misurellig · misurellig · Feb 20, 2020 · Feb 20, 2020 · Feb 20, 2020
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+.terraform
diff --git a/README.md b/README.md
@@ -1 +1,16 @@
-# hashitalks-demo
+# hashitalks-demo
+
+This repo contains an example on how to use [Vault reponse wrapping](https://www.vaultproject.io/docs/concepts/response-wrapping/) feature to fetch Vault secrets from a Jenkins pipeline.
+
+The example has been used during the [HashiTalks2020](https://events.hashicorp.com/hashitalks2020) "Vault Response Wrapping Makes Secret Zero Challenge A Piece Of Cake" presentation demo.
+
+## terraform folder
+
+Terraform configuration files to configure both the Jenkins pipeline AppRole and the wrapping policy.
+
+## Jenkinsfile
+
+Stages simplify the following workflow:
+
+![Vault Response Wrapping Jenkins Workflow](/images/vault-jenkins-response-wrapping.png)
+
diff --git a/images/vault-jenkins-response-wrapping.png b/images/vault-jenkins-response-wrapping.png
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -0,0 +1,56 @@
+resource "vault_mount" "hashitalks_kv" {
+  path = "kv"
+  type = "generic"
+}
+
+resource "vault_generic_secret" "demo_secrets" {
+  path = "kv/pipeline-secrets"
+
+  data_json = <<EOT
+{
+  "secret-1": "i_am_a_secret",
+  "secret-2": "give_me_the_piece_of_cake"
+}
+EOT
+ depends_on = [vault_mount.hashitalks_kv]
+}
+
+resource "vault_policy" "pipeline_policy" {
+  name = "pipeline-policy"
+
+  policy = <<EOT
+path "kv/data/pipeline-secrets" {
+  policy = "read"
+}
+
+path "kv/pipeline-secrets" {
+  policy = "read"
+}
+EOT
+}
+
+resource "vault_policy" "trusted_entity_policy" {
+  name = "trusted-entity"
+
+  policy = <<EOT
+path "auth/pipeline/role/pipeline-approle/secret-id" {
+  policy = "write"
+  min_wrapping_ttl   = "100s"
+  max_wrapping_ttl   = "300s"
+}
+EOT
+}
+
+resource "vault_auth_backend" "pipeline_access" {
+  type = "approle"
+  path = "pipeline"
+}
+
+resource "vault_approle_auth_backend_role" "pipeline_approle" {
+  backend            = vault_auth_backend.pipeline_access.path
+  role_name          = "pipeline-approle"
+  secret_id_num_uses = "1"
+  secret_id_ttl      = "300"
+  token_ttl          = "1800"
+  token_policies     = ["default", "pipeline-policy"]
+}
diff --git a/terraform/outputs.tf b/terraform/outputs.tf
@@ -0,0 +1,11 @@
+output "pipeline_approle_roleid" {
+  value = vault_approle_auth_backend_role.pipeline_approle.role_id
+}
+
+output "pipeline_approle_path" {
+  value = vault_auth_backend.pipeline_access.path
+}
+
+output "pipeline_approle_rolename" {
+  value = vault_approle_auth_backend_role.pipeline_approle.role_name
+}
diff --git a/terraform/provider.tf b/terraform/provider.tf
@@ -0,0 +1,5 @@
+provider "vault" {
+  address     = var.vault_endpoint
+  namespace   = var.namespace
+  max_retries = 5
+}
diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -0,0 +1,7 @@
+variable "vault_endpoint" {
+  type    = string
+}
+
+variable "namespace" {
+  type    = string
+}