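---
# Composite GitHub Action: installs the Vault CLI, optionally logs in with the
# userpass method, reads one KV secret and writes its key/value pairs to an
# env-file in the workspace.
#
# Security notes for consumers:
#   - Inputs reach the shell through `env:` and are referenced as quoted
#     variables. Expanding `${{ inputs.* }}` inside `run:` pastes the raw value
#     into the script text before bash parses it, so a crafted value would run
#     as shell code.
#   - The generated env-file holds plaintext secrets. Keep it out of uploaded
#     artifacts, caches and commits.
name: "Generate .env file from Hashicorp Vault (jq tweak)"
description: "Get secrets from Vault and write to a .env file"
branding:
  icon: "lock"
  color: "purple"
inputs:
  HC_VAULT_VERSION:
    description: "Hashicorp Vault version"
    required: true
  HC_VAULT_ADDR:
    description: "Vault url"
    required: true
  HC_VAULT_AUTH:
    description: "Specify preferred login method, e.g. token, userpass, etc."
    required: true
  HC_VAULT_USERNAME:
    description: "Vault login username"
    required: false
  HC_VAULT_PASSWORD:
    description: "Vault login password"
    required: false
  HC_VAULT_TOKEN:
    description: "Token for logging into and reading from Hashicorp Vault."
    required: false
  HC_VAULT_SECRETS_PATH:
    description: "Vault secrets path"
    required: true
  ENV_FILE_NAME:
    description: "Name of created env-file"
    required: false
    default: ".env"
  # Previously hard-coded to "true" in every step. The default is unchanged so
  # existing workflows keep working, but with verification off the login
  # credentials, the token and the returned secrets travel over a connection
  # whose peer is not authenticated. Set this to "false"; for a Vault server
  # behind a private CA, trust that CA instead (the Vault CLI reads
  # VAULT_CACERT) rather than disabling verification.
  HC_VAULT_SKIP_VERIFY:
    description: >-
      Set to "false" to verify the Vault server's TLS certificate
      (recommended). Defaults to "true" only to preserve the behaviour of
      earlier versions of this action.
    required: false
    default: "true"
runs:
  using: "composite"
  steps:
    - name: Install Hashicorp Vault
      shell: bash
      env:
        HC_VAULT_VERSION: "${{ inputs.HC_VAULT_VERSION }}"
      run: |
        base_url="https://releases.hashicorp.com/vault/${HC_VAULT_VERSION}"
        archive="vault_${HC_VAULT_VERSION}_linux_amd64.zip"
        sums="vault_${HC_VAULT_VERSION}_SHA256SUMS"

        # -f: fail on an HTTP error instead of saving the error page as the zip.
        curl -fsS -O "${base_url}/${archive}"
        curl -fsS -O "${base_url}/${sums}"

        # Refuse to install an archive that does not match the published digest.
        # The checksum file comes from the same host as the archive, so this
        # catches corruption and truncation; verifying the signature published
        # alongside SHA256SUMS is the stronger check.
        grep -F -- "${archive}" "${sums}" | sha256sum -c -

        unzip -u "${archive}" -d .
        chmod +x vault
        mv vault /usr/local/bin

    - name: Login to Hashicorp Vault with userpass
      shell: bash
      if: contains(inputs.HC_VAULT_AUTH,'userpass')
      env:
        VAULT_ADDR: "${{ inputs.HC_VAULT_ADDR }}"
        VAULT_SKIP_VERIFY: "${{ inputs.HC_VAULT_SKIP_VERIFY }}"
        HC_VAULT_USERNAME: "${{ inputs.HC_VAULT_USERNAME }}"
        HC_VAULT_PASSWORD: "${{ inputs.HC_VAULT_PASSWORD }}"
      # NOTE(review): the password is still passed as a command-line argument,
      # so it is visible in the runner's process list while the command runs.
      # Prefer HC_VAULT_TOKEN with a short-lived token where possible.
      run: |
        vault login \
          -no-print \
          -method=userpass \
          username="${HC_VAULT_USERNAME}" \
          password="${HC_VAULT_PASSWORD}"

    - name: Create env-file from Hashicorp Vault config
      shell: bash
      env:
        VAULT_TOKEN: "${{ inputs.HC_VAULT_TOKEN }}"
        VAULT_ADDR: "${{ inputs.HC_VAULT_ADDR }}"
        VAULT_SKIP_VERIFY: "${{ inputs.HC_VAULT_SKIP_VERIFY }}"
        HC_VAULT_SECRETS_PATH: "${{ inputs.HC_VAULT_SECRETS_PATH }}"
        ENV_FILE_NAME: "${{ inputs.ENV_FILE_NAME }}"
      run: |
        # The file holds plaintext secrets: create it readable by its owner only.
        umask 077

        # Reads `.data.data` from the JSON response (presumably a KV v2 secret)
        # and emits one KEY='value' line per key, in sorted key order.
        # The former extra `> .env` redirect is gone: it truncated any existing
        # .env whenever ENV_FILE_NAME pointed somewhere else.
        # NOTE(review): values are wrapped in single quotes without escaping,
        # so a secret that itself contains a single quote yields a malformed
        # line; confirm what the consumer of the env-file expects before
        # changing the quoting.
        vault kv get -format=json "${HC_VAULT_SECRETS_PATH}" \
          | jq -r '.data.data | keys[] as $k | "\($k)='\''\(.[$k])'\''"' \
          > "${ENV_FILE_NAME}"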