-
-
Save jrnt30/e7829b9d1934419063b6 to your computer and use it in GitHub Desktop.
Example Chef extension to extract secrets from HashiCorp's Vault
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Please see the following blog post for more information: | |
| # | |
| # https://www.hashicorp.com/blog/using-hashicorp-vault-with-chef.html | |
| # | |
| resource_name :vault_secret | |
| property :path, String, name_property: true | |
| property :destination, String | |
| action :read do | |
| destination ||= path | |
| lease_id = node[destination] | |
| begin | |
| # Attempt to renew the lease. | |
| Vault.sys.renew(lease_id) | |
| # If the renew succeeded, do not fire notifications because the secret is | |
| # already persisted on the notified resource(s). | |
| updated_by_last_action(false) | |
| # Done | |
| return | |
| rescue Vault::HTTPClientError => e | |
| # Renewal failed - this could mean that the lease has been manually | |
| # revoked or we did not renew in time. In any case, we will log a message | |
| # and attempt to read a new secret. | |
| Chef::Log.warn("Failed to renew `#{lease_id}', attempting a fresh read") | |
| end if lease_id | |
| # Attempt to read the secret. If this fails, an error is raised. | |
| secret = Vault.logical.read(path) | |
| if secret.nil? | |
| raise "Could not read secret `#{path}'!" | |
| end | |
| # If the secret is renewable, save the lease_id so we can renew it later. | |
| if secret.renewable? | |
| node.set[destination] = secret.lease_id | |
| end | |
| # Persist the secret in-memory for the rest of this Chef run. | |
| node.run_state[destination] = secret | |
| # Tell notifications to fire. | |
| updated_by_last_action(true) | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment