Added configuration to import secrets from hcp vault secrets

azure/terraform-azure/infra-secrets.tf

@@ -1,60 +1,59 @@
-# data "hcp_iam_policy" "infra" {
-#   bindings = [
-#     {
-#       role = "roles/secrets.app-secret-reader"
-#       principals = [
-#         data.hcp_service_principal.infra_reader
-#       ]
-#     }
-#   ]
-# }
+data "hcp_project" "main" {
+  project = var.project_id
+}
+
+resource "hcp_service_principal" "secret_reader" {
+  name   = "secret-reader"
+  parent = data.hcp_project.main.resource_name
+}
 
-resource "hcp_service_principal" "infra_reader" {
-  name = "secret-reader"
+resource "hcp_service_principal_key" "key" {
+  service_principal = hcp_service_principal.secret_reader.resource_name
 }
 
-resource "hcp_vault_secrets_app_iam_binding" "infra_reader" {
-  resource_name = data.hcp_vault_secrets_app.infra.app_name
-  principal_id  = hcp_service_principal.infra_reader.resource_id
-  role          = "roles/secrets.app-secret-reader"
+resource "hcp_vault_secrets_app" "infra" {
+  app_name    = "infra"
+  description = "App containing infra secrets"
+  project_id  = data.hcp_project.main.resource_id
+}
+
+resource "hcp_project_iam_binding" "secret_reader" {
+  project_id   = data.hcp_project.main.resource_id
+  principal_id = hcp_service_principal.secret_reader.resource_id
+  role         = "roles/secrets.app-secret-reader"
 }
 
 data "hcp_vault_secrets_secret" "azure_client_id" {
-  app_name    = data.hcp_vault_secrets_app.infra.app_name
+  app_name    = hcp_vault_secrets_app.infra.app_name
   secret_name = "client_id"
 }
 
 data "hcp_vault_secrets_secret" "azure_client_password" {
-  app_name    = data.hcp_vault_secrets_app.infra.app_name
+  app_name    = hcp_vault_secrets_app.infra.app_name
   secret_name = "client_password"
 }
 
 data "hcp_vault_secrets_secret" "subscription_id" {
-  app_name    = data.hcp_vault_secrets_app.infra.app_name
+  app_name    = hcp_vault_secrets_app.infra.app_name
   secret_name = "subscription_id"
 }
 
 data "hcp_vault_secrets_secret" "tenant_id" {
-  app_name    = data.hcp_vault_secrets_app.infra.app_name
+  app_name    = hcp_vault_secrets_app.infra.app_name
   secret_name = "tenant_id"
 }
 
 data "hcp_vault_secrets_secret" "docker_username" {
-  app_name    = data.hcp_vault_secrets_app.infra.app_name
+  app_name    = hcp_vault_secrets_app.infra.app_name
   secret_name = "docker_username"
 }
 
 data "hcp_vault_secrets_secret" "docker_password" {
-  app_name    = data.hcp_vault_secrets_app.infra.app_name
+  app_name    = hcp_vault_secrets_app.infra.app_name
   secret_name = "docker_password"
 }
 
 data "hcp_vault_secrets_secret" "terraform_token" {
-  app_name    = data.hcp_vault_secrets_app.infra.app_name
+  app_name    = hcp_vault_secrets_app.infra.app_name
   secret_name = "terraform_token"
 }
-
-# resource "hcp_vault_secrets_app_iam_policy" "infra" {
-#   resource_name = data.hcp_vault_secrets_app.infra.app_name
-#   policy_data   = data.hcp_iam_policy.infra.policy_data
-# }

azure/terraform-azure/main.tf

@@ -17,11 +17,11 @@ terraform {
 provider "hcp" {
   client_id     = var.HCP_CLIENT_ID
   client_secret = var.HCP_CLIENT_SECRET
-  project_id    = "f8647d4c-9bf3-44d0-8c84-18a5ab9ee572"
+  project_id    = var.project_id
 }
 
 data "hcp_vault_secrets_app" "infra" {
-  app_name = "infra-secrets"
+  app_name = "infra"
 }
 
 provider "azurerm" {

azure/terraform-azure/variables.tf

@@ -25,3 +25,8 @@ variable "kubernetes_version" {
 variable "orchestrator_version" {
   default = "1.29.4"
 }
+
+variable "project_id" {
+  type    = string
+  default = "f8647d4c-9bf3-44d0-8c84-18a5ab9ee572"
+}