Generate JWT token in Terraform

camptocamp · Nov 22, 2020 · d728680 · d728680
1 parent 9569db5
commit d728680
Show file tree

Hide file tree

Showing 5 changed files with 71 additions and 4 deletions.
diff --git a/modules/argocd-helm/main.tf b/modules/argocd-helm/main.tf
@@ -1,17 +1,25 @@
 locals {
-  iat = 1605854613 # An arbitrary Unix timestamp before than now
+  jwt_token_payload = {
+    jti = random_uuid.jti.result
+    iat = time_static.iat.unix
+    iss = "argocd"
+    nbf = time_static.iat.unix
+    sub = "pipeline"
+  }
 
   argocd_accounts_pipeline_tokens = jsonencode(
     [
       {
-        id  = random_uuid.accounts_pipeline_token_id.result
-        iat = local.iat
+        id  = random_uuid.jti.result
+        iat = time_static.iat.unix
       }
     ]
   )
 }
 
-resource "random_uuid" "accounts_pipeline_token_id" {}
+resource "time_static" "iat" {}
+
+resource "random_uuid" "jti" {}
 
 resource "helm_release" "argocd" {
   name              = "argocd"
@@ -31,3 +39,20 @@ resource "helm_release" "argocd" {
     EOT
   ]
 }
+
+data "kubernetes_secret" "argocd_secret" {
+  metadata {
+    name      = "argocd-secret"
+    namespace = helm_release.argocd.namespace
+  }
+
+  depends_on = [
+    helm_release.argocd,
+  ]
+}
+
+resource "jwt_hashed_token" "argocd" {
+  algorithm   = "HS256"
+  secret      = lookup(data.kubernetes_secret.argocd_secret.data, "server.secretkey")
+  claims_json = jsonencode(local.jwt_token_payload)
+}
diff --git a/modules/argocd-helm/outputs.tf b/modules/argocd-helm/outputs.tf
@@ -2,3 +2,8 @@ output "argocd_accounts_pipeline_tokens" {
   description = "The token created for the pipeline."
   value       = local.argocd_accounts_pipeline_tokens
 }
+
+output "argocd_auth_token" {
+  description = "The token to set in ARGOCD_AUTH_TOKEN environment variable."
+  value       = jwt_hashed_token.argocd.token
+}
diff --git a/modules/argocd-helm/versions.tf b/modules/argocd-helm/versions.tf
@@ -0,0 +1,21 @@
+terraform {
+  required_providers {
+    helm = {
+      source = "hashicorp/helm"
+    }
+    jwt = {
+      source  = "camptocamp/jwt"
+      version = "~> 0.0.3"
+    }
+    kubernetes = {
+      source = "hashicorp/kubernetes"
+    }
+    random = {
+      source = "hashicorp/random"
+    }
+    time = {
+      source = "hashicorp/time"
+    }
+  }
+  required_version = ">= 0.13"
+}
diff --git a/modules/k3os-libvirt/main.tf b/modules/k3os-libvirt/main.tf
@@ -17,6 +17,14 @@ provider "helm" {
   }
 }
 
+provider "kubernetes" {
+  host                   = local.kubernetes_host
+  username               = local.kubernetes_username
+  password               = local.kubernetes_password
+  cluster_ca_certificate = local.kubernetes_cluster_ca_certificate
+  load_config_file       = false
+}
+
 module "cluster" {
   source  = "camptocamp/k3os/libvirt"
   version = "0.2.4"

diff --git a/modules/k3s-docker/main.tf b/modules/k3s-docker/main.tf
@@ -17,6 +17,14 @@ provider "helm" {
   }
 }
 
+provider "kubernetes" {
+  host                   = local.kubernetes_host
+  username               = local.kubernetes_username
+  password               = local.kubernetes_password
+  cluster_ca_certificate = local.kubernetes_cluster_ca_certificate
+  load_config_file       = false
+}
+
 module "cluster" {
   source  = "camptocamp/k3s/docker"
   version = "0.3.2"