Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/oulman/tfvaultenv
A utility for configuring Terraform provider environment variables from HashiCorp Vault secrets
https://github.com/oulman/tfvaultenv
golang terraform vault
Last synced: about 1 month ago
JSON representation
A utility for configuring Terraform provider environment variables from HashiCorp Vault secrets
- Host: GitHub
- URL: https://github.com/oulman/tfvaultenv
- Owner: oulman
- License: apache-2.0
- Created: 2021-10-28T15:35:10.000Z (about 3 years ago)
- Default Branch: main
- Last Pushed: 2024-01-29T15:30:54.000Z (11 months ago)
- Last Synced: 2024-08-02T00:26:41.341Z (4 months ago)
- Topics: golang, terraform, vault
- Language: Go
- Homepage:
- Size: 195 KB
- Stars: 47
- Watchers: 1
- Forks: 6
- Open Issues: 4
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Roadmap: ROADMAP.md
Awesome Lists containing this project
- awesome-tf - tfvaultenv - tfvaultenv reads secrets from HashiCorp Vault and outputs environment variables for various Terraform providers with those secrets. (Tools / Community providers)
README
# tfvaultenv
## Overview
tfvaultenv reads secrets from HashiCorp Vault and outputs environment variables for various Terraform providers with those secrets.
This project is a work in progress and additional Secrets Engines, Providers, and features are planned. Please see the project [roadmap](ROADMAP.md) for more details.
Currently supported are:
### Secrets Engines
- [Active Directory](https://www.vaultproject.io/docs/secrets/ad) (Password Rotation)
- [Kv2](https://www.vaultproject.io/docs/secrets/kv/kv-v2)
- [AWS](https://www.vaultproject.io/docs/secrets/aws) (STS only currently)
- [Azure](https://www.vaultproject.io/docs/secrets/azure)### Terraform Providers
- [vSphere](https://registry.terraform.io/providers/hashicorp/vsphere/latest/docs)
- [F5 BIG IP](https://registry.terraform.io/providers/F5Networks/bigip/latest)
- [Infoblox](https://registry.terraform.io/providers/infobloxopen/infoblox/latest)
- [AWS](https://registry.terraform.io/providers/hashicorp/aws/latest)
- [AzureRM](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs)
- Other Terraform providers via the kv_secret `generic` provider## Installation
- Download the release for your platform from [Releases](https://github.com/oulman/tfvaultenv/releases)
- untar or unzip the file and move tfvaultenv into your $PATH
- Create a .tfvaultenv.config.hcl file in your Terraform project. (see Configuration below and the examples directory)## Configuration
The configuration is written in [HCL](https://github.com/hashicorp/hcl) and the default name is `.tfvaultenv.config.hcl`. Unless overridden, tfvaultenv will look in the current working directory for the config file. You can optionally set the `--config` and `--configdepth` arguments to change the config file name or search up to N parent directories. This is useful in nested Terraform directory structure scenarios.
Configuration is set in blocks representing supported secrets engines and authentication methods.
### Secrets Engines
Currently all secrets engines use the same Vault client and because of that `tfvaultenv` only supports a single Vault backend configured via `VAULT_ADDR` environment variables. A feature is planned to be able to support multiple Vault backends and Namespaces.
#### AWS##### Example
```hcl
aws "sts" {
method = "assumed_role"
role = "rolename"
role_arn = "arn:aws:iam::00000000000:role/TerraformRole"
extra_env_vars = {
"AWS_DEFAULT_REGION" = "us-east-2"
}
ttl = 900
}
```##### Arguments
- `method`: (Required) Name of the [AWS Secrets Engine Method](https://www.vaultproject.io/docs/secrets/aws) Currently only `assumed_role` is supported
- `role`: (Required) AWS Secrets Engine role name
- `role_arn`: (Optional) Role ARN to assume when method is set to `assumed_role`
- `extra_env_vars`: (Optional) Map of additional environment variables to set
- `mount`: (Optional) Path to the mounted AWS secrets engine. Default: `aws`
- `ttl`: (Optional) TTL to set on the token or iam_user#### Azure
##### Example```hcl
azure "sub1" {
role = "sub1-rw"
extra_env_vars = {
"ARM_TENANT_ID" = "194dd302-295b-4993-b29e-2ca2d37b9031"
"ARM_SUBSCRIPTION_ID" = "9b9c4322-74a2-474e-ad94-c5e6890713c9"
}
}
```##### Arguments
- `role`: (Required) Azure Secrets Engine role name
- `extra_env_vars`: (Optional) Map of additional environment variables to set
- `mount`: (Optional) Path to the mounted Azure secrets engine. Default: `azure`#### Active Directory
##### Example
```hcl
ad "vsphere" {
role = "rolename"
target_provider = "vsphere"
extra_env_vars = {
"VSPHERE_SERVER" = "vcenter.example.com"
}
}
``````hcl
ad "generic" {
role = "tf-svc"
target_provider = "generic"
username_env_var = "TF_VAR_AD_USERNAME"
password_env_var = "TF_VAR_AD_PASSWORD"
}
```##### Arguments
- `role`: (Required) Name of the [Vault Active Directory Secrets Engine role name](https://www.vaultproject.io/docs/secrets/ad)
- `target_provider`: (Required) Name of the Terraform provider to generate environment variables for
- `extra_env_vars`: (Optional) Map of additional environment variables to set
- `username_env_var`: (Optional/Required for generic provider) Environment variable to set to username
- `password_env_var`: (Optional/Required for generic provider) Environment variable to set to password
- `path`: (Optional) Path to the mounted AD secrets engine. Default: `ad`#### Kv2 Secret
##### Example
```hcl
kv_secret "infoblox" {
path = "infoblox/terraform"
target_provider = "infoblox"
attribute_map = {
"ib_user" = "username"
"ib_password" = "password"
}
extra_env_vars = {
"FOO" = "bar"
}
}
```##### Arguments
- `path`: (Required) Path to the secret under the secrets engine mount
- `mount`: (Optional) Mount name of the secrets engine. Default: "secrets"
- `attribute_map`: (Optional) Map of kv2 secret attribute names to provider values. Defaults to username and password
- `target_provider`: (Required) Name of the Terraform provider to generate environment variables for
- `extra_env_vars`: (Optional) Map of additional environment variables to set
- `expand_env_vars`: (Optional) Perform shell expansion of variables in the string. This only applies to values in `extra_env_vars`#### Kv2 Secret (Generic)
You can use the "generic" target_provider when tfvaultenv doesnt directly support your Terraform provider.
##### Example
```hcl
kv_secret "generic" {
path = "teams/ops/db/pgsql"
target_provider = "generic"
attribute_map = {
"PGUSER" = "psql_user"
"PGPASSWORD" = "psql_pass"
}
extra_env_vars = {
"PGHOST" = "foo.bar.com"
"PGPORT" = "12345"
}
}
```##### Arguments
- `path`: (Required) Path to the secret under the secrets engine mount
- `mount`: (Optional) Mount name of the secrets engine. Default: "secrets"
- `attribute_map`: (Optional) Map of kv2 secret attribute names to environment vasriable keys.
- `target_provider`: (Required) generic
- `extra_env_vars`: (Optional) Map of additional environment variables to set
- `expand_env_vars`: (Optional) Perform shell expansion of variables in the string. This only applies to values in `extra_env_vars`
### Auth MethodsBy default `tfvaultenv` creates an implicit auth method that supports token based authentication in the form of VAULT_TOKEN, ~/.vault-token, and token helpers. Supported auth methods such as JWT (see below) can be used and can override token auth by configuring a priority of 1 or above. Auth methods can be conditionally activated using `when {}` blocks based on environment variables or other supported conditions. When multiple auth methods are defined you can specify priorities to ensure that the preferred fallback auth method is used.
#### Common arguments
- `method`: (Required) Name of the Vault authentication method
- `path`: (Required) Path to the auth engine mount
- `priority`: (Required) Priority - set > 0 to override implicit token based auth
- `when`: (Optional) Conditional block methods to determine if the auth method should be used. Currently only `env_present` is supported.
- `export_vault_token`: (Optional) Print the token to the `VAULT_TOKEN` environment variable.#### JWT
```hcl
auth "gitlab" {
method = "jwt"
path = "gitlab"
priority = 100jwt {
role = env("VAULT_ROLE")
token = env("CI_JOB_JWT")
}when {
env_present = "CI_JOB_JWT"
}
}
```##### Arguments
- `role`: (Required) Name of the JWT auth engine role
- `token`: (Required) JWT token to pass to Vault API## Usage
### Setting environment variables
```
$ export `tfvaultenv get`
$ env | grep AWS_
AWS_ACCESS_KEY_ID=ASIA
AWS_ACCESS_SECRET_KEY=nJJFD/
AWS_ACCESS_SESSION_TOKEN=
```### Printing to stdout
```
$ tfvaultenv get
AWS_ACCESS_KEY_ID=ASIA
AWS_ACCESS_SECRET_KEY=nJJFD/
AWS_ACCESS_SESSION_TOKEN=
```### Specifying an alternate configuration file
```
$ tfvaultenv get --config /path/to/config.hcl
```