This module fetches all, or a selected subset of, the secrets in an HCP Vault Secrets app and exposes them as environment variables in your Coder workspaces. It uses the `hcp_vault_secrets_app` data source from the HCP Terraform provider.
```tf
module "vault" {
  source     = "registry.coder.com/coder/hcp-vault-secrets/coder"
  version    = "1.0.33"
  agent_id   = coder_agent.example.id
  app_name   = "demo-app"
  project_id = "aaa-bbb-ccc"
}
```
Configuration

To configure the HCP Vault Secrets module:

- Create the secrets in an HCP Vault Secrets app.
- Create an HCP service principal for that app in the HCP console. This gives you the `HCP_CLIENT_ID` and `HCP_CLIENT_SECRET` used to authenticate to HCP Vault Secrets.
- Set `HCP_CLIENT_ID` and `HCP_CLIENT_SECRET` as environment variables on the Coder provisioner (recommended), or pass them to the module as the `client_id` and `client_secret` inputs. Keeping them in the provisioner environment avoids writing credentials into the template source.
- Set `project_id` to the ID of the HCP project that contains the HCP Vault Secrets app.

See the HCP Vault Secrets documentation for more information.
Fetch All Secrets

To fetch every secret in the HCP Vault Secrets app, omit the `secrets` input. Each secret becomes an environment variable of the same name in the workspace.
```tf
module "vault" {
  source     = "registry.coder.com/coder/hcp-vault-secrets/coder"
  version    = "1.0.33"
  agent_id   = coder_agent.example.id
  app_name   = "demo-app"
  project_id = "aaa-bbb-ccc"
}
```
Fetch Selective Secrets

To fetch only specific secrets, set the `secrets` input to the list of secret names. Names must match the secrets in the app exactly; a name that does not exist in the app makes the apply fail when the module indexes the app's secret map.
```tf
module "vault" {
  source     = "registry.coder.com/coder/hcp-vault-secrets/coder"
  version    = "1.0.33"
  agent_id   = coder_agent.example.id
  app_name   = "demo-app"
  project_id = "aaa-bbb-ccc"
  secrets    = ["MY_SECRET_1", "MY_SECRET_2"]
}
```
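Because the module delivers secrets as plain environment variables, a workspace startup script can fail fast if an expected one is missing instead of running half-configured. The following is an added example, not part of the module or the Coder project: it checks that the named variables are set and non-empty without ever printing a value, and it validates each name against the shell identifier grammar before the `eval` so that a malformed argument cannot inject shell syntax. The names `MY_SECRET_1` and `MY_SECRET_2` are the README's placeholders, and the value assigned at the bottom is constructed for the demonstration (in a real workspace `coder_env` supplies it).

```shell
#!/bin/sh
# Added example: verify that HCP Vault Secrets landed in the workspace as
# environment variables. Reports names only, never values.

# Print the names from "$@" that are unset, empty, or not valid identifiers,
# one per line. The case guard runs before eval so that an argument such as
# 'x; rm -rf /' is reported as missing rather than executed.
missing_secrets() {
  for name in "$@"; do
    case "$name" in
      *[!A-Za-z0-9_]* | "" | [0-9]*) printf '%s\n' "$name"; continue ;;
    esac
    eval "val=\${$name:-}"
    [ -n "$val" ] || printf '%s\n' "$name"
  done
}

# Return non-zero (and list the missing names on stderr) if any required
# secret is absent, so a startup script can abort with `set -e`.
check_secrets() {
  missing=$(missing_secrets "$@")
  if [ -n "$missing" ]; then
    printf 'missing HCP Vault Secrets env vars:\n%s\n' "$missing" >&2
    return 1
  fi
  return 0
}

# Demonstration with a constructed value; a real workspace gets this from coder_env.
MY_SECRET_1="constructed-value"; export MY_SECRET_1
check_secrets MY_SECRET_1 && echo "all required secrets present"
```

Call `check_secrets` with the same names you passed in the module's `secrets` input; when you fetch all secrets, list the ones your tooling actually requires.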
Set Client ID and Client Secret as Inputs

If you cannot set the variables on the provisioner, pass `client_id` and `client_secret` as module inputs. Both are declared `sensitive`, so Terraform redacts them from plan output, but a literal written into the template is still in the template source and its history; feed the values in from sensitive template variables rather than committing them.

```tf
module "vault" {
  source        = "registry.coder.com/coder/hcp-vault-secrets/coder"
  version       = "1.0.33"
  agent_id      = coder_agent.example.id
  app_name      = "demo-app"
  project_id    = "aaa-bbb-ccc"
  client_id     = "HCP_CLIENT_ID"     # placeholder: the service principal's client ID
  client_secret = "HCP_CLIENT_SECRET" # placeholder: the service principal's client secret
}
```
Module Source

```tf
terraform {
  required_version = ">= 1.0"

  required_providers {
    coder = {
      source  = "coder/coder"
      version = ">= 0.12.4"
    }
    hcp = {
      source  = "hashicorp/hcp"
      version = ">= 0.82.0"
    }
  }
}

# When client_id and client_secret are null, the HCP provider reads
# HCP_CLIENT_ID and HCP_CLIENT_SECRET from the provisioner's environment.
provider "hcp" {
  client_id     = var.client_id
  client_secret = var.client_secret
  project_id    = var.project_id
}

provider "coder" {}

variable "agent_id" {
  type        = string
  description = "The ID of a Coder agent."
}

variable "project_id" {
  type        = string
  description = "The ID of the HCP project."
}

variable "client_id" {
  type        = string
  description = <<-EOF
    The client ID for the HCP Vault Secrets service principal. (Optional if HCP_CLIENT_ID is set as an environment variable.)
  EOF
  default     = null
  sensitive   = true
}

variable "client_secret" {
  type        = string
  description = <<-EOF
    The client secret for the HCP Vault Secrets service principal. (Optional if HCP_CLIENT_SECRET is set as an environment variable.)
  EOF
  default     = null
  sensitive   = true
}

variable "app_name" {
  type        = string
  description = "The name of the secrets app in HCP Vault Secrets"
}

# null means "all secrets in the app"; otherwise only the listed names are exposed.
variable "secrets" {
  type        = list(string)
  description = "The names of the secrets to retrieve from HCP Vault Secrets"
  default     = null
}

# Reads every secret in the app. The `secrets` attribute is a sensitive map of
# secret name => secret value.
data "hcp_vault_secrets_app" "secrets" {
  app_name = var.app_name
}

# One workspace environment variable per secret, named after the secret.
# for_each cannot iterate a sensitive value, so only the key set (the names)
# is unwrapped with nonsensitive(); the values themselves stay sensitive.
resource "coder_env" "hvs_secrets" {
  # https://support.hashicorp.com/hc/en-us/articles/4538432032787-Variable-has-a-sensitive-value-and-cannot-be-used-as-for-each-arguments
  for_each = var.secrets != null ? toset(var.secrets) : nonsensitive(toset(keys(data.hcp_vault_secrets_app.secrets.secrets)))
  agent_id = var.agent_id
  name     = each.key
  value    = data.hcp_vault_secrets_app.secrets.secrets[each.key]
}
```