Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/oulman/tfvaultenv
A utility for configuring Terraform provider environment variables from HashiCorp Vault secrets
golang terraform vault
- Host: GitHub
- URL: https://github.com/oulman/tfvaultenv
- Owner: oulman
- License: apache-2.0
- Created: 2021-10-28T15:35:10.000Z (about 3 years ago)
- Default Branch: main
- Last Pushed: 2024-01-29T15:30:54.000Z (9 months ago)
- Last Synced: 2024-08-02T00:26:41.341Z (3 months ago)
- Topics: golang, terraform, vault
- Language: Go
- Homepage:
- Size: 195 KB
- Stars: 47
- Watchers: 1
- Forks: 6
- Open Issues: 4
Metadata Files:
- Readme: README.md
- License: LICENSE
- Roadmap: ROADMAP.md
Awesome Lists containing this project
- awesome-tf - tfvaultenv - tfvaultenv reads secrets from HashiCorp Vault and outputs environment variables for various Terraform providers with those secrets. (Tools / Community providers)
README
# tfvaultenv
## Overview
tfvaultenv reads secrets from HashiCorp Vault and outputs environment variables for various Terraform providers with those secrets.
This project is a work in progress and additional Secrets Engines, Providers, and features are planned. Please see the project [roadmap](ROADMAP.md) for more details.
Currently supported are:
### Secrets Engines
- [Active Directory](https://www.vaultproject.io/docs/secrets/ad) (Password Rotation)
- [Kv2](https://www.vaultproject.io/docs/secrets/kv/kv-v2)
- [AWS](https://www.vaultproject.io/docs/secrets/aws) (STS only currently)
- [Azure](https://www.vaultproject.io/docs/secrets/azure)
### Terraform Providers
- [vSphere](https://registry.terraform.io/providers/hashicorp/vsphere/latest/docs)
- [F5 BIG IP](https://registry.terraform.io/providers/F5Networks/bigip/latest)
- [Infoblox](https://registry.terraform.io/providers/infobloxopen/infoblox/latest)
- [AWS](https://registry.terraform.io/providers/hashicorp/aws/latest)
- [AzureRM](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs)
- Other Terraform providers via the kv_secret `generic` provider
## Installation
- Download the release for your platform from [Releases](https://github.com/oulman/tfvaultenv/releases)
- untar or unzip the file and move tfvaultenv into your $PATH
- Create a .tfvaultenv.config.hcl file in your Terraform project. (see Configuration below and the examples directory)
## Configuration
The configuration is written in [HCL](https://github.com/hashicorp/hcl) and the default name is `.tfvaultenv.config.hcl`. Unless overridden, tfvaultenv will look in the current working directory for the config file. You can optionally set the `--config` and `--configdepth` arguments to change the config file name or search up to N parent directories. This is useful in nested Terraform directory structure scenarios.
Configuration is set in blocks representing supported secrets engines and authentication methods.
### Secrets Engines
Currently all secrets engines share a single Vault client, so `tfvaultenv` supports only one Vault server, configured via the `VAULT_ADDR` environment variable. Support for multiple Vault backends and Namespaces is planned.
#### AWS
##### Example
```hcl
aws "sts" {
method = "assumed_role"
role = "rolename"
role_arn = "arn:aws:iam::00000000000:role/TerraformRole"
extra_env_vars = {
"AWS_DEFAULT_REGION" = "us-east-2"
}
ttl = 900
}
```
##### Arguments
- `method`: (Required) Name of the [AWS Secrets Engine](https://www.vaultproject.io/docs/secrets/aws) credential method. Currently only `assumed_role` is supported.
- `role`: (Required) AWS Secrets Engine role name
- `role_arn`: (Optional) Role ARN to assume when method is set to `assumed_role`
- `extra_env_vars`: (Optional) Map of additional environment variables to set
- `mount`: (Optional) Path to the mounted AWS secrets engine. Default: `aws`
- `ttl`: (Optional) TTL to set on the token or iam_user
#### Azure
##### Example
```hcl
azure "sub1" {
role = "sub1-rw"
extra_env_vars = {
"ARM_TENANT_ID" = "194dd302-295b-4993-b29e-2ca2d37b9031"
"ARM_SUBSCRIPTION_ID" = "9b9c4322-74a2-474e-ad94-c5e6890713c9"
}
}
```
##### Arguments
- `role`: (Required) Azure Secrets Engine role name
- `extra_env_vars`: (Optional) Map of additional environment variables to set
- `mount`: (Optional) Path to the mounted Azure secrets engine. Default: `azure`
#### Active Directory
##### Example
```hcl
ad "vsphere" {
role = "rolename"
target_provider = "vsphere"
extra_env_vars = {
"VSPHERE_SERVER" = "vcenter.example.com"
}
}
```

```hcl
ad "generic" {
role = "tf-svc"
target_provider = "generic"
username_env_var = "TF_VAR_AD_USERNAME"
password_env_var = "TF_VAR_AD_PASSWORD"
}
```
##### Arguments
- `role`: (Required) Name of the [Vault Active Directory Secrets Engine role name](https://www.vaultproject.io/docs/secrets/ad)
- `target_provider`: (Required) Name of the Terraform provider to generate environment variables for
- `extra_env_vars`: (Optional) Map of additional environment variables to set
- `username_env_var`: (Optional/Required for generic provider) Environment variable to set to username
- `password_env_var`: (Optional/Required for generic provider) Environment variable to set to password
- `path`: (Optional) Path to the mounted AD secrets engine. Default: `ad`
#### Kv2 Secret
##### Example
```hcl
kv_secret "infoblox" {
path = "infoblox/terraform"
target_provider = "infoblox"
attribute_map = {
"ib_user" = "username"
"ib_password" = "password"
}
extra_env_vars = {
"FOO" = "bar"
}
}
```
##### Arguments
- `path`: (Required) Path to the secret under the secrets engine mount
- `mount`: (Optional) Mount name of the secrets engine. Default: "secrets"
- `attribute_map`: (Optional) Map of kv2 secret attribute names to provider values. Defaults to username and password
- `target_provider`: (Required) Name of the Terraform provider to generate environment variables for
- `extra_env_vars`: (Optional) Map of additional environment variables to set
- `expand_env_vars`: (Optional) Perform shell expansion of variables in the string. This only applies to values in `extra_env_vars`
#### Kv2 Secret (Generic)
You can use the `generic` target_provider when tfvaultenv doesn't directly support your Terraform provider; `attribute_map` then controls which environment variables are set from the secret.
##### Example
```hcl
kv_secret "generic" {
path = "teams/ops/db/pgsql"
target_provider = "generic"
attribute_map = {
"PGUSER" = "psql_user"
"PGPASSWORD" = "psql_pass"
}
extra_env_vars = {
"PGHOST" = "foo.bar.com"
"PGPORT" = "12345"
}
}
```
##### Arguments
- `path`: (Required) Path to the secret under the secrets engine mount
- `mount`: (Optional) Mount name of the secrets engine. Default: "secrets"
- `attribute_map`: (Optional) Map between kv2 secret attribute names and the environment variable names to set (see the example above)
- `target_provider`: (Required) generic
- `extra_env_vars`: (Optional) Map of additional environment variables to set
- `expand_env_vars`: (Optional) Perform shell expansion of variables in the string. This only applies to values in `extra_env_vars`
### Auth Methods
By default `tfvaultenv` creates an implicit auth method that uses token-based authentication: `VAULT_TOKEN`, `~/.vault-token`, or a configured token helper. Explicit auth methods such as JWT (see below) can be configured and take precedence over token auth when given a priority of 1 or above. Auth methods can be conditionally activated with `when {}` blocks based on environment variables or other supported conditions. When multiple auth methods are defined, their priorities determine which one is tried first and which is the preferred fallback.
#### Common arguments
- `method`: (Required) Name of the Vault authentication method
- `path`: (Required) Path to the auth engine mount
- `priority`: (Required) Priority of this auth method; set it above 0 to override the implicit token-based auth
- `when`: (Optional) Conditional block methods to determine if the auth method should be used. Currently only `env_present` is supported.
- `export_vault_token`: (Optional) Also emit the Vault token obtained by this auth method as the `VAULT_TOKEN` environment variable. Note that the token then reaches every sink the other secrets reach (stdout, CI job logs), so enable it only when a later step actually needs direct Vault access.
#### JWT
```hcl
auth "gitlab" {
method = "jwt"
path = "gitlab"
priority = 100

jwt {
role = env("VAULT_ROLE")
token = env("CI_JOB_JWT")
}

when {
env_present = "CI_JOB_JWT"
}
}
```
##### Arguments
- `role`: (Required) Name of the JWT auth engine role
- `token`: (Required) JWT to pass to the Vault API
GitLab has since deprecated the `CI_JOB_JWT` predefined variable in favor of CI/CD ID tokens; because `token` accepts `env()`, point it at whichever variable your CI system populates and use the same name in the `when` block.
## Usage
### Setting environment variables
```
$ export `tfvaultenv get`
$ env | grep AWS_
AWS_ACCESS_KEY_ID=ASIA
AWS_SECRET_ACCESS_KEY=nJJFD/
AWS_SESSION_TOKEN=
```
### Printing to stdout
```
$ tfvaultenv get
AWS_ACCESS_KEY_ID=ASIA
AWS_SECRET_ACCESS_KEY=nJJFD/
AWS_SESSION_TOKEN=
```
Printed output ends up in terminal scrollback and, in CI, in the job log; prefer the `export` form above unless you are debugging.
### Specifying an alternate configuration file
```
$ tfvaultenv get --config /path/to/config.hcl
```
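The `export` form shown under "Setting environment variables" passes the output of `tfvaultenv get` through word splitting and pathname expansion, so a secret value containing whitespace or a glob character such as `*` is exported truncated, mangled, or not at all. The POSIX shell function below is an added example and is not part of tfvaultenv: it reads `KEY=VALUE` lines one at a time, validates each key as a shell identifier, skips malformed lines without echoing them (they may hold a secret), and exports each line as a single argument. `SAMPLE_ENV` is a constructed stand-in for the tool's output; its keys and values are placeholders, not real credentials.

```shell
# Added example, not tfvaultenv's own code. Import KEY=VALUE lines from stdin
# into the current shell without word splitting or globbing the values.
tfvaultenv_import() {
    TFVAULTENV_SKIPPED=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;          # blank lines and comments: ignore
        esac
        key=${line%%=*}
        case "$line" in
            *=*) ;;
            *) key='' ;;                  # no '=' at all: treat as malformed
        esac
        case "$key" in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                # Do not print the line itself: it may contain a secret.
                TFVAULTENV_SKIPPED=$((TFVAULTENV_SKIPPED + 1))
                printf 'tfvaultenv_import: skipping malformed line\n' >&2
                continue ;;
        esac
        # One argument per line, so "p4ss with spaces" stays one value.
        export "$line"
    done
}

# Constructed sample standing in for `tfvaultenv get` output (placeholder
# keys and values, not real credentials). Two lines are deliberately malformed.
SAMPLE_ENV='AWS_ACCESS_KEY_ID=ASIAEXAMPLEKEY
PGPASSWORD=p4ss with spaces and a *
# a comment line
not-a-var=ignored
garbage
PGHOST=foo.bar.com'

# A here-document runs the loop in the current shell, so the exports persist
# (feeding the function through a pipe would run it in a subshell).
tfvaultenv_import <<EOF
$SAMPLE_ENV
EOF
```

With the real tool, replace the sample with `$(tfvaultenv get)` inside the here-document; in bash, `tfvaultenv_import < <(tfvaultenv get)` does the same without the here-document, which older bash releases spool through a temporary file. Either way the secrets still sit in the shell's environment and are inherited by every child process, so keep that shell session scoped to the Terraform run.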