From a3c00f6d10fa27970a9768dbd9f42732628fb045 Mon Sep 17 00:00:00 2001 From: Ilija Matoski Date: Tue, 15 Oct 2024 09:29:44 +0200 Subject: [PATCH] examples: some examples of terraform for the vault plugin --- .../.gitignore | 5 + .../README.md | 74 ++++++++ .../main.tf | 58 ++++++ .../versions.tf | 7 + .../terraform-with-patch-values/.gitignore | 5 + .../terraform-with-patch-values/README.md | 171 ++++++++++++++++++ examples/terraform-with-patch-values/main.tf | 78 ++++++++ .../terraform-with-patch-values/versions.tf | 7 + 8 files changed, 405 insertions(+) create mode 100644 examples/terraform-vault-manages-gitlab-token/.gitignore create mode 100644 examples/terraform-vault-manages-gitlab-token/README.md create mode 100644 examples/terraform-vault-manages-gitlab-token/main.tf create mode 100644 examples/terraform-vault-manages-gitlab-token/versions.tf create mode 100644 examples/terraform-with-patch-values/.gitignore create mode 100644 examples/terraform-with-patch-values/README.md create mode 100644 examples/terraform-with-patch-values/main.tf create mode 100644 examples/terraform-with-patch-values/versions.tf diff --git a/examples/terraform-vault-manages-gitlab-token/.gitignore b/examples/terraform-vault-manages-gitlab-token/.gitignore new file mode 100644 index 0000000..148e088 --- /dev/null +++ b/examples/terraform-vault-manages-gitlab-token/.gitignore @@ -0,0 +1,5 @@ +/.terraform +/.terraform.lock.hcl +/.envrc +/plan +/terraform.tfstate* \ No newline at end of file diff --git a/examples/terraform-vault-manages-gitlab-token/README.md b/examples/terraform-vault-manages-gitlab-token/README.md new file mode 100644 index 0000000..fd57e23 --- /dev/null +++ b/examples/terraform-vault-manages-gitlab-token/README.md 
@@ -0,0 +1,74 @@ +Terraform with Patch Values +--------------------------- + +```shell +export TF_VAR_gitlab_base_url="http://localhost:8080" +export TF_VAR_gitlab_token="glpat-secret-random-token" +export VAULT_ADDR=http://127.0.0.1:8200 +export VAULT_TOKEN=root +``` + +```shell +❯ terraform plan -out plan + +Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + + create + +Terraform will perform the following actions: + + # vault_generic_endpoint.mount_default_config will be created + + resource "vault_generic_endpoint" "mount_default_config" { + + data_json = (sensitive value) + + disable_delete = true + + disable_read = false + + id = (known after apply) + + ignore_absent_fields = true + + path = "gitlab/config/default" + + write_data = (known after apply) + + write_data_json = (known after apply) + + write_fields = [ + + "base_url", + + "auto_rotate_token", + + "auto_rotate_before", + + "type", + + "scopes", + ] + } + +Plan: 1 to add, 0 to change, 0 to destroy. + +────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── + +Saved the plan to: plan + +To perform exactly these actions, run the following command to apply: + terraform apply "plan" +❯ terraform apply plan +vault_generic_endpoint.mount_default_config: Creating... +vault_generic_endpoint.mount_default_config: Creation complete after 0s [id=gitlab/config/default] + +Apply complete! Resources: 1 added, 0 changed, 0 destroyed. 
+```
+
+After that we have a configuration endpoint in Vault
+
+```shell
+❯ vault list gitlab/config
+Keys
+----
+default
+
+❯ vault read gitlab/config/default
+Key Value
+--- -----
+auto_rotate_before 48h0m0s
+auto_rotate_token true
+base_url http://localhost:8080
+name default
+scopes api, read_api, read_user, sudo, admin_mode, create_runner, k8s_proxy, read_repository, write_repository, ai_features, read_service_ping
+token_created_at 2024-07-11T18:53:26Z
+token_expires_at 2025-07-11T00:00:00Z
+token_id 1
+token_sha1_hash 9441e6e07d77a2d5601ab5d7cac5868d358d885c
+type self-managed
+```
diff --git a/examples/terraform-vault-manages-gitlab-token/main.tf b/examples/terraform-vault-manages-gitlab-token/main.tf
new file mode 100644
index 0000000..86e799c
--- /dev/null
+++ b/examples/terraform-vault-manages-gitlab-token/main.tf
@@ -0,0 +1,58 @@
+variable "gitlab_base_url" {
+ description = "GitLab base URL, eg. https://gitlab.com"
+ type = string
+}
+
+variable "gitlab_token" {
+ description = "GitLab Token"
+ type = string
+ sensitive = true
+}
+
+variable "gitlab_type" {
+ description = "GitLab Type can be saas, self-managed or dedicated"
+ type = string
+ default = "self-managed"
+}
+
+variable "gitlab_auto_rotate_token" {
+ type = bool
+ default = true
+}
+
+variable "gitlab_auto_rotate_before" {
+ type = string
+ default = "48h"
+}
+
+locals {
+ vault_config_default_data = {
+ token = var.gitlab_token
+ base_url = var.gitlab_base_url
+ auto_rotate_token = var.gitlab_auto_rotate_token
+ auto_rotate_before = var.gitlab_auto_rotate_before
+ type = var.gitlab_type
+ }
+}
+
+resource "vault_generic_endpoint" "mount_default_config" {
+ path = "gitlab/config/default"
+ disable_delete = true
+ ignore_absent_fields = true
+
+ write_fields = [
+ "base_url",
+ "auto_rotate_token",
+ "auto_rotate_before",
+ "type",
+ "scopes",
+ ]
+
+ data_json = jsonencode(local.vault_config_default_data)
+
+ lifecycle {
+ ignore_changes = [
+ data_json
+ ]
+ }
+}
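Review bot: variable "gitlab_type" names the accepted values (saas, self-managed, dedicated) in its description but never enforces them, so a typo is only caught, if at all, when Vault processes the write — and because lifecycle.ignore_changes covers data_json, a later correction of the variable is not re-applied either; the same applies to the copy of this variable in examples/terraform-with-patch-values/main.tf. Add a validation block: `validation { condition = contains(["saas", "self-managed", "dedicated"], var.gitlab_type)  error_message = "gitlab_type must be one of saas, self-managed or dedicated." }`. A comment on data_json would also help readers of the example: `sensitive = true` on gitlab_token only masks the value in plan output, the JSON-encoded token is still written to the Terraform state, which is why the example's .gitignore excludes terraform.tfstate* — e.g. `# data_json (including the GitLab token) is persisted in Terraform state; use a protected/encrypted state backend.`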
diff --git a/examples/terraform-vault-manages-gitlab-token/versions.tf b/examples/terraform-vault-manages-gitlab-token/versions.tf
new file mode 100644
index 0000000..ca210f3
--- /dev/null
+++ b/examples/terraform-vault-manages-gitlab-token/versions.tf
@@ -0,0 +1,7 @@
+terraform {
+ required_providers {
+ vault = {}
+ null = {}
+ }
+}
+
diff --git a/examples/terraform-with-patch-values/.gitignore b/examples/terraform-with-patch-values/.gitignore
new file mode 100644
index 0000000..148e088
--- /dev/null
+++ b/examples/terraform-with-patch-values/.gitignore
@@ -0,0 +1,5 @@
+/.terraform
+/.terraform.lock.hcl
+/.envrc
+/plan
+/terraform.tfstate*
\ No newline at end of file
diff --git a/examples/terraform-with-patch-values/README.md b/examples/terraform-with-patch-values/README.md
new file mode 100644
index 0000000..8c0111b
--- /dev/null
+++ b/examples/terraform-with-patch-values/README.md
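Review bot: required_providers declares `vault = {}` and `null = {}` with no source and no version constraint, and both examples' .gitignore exclude .terraform.lock.hcl, so every `terraform init` of these examples resolves and downloads whatever the newest provider release is at that moment; the identical versions.tf in examples/terraform-with-patch-values has the same issue. Pin the providers to the versions the examples were tested with, e.g. `vault = { source = "hashicorp/vault", version = "~> X.Y" }` (X.Y being a placeholder for the tested version), and consider committing the lock file instead of ignoring it. In this first example the `null` entry can also be dropped, since examples/terraform-vault-manages-gitlab-token/main.tf declares no null_resource.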
@@ -0,0 +1,171 @@ +Terraform with Patch Values +--------------------------- + +```shell +export TF_VAR_gitlab_base_url="http://localhost:8080" +export TF_VAR_gitlab_token="glpat-secret-random-token" +export VAULT_ADDR=http://127.0.0.1:8200 +export VAULT_TOKEN=root +``` + +```shell +❯ terraform plan -out plan + +Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + + create + +Terraform will perform the following actions: + + # null_resource.mount_default_config_patch["auto_rotate_before"] will be created + + resource "null_resource" "mount_default_config_patch" { + + id = (known after apply) + + triggers = { + + "auto_rotate_before" = "48h" + } + } + + # null_resource.mount_default_config_patch["auto_rotate_token"] will be created + + resource "null_resource" "mount_default_config_patch" { + + id = (known after apply) + + triggers = { + + "auto_rotate_token" = "true" + } + } + + # null_resource.mount_default_config_patch["base_url"] will be created + + resource "null_resource" "mount_default_config_patch" { + + id = (known after apply) + + triggers = { + + "base_url" = "http://localhost:8080" + } + } + + # null_resource.mount_default_config_patch["type"] will be created + + resource "null_resource" "mount_default_config_patch" { + + id = (known after apply) + + triggers = { + + "type" = "self-managed" + } + } + + # vault_generic_endpoint.mount_default_config will be created + + resource "vault_generic_endpoint" "mount_default_config" { + + data_json = (sensitive value) + + disable_delete = true + + disable_read = false + + id = (known after apply) + + ignore_absent_fields = true + + path = "gitlab/config/default" + + write_data = (known after apply) + + write_data_json = (known after apply) + + write_fields = [ + + "base_url", + + "auto_rotate_token", + + "auto_rotate_before", + + "type", + + "scopes", + ] + } + +Plan: 5 to add, 0 to change, 0 to destroy. 
+ +❯ terraform apply plan +vault_generic_endpoint.mount_default_config: Creating... +vault_generic_endpoint.mount_default_config: Creation complete after 0s [id=gitlab/config/default] +null_resource.mount_default_config_patch["base_url"]: Creating... +null_resource.mount_default_config_patch["auto_rotate_token"]: Creating... +null_resource.mount_default_config_patch["auto_rotate_before"]: Creating... +null_resource.mount_default_config_patch["type"]: Creating... +null_resource.mount_default_config_patch["base_url"]: Provisioning with 'local-exec'... +null_resource.mount_default_config_patch["base_url"] (local-exec): Executing: ["bash" "-c" " vault patch gitlab/config/default base_url=http://localhost:8080 >/dev/null\n"] +null_resource.mount_default_config_patch["auto_rotate_before"]: Provisioning with 'local-exec'... +null_resource.mount_default_config_patch["type"]: Provisioning with 'local-exec'... +null_resource.mount_default_config_patch["auto_rotate_token"]: Provisioning with 'local-exec'... 
+null_resource.mount_default_config_patch["auto_rotate_before"] (local-exec): Executing: ["bash" "-c" " vault patch gitlab/config/default auto_rotate_before=48h >/dev/null\n"] +null_resource.mount_default_config_patch["type"] (local-exec): Executing: ["bash" "-c" " vault patch gitlab/config/default type=self-managed >/dev/null\n"] +null_resource.mount_default_config_patch["auto_rotate_token"] (local-exec): Executing: ["bash" "-c" " vault patch gitlab/config/default auto_rotate_token=true >/dev/null\n"] +null_resource.mount_default_config_patch["type"]: Creation complete after 0s [id=8417009586748670144] +null_resource.mount_default_config_patch["base_url"]: Creation complete after 0s [id=3051316335689864969] +null_resource.mount_default_config_patch["auto_rotate_before"]: Creation complete after 0s [id=3174774997957690363] +null_resource.mount_default_config_patch["auto_rotate_token"]: Creation complete after 0s [id=2586021087863779131] +``` + +After that we have a configuration endpoint in Vault + +```shell +❯ vault list gitlab/config +Keys +---- +default + +❯ vault read gitlab/config/default +Key Value +--- ----- +auto_rotate_before 48h0m0s +auto_rotate_token true +base_url http://localhost:8080 +name default +scopes api, read_api, read_user, sudo, admin_mode, create_runner, k8s_proxy, read_repository, write_repository, ai_features, read_service_ping +token_created_at 2024-07-11T18:53:26Z +token_expires_at 2025-07-11T00:00:00Z +token_id 1 +token_sha1_hash 9441e6e07d77a2d5601ab5d7cac5868d358d885c +type self-managed +``` + +Now if we change the value + +```shell +❯ terraform plan -out plan -var "gitlab_type=saas" +vault_generic_endpoint.mount_default_config: Refreshing state... [id=gitlab/config/default] +null_resource.mount_default_config_patch["auto_rotate_before"]: Refreshing state... [id=3174774997957690363] +null_resource.mount_default_config_patch["base_url"]: Refreshing state... 
[id=3051316335689864969] +null_resource.mount_default_config_patch["auto_rotate_token"]: Refreshing state... [id=2586021087863779131] +null_resource.mount_default_config_patch["type"]: Refreshing state... [id=8417009586748670144] + +Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: +-/+ destroy and then create replacement + +Terraform will perform the following actions: + + # null_resource.mount_default_config_patch["type"] must be replaced +-/+ resource "null_resource" "mount_default_config_patch" { + ~ id = "8417009586748670144" -> (known after apply) + ~ triggers = { # forces replacement + ~ "type" = "self-managed" -> "saas" + } + } + +Plan: 1 to add, 0 to change, 1 to destroy. + +────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── + +Saved the plan to: plan + +To perform exactly these actions, run the following command to apply: + terraform apply "plan" + +❯ terraform apply plan +null_resource.mount_default_config_patch["type"]: Destroying... [id=8417009586748670144] +null_resource.mount_default_config_patch["type"]: Destruction complete after 0s +null_resource.mount_default_config_patch["type"]: Creating... +null_resource.mount_default_config_patch["type"]: Provisioning with 'local-exec'... +null_resource.mount_default_config_patch["type"] (local-exec): Executing: ["bash" "-c" " vault patch gitlab/config/default type=saas >/dev/null\n"] +null_resource.mount_default_config_patch["type"]: Creation complete after 0s [id=7287861734270135244] + +Apply complete! Resources: 1 added, 0 changed, 1 destroyed. 
+ +❯ vault read gitlab/config/default +Key Value +--- ----- +auto_rotate_before 48h0m0s +auto_rotate_token true +base_url http://localhost:8080 +name default +scopes api, read_api, read_user, sudo, admin_mode, create_runner, k8s_proxy, read_repository, write_repository, ai_features, read_service_ping +token_created_at 2024-07-11T18:53:26Z +token_expires_at 2025-07-11T00:00:00Z +token_id 1 +token_sha1_hash 9441e6e07d77a2d5601ab5d7cac5868d358d885c +type saas +``` \ No newline at end of file diff --git a/examples/terraform-with-patch-values/main.tf b/examples/terraform-with-patch-values/main.tf new file mode 100644 index 0000000..929c3be --- /dev/null +++ b/examples/terraform-with-patch-values/main.tf 
@@ -0,0 +1,78 @@
+variable "gitlab_base_url" {
+ description = "GitLab base URL, eg. https://gitlab.com"
+ type = string
+}
+
+variable "gitlab_token" {
+ description = "GitLab Token"
+ type = string
+ sensitive = true
+}
+
+variable "gitlab_type" {
+ description = "GitLab Type can be saas, self-managed or dedicated"
+ type = string
+ default = "self-managed"
+}
+
+variable "gitlab_auto_rotate_token" {
+ type = bool
+ default = true
+}
+
+variable "gitlab_auto_rotate_before" {
+ type = string
+ default = "48h"
+}
+
+locals {
+ vault_config_default_data = {
+ token = var.gitlab_token
+ base_url = var.gitlab_base_url
+ auto_rotate_token = var.gitlab_auto_rotate_token
+ auto_rotate_before = var.gitlab_auto_rotate_before
+ type = var.gitlab_type
+ }
+
+ vault_config_default_patch_data = {
+ for k, v in local.vault_config_default_data : k => v if k != "token"
+ }
+}
+
+resource "vault_generic_endpoint" "mount_default_config" {
+ path = "gitlab/config/default"
+ disable_delete = true
+ ignore_absent_fields = true
+
+ write_fields = [
+ "base_url",
+ "auto_rotate_token",
+ "auto_rotate_before",
+ "type",
+ "scopes",
+ ]
+
+ data_json = jsonencode(local.vault_config_default_data)
+
+ lifecycle {
+ ignore_changes = [
+ data_json
+ ]
+ }
+}
+
+resource "null_resource" "mount_default_config_patch" {
+ for_each = local.vault_config_default_patch_data
+ triggers = { (each.key) = each.value }
+
+ provisioner "local-exec" {
+ command = </dev/null
+ EOT
+ interpreter = ["bash", "-c"]
+ }
+
+ depends_on = [
+ vault_generic_endpoint.mount_default_config,
+ ]
+}
\ No newline at end of file
diff --git a/examples/terraform-with-patch-values/versions.tf b/examples/terraform-with-patch-values/versions.tf
new file mode 100644
index 0000000..ca210f3
--- /dev/null
+++ b/examples/terraform-with-patch-values/versions.tf
@@ -0,0 +1,7 @@
+terraform {
+ required_providers {
+ vault = {}
+ null = {}
+ }
+}
+
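Review bot: the local-exec provisioner in null_resource.mount_default_config_patch builds a `bash -c` command string by interpolating each.key and each.value unquoted — the heredoc body is lost in this rendering of the patch (`command = </dev/null`, and the hunk is one line short of its declared 78), so this goes by the command the README's apply log shows, `vault patch gitlab/config/default base_url=http://localhost:8080 >/dev/null`. A value with whitespace or shell metacharacters (base_url comes straight from TF_VAR_gitlab_base_url) is then word-split or interpreted by the shell rather than reaching `vault patch` as one key=value argument. Passing the pair through the provisioner's `environment` map and quoting it in the command keeps the shell out of the value entirely; the rest of the resource (for_each, triggers, depends_on) stays as is.
```hcl
  provisioner "local-exec" {
    interpreter = ["bash", "-c"]
    # Hand the pair over via the environment so the shell never parses the value.
    environment = {
      PATCH_KEY   = each.key
      PATCH_VALUE = each.value
    }
    command = "vault patch gitlab/config/default \"$PATCH_KEY=$PATCH_VALUE\" >/dev/null"
  }
```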