
Create a terraform provider

Open lsjostro opened this issue 4 years ago • 4 comments

Would be awesome to have a terraform provider to be able to configure the plugin, especially for config and permission sets. Could be a fun project for someone?! 😊 I don't have the bandwidth myself though.

lsjostro avatar Feb 23 '21 21:02 lsjostro

You actually don't need a special provider to configure it:

resource "vault_mount" "github" {
  path = "github"
  type = "github"
}

resource "vault_generic_endpoint" "github-config" {
  path = "${vault_mount.github.path}/config"
  data_json = jsonencode({
    app_id = ...
    ins_id = ...
  })
  ignore_absent_fields = true
}

data "vault_policy_document" "foo" {
  rule {
    path                = "${vault_mount.github.path}/token"
    capabilities        = ["update"]
    required_parameters = ["permissions", "repository_ids"]

    allowed_parameter {
      key   = "repository_ids"
      value = ["..."]
    }

    allowed_parameter {
      key   = "permissions"
      value = ["contents=write"]
    }
  }
}

grahamc avatar Feb 25 '21 02:02 grahamc

Ah, true regarding the config. But for the permission set you will need one. The policy you wrote is not working as it's a oneof. You will not be able to request both contents=read and pull_requests=write. That's where permission sets get into the picture 👌😀

lsjostro avatar Feb 25 '21 06:02 lsjostro

@lsjostro permissionsets are also easily configured with terraform-provider-vault. We use something similar to the following to configure unique permissionsets for various clients:

resource "vault_generic_endpoint" "github_example_rw" {
  path                 = "github/permissionset/example-rw"
  ignore_absent_fields = true

  data_json = jsonencode({
    installation_id = var.github_example_installation_id
    permissions = {
      checks        = "write"
      contents      = "write"
      metadata      = "read"
      pull_requests = "write"
      statuses      = "write"
    }
    repository_ids = [...]
  })
  write_fields = ["installation_id", "permissions", "repository_ids"]
}

You can combine with AppRole metadata and policy templates to cleanly expose distinct permissionsets to different clients without too much management overhead.

Hope this helps.

isometry avatar Jun 06 '23 22:06 isometry

I can confirm that @isometry's terraform code works well. I haven't seen a need for a specific terraform provider.

Took a while for me to figure out that the permissionset with path github/permissionset/example-rw means that you should query the endpoint github/example-rw to get a token with those permissionset rules.

perbly avatar Jan 24 '24 12:01 perbly
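Putting isometry's AppRole-metadata-plus-policy-template suggestion and perbly's note on the token path together, here is an added example of that pattern (not code from the thread or from the plugin project). It assumes the `github` mount and the `example-rw` permissionset from isometry's snippet, an AppRole auth method, and that a permissionset's token is requested at `github/<permissionset name>` with the `update` capability, as this thread describes; the resource names `ci-example`, `github-permissionset` and the metadata key `github_permissionset` are made up for the example, and the token path should be checked against the plugin README for your version.

```hcl
# Added example (not from the thread or the plugin). Assumes the "github"
# mount and the "example-rw" permissionset are already configured as in
# isometry's snippet above.

# AppRole auth method; one role per client, all sharing the same policy.
resource "vault_auth_backend" "approle" {
  type = "approle"
}

resource "vault_approle_auth_backend_role" "ci_example" {
  backend        = vault_auth_backend.approle.path
  role_name      = "ci-example"
  token_policies = [vault_policy.github_permissionset.name]
}

# The identity entity behind the role carries the name of the one
# permissionset this client is allowed to use (key name is made up here).
resource "vault_identity_entity" "ci_example" {
  name = "ci-example"
  metadata = {
    github_permissionset = "example-rw"
  }
}

# For AppRole, the alias name is the role_id, so logins with this role
# resolve to the entity above and pick up its metadata.
resource "vault_identity_entity_alias" "ci_example" {
  name           = vault_approle_auth_backend_role.ci_example.role_id
  mount_accessor = vault_auth_backend.approle.accessor
  canonical_id   = vault_identity_entity.ci_example.id
}

# One templated policy for every client: each entity may only hit the token
# path of the permissionset named in its own metadata. Clients cannot read or
# change permissionset definitions, and cannot reach any other permissionset.
# Token path and capability are as described in this thread (assumption).
resource "vault_policy" "github_permissionset" {
  name   = "github-permissionset"
  policy = <<-EOT
    path "github/{{identity.entity.metadata.github_permissionset}}" {
      capabilities = ["update"]
    }
  EOT
}
```

Adding a client is then a new role, entity and alias with a different metadata value; the policy and the permissionset definitions under `github/permissionset/` stay untouched.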