For the last few days I have been playing with GitHub Actions to see how easy it was to deploy Terraform. One of the first problems I ran into was related to the use of the Vault provider in my Terraform code. HashiCorp has a Vault Secrets action that you can use, but I had some issues with it. It seems to be designed more for retrieving specific secrets than for setting the VAULT_TOKEN so that I could access Vault from Terraform.

I ended up writing my own steps to install and use Vault. First, I added a new environment variable to the job called VAULT_VERSION so that I could easily change it in the future. I also added VAULT_ADDRESS to set the endpoint address.


Next, I created a step that installed the Vault application. It checks to see if the bin directory exists and creates it if it does not. Then it changes to that directory, downloads the zipped binary, unzips it and makes it executable. Finally, it adds the bin directory to the path so it can be executed easily.

- name: Install Vault
  run: |
    # create a bin directory in the workspace if it is not already there
    [[ -d bin ]] || mkdir bin
    cd bin
    # download the release zip; linux/amd64 is assumed for an ubuntu runner
    curl -fsSLo vault.zip "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip"
    # the release is a zip archive, so unzip (not gunzip) extracts the binary
    unzip -o vault.zip
    chmod 700 vault
    # make the bin directory visible on PATH for the following steps
    echo "$PWD" >> "$GITHUB_PATH"

Finally, I log into Vault and set the VAULT_TOKEN variable. I added a set of AppRole credentials (a role ID and a secret ID) to the repository's secrets store and use them in this step to generate a login token for Terraform to use. The first line creates the VAULT_TOKEN variable, then I add ::add-mask:: so that the token value won't show up in the GitHub Actions logs. Finally, I add it to the environment so that GitHub can use it in subsequent steps.

- name: Log Into Vault
  run: |
    # the vault CLI reads the server endpoint from the VAULT_ADDR environment variable
    VAULT_TOKEN=$(vault write -field=token auth/approle/login \
                    role_id="${{ secrets.ROLE_ID }}" \
                    secret_id="${{ secrets.SECRET_ID }}")   # secret name SECRET_ID assumed
    echo "::add-mask::$VAULT_TOKEN"
    # export the token to later steps through the GITHUB_ENV file
    echo "VAULT_TOKEN=$VAULT_TOKEN" >> "$GITHUB_ENV"
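Putting the pieces together, here is a complete job as an added example (not the workflow from this post): it uses VAULT_ADDR rather than VAULT_ADDRESS because that is the variable both the Vault CLI and the Terraform Vault provider read, it checks the downloaded zip against the SHA256SUMS list HashiCorp publishes beside each release, and it revokes the CI token when the job ends. The Vault version, the endpoint and the SECRET_ID secret name are placeholders.

```yaml
name: terraform
on: [push]

jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      VAULT_VERSION: "1.15.6"                     # constructed value; pin the release you have vetted
      VAULT_ADDR: https://vault.example.com:8200  # placeholder endpoint
    steps:
      - uses: actions/checkout@v4

      - name: Install Vault (checksum-verified)
        run: |
          set -euo pipefail
          mkdir -p "$RUNNER_TEMP/vault"
          cd "$RUNNER_TEMP/vault"
          base="https://releases.hashicorp.com/vault/${VAULT_VERSION}"
          zip="vault_${VAULT_VERSION}_linux_amd64.zip"
          curl -fsSLO "${base}/${zip}"
          curl -fsSLO "${base}/vault_${VAULT_VERSION}_SHA256SUMS"
          # refuse to install a binary whose digest is not in the published list
          sha256sum --check --ignore-missing "vault_${VAULT_VERSION}_SHA256SUMS"
          unzip -o "$zip" vault
          chmod 0755 vault
          echo "$PWD" >> "$GITHUB_PATH"

      - name: Log into Vault with AppRole
        run: |
          set -euo pipefail
          VAULT_TOKEN=$(vault write -field=token auth/approle/login \
                          role_id="${{ secrets.ROLE_ID }}" \
                          secret_id="${{ secrets.SECRET_ID }}")
          echo "::add-mask::$VAULT_TOKEN"
          echo "VAULT_TOKEN=$VAULT_TOKEN" >> "$GITHUB_ENV"

      - name: Terraform apply
        run: |
          terraform init -input=false
          terraform apply -input=false -auto-approve

      - name: Revoke the CI token
        if: always()           # runs even when terraform fails, so the token does not outlive the job
        run: vault token revoke -self
```

Because the zip and the SHA256SUMS list come from the same origin, the digest check catches a corrupted or swapped download but not a compromised release server; verifying the accompanying SHA256SUMS.sig with HashiCorp's release signing key closes that gap.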

It seems pretty straightforward, but it took me a few hours to figure out. Hopefully, this will help somebody else save that time.