault-github/run.sh
+++ b/vault-github/run.sh
@ -1,4 +1,4 @@
-#!/usr/bin/env sh
+#!/usr/bin/env bash

 # Convert all templated variables to shell variables
 INSTALL_VERSION=${INSTALL_VERSION}
@ -20,7 +20,7 @@ fetch() {
  fi
 }

-unzip() {
+unzip_safe() {
  if command -v unzip > /dev/null 2>&1; then
    command unzip "$@"
  elif command -v busybox > /dev/null 2>&1; then
@ -31,57 +31,68 @@ unzip() {
  fi
 }

-# Fetch the latest version of Vault if INSTALL_VERSION is 'latest'
-if [ "$${INSTALL_VERSION}" = "latest" ]; then
-  LATEST_VERSION=$(curl -s https://releases.hashicorp.com/vault/ | grep -oP 'vault/\K[0-9]+\.[0-9]+\.[0-9]+' | sort -V | tail -n 1)
-  printf "Latest version of Vault is %s.\n\n" "$${LATEST_VERSION}"
-  if [ -z "$${LATEST_VERSION}" ]; then
-    printf "Failed to determine the latest Vault version.\n"
-    exit 1
+install() {
+  # Fetch the latest version of Vault if INSTALL_VERSION is 'latest'
+  if [ "$${INSTALL_VERSION}" = "latest" ]; then
+    LATEST_VERSION=$(curl -s https://releases.hashicorp.com/vault/ | grep -oP 'vault/\K[0-9]+\.[0-9]+\.[0-9]+' | sort -V | tail -n 1)
+    printf "Latest version of Vault is %s.\n\n" "$${LATEST_VERSION}"
+    if [ -z "$${LATEST_VERSION}" ]; then
+      printf "Failed to determine the latest Vault version.\n"
+      return 1
+    fi
+    INSTALL_VERSION=$${LATEST_VERSION}
  fi
-  VERSION=$${LATEST_VERSION}
-fi

-# Check if the vault CLI is installed and has the correct version
-installation_needed=1
-if command -v vault > /dev/null 2>&1; then
-  CURRENT_VERSION=$(vault version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')
-  if [ "$${CURRENT_VERSION}" = "$${INSTALL_VERSION}" ]; then
-    printf "Vault version %s is already installed and up-to-date.\n\n" "$${CURRENT_VERSION}"
-    installation_needed=0
+  # Check if the vault CLI is installed and has the correct version
+  installation_needed=1
+  if command -v vault > /dev/null 2>&1; then
+    CURRENT_VERSION=$(vault version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')
+    if [ "$${CURRENT_VERSION}" = "$${INSTALL_VERSION}" ]; then
+      printf "Vault version %s is already installed and up-to-date.\n\n" "$${CURRENT_VERSION}"
+      installation_needed=0
+    fi
  fi
-fi

-if [ $${installation_needed} -eq 1 ]; then
-  # Download and install Vault
-  if [ -z "$${CURRENT_VERSION}" ]; then
-    printf "Installing Vault CLI ...\n\n"
-  else
-    printf "Upgrading Vault CLI from version %s to %s ...\n\n" "$${CURRENT_VERSION}" "$${VERSION}"
-  fi
-  fetch vault.zip "https://releases.hashicorp.com/vault/$${VERSION}/vault_$${VERSION}_linux_amd64.zip"
-  if [ $? -ne 0 ]; then
-    printf "Failed to download Vault.\n"
-    exit 1
-  fi
-  unzip vault.zip
-  if [ $? -ne 0 ]; then
-    printf "Failed to unzip Vault.\n"
-    exit 1
-  fi
-  rm vault.zip
-  if sudo mv vault /usr/local/bin/vault 2> /dev/null; then
-    printf "Vault installed successfully!\n\n"
-  else
-    mkdir -p ~/.local/bin
-    mv vault ~/.local/bin/vault
-    if [ ! -f ~/.local/bin/vault ]; then
-      printf "Failed to move Vault to local bin.\n"
-      exit 1
+  if [ $${installation_needed} -eq 1 ]; then
+    # Download and install Vault
+    if [ -z "$${CURRENT_VERSION}" ]; then
+      printf "Installing Vault CLI ...\n\n"
+    else
+      printf "Upgrading Vault CLI from version %s to %s ...\n\n" "$${CURRENT_VERSION}" "${INSTALL_VERSION}"
+    fi
+    fetch vault.zip "https://releases.hashicorp.com/vault/$${INSTALL_VERSION}/vault_$${INSTALL_VERSION}_linux_amd64.zip"
+    if [ $? -ne 0 ]; then
+      printf "Failed to download Vault.\n"
+      return 1
+    fi
+    if ! unzip_safe vault.zip; then
+      printf "Failed to unzip Vault.\n"
+      return 1
+    fi
+    rm vault.zip
+    if sudo mv vault /usr/local/bin/vault 2> /dev/null; then
+      printf "Vault installed successfully!\n\n"
+    else
+      mkdir -p ~/.local/bin
+      if ! mv vault ~/.local/bin/vault; then
+        printf "Failed to move Vault to local bin.\n"
+        return 1
+      fi
+      printf "Please add ~/.local/bin to your PATH to use vault CLI.\n"
    fi
-    printf "Please add ~/.local/bin to your PATH to use vault CLI.\n"
  fi
+  return 0
+}
+
+TMP=$(mktemp -d)
+if ! (
+  cd "$TMP"
+  install
+); then
+  echo "Failed to install Vault CLI."
+  exit 1
 fi
+rm -rf "$TMP"

 # Authenticate with Vault
 printf "🔑 Authenticating with Vault ...\n\n"
--- a/vault-token/README.md
+++ b/vault-token/README.md
@ -0,0 +1,83 @@
+---
+display_name: Hashicorp Vault Integration (Token)
+description: Authenticates with Vault using Token
+icon: ../.icons/vault.svg
+maintainer_github: coder
+partner_github: hashicorp
+verified: true
+tags: [helper, integration, vault, token]
+---
+
+# Hashicorp Vault Integration (Token)
+
+This module lets you authenticate with [Hashicorp Vault](https://www.vaultproject.io/) in your Coder workspaces using a [Vault token](https://developer.hashicorp.com/vault/docs/auth/token).
+
+```tf
+variable "vault_token" {
+  type        = string
+  description = "The Vault token to use for authentication."
+  sensitive   = true
+}
+
+module "vault" {
+  source      = "registry.coder.com/modules/vault-token/coder"
+  version     = "1.0.3"
+  agent_id    = coder_agent.example.id
+  vault_token = var.token
+  vault_addr  = "https://vault.example.com"
+}
+```
+
+Then you can use the Vault CLI in your workspaces to fetch secrets from Vault:
+
+```shell
+vault kv get -namespace=coder -mount=secrets coder
+```
+
+or using the Vault API:
+
+```shell
+curl -H "X-Vault-Token: ${VAULT_TOKEN}" -X GET "${VAULT_ADDR}/v1/coder/secrets/data/coder"
+```
+
+## Configuration
+
+To configure the Vault module, you must create a Vault token with the the required permissions and configure the module with the token and Vault address.
+
+1. Create a vault policy with read access to the secret mount you need your developers to access.
+   ```shell
+   vault policy write read-coder-secrets - <<EOF
+    path "coder/data/*" {
+      capabilities = ["read"]
+    }
+    path "coder/metadata/*" {
+      capabilities = ["read"]
+    }
+    EOF
+   ```
+2. Create a token using this policy.
+   ```shell
+   vault token create -policy="read-coder-secrets"
+   ```
+3. Copy the generated token and use in your template.
+
+## Examples
+
+### Configure Vault integration and install a specific version of the Vault CLI
+
+```tf
+variable "vault_token" {
+  type        = string
+  description = "The Vault token to use for authentication."
+  sensitive   = true
+}
+
+module "vault" {
+  source            = "registry.coder.com/modules/vault-token/coder"
+  version           = "1.0.3"
+  agent_id          = coder_agent.example.id
+  vault_addr        = "https://vault.example.com"
+  vault_token       = var.token
+  vault_cli_version = "1.15.0"
+}
+```
--- a/vault-token/main.test.ts
+++ b/vault-token/main.test.ts
@ -0,0 +1,12 @@
+import { describe } from "bun:test";
+import { runTerraformInit, testRequiredVariables } from "../test";
+
+describe("vault-token", async () => {
+  await runTerraformInit(import.meta.dir);
+
+  testRequiredVariables(import.meta.dir, {
+    agent_id: "foo",
+    vault_addr: "foo",
+    vault_token: "foo",
+  });
+});
--- a/vault-token/main.tf
+++ b/vault-token/main.tf
@ -0,0 +1,62 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    coder = {
+      source  = "coder/coder"
+      version = ">= 0.12.4"
+    }
+  }
+}
+
+# Add required variables for your modules and remove any unneeded variables
+variable "agent_id" {
+  type        = string
+  description = "The ID of a Coder agent."
+}
+
+variable "vault_addr" {
+  type        = string
+  description = "The address of the Vault server."
+}
+
+variable "vault_token" {
+  type        = string
+  description = "The Vault token to use for authentication."
+  sensitive   = true
+}
+
+variable "vault_cli_version" {
+  type        = string
+  description = "The version of Vault to install."
+  default     = "latest"
+  validation {
+    condition     = can(regex("^(latest|[0-9]+\\.[0-9]+\\.[0-9]+)$", var.vault_cli_version))
+    error_message = "Vault version must be in the format 0.0.0 or latest"
+  }
+}
+
+data "coder_workspace" "me" {}
+
+resource "coder_script" "vault" {
+  agent_id     = var.agent_id
+  display_name = "Vault (Token)"
+  icon         = "/icon/vault.svg"
+  script = templatefile("${path.module}/run.sh", {
+    INSTALL_VERSION : var.vault_cli_version,
+  })
+  run_on_start       = true
+  start_blocks_login = true
+}
+
+resource "coder_env" "vault_addr" {
+  agent_id = var.agent_id
+  name     = "VAULT_ADDR"
+  value    = var.vault_addr
+}
+
+resource "coder_env" "vault_token" {
+  agent_id = var.agent_id
+  name     = "VAULT_TOKEN"
+  value    = var.vault_token
+}
--- a/vault-token/run.sh
+++ b/vault-token/run.sh
@ -0,0 +1,93 @@
+#!/usr/bin/env bash
+
+# Convert all templated variables to shell variables
+INSTALL_VERSION=${INSTALL_VERSION}
+
+fetch() {
+  dest="$1"
+  url="$2"
+  if command -v curl > /dev/null 2>&1; then
+    curl -sSL --fail "$${url}" -o "$${dest}"
+  elif command -v wget > /dev/null 2>&1; then
+    wget -O "$${dest}" "$${url}"
+  elif command -v busybox > /dev/null 2>&1; then
+    busybox wget -O "$${dest}" "$${url}"
+  else
+    printf "curl, wget, or busybox is not installed. Please install curl or wget in your image.\n"
+    return 1
+  fi
+}
+
+unzip_safe() {
+  if command -v unzip > /dev/null 2>&1; then
+    command unzip "$@"
+  elif command -v busybox > /dev/null 2>&1; then
+    busybox unzip "$@"
+  else
+    printf "unzip or busybox is not installed. Please install unzip in your image.\n"
+    return 1
+  fi
+}
+
+install() {
+  # Fetch the latest version of Vault if INSTALL_VERSION is 'latest'
+  if [ "$${INSTALL_VERSION}" = "latest" ]; then
+    LATEST_VERSION=$(curl -s https://releases.hashicorp.com/vault/ | grep -oP 'vault/\K[0-9]+\.[0-9]+\.[0-9]+' | sort -V | tail -n 1)
+    printf "Latest version of Vault is %s.\n\n" "$${LATEST_VERSION}"
+    if [ -z "$${LATEST_VERSION}" ]; then
+      printf "Failed to determine the latest Vault version.\n"
+      return 1
+    fi
+    INSTALL_VERSION=$${LATEST_VERSION}
+  fi
+
+  # Check if the vault CLI is installed and has the correct version
+  installation_needed=1
+  if command -v vault > /dev/null 2>&1; then
+    CURRENT_VERSION=$(vault version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')
+    if [ "$${CURRENT_VERSION}" = "$${INSTALL_VERSION}" ]; then
+      printf "Vault version %s is already installed and up-to-date.\n\n" "$${CURRENT_VERSION}"
+      installation_needed=0
+    fi
+  fi
+
+  if [ $${installation_needed} -eq 1 ]; then
+    # Download and install Vault
+    if [ -z "$${CURRENT_VERSION}" ]; then
+      printf "Installing Vault CLI ...\n\n"
+    else
+      printf "Upgrading Vault CLI from version %s to %s ...\n\n" "$${CURRENT_VERSION}" "${INSTALL_VERSION}"
+    fi
+    fetch vault.zip "https://releases.hashicorp.com/vault/$${INSTALL_VERSION}/vault_$${INSTALL_VERSION}_linux_amd64.zip"
+    if [ $? -ne 0 ]; then
+      printf "Failed to download Vault.\n"
+      return 1
+    fi
+    if ! unzip_safe vault.zip; then
+      printf "Failed to unzip Vault.\n"
+      return 1
+    fi
+    rm vault.zip
+    if sudo mv vault /usr/local/bin/vault 2> /dev/null; then
+      printf "Vault installed successfully!\n\n"
+    else
+      mkdir -p ~/.local/bin
+      if ! mv vault ~/.local/bin/vault; then
+        printf "Failed to move Vault to local bin.\n"
+        return 1
+      fi
+      printf "Please add ~/.local/bin to your PATH to use vault CLI.\n"
+    fi
+  fi
+  return 0
+}
+
+TMP=$(mktemp -d)
+if ! (
+  cd "$TMP"
+  install
+); then
+  echo "Failed to install Vault CLI."
+  exit 1
+fi
+rm -rf "$TMP"