From f2269f20ff9f0048f5b6c8f3f9cc13e6b73b2523 Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali
Date: Sat, 3 Feb 2024 20:43:48 +0300
Subject: [PATCH] feat: add HCP vault secrets module
---
 hcp-vault-secrets/README.md | 43 ++++++++++++++++++++++++
 hcp-vault-secrets/main.tf | 66 +++++++++++++++++++++++++++++++++++++
 2 files changed, 109 insertions(+)
 create mode 100644 hcp-vault-secrets/README.md
 create mode 100644 hcp-vault-secrets/main.tf
diff --git a/hcp-vault-secrets/README.md b/hcp-vault-secrets/README.md
new file mode 100644
index 0000000..805e739
--- /dev/null
+++ b/hcp-vault-secrets/README.md
@@ -0,0 +1,43 @@
+---
+display_name: "HCP Vault Secrets"
+description: "Fetch secrets from HCP Vault"
+icon: ../.icons/vault.svg
+maintainer_github: coder
+partner_github: hashicorp
+verified: true
+tags: [helper, integration, vault, hashicorp, hvs]
+---
+
+# HCP Vault Secrets
+
+This module lets you fetch secrets from [HCP Vault Secrets](https://developer.hashicorp.com/hcp/docs/vault-secrets) in your Coder workspaces.
+
+```tf
+module "vault" {
+ source = "registry.coder.com/modules/hcp-vault-secrets/coder"
+ version = "1.0.3"
+ agent_id = coder_agent.example.id
+ app_name = "demo-app"
+ secrets_list = ["MY_SECRET_1", "MY_SECRET_2"]
+}
+```
+
+## Configuration
+
+To configure the HCP Vault Secrets module, you must create an HCP Service Principal from the HCP Vault Secrets app in the HCP console. This will give you the `HCP_CLIENT_ID` and `HCP_CLIENT_SECRET` that you need to authenticate with HCP Vault Secrets. See the [HCP Vault Secrets documentation](https://developer.hashicorp.com/hcp/docs/vault-secrets) for more information.
+
+## Example
+
+Set `client_id` and `client_secret` as module inputs.
+
+```tf
+module "vault" {
+ source = "registry.coder.com/modules/hcp-vault-secrets/coder"
+ version = "1.0.3"
+ agent_id = coder_agent.example.id
+ app_name = "demo-app"
+ secrets_list = ["MY_SECRET_1", "MY_SECRET_2"]
+ client_id = "HCP_CLIENT_ID"
+ client_secret = "HCP_CLIENT_SECRET"
+}
+```
diff --git a/hcp-vault-secrets/main.tf b/hcp-vault-secrets/main.tf
new file mode 100644
index 0000000..d52af2f
--- /dev/null
+++ b/hcp-vault-secrets/main.tf
@@ -0,0 +1,66 @@
+terraform {
+ required_version = ">= 1.0"
+
+ required_providers {
+ coder = {
+ source = "coder/coder"
+ version = ">= 0.12.4"
+ }
+ hcp = {
+ source = "hashicorp/hcp"
+ version = ">= 0.82.0"
+ }
+ }
+}
+
+provider "hcp" {
+ client_id = var.client_id
+ client_secret = var.client_secret
+}
+
+provider "coder" {}
+
+variable "agent_id" {
+ type = string
+ description = "The ID of a Coder agent."
+}
+
+variable "secrets_list" {
+ type = list(string)
+}
+
+variable "client_id" {
+ type = string
+ description = <<-EOF
+ The client ID for the HCP Vault Secrets service principal. (Optional if HCP_CLIENT_ID is set as an environment variable.)
+ EOF
+ default = null
+ sensitive = true
+}
+
+variable "client_secret" {
+ type = string
+ description = <<-EOF
+ The client secret for the HCP Vault Secrets service principal. (Optional if HCP_CLIENT_SECRET is set as an environment variable.)
+ EOF
+ default = null
+ sensitive = true
+}
+
+variable "app_name" {
+ type = string
+ description = "The name of the secrets app in HCP Vault Secrets"
+}
+
+data "hcp_vault_secrets_secret" "secret" {
+ for_each = toset(var.secrets_list)
+ app_name = var.app_name
+ secret_name = each.value
+}
+
+resource "coder_env" "hvs_secrets" {
+ for_each = data.hcp_vault_secrets_secret.secret
+ agent_id = var.agent_id
+ name = each.key
+ value = each.value.secret_value
+}
\ No newline at end of file
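Review bot: `variable "secrets_list"` in main.tf is the only input in this hunk without a `description`, and nothing in the hunk constrains its entries even though each one becomes an environment-variable name verbatim through `name = each.key` in `coder_env.hvs_secrets`; adding `description = "Names of the HCP Vault Secrets to fetch from the app; each name is exposed to the agent as an environment variable of the same name."` tells template authors what the list is and that the names must be usable as environment-variable identifiers. Separately, `value = each.value.secret_value` copies every fetched secret into the `coder_env` resource, and both the data-source results and resource attributes are persisted in Terraform state, so a comment above the resource such as `# Fetched secret values are persisted in Terraform state; restrict access to the state backend accordingly.` makes that trade-off visible to operators. `sensitive = true` on `client_id` and `client_secret` keeps the credentials out of plan output but not out of state; whether `secret_value` is likewise redacted in plan output depends on the hcp provider marking it sensitive, which cannot be confirmed from this hunk.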