Given this template :
#!/bin/sh
# Admin Console
{{- with secret "app/production/operations/cst/v1.0.0/privaas/external/userconsole" }}
export PRVS_CLIENT_ADMINCONSOLE_ORGURL="{{ .organization }}"
export PRVS_CLIENT_ADMINCONSOLE_USER="{{ .user }}"
export PRVS_CLIENT_ADMINCONSOLE_PASSWORD="{{ .password }}"
{{- end }}When invoking harp :
export VAULT_ADDR=<vault-url>
export VAULT_TOKEN="$(vault login -token-only -method='oidc')"
harp template --in privaas.env.sh.tmpl --out privaas.env.shIt will pull secrets from Vault and render privaas.env.sh.
You can also use a secret container as source of secrets by specifying the
--secrets-from flag.
harp template \
--in privaas.env.sh.tmpl \
--out privaas.env.sh \
--secrets-from privaas.container \
--secrets-from vault # Fallback to vault if secret value is not found.Given this template :
{{- $role := "sre" }}{{ if hasKey .Values "role" }}{{ $role = default "sre" .Values.role }}{{ end -}}
{{- range $key, $account := .Values.accounts.variable.account_id.default -}}
{{- $awsNamespace := "aws" }}{{ if hasPrefix "gov" $key}}{{ $awsNamespace = "aws-gov" }}{{ end -}}
{{- $awsProfile := "commercial" }}{{ if hasPrefix "gov-" $key }}{{ if hasSuffix "-public" $key }}{{ $awsProfile = "gov-public" }}{{ else }}{{ $awsProfile = "gov" }}{{ end }}{{ end -}}
[profile {{ $key }}]
role_arn = arn:{{ $awsNamespace }}:iam::{{ $account }}:role/xaccount/{{ $role }}
source_profile = {{ $awsProfile }}
{{ end -}}When invoking harp :
harp template
--in config.tpl \
--values path-to/accounts.tf:hcl2:accounts \
--set role=secengIt will generate the following output :
[profile com-ops]
role_arn = arn:aws:iam::12345678911234:role/xaccount/seceng
source_profile = commercial
[profile gov-main]
role_arn = arn:aws-gov:iam::31256489123112:role/xaccount/seceng
source_profile = gov-private
[profile gov-main-public]
role_arn = arn:aws-gov:iam::00645684152311:role/xaccount/seceng
source_profile = gov-public
...