feat: HCP Vault Secrets provider (#238)

Signed-off-by: Leandro Carneiro <[email protected]>

README.md

@@ -19,6 +19,7 @@ It supports various backends including:
 - Pulumi State
 - Kubernetes
 - Conjur
+- HCP Vault Secrets
 
 - Use `vals eval -f refs.yaml` to replace all the `ref`s in the file to actual values and secrets.
 - Use `vals exec -f env.yaml -- <COMMAND>` to populate envvars and execute the command.
@@ -222,6 +223,7 @@ Please see the [relevant unit test cases](https://github.com/helmfile/vals/blob/
 - [Pulumi State](#pulumi-state)
 - [Kubernetes](#kubernetes)
 - [Conjur](#conjur)
+- [HCP Vault Secrets](#hcp-vault-secrets)
 
 Please see [pkg/providers](https://github.com/helmfile/vals/tree/master/pkg/providers) for the implementations of all the providers. The package names corresponds to the URI schemes.
 
@@ -767,6 +769,37 @@ Example:
 
 - `ref+conjur://branch/variable_name`
 
+### HCP Vault Secrets
+
+This provider retrieves the value of secrets stored in [HCP Vault Secrets](https://developer.hashicorp.com/hcp/docs/vault-secrets).
+
+It is based on the [HashiCorp Cloud Platform Go SDK](https://github.com/hashicorp/hcp-sdk-go) lib.
+
+Environment variables:
+
+- `HCP_CLIENT_ID`: The service principal Client ID for the HashiCorp Cloud Platform.
+- `HCP_CLIENT_SECRET`: The service principal Client Secret for the HashiCorp Cloud Platform.
+- `HCP_ORGANIZATION_ID`: (Optional) The organization ID for the HashiCorp Cloud Platform. It can be omitted. If "Organization Name" is set, it will be used to fetch the organization ID, otherwise the organization ID will be set to the first organization ID found.
+- `HCP_ORGANIZATION_NAME`: (Optional) The organization name for the HashiCorp Cloud Platform to fetch the organization ID.
+- `HCP_PROJECT_ID`: (Optional) The project ID for the HashiCorp Cloud Platform. It can be omitted. If "Project Name" is set, it will be used to fetch the project ID, otherwise the project ID will be set to the first project ID found in the provided organization.
+- `HCP_PROJECT_NAME`: (Optional) The project name for the HashiCorp Cloud Platform to fetch the project ID.
+
+Parameters:
+
+Parameters are optional and can be passed as query parameters in the URI, taking precedence over environment variables.
+
+- `client_id`: The service principal Client ID for the HashiCorp Cloud Platform.
+- `client_secret`: The service principal Client Secret for the HashiCorp Cloud Platform.
+- `organization_id`: The organization ID for the HashiCorp Cloud Platform. It can be omitted. If "Organization Name" is set, it will be used to fetch the organization ID, otherwise the organization ID will be set to the first organization ID found.
+- `organization_name`: The organization name for the HashiCorp Cloud Platform to fetch the organization ID.
+- `project_id`: The project ID for the HashiCorp Cloud Platform. It can be omitted. If "Project Name" is set, it will be used to fetch the project ID, otherwise the project ID will be set to the first project ID found in the provided organization.
+- `project_name`: The project name for the HashiCorp Cloud Platform to fetch the project ID.
+- `version`: The version digit of the secret to fetch. If omitted or fail to parse, the latest version will be fetched.
+
+Example:
+
+`ref+hcpvaultsecrets://APPLICATION_NAME/SECRET_NAME[?client_id=HCP_CLIENT_ID&client_secret=HCP_CLIENT_SECRET&organization_id=HCP_ORGANIZATION_ID&organization_name=HCP_ORGANIZATION_NAME&project_id=HCP_PROJECT_ID&project_name=HCP_PROJECT_NAME&version=2]`
+
 ## Advanced Usages
 
 ### Discriminating config and secrets

go.mod

@@ -16,6 +16,7 @@ require (
 	github.com/cyberark/conjur-api-go v0.11.1
 	github.com/fujiwara/tfstate-lookup v1.1.6
 	github.com/getsops/sops/v3 v3.8.1
+	github.com/go-openapi/runtime v0.26.2
 	github.com/google/go-cmp v0.6.0
 	github.com/hashicorp/golang-lru v1.0.2
 	github.com/hashicorp/vault/api v1.12.0
@@ -28,6 +29,21 @@ require (
 	k8s.io/client-go v0.29.2
 )
 
+require (
+	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
+	github.com/go-openapi/analysis v0.21.5 // indirect
+	github.com/go-openapi/errors v0.21.0 // indirect
+	github.com/go-openapi/loads v0.21.3 // indirect
+	github.com/go-openapi/spec v0.20.12 // indirect
+	github.com/go-openapi/strfmt v0.21.10 // indirect
+	github.com/go-openapi/validate v0.22.4 // indirect
+	github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect
+	github.com/oklog/ulid v1.3.1 // indirect
+	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
+	go.mongodb.org/mongo-driver v1.13.1 // indirect
+)
+
 require (
 	cloud.google.com/go v0.112.0 // indirect
 	cloud.google.com/go/compute v1.23.4 // indirect
@@ -87,9 +103,9 @@ require (
 	github.com/go-jose/go-jose/v3 v3.0.1 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-openapi/jsonpointer v0.19.6 // indirect
-	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/go-openapi/jsonpointer v0.20.1 // indirect
+	github.com/go-openapi/jsonreference v0.20.3 // indirect
+	github.com/go-openapi/swag v0.22.5 // indirect
 	github.com/godbus/dbus/v5 v5.1.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
@@ -115,6 +131,7 @@ require (
 	github.com/hashicorp/go-sockaddr v1.0.2 // indirect
 	github.com/hashicorp/go-tfe v1.2.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/hashicorp/hcp-sdk-go v0.85.0
 	github.com/hashicorp/jsonapi v0.0.0-20210826224640-ee7dae0fb22d // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect