diff --git a/registry/coder/modules/vault-github/README.md b/registry/coder/modules/vault-github/README.md
index 8e8fb230..55f1b348 100644
--- a/registry/coder/modules/vault-github/README.md
+++ b/registry/coder/modules/vault-github/README.md
@@ -14,7 +14,7 @@ This module lets you authenticate with [Hashicorp Vault](https://www.vaultprojec
 module "vault" {
 count = data.coder_workspace.me.start_count
 source = "registry.coder.com/coder/vault-github/coder"
- version = "1.0.31"
+ version = "1.1.0"
 agent_id = coder_agent.example.id
 vault_addr = "https://vault.example.com"
 }
@@ -46,7 +46,7 @@ To configure the Vault module, you must set up a Vault GitHub auth method. See t
 module "vault" {
 count = data.coder_workspace.me.start_count
 source = "registry.coder.com/coder/vault-github/coder"
- version = "1.0.31"
+ version = "1.1.0"
 agent_id = coder_agent.example.id
 vault_addr = "https://vault.example.com"
 coder_github_auth_id = "my-github-auth-id"
@@ -59,7 +59,7 @@ module "vault" {
 module "vault" {
 count = data.coder_workspace.me.start_count
 source = "registry.coder.com/coder/vault-github/coder"
- version = "1.0.31"
+ version = "1.1.0"
 agent_id = coder_agent.example.id
 vault_addr = "https://vault.example.com"
 coder_github_auth_id = "my-github-auth-id"
@@ -73,7 +73,7 @@ module "vault" {
 module "vault" {
 count = data.coder_workspace.me.start_count
 source = "registry.coder.com/coder/vault-github/coder"
- version = "1.0.31"
+ version = "1.1.0"
 agent_id = coder_agent.example.id
 vault_addr = "https://vault.example.com"
 vault_cli_version = "1.15.0"
diff --git a/registry/coder/modules/vault-github/main.tf b/registry/coder/modules/vault-github/main.tf
index 286025a0..45fb2751 100644
--- a/registry/coder/modules/vault-github/main.tf
+++ b/registry/coder/modules/vault-github/main.tf
@@ -32,6 +32,12 @@ variable "vault_github_auth_path" {
 default = "github"
 }
 
+variable "vault_namespace" {
+ type = string
+ description = "The Vault Enterprise namespace that contains the GitHub auth mount."
+ default = null
+}
+
 variable "vault_cli_version" {
 type = string
 description = "The version of Vault to install."
@@ -52,6 +58,7 @@ resource "coder_script" "vault" {
 AUTH_PATH : var.vault_github_auth_path,
 GITHUB_EXTERNAL_AUTH_ID : data.coder_external_auth.github.id,
 INSTALL_VERSION : var.vault_cli_version,
+ VAULT_NAMESPACE : var.vault_namespace != null ? var.vault_namespace : "",
 })
 run_on_start = true
 start_blocks_login = true
@@ -63,6 +70,13 @@ resource "coder_env" "vault_addr" {
 value = var.vault_addr
 }
 
+resource "coder_env" "vault_namespace" {
+ count = var.vault_namespace == null ? 0 : 1
+ agent_id = var.agent_id
+ name = "VAULT_NAMESPACE"
+ value = var.vault_namespace
+}
+
 data "coder_external_auth" "github" {
 id = var.coder_github_auth_id
 }
diff --git a/registry/coder/modules/vault-github/run.sh b/registry/coder/modules/vault-github/run.sh
index 8ca96c0e..05ac48cb 100644
--- a/registry/coder/modules/vault-github/run.sh
+++ b/registry/coder/modules/vault-github/run.sh
@@ -4,6 +4,7 @@
 INSTALL_VERSION=${INSTALL_VERSION}
 GITHUB_EXTERNAL_AUTH_ID=${GITHUB_EXTERNAL_AUTH_ID}
 AUTH_PATH=${AUTH_PATH}
+VAULT_NAMESPACE=${VAULT_NAMESPACE}
 
 fetch() {
 dest="$1"
@@ -104,6 +105,11 @@ if ! (
 fi
 rm -rf "$TMP"
 
+if [ -n "$${VAULT_NAMESPACE}" ]; then
+ export VAULT_NAMESPACE
+ printf "📁 Using Vault namespace: %s\n\n" "$${VAULT_NAMESPACE}"
+fi
+
 # Authenticate with Vault
 printf "🔑 Authenticating with Vault ...\n\n"
 GITHUB_TOKEN=$(coder external-auth access-token "$${GITHUB_EXTERNAL_AUTH_ID}")
diff --git a/registry/coder/modules/vault-jwt/README.md b/registry/coder/modules/vault-jwt/README.md
index 8b00f14c..8d422c09 100644
--- a/registry/coder/modules/vault-jwt/README.md
+++ b/registry/coder/modules/vault-jwt/README.md
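Review bot: The new `vault_namespace` variable is interpolated verbatim into run.sh and into a `coder_env` value with no validation, so a value containing whitespace or quote characters becomes shell syntax in the generated startup script rather than a namespace. A `validation` block on the variable is the cheapest place to reject that, and it also rejects the empty string, which the `count = var.vault_namespace == null ? 0 : 1` check elsewhere in this file would otherwise turn into an exported empty `VAULT_NAMESPACE`. The character class below accepts flat and nested paths such as `admin` or `admin/team-a` (with an optional trailing slash); widen it if your Vault deployment permits other characters. The README hunks in this commit only bump the module version, so the new input is undocumented — add an example with `vault_namespace = "admin/team-a"` and say that it only applies to Vault Enterprise, as the variable description already states.
```hcl
variable "vault_namespace" {
  # … unchanged: type, description, default …
  validation {
    condition     = var.vault_namespace == null || can(regex("^[A-Za-z0-9_.-]+(/[A-Za-z0-9_.-]+)*/?$", var.vault_namespace))
    error_message = "vault_namespace must be a Vault namespace path such as \"admin\" or \"admin/team-a\" (no whitespace or quotes)."
  }
}
```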
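Review bot: `count = var.vault_namespace == null ? 0 : 1` in the new `coder_env "vault_namespace"` resource creates the workspace environment variable for `vault_namespace = ""`, while the guard the same commit adds to run.sh, `[ -n "$${VAULT_NAMESPACE}" ]`, treats that value as unset — so the login script and the user's shell disagree on whether a namespace is in effect. Treat null and empty the same here: `count = var.vault_namespace == null || var.vault_namespace == "" ? 0 : 1`. The `data "coder_external_auth" "github"` block at the end of the hunk is unchanged context.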
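Review bot: `VAULT_NAMESPACE=${VAULT_NAMESPACE}` in the first run.sh hunk is a Terraform template interpolation, so the namespace is pasted unquoted into the shell source before the script runs; this matches the existing `AUTH_PATH=${AUTH_PATH}` line above it, but a value with whitespace or a shell metacharacter turns into a syntax error or a stray command instead of an assignment. The value is template-author controlled, so the exposure is small, but quoting it, `VAULT_NAMESPACE="${VAULT_NAMESPACE}"`, keeps whitespace intact and leaves only an embedded double quote as a failure case, which a `validation` block on the variable in main.tf can rule out.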
@@ -14,7 +14,7 @@ This module lets you authenticate with [Hashicorp Vault](https://www.vaultprojec
 module "vault" {
 count = data.coder_workspace.me.start_count
 source = "registry.coder.com/coder/vault-jwt/coder"
- version = "1.1.1"
+ version = "1.2.0"
 agent_id = coder_agent.example.id
 vault_addr = "https://vault.example.com"
 vault_jwt_role = "coder" # The Vault role to use for authentication
@@ -42,7 +42,7 @@ curl -H "X-Vault-Token: ${VAULT_TOKEN}" -X GET "${VAULT_ADDR}/v1/coder/secrets/d
 module "vault" {
 count = data.coder_workspace.me.start_count
 source = "registry.coder.com/coder/vault-jwt/coder"
- version = "1.1.1"
+ version = "1.2.0"
 agent_id = coder_agent.example.id
 vault_addr = "https://vault.example.com"
 vault_jwt_auth_path = "oidc"
@@ -58,7 +58,7 @@ data "coder_workspace_owner" "me" {}
 module "vault" {
 count = data.coder_workspace.me.start_count
 source = "registry.coder.com/coder/vault-jwt/coder"
- version = "1.1.1"
+ version = "1.2.0"
 agent_id = coder_agent.example.id
 vault_addr = "https://vault.example.com"
 vault_jwt_role = data.coder_workspace_owner.me.groups[0]
@@ -71,7 +71,7 @@ module "vault" {
 module "vault" {
 count = data.coder_workspace.me.start_count
 source = "registry.coder.com/coder/vault-jwt/coder"
- version = "1.1.1"
+ version = "1.2.0"
 agent_id = coder_agent.example.id
 vault_addr = "https://vault.example.com"
 vault_jwt_role = "coder" # The Vault role to use for authentication
@@ -132,7 +132,7 @@ resource "jwt_signed_token" "vault" {
 module "vault" {
 count = data.coder_workspace.me.start_count
 source = "registry.coder.com/coder/vault-jwt/coder"
- version = "1.1.1"
+ version = "1.2.0"
 agent_id = coder_agent.example.id
 vault_addr = "https://vault.example.com"
 vault_jwt_role = "coder" # The Vault role to use for authentication
diff --git a/registry/coder/modules/vault-jwt/main.tf b/registry/coder/modules/vault-jwt/main.tf
index 17288e00..69ae9e07 100644
--- a/registry/coder/modules/vault-jwt/main.tf
+++ b/registry/coder/modules/vault-jwt/main.tf
@@ -38,6 +38,12 @@ variable "vault_jwt_role" {
 description = "The name of the Vault role to use for authentication."
 }
 
+variable "vault_namespace" {
+ type = string
+ description = "The Vault Enterprise namespace that contains the JWT auth mount."
+ default = null
+}
+
 variable "vault_cli_version" {
 type = string
 description = "The version of Vault to install."
@@ -57,6 +63,7 @@ resource "coder_script" "vault" {
 VAULT_JWT_AUTH_PATH : var.vault_jwt_auth_path,
 VAULT_JWT_ROLE : var.vault_jwt_role,
 VAULT_CLI_VERSION : var.vault_cli_version,
+ VAULT_NAMESPACE : var.vault_namespace != null ? var.vault_namespace : "",
 })
 run_on_start = true
 start_blocks_login = true
@@ -68,4 +75,11 @@ resource "coder_env" "vault_addr" {
 value = var.vault_addr
 }
 
+resource "coder_env" "vault_namespace" {
+ count = var.vault_namespace == null ? 0 : 1
+ agent_id = var.agent_id
+ name = "VAULT_NAMESPACE"
+ value = var.vault_namespace
+}
+
 data "coder_workspace_owner" "me" {}
diff --git a/registry/coder/modules/vault-jwt/run.sh b/registry/coder/modules/vault-jwt/run.sh
index d95b45a2..6769afe2 100644
--- a/registry/coder/modules/vault-jwt/run.sh
+++ b/registry/coder/modules/vault-jwt/run.sh
@@ -4,6 +4,7 @@
 VAULT_CLI_VERSION=${VAULT_CLI_VERSION}
 VAULT_JWT_AUTH_PATH=${VAULT_JWT_AUTH_PATH}
 VAULT_JWT_ROLE=${VAULT_JWT_ROLE}
+VAULT_NAMESPACE=${VAULT_NAMESPACE}
 CODER_OIDC_ACCESS_TOKEN=${CODER_OIDC_ACCESS_TOKEN}
 
 fetch() {
@@ -105,6 +106,11 @@ if ! (
 fi
 rm -rf "$TMP"
 
+if [ -n "$${VAULT_NAMESPACE}" ]; then
+ export VAULT_NAMESPACE
+ printf "📁 Using Vault namespace: %s\n\n" "$${VAULT_NAMESPACE}"
+fi
+
 # Authenticate with Vault
 printf "🔑 Authenticating with Vault ...\n\n"
 echo "$${CODER_OIDC_ACCESS_TOKEN}" | vault write -field=token auth/"$${VAULT_JWT_AUTH_PATH}"/login role="$${VAULT_JWT_ROLE}" jwt=- | vault login -
diff --git a/registry/coder/modules/vault-token/README.md b/registry/coder/modules/vault-token/README.md
index 4561a170..c3e34f7f 100644
--- a/registry/coder/modules/vault-token/README.md
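Review bot: As in the vault-github module in this same commit, the new `vault_namespace` input reaches run.sh through an unquoted template interpolation and reaches the workspace through `coder_env`, with nothing rejecting whitespace, quotes or an empty string; a `validation` block on the variable stops a malformed value at `terraform plan` instead of at workspace start, where it would surface as a broken startup script or a `vault write` against the wrong auth mount. The regex below accepts flat and nested namespace paths (`admin`, `admin/team-a`, optional trailing slash); adjust it if your deployment allows other characters. The README for this module is only version-bumped in this commit, so also add an example using `vault_namespace` to the README's JWT-auth section.
```hcl
variable "vault_namespace" {
  # … unchanged: type, description, default …
  validation {
    condition     = var.vault_namespace == null || can(regex("^[A-Za-z0-9_.-]+(/[A-Za-z0-9_.-]+)*/?$", var.vault_namespace))
    error_message = "vault_namespace must be a Vault namespace path such as \"admin\" or \"admin/team-a\" (no whitespace or quotes)."
  }
}
```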
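Review bot: In the `coder_env "vault_namespace"` hunk, `count = var.vault_namespace == null ? 0 : 1` publishes an empty `VAULT_NAMESPACE` to the workspace when the template sets `vault_namespace = ""`, whereas the run.sh guard added in the same commit (`[ -n "$${VAULT_NAMESPACE}" ]`) skips the export for that value, so the JWT login and the user's later `vault` calls would not agree on the namespace. Make the two conditions match: `count = var.vault_namespace == null || var.vault_namespace == "" ? 0 : 1`.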
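Review bot: `VAULT_NAMESPACE=${VAULT_NAMESPACE}` in the first run.sh hunk pastes the Terraform value into the shell source unquoted, following the pattern of the `VAULT_JWT_ROLE=${VAULT_JWT_ROLE}` line above it; a namespace with a space would be parsed as an assignment followed by a command, and the script runs at workspace start with the user's privileges. Quote the assignment, `VAULT_NAMESPACE="${VAULT_NAMESPACE}"`, so only an embedded double quote can still break it, and rely on variable validation in main.tf for the rest.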
+++ b/registry/coder/modules/vault-token/README.md
@@ -19,7 +19,7 @@ variable "vault_token" {
 
 module "vault" {
 source = "registry.coder.com/coder/vault-token/coder"
- version = "1.2.2"
+ version = "1.3.0"
 agent_id = coder_agent.example.id
 vault_token = var.token # optional
 vault_addr = "https://vault.example.com"
@@ -73,7 +73,7 @@ variable "vault_token" {
 
 module "vault" {
 source = "registry.coder.com/coder/vault-token/coder"
- version = "1.2.2"
+ version = "1.3.0"
 agent_id = coder_agent.example.id
 vault_addr = "https://vault.example.com"
 vault_token = var.token
diff --git a/registry/coder/modules/vault-token/main.tf b/registry/coder/modules/vault-token/main.tf
index 51c3a935..be18b238 100644
--- a/registry/coder/modules/vault-token/main.tf
+++ b/registry/coder/modules/vault-token/main.tf
@@ -50,6 +50,7 @@ resource "coder_script" "vault" {
 icon = "/icon/vault.svg"
 script = templatefile("${path.module}/run.sh", {
 INSTALL_VERSION : var.vault_cli_version,
+ VAULT_NAMESPACE : var.vault_namespace != null ? var.vault_namespace : "",
 })
 run_on_start = true
 start_blocks_login = true
@@ -73,4 +74,4 @@ resource "coder_env" "vault_namespace" {
 agent_id = var.agent_id
 name = "VAULT_NAMESPACE"
 value = var.vault_namespace
-}
\ No newline at end of file
+}
diff --git a/registry/coder/modules/vault-token/run.sh b/registry/coder/modules/vault-token/run.sh
index 9b83f32f..dd18d809 100644
--- a/registry/coder/modules/vault-token/run.sh
+++ b/registry/coder/modules/vault-token/run.sh
@@ -2,6 +2,7 @@
 
 # Convert all templated variables to shell variables
 INSTALL_VERSION=${INSTALL_VERSION}
+VAULT_NAMESPACE=${VAULT_NAMESPACE}
 
 fetch() {
 dest="$1"
@@ -101,3 +102,8 @@ if ! (
 exit 1
 fi
 rm -rf "$TMP"
+
+if [ -n "$${VAULT_NAMESPACE}" ]; then
+ export VAULT_NAMESPACE
+ printf "📁 Using Vault namespace: %s\n\n" "$${VAULT_NAMESPACE}"
+fi
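Review bot: `VAULT_NAMESPACE=${VAULT_NAMESPACE}` in the first run.sh hunk is an unquoted Terraform interpolation into shell source, like the `INSTALL_VERSION=${INSTALL_VERSION}` line above it, so a namespace containing whitespace or a metacharacter would be executed rather than assigned when the workspace starts. Quote it, `VAULT_NAMESPACE="${VAULT_NAMESPACE}"`, and validate the variable's format in main.tf (the variable's declaration is not in this diff, so I cannot tell whether it already is).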
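Review bot: The `export VAULT_NAMESPACE` added at the bottom of run.sh appears to export to nothing: the old side of the last hunk (`exit 1`, `fi`, `rm -rf "$TMP"`) is lines 101–103 with no trailing context, which suggests the script ended there, so no `vault` command runs after the new `fi` — unlike the vault-github and vault-jwt scripts in this commit, which export before their `vault login`. Workspace sessions get the variable from the `coder_env "vault_namespace"` resource in main.tf instead. If the block is only meant to report the namespace, drop the `export` and keep the `printf`; if commands are expected to follow later, say so above the block, e.g. `# Exported for any vault commands appended below; interactive sessions get it via coder_env`.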