lightcode/.gitlab-ci.yml

## .gitlab-ci.yml
demo:
  image: vault:1.6.0
  script:
    - export VAULT_ADDR=https://vault.example.com
    - export VAULT_TOKEN="$(vault write -field=token auth/gitlab-jwt/login role=read-secret-demo jwt=$CI_JOB_JWT)"
    - USERNAME="$(vault kv get -field=username kv/demo/hello)"
    - PASSWORD="$(vault kv get -field=password kv/demo/hello)"
    - echo "The secret is ${USERNAME}:${PASSWORD}"
  only:
    refs: ["master"]

## main.tf
# Input variables
variable vault_url {
  type        = string
  description = "URL to Vault (example: https://vault.example.com)"
}
variable gitlab_url {
  type        = string
  description = "URL to Gitlab (example: https://gitlab.example.com)"
}
variable gitlab_host {
  type        = string
  description = "Host of Gitlab (example: gitlab.example.com)"
}
variable gitlab_project_id {
  type        = string
  description = "ID of the Gitlab project"
}

# Enable JWT backend
resource "vault_auth_backend" "jwt" {
  type = "jwt"
}

# Configure JWT backend with the Gitlab URL
resource "vault_jwt_auth_backend" "gitlab" {
  path         = "gitlab-jwt"
  jwks_url     = "${var.gitlab_url}/-/jwks"
  bound_issuer = var.gitlab_host
}

# Role for our demo pipeline
resource "vault_jwt_auth_backend_role" "read_secret_demo" {
  backend        = vault_jwt_auth_backend.gitlab.path
  role_name      = "read-secret-demo"
  role_type      = "jwt"
  token_policies = [vault_policy.read_secret_demo.name]
  user_claim     = "user_email"
  bound_claims = {
    project_id = var.gitlab_project_id
    ref        = "master"
    ref_type   = "branch"
  }
}

# Policy to allow our role to read secrets in kv/demo/*
resource "vault_policy" "read_secret_demo" {
  name   = "read-secret-demo"
  policy = <<EOT
path "kv/demo/*" {
  capabilities = ["read"]
}
EOT
}

# Demo secret in the KV store
resource "vault_generic_secret" "demo_secret" {
  path      = "kv/demo/hello"
  data_json = <<EOT
{
  "username": "foo",
  "password": "bar"
}
EOT
}
	demo:
	image: vault:1.6.0
	script:
	- export VAULT_ADDR=https://vault.example.com
	- export VAULT_TOKEN="$(vault write -field=token auth/gitlab-jwt/login role=read-secret-demo jwt=$CI_JOB_JWT)"
	- USERNAME="$(vault kv get -field=username kv/demo/hello)"
	- PASSWORD="$(vault kv get -field=password kv/demo/hello)"
	- echo "The secret is ${USERNAME}:${PASSWORD}"
	only:
	refs: ["master"]
	# Input variables
	variable vault_url {
	type = string
	description = "URL to Vault (example: https://vault.example.com)"
	}
	variable gitlab_url {
	type = string
	description = "URL to Gitlab (example: https://gitlab.example.com)"
	}
	variable gitlab_host {
	type = string
	description = "Host of Gitlab (example: gitlab.example.com)"
	}
	variable gitlab_project_id {
	type = string
	description = "ID of the Gitlab project"
	}

	# Enable JWT backend
	resource "vault_auth_backend" "jwt" {
	type = "jwt"
	}

	# Configure JWT backend with the Gitlab URL
	resource "vault_jwt_auth_backend" "gitlab" {
	path = "gitlab-jwt"
	jwks_url = "${var.gitlab_url}/-/jwks"
	bound_issuer = var.gitlab_host
	}

	# Role for our demo pipeline
	resource "vault_jwt_auth_backend_role" "read_secret_demo" {
	backend = vault_jwt_auth_backend.gitlab.path
	role_name = "read-secret-demo"
	role_type = "jwt"
	token_policies = [vault_policy.read_secret_demo.name]
	user_claim = "user_email"
	bound_claims = {
	project_id = var.gitlab_project_id
	ref = "master"
	ref_type = "branch"
	}
	}

	# Policy to allow our role to read secrets in kv/demo/*
	resource "vault_policy" "read_secret_demo" {
	name = "read-secret-demo"
	policy = <<EOT
	path "kv/demo/*" {
	capabilities = ["read"]
	}
	EOT
	}

	# Demo secret in the KV store
	resource "vault_generic_secret" "demo_secret" {
	path = "kv/demo/hello"
	data_json = <<EOT
	{
	"username": "foo",
	"password": "bar"
	}
	EOT
	}