
Commit d0788bb

Add build-time secrets injection
1 parent 2fe34b5 commit d0788bb


5 files changed

+547
-364
lines changed


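--- a/coderd/provisionerdserver/provisionerdserver.go
+++ b/coderd/provisionerdserver/provisionerdserver.go
@@ -682,6 +682,33 @@ func (s *server) acquireProtoJob(ctx context.Context, job database.ProvisionerJo
 }
 }
 
+s.Logger.Info(
+ctx,
+"before calling ListUserSecrets",
+slog.F("workspace_id", workspace.ID),
+slog.F("workspace_owner_id", workspace.OwnerID),
+)
+userSecrets, err := s.Database.ListUserSecrets(dbauthz.AsSystemRestricted(ctx), workspace.OwnerID)
+if err != nil {
+s.Logger.Error(
+ctx,
+"failed to list user secrets",
+slog.Error(err),
+slog.F("workspace_id", workspace.ID),
+slog.F("workspace_owner_id", workspace.OwnerID),
+)
+return nil, err
+}
+userSecretsProto := make([]*sdkproto.Secret, 0)
+for _, userSecret := range userSecrets {
+userSecretsProto = append(userSecretsProto, &sdkproto.Secret{
+Name: userSecret.Name,
+EnvName: userSecret.EnvName,
+FilePath: userSecret.FilePath,
+Value: userSecret.Value,
+})
+}
+
 protoJob.Type = &proto.AcquiredJob_WorkspaceBuild_{
 WorkspaceBuild: &proto.AcquiredJob_WorkspaceBuild{
 WorkspaceBuildId: workspaceBuild.ID.String(),
@@ -713,6 +740,7 @@ func (s *server) acquireProtoJob(ctx context.Context, job database.ProvisionerJo
 WorkspaceOwnerRbacRoles: ownerRbacRoles,
 RunningAgentAuthTokens: runningAgentAuthTokens,
 PrebuiltWorkspaceBuildStage: input.PrebuiltWorkspaceBuildStage,
+UserSecrets: userSecretsProto,
 },
 LogLevel: input.LogLevel,
 },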

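--- a/provisioner/terraform/provision.go
+++ b/provisioner/terraform/provision.go
@@ -299,6 +299,20 @@ func provisionEnv(
 env = append(env, provider.ExternalAuthAccessTokenEnvironmentVariable(extAuth.Id)+"="+extAuth.AccessToken)
 }
 
+for _, userSecrets := range metadata.UserSecrets {
+env = append(env, userSecrets.EnvName+"="+userSecrets.Value)
+}
+
+envInJSON, err := json.Marshal(env)
+if err != nil {
+return nil, err
+}
+fmt.Printf("envInJSON: %s\n", envInJSON)
+
+for _, userSecrets := range metadata.UserSecrets {
+fmt.Printf("%v=%v\n", userSecrets.EnvName, userSecrets.Value)
+}
+
 if config.ProvisionerLogLevel != "" {
 // TF_LOG=JSON enables all kind of logging: trace-debug-info-warn-error.
 // The idea behind using TF_LOG=JSON instead of TF_LOG=debug is ensuring the proper log format.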
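Review bot: The `fmt.Printf("envInJSON: %s\n", envInJSON)` at line 310 and the loop at lines 312-314 write every entry of `env` — the user secret values appended at line 303 and the external auth access tokens appended at line 299 — in plaintext to the provisioner process's stdout, so any log capture of the daemon records them; the `json.Marshal` at line 306 exists only to feed that print. Lines 305-315 should be deleted, leaving just the append loop at lines 302-304, and any `encoding/json` or `fmt` import added for them removed (the import block is outside the hunk). The loop at line 302 also appends an entry when `EnvName` is empty, which the proto appears to permit since a secret also carries `FilePath`; guard it with `if userSecrets.EnvName == "" { continue }` unless the server side guarantees the field is set. provisionEnv begins outside the hunk.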
