HCP Vault Secrets

By coder

Fetch secrets from HCP Vault

This module lets you fetch all or selected secrets from an HCP Vault Secrets app into your Coder workspaces. It uses the hcp_vault_secrets_app data source from the HCP provider and exposes each secret to the workspace agent as an environment variable.

module "vault" {
  source     = "registry.coder.com/coder/hcp-vault-secrets/coder"
  version    = "1.0.33"
  agent_id   = coder_agent.example.id
  app_name   = "demo-app"
  project_id = "aaa-bbb-ccc"
}

Configuration

To configure the HCP Vault Secrets module, follow these steps:

  1. Create secrets in HCP Vault Secrets.
  2. Create an HCP Service Principal from the HCP Vault Secrets app in the HCP console. This gives you the HCP_CLIENT_ID and HCP_CLIENT_SECRET that you need to authenticate with HCP Vault Secrets.
  3. Set the HCP_CLIENT_ID and HCP_CLIENT_SECRET variables on the Coder provisioner (recommended) or supply them as inputs to the module.
  4. Set the project_id. This is the ID of the HCP project that contains the HCP Vault Secrets app.

See the HCP Vault Secrets documentation for more information.

Fetch All Secrets

To fetch all secrets from the HCP Vault Secrets app, omit the secrets input.

module "vault" {
  source     = "registry.coder.com/coder/hcp-vault-secrets/coder"
  version    = "1.0.33"
  agent_id   = coder_agent.example.id
  app_name   = "demo-app"
  project_id = "aaa-bbb-ccc"
}

Fetch Selective Secrets

To fetch only selected secrets from the HCP Vault Secrets app, set the secrets input to the list of secret names you want.

module "vault" {
  source     = "registry.coder.com/coder/hcp-vault-secrets/coder"
  version    = "1.0.33"
  agent_id   = coder_agent.example.id
  app_name   = "demo-app"
  project_id = "aaa-bbb-ccc"
  secrets    = ["MY_SECRET_1", "MY_SECRET_2"]
}

Set Client ID and Client Secret as Inputs

If the credentials are not set on the provisioner, pass client_id and client_secret as module inputs (both are marked sensitive in the module).

module "vault" {
  source        = "registry.coder.com/coder/hcp-vault-secrets/coder"
  version       = "1.0.33"
  agent_id      = coder_agent.example.id
  app_name      = "demo-app"
  project_id    = "aaa-bbb-ccc"
  client_id     = "HCP_CLIENT_ID"
  client_secret = "HCP_CLIENT_SECRET"
}
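A complete Coder template that wires the module to an agent and a Docker-backed workspace, as an added example that is not part of the registry page or the module itself. The Docker provider and image, the variable name hcp_project_id, the secret names DATABASE_URL and API_TOKEN, and the placeholder project ID are assumptions.

```hcl
terraform {
  required_providers {
    coder  = { source = "coder/coder" }
    docker = { source = "kreuzwerker/docker" }
  }
}

provider "coder" {}
provider "docker" {}

# Assumed: HCP_CLIENT_ID and HCP_CLIENT_SECRET are exported on the Coder
# provisioner, so the module's client_id/client_secret inputs are left unset
# and the service principal credentials never appear in template files.
variable "hcp_project_id" {
  type        = string
  description = "ID of the HCP project that contains the Vault Secrets app."
  default     = "aaa-bbb-ccc" # placeholder, not a real project ID
}

data "coder_workspace" "me" {}

resource "coder_agent" "main" {
  os   = "linux"
  arch = "amd64"
}

# Only the named secrets are injected as coder_env variables; any other
# secret stored in the app stays out of the workspace.
module "vault" {
  source     = "registry.coder.com/coder/hcp-vault-secrets/coder"
  version    = "1.0.33"
  agent_id   = coder_agent.main.id
  app_name   = "demo-app"
  project_id = var.hcp_project_id
  secrets    = ["DATABASE_URL", "API_TOKEN"]
}

resource "docker_container" "workspace" {
  count = data.coder_workspace.me.start_count
  image = "codercom/enterprise-base:ubuntu"
  name  = "coder-${data.coder_workspace.me.name}"
  # Only the agent token is passed through the container environment; the
  # HCP secrets reach the agent through coder_env, not through this block.
  env     = ["CODER_AGENT_TOKEN=${coder_agent.main.token}"]
  command = ["sh", "-c", coder_agent.main.init_script]
}
```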

Source

terraform {
  required_version = ">= 1.0"

  required_providers {
    coder = {
      source  = "coder/coder"
      version = ">= 0.12.4"
    }
    hcp = {
      source  = "hashicorp/hcp"
      version = ">= 0.82.0"
    }
  }
}

provider "hcp" {
  client_id     = var.client_id
  client_secret = var.client_secret
  project_id    = var.project_id
}

provider "coder" {}

variable "agent_id" {
  type        = string
  description = "The ID of a Coder agent."
}

variable "project_id" {
  type        = string
  description = "The ID of the HCP project."
}

variable "client_id" {
  type        = string
  description = <<-EOF
  The client ID for the HCP Vault Secrets service principal. (Optional if HCP_CLIENT_ID is set as an environment variable.)
  EOF
  default     = null
  sensitive   = true
}

variable "client_secret" {
  type        = string
  description = <<-EOF
  The client secret for the HCP Vault Secrets service principal. (Optional if HCP_CLIENT_SECRET is set as an environment variable.)
  EOF
  default     = null
  sensitive   = true
}

variable "app_name" {
  type        = string
  description = "The name of the secrets app in HCP Vault Secrets"
}

variable "secrets" {
  type        = list(string)
  description = "The names of the secrets to retrieve from HCP Vault Secrets"
  default     = null
}

data "hcp_vault_secrets_app" "secrets" {
  app_name = var.app_name
}

resource "coder_env" "hvs_secrets" {
  # for_each cannot iterate over a sensitive value, so the key set is marked
  # nonsensitive; the secret values themselves stay sensitive.
  # https://support.hashicorp.com/hc/en-us/articles/4538432032787-Variable-has-a-sensitive-value-and-cannot-be-used-as-for-each-arguments
  for_each = var.secrets != null ? toset(var.secrets) : nonsensitive(toset(keys(data.hcp_vault_secrets_app.secrets.secrets)))
  agent_id = var.agent_id
  name     = each.key
  value    = data.hcp_vault_secrets_app.secrets.secrets[each.key]
}