Refactor to fetch all or selective secrets

pull/144/head
Muhammad Atif Ali 1 year ago
parent f2269f20ff
commit db5835deb4

@ -10,7 +10,7 @@ tags: [helper, integration, vault, hashicorp, hvs]
# HCP Vault Secrets # HCP Vault Secrets
This module lets you fetch secrets from [HCP Vault Secrets](https://developer.hashicorp.com/hcp/docs/vault-secrets) in your Coder workspaces. This module lets you fetch all or selective secrets from a [HCP Vault Secrets](https://developer.hashicorp.com/hcp/docs/vault-secrets) app into your Coder workspaces.
```tf ```tf
module "vault" { module "vault" {
@ -18,7 +18,6 @@ module "vault" {
version = "1.0.3" version = "1.0.3"
agent_id = coder_agent.example.id agent_id = coder_agent.example.id
app_name = "demo-app" app_name = "demo-app"
secrets_list = ["MY_SECRET_1", "MY_SECRET_2"]
} }
``` ```
@ -26,7 +25,34 @@ module "vault" {
To configure the HCP Vault Secrets module, you must create an HCP Service Principal from the HCP Vault Secrets app in the HCP console. This will give you the `HCP_CLIENT_ID` and `HCP_CLIENT_SECRET` that you need to authenticate with HCP Vault Secrets. See the [HCP Vault Secrets documentation](https://developer.hashicorp.com/hcp/docs/vault-secrets) for more information. To configure the HCP Vault Secrets module, you must create an HCP Service Principal from the HCP Vault Secrets app in the HCP console. This will give you the `HCP_CLIENT_ID` and `HCP_CLIENT_SECRET` that you need to authenticate with HCP Vault Secrets. See the [HCP Vault Secrets documentation](https://developer.hashicorp.com/hcp/docs/vault-secrets) for more information.
## Example ## Fetch All Secrets
To fetch all secrets from the HCP Vault Secrets app, skip the `secrets` input.
```tf
module "vault" {
source = "registry.coder.com/modules/hcp-vault-secrets/coder"
version = "1.0.3"
agent_id = coder_agent.example.id
app_name = "demo-app"
}
```
## Fetch Selective Secrets
To fetch selective secrets from the HCP Vault Secrets app, set the `secrets` input.
```tf
module "vault" {
source = "registry.coder.com/modules/hcp-vault-secrets/coder"
version = "1.0.3"
agent_id = coder_agent.example.id
app_name = "demo-app"
secrets = ["MY_SECRET_1", "MY_SECRET_2"]
}
```
## Set Client ID and Client Secret as Inputs
Set `client_id` and `client_secret` as module inputs. Set `client_id` and `client_secret` as module inputs.
@ -36,7 +62,6 @@ module "vault" {
version = "1.0.3" version = "1.0.3"
agent_id = coder_agent.example.id agent_id = coder_agent.example.id
app_name = "demo-app" app_name = "demo-app"
secrets_list = ["MY_SECRET_1", "MY_SECRET_2"]
client_id = "HCP_CLIENT_ID" client_id = "HCP_CLIENT_ID"
client_secret = "HCP_CLIENT_SECRET" client_secret = "HCP_CLIENT_SECRET"
} }

@ -25,10 +25,6 @@ variable "agent_id" {
description = "The ID of a Coder agent." description = "The ID of a Coder agent."
} }
variable "secrets_list" {
type = list(string)
}
variable "client_id" { variable "client_id" {
type = string type = string
description = <<-EOF description = <<-EOF
@ -52,15 +48,20 @@ variable "app_name" {
description = "The name of the secrets app in HCP Vault Secrets" description = "The name of the secrets app in HCP Vault Secrets"
} }
data "hcp_vault_secrets_secret" "secret" { variable "secrets" {
for_each = toset(var.secrets_list) type = list(string)
description = "The names of the secrets to retrieve from HCP Vault Secrets"
default = null
}
data "hcp_vault_secrets_app" "secrets" {
app_name = var.app_name app_name = var.app_name
secret_name = each.value
} }
resource "coder_env" "hvs_secrets" { resource "coder_env" "hvs_secrets" {
for_each = data.hcp_vault_secrets_secret.secret # https://support.hashicorp.com/hc/en-us/articles/4538432032787-Variable-has-a-sensitive-value-and-cannot-be-used-as-for-each-arguments
for_each = var.secrets != null ? toset(var.secrets) : nonsensitive(toset(keys(data.hcp_vault_secrets_app.secrets.secrets)))
agent_id = var.agent_id agent_id = var.agent_id
name = each.key name = each.key
value = each.value.secret_value value = data.hcp_vault_secrets_app.secrets.secrets[each.key]
} }
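Review bot: With `default = null` on the new `secrets` variable, a template that omits the input now exports every secret in the app into the workspace environment, which widens exposure compared to the removed `secrets_list` behaviour where each exported name had to be listed explicitly; the variable description should state this so template authors opt in knowingly, e.g. `description = "The names of the secrets to retrieve from HCP Vault Secrets. When null (the default), every secret in the app is exported to the workspace."`. A related point is that `data "hcp_vault_secrets_app" "secrets"` takes only `app_name`, so even in selective mode the provider reads the whole app and the full set of secret values presumably lands in the plan and state, whereas the old per-secret `hcp_vault_secrets_secret` lookups only fetched what was listed. The `nonsensitive()` in the fallback branch is needed for `for_each`, but it also means secret names appear in plan output and in the `coder_env.hvs_secrets[...]` resource addresses in both branches; a short comment next to the existing support link, such as `# Only secret names are unwrapped here; values stay sensitive`, would make that trade-off explicit. Finally, `data.hcp_vault_secrets_app.secrets.secrets[each.key]` raises a generic invalid-index error when a name in `var.secrets` does not exist in the app, so a `lifecycle { precondition { ... } }` checking `contains(keys(...), each.key)` would give a clearer failure message.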