• Stars
    star
    391
  • Rank 110,003 (Top 3 %)
  • Language
    JavaScript
  • License
    MIT License
  • Created over 5 years ago
  • Updated 11 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A GitHub Action that simplifies using HashiCorp Vault™ secrets as build variables.

Vault GitHub Action


Please note: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault or this Vault Action, please responsibly disclose by contacting us at [email protected].


A helper action for easily pulling secrets from HashiCorp Vault™.

Example Usage

jobs:
    build:
        # ...
        steps:
            # ...
            - name: Import Secrets
              id: import-secrets
              uses: hashicorp/vault-action@v2
              with:
                url: https://vault.mycompany.com:8200
                token: ${{ secrets.VAULT_TOKEN }}
                caCertificate: ${{ secrets.VAULT_CA_CERT }}
                secrets: |
                    secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
                    secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
                    secret/data/ci npm_token
            # ...

Retrieved secrets are available as environment variables or outputs for subsequent steps:

#...
            - name: Step following 'Import Secrets'
              run: |
                ACCESS_KEY_ID = "${{ env.AWS_ACCESS_KEY_ID }}"
                SECRET_ACCESS_KEY = "${{ steps.import-secrets.outputs.AWS_SECRET_ACCESS_KEY }}"
            # ...

If your project needs a format other than env vars and step outputs, you can use additional steps to transform them into the desired format. For example, a common pattern is to save all the secrets in a JSON file:

#...
            - name: Step following 'Import Secrets'
              run: |
                touch secrets.json
                echo "${{ toJson(steps.import-secrets.outputs) }}" >> secrets.json
            # ...

Which with our example would yield a file containing:

{
  "ACCESS_KEY_ID": "MY_KEY_ID",
  "SECRET_ACCESS_KEY": "MY_SECRET_KEY",
  "NPM_TOKEN": "MY_NPM_TOKEN"
}

Note that all secrets are masked so programs need to read the file themselves otherwise all values will be replaced with a *** placeholder.

Authentication Methods

Consider using a Vault authentication method such as the JWT auth method with GitHub OIDC tokens or the AppRole auth method. You can configure which by using the method parameter.

JWT with GitHub OIDC Tokens

You can configure trust between a GitHub Actions workflow and Vault using the GitHub's OIDC provider. Each GitHub Actions workflow receives an auto-generated OIDC token with claims to establish the identity of the workflow.

Vault Configuration

Click to toggle instructions for configuring Vault.

Set up Vault with the JWT auth method. Pass the following parameters to your auth method configuration:

  • oidc_discovery_url: https://token.actions.githubusercontent.com
  • bound_issuer: https://token.actions.githubusercontent.com

Configure a Vault role for the auth method.

  • role_type: jwt

  • bound_audiences: "https://github.com/<org>". Update this parameter if you change the aud claim in the GitHub OIDC token via the jwtGithubAudience parameter in the action config.

  • user_claim: Set this to a claim name (e.g., repository) in the GitHub OIDC token.

  • bound_claims OR bound_subject: match on GitHub subject claims.

    • For wildcard (non-exact) matches, use bound_claims.

      • bound_claims_type: glob

      • bound_claims: JSON object. Maps one or more claim names to corresponding wildcard values.

        {"sub": "repo:<orgName>/*"}
    • For exact matches, use bound_subject.

      • bound_claims_type: string

      • bound_subject: Must exactly match the sub claim in the OIDC token.

        repo:<orgName/repoName>:ref:refs/heads/branchName
        

GitHub Actions Workflow

In the GitHub Actions workflow, the workflow needs permissions to read contents and write the ID token.

jobs:
    retrieve-secret:
        permissions:
            contents: read
            id-token: write

In the action, provide the name of the Vault role you created to the role parameter. You can optionally set the jwtGithubAudience parameter to change the aud claim from its default.

with:
  url: https://vault.mycompany.com:8200
  caCertificate: ${{ secrets.VAULT_CA_CERT }}
  role: <Vault JWT Auth Role Name>
  method: jwt
  jwtGithubAudience: sigstore # set the GitHub token's aud claim

AppRole

The AppRole auth method allows your GitHub Actions workflow to authenticate to Vault with a pre-defined role. Set the role ID and secret ID as GitHub secrets and pass them to the roleId and secretId parameters.

with:
  url: https://vault.mycompany.com:8200
  caCertificate: ${{ secrets.VAULT_CA_CERT }}
  method: approle
  roleId: ${{ secrets.VAULT_ROLE_ID }}
  secretId: ${{ secrets.VAULT_SECRET_ID }}

Token

For the default method of authenticating to Vault, use a Vault token. Set the Vault token as a GitHub secret and pass it to the token parameter.

with:
  url: https://vault.mycompany.com:8200
  caCertificate: ${{ secrets.VAULT_CA_CERT }}
  token: ${{ secrets.VAULT_TOKEN }}

GitHub

The GitHub auth method requires read:org permissions for authentication. The auto-generated GITHUB_TOKEN created for projects does not have these permissions and GitHub does not allow this token's permissions to be modified. A new GitHub Token secret must be created with read:org permissions to use this authentication method.

Pass the GitHub token as a GitHub secret into the githubToken parameter.

with:
  url: https://vault.mycompany.com:8200
  caCertificate: ${{ secrets.VAULT_CA_CERT }}
  method: github
  githubToken: ${{ secrets.GITHUB_TOKEN }}

JWT with OIDC Provider

You can configure trust between your own OIDC Provider and Vault with the JWT auth method. Provide a role & jwtPrivateKey parameters, additionally you can pass jwtKeyPassword & jwtTtl parameters

with:
  url: https://vault.mycompany.com:8200
  caCertificate: ${{ secrets.VAULT_CA_CERT }}
  method: jwt
  role: <Vault JWT Auth Role Name>
  jwtPrivateKey: ${{ secrets.JWT_PRIVATE_KEY }}
  jwtKeyPassword: ${{ secrets.JWT_KEY_PASS }}
  jwtTtl: 3600 # 1 hour, default value

Kubernetes

Consider the Kubernetes auth method when using self-hosted runners on Kubernetes. You must provide the role parameter for the Vault role associated with the Kubernetes auth method. You can optionally override the kubernetesTokenPath parameter for custom-mounted serviceAccounts.

with:
  url: https://vault.mycompany.com:8200
  caCertificate: ${{ secrets.VAULT_CA_CERT }}
  method: kubernetes
  role: <Vault Kubernetes Auth Role Name>
  kubernetesTokenPath: /var/run/secrets/kubernetes.io/serviceaccount/token # default token path

Userpass

The Userpass auth method allows your GitHub Actions workflow to authenticate to Vault with a username and password. Set the username and password as GitHub secrets and pass them to the username and password parameters.

This is not the same as ldap or okta auth methods.

with:
  url: https://vault.mycompany.com:8200
  caCertificate: ${{ secrets.VAULT_CA_CERT }}
  method: userpass
  username: ${{ secrets.VAULT_USERNAME }}
  password: ${{ secrets.VAULT_PASSWORD }}

Ldap

The LDAP auth method allows your GitHub Actions workflow to authenticate to Vault with a username and password inturn verfied with ldap servers. Set the username and password as GitHub secrets and pass them to the username and password parameters.

with:
  url: https://vault.mycompany.com:8200
  caCertificate: ${{ secrets.VAULT_CA_CERT }}
  method: ldap
  username: ${{ secrets.VAULT_USERNAME }}
  password: ${{ secrets.VAULT_PASSWORD }}

Other Auth Methods

If any other method is specified and you provide an authPayload, the action will attempt to POST to auth/${method}/login with the provided payload and parse out the client token.

Key Syntax

The secrets parameter is a set of multiple secret requests separated by the ; character.

Each secret request consists of the path and the key of the desired secret, and optionally the desired Env Var output name. Note that the selector is using JSONata and certain characters in keys may need to be escaped.

{{ Secret Path }} {{ Secret Key or Selector }} | {{ Env/Output Variable Name }}

Simple Key

To retrieve a key npmToken from path secret/data/ci that has value somelongtoken from vault you could do:

with:
    secrets: secret/data/ci npmToken

vault-action will automatically normalize the given secret selector key, and set the follow as environment variables for the following steps in the current job:

NPMTOKEN=somelongtoken

You can also access the secret via outputs:

steps:
    # ...
    - name: Import Secrets
      id: secrets
      # Import config...
    - name: Sensitive Operation
      run: "my-cli --token '${{ steps.secrets.outputs.npmToken }}'"

Note: If you'd like to only use outputs and disable automatic environment variables, you can set the exportEnv option to false.

Set Output Variable Name

However, if you want to set it to a specific name, say NPM_TOKEN, you could do this instead:

with:
    secrets: secret/data/ci npmToken | NPM_TOKEN

With that, vault-action will now use your requested name and output:

NPM_TOKEN=somelongtoken
steps:
  # ...
  - name: Import Secrets
    id: secrets
    # Import config...
  - name: Sensitive Operation
    run: "my-cli --token '${{ steps.secrets.outputs.NPM_TOKEN }}'"

Multiple Secrets

This action can take multi-line input, so say you had your AWS keys stored in a path and wanted to retrieve both of them. You can do:

with:
    secrets: |
        secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
        secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY

Other Secret Engines

Vault Action currently supports retrieving secrets from any engine where secrets are retrieved via GET requests. This means secret engines such as PKI are currently not supported due to their requirement of sending parameters along with the request (such as common_name).

For example, to request a secret from the cubbyhole secret engine:

with:
    secrets: |
        /cubbyhole/foo foo ;
        /cubbyhole/foo zip | MY_KEY ;

Resulting in:

FOO=bar
MY_KEY=zap
steps:
  # ...
  - name: Import Secrets
    id: secrets
    # Import config...
  - name: Sensitive Operation
    run: "my-cli --token '${{ steps.secrets.outputs.foo }}'"
  - name: Another Sensitive Operation
    run: "my-cli --token '${{ steps.secrets.outputs.MY_KEY }}'"

Adding Extra Headers

If you ever need to add extra headers to the vault request, say if you need to authenticate with a firewall, all you need to do is set extraHeaders:

with:
    secrets: |
        secret/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
        secret/ci/aws secretKey | AWS_SECRET_ACCESS_KEY
    extraHeaders: |
      X-Secure-Id: ${{ secrets.SECURE_ID }}
      X-Secure-Secret: ${{ secrets.SECURE_SECRET }}

This will automatically add the x-secure-id and x-secure-secret headers to every request to Vault.

HashiCorp Cloud Platform or Vault Enterprise

If you are using HCP Vault or Vault Enterprise, you may need additional parameters in your GitHub Actions workflow.

Namespace

If you need to retrieve secrets from a specific Vault namespace, set the namespace parameter specifying the namespace. In HCP Vault, the namespace defaults to admin.

steps:
    # ...
    - name: Import Secrets
      uses: hashicorp/vault-action
      with:
        url: https://vault-enterprise.mycompany.com:8200
        caCertificate: ${{ secrets.VAULT_CA_CERT }}
        method: token
        token: ${{ secrets.VAULT_TOKEN }}
        namespace: admin
        secrets: |
            secret/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
            secret/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
            secret/ci npm_token

Reference

Here are all the inputs available through with:

Input Description Default Required
url The URL for the vault endpoint
secrets A semicolon-separated list of secrets to retrieve. These will automatically be converted to environmental variable keys. See README for more details
namespace The Vault namespace from which to query secrets. Vault Enterprise only, unset by default
method The method to use to authenticate with Vault. token
role Vault role for specified auth method
path Custom vault path, if the auth method was enabled at a different path
token The Vault Token to be used to authenticate with Vault
roleId The Role Id for App Role authentication
secretId The Secret Id for App Role authentication
githubToken The Github Token to be used to authenticate with Vault
jwtPrivateKey Base64 encoded Private key to sign JWT
jwtKeyPassword Password for key stored in jwtPrivateKey (if needed)
jwtGithubAudience Identifies the recipient ("aud" claim) that the JWT is intended for sigstore
jwtTtl Time in seconds, after which token expires 3600
kubernetesTokenPath The path to the service-account secret with the jwt token for kubernetes based authentication /var/run/secrets/kubernetes.io/serviceaccount/token
username The username of the user to log in to Vault as. Available to both Userpass and LDAP auth methods
password The password of the user to log in to Vault as. Available to both Userpass and LDAP auth methods
authPayload The JSON payload to be sent to Vault when using a custom authentication method.
extraHeaders A string of newline separated extra headers to include on every request.
exportEnv Whether or not export secrets as environment variables. true
exportToken Whether or not export Vault token as environment variables (i.e VAULT_TOKEN). false
outputToken Whether or not to set the vault_token output to contain the Vault token after authentication. false
caCertificate Base64 encoded CA certificate the server certificate was signed with.
clientCertificate Base64 encoded client certificate the action uses to authenticate with Vault when mTLS is enabled.
clientKey Base64 encoded client key the action uses to authenticate with Vault when mTLS is enabled.
tlsSkipVerify When set to true, disables verification of server certificates when testing the action. false

Masking - Hiding Secrets from Logs

This action uses GitHub Action's built-in masking, so all variables will automatically be masked (aka hidden) if printed to the console or to logs. This only obscures secrets from output logs. If someone has the ability to edit your workflows, then they are able to read and therefore write secrets to somewhere else just like normal GitHub Secrets.

Normalization

To make it simpler to consume certain secrets as env vars, if no Env/Output Var Name is specified vault-action will replace and . chars with __, remove any other non-letter or number characters. If you're concerned about the result, it's recommended to provide an explicit Output Var Key.

Contributing

If you wish to contribute to this project, the following dependencies are recommended for local development:

  • npm to install dependencies, build project and run tests
  • docker to run the pre-configured vault containers for acceptance tests
  • docker-compose to spin up the pre-configured vault containers for acceptance tests
  • act to run the vault-action locally

Build

Use npm to install dependencies and build the project:

$ npm install && npm run build

Vault test instance

The Github Action needs access to a working Vault instance to function. Multiple docker configurations are available via the docker-compose.yml file to run containers compatible with the various acceptance test suites.

$ docker-compose up -d vault # Choose one of: vault, vault-enterprise, vault-tls depending on which tests you would like to run

Instead of using one of the dockerized instance, you can also use your own local or remote Vault instance by exporting these environment variables:

$ export VAULT_HOST=<YOUR VAULT CLUSTER LOCATION> # localhost if undefined
$ export VAULT_PORT=<YOUR VAULT PORT> # 8200 if undefined
$ export VAULT_TOKEN=<YOUR VAULT TOKEN> # testtoken if undefined

Running unit tests

Unit tests can be executed at any time with no dependencies or prior setup.

$ npm test

Running acceptance tests

With a succesful build to take your local changes into account and a working Vault instance configured, you can now run acceptance tests to validate if any regressions were introduced.

$ npm run test:integration:basic # Choose one of: basic, enterprise, e2e, e2e-tls

Running the action locally

You can use the act command to test your changes locally.

Edit the ./.github/workflows/local-test.yaml file and add any steps necessary to test your changes. You may have to additionally edit the Vault url, token and secret path if you are not using one of the provided containerized instances. The local-test job will call the ./integrationTests/e2e/setup.js script to bootstrap your local Vault instance with secrets.

Run your feature branch locally:

act workflow_dispatch -j local-test

Or use the provided make target which will also spin up a Vault container:

make local-test

More Repositories

1

terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
Go
42,550
star
2

vault

A tool for secrets management, encryption as a service, and privileged access management
Go
30,858
star
3

consul

Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.
Go
28,256
star
4

vagrant

Vagrant is a tool for building and distributing development environments.
Ruby
26,132
star
5

packer

Packer is a tool for creating identical machine images for multiple platforms from a single source configuration.
Go
15,086
star
6

nomad

Nomad is an easy-to-use, flexible, and performant workload orchestrator that can deploy a mix of microservice, batch, containerized, and non-containerized applications. Nomad is easy to operate and scale and has native Consul and Vault integrations.
Go
14,809
star
7

terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
Go
9,761
star
8

raft

Golang implementation of the Raft consensus protocol
Go
7,383
star
9

serf

Service orchestration and management tool.
Go
5,692
star
10

hcl

HCL is the HashiCorp configuration language.
Go
5,236
star
11

go-plugin

Golang plugin system over RPC.
Go
4,874
star
12

terraform-cdk

Define infrastructure resources using programming constructs and provision them using HashiCorp Terraform
TypeScript
4,868
star
13

waypoint

A tool to build, deploy, and release any application on any platform.
Go
4,789
star
14

consul-template

Template rendering, notifier, and supervisor for @HashiCorp Consul and Vault data.
Go
4,750
star
15

terraform-provider-azurerm

Terraform provider for Azure Resource Manager
Go
4,528
star
16

otto

Development and deployment made easy.
HTML
4,282
star
17

golang-lru

Golang LRU cache
Go
4,221
star
18

boundary

Boundary enables identity-based access management for dynamic infrastructure.
Go
3,850
star
19

memberlist

Golang package for gossip based membership and failure detection
Go
3,303
star
20

go-memdb

Golang in-memory database built on immutable radix trees
Go
2,937
star
21

next-mdx-remote

Load mdx content from anywhere through getStaticProps in next.js
TypeScript
2,405
star
22

terraform-provider-google

Terraform Provider for Google Cloud Platform
Go
2,325
star
23

go-multierror

A Go (golang) package for representing a list of errors as a single error.
Go
2,029
star
24

yamux

Golang connection multiplexing library
Go
2,003
star
25

envconsul

Launch a subprocess with environment variables using data from @HashiCorp Consul and Vault.
Go
1,967
star
26

go-retryablehttp

Retryable HTTP client in Go
Go
1,702
star
27

terraform-provider-kubernetes

Terraform Kubernetes provider
Go
1,580
star
28

go-getter

Package for downloading things from a string URL using a variety of protocols.
Go
1,541
star
29

best-practices

HCL
1,490
star
30

go-version

A Go (golang) library for parsing and verifying versions and version constraints.
Go
1,459
star
31

go-metrics

A Golang library for exporting performance and runtime metrics to external metrics systems (i.e. statsite, statsd)
Go
1,453
star
32

setup-terraform

Sets up Terraform CLI in your GitHub Actions workflow.
JavaScript
1,352
star
33

terraform-guides

Example usage of HashiCorp Terraform
HCL
1,324
star
34

mdns

Simple mDNS client/server library in Golang
Go
1,020
star
35

terraform-provider-helm

Terraform Helm provider
Go
997
star
36

vault-guides

Example usage of HashiCorp Vault secrets management
Shell
990
star
37

go-immutable-radix

An immutable radix tree implementation in Golang
Go
926
star
38

vault-helm

Helm chart to install Vault and other associated components.
Shell
904
star
39

terraform-ls

Terraform Language Server
Go
896
star
40

vscode-terraform

HashiCorp Terraform VSCode extension
TypeScript
870
star
41

levant

An open source templating and deployment tool for HashiCorp Nomad jobs
Go
825
star
42

vault-k8s

First-class support for Vault and Kubernetes.
Go
697
star
43

terraform-exec

Terraform CLI commands via Go.
Go
675
star
44

consul-k8s

First-class support for Consul Service Mesh on Kubernetes
Go
665
star
45

terraform-aws-vault

A Terraform Module for how to run Vault on AWS using Terraform and Packer
HCL
659
star
46

terraform-github-actions

Terraform GitHub Actions
Shell
624
star
47

terraform-provider-vsphere

Terraform Provider for VMware vSphere
Go
617
star
48

raft-boltdb

Raft backend implementation using BoltDB
Go
585
star
49

nextjs-bundle-analysis

A github action that provides detailed bundle analysis on PRs for next.js apps
JavaScript
562
star
50

go-discover

Discover nodes in cloud environments
Go
562
star
51

consul-replicate

Consul cross-DC KV replication daemon.
Go
504
star
52

next-mdx-enhanced

A Next.js plugin that enables MDX pages, layouts, and front matter
JavaScript
500
star
53

docker-vault

Official Docker images for Vault
Shell
492
star
54

terraform-provider-kubernetes-alpha

A Terraform provider for Kubernetes that uses dynamic resource types and server-side apply. Supports all Kubernetes resources.
Go
490
star
55

vault-secrets-operator

The Vault Secrets Operator (VSO) allows Pods to consume Vault secrets natively from Kubernetes Secrets.
Go
466
star
56

terraform-k8s

Terraform Cloud Operator for Kubernetes
Go
454
star
57

puppet-bootstrap

A collection of single-file scripts to bootstrap your machines with Puppet.
Shell
444
star
58

cap

A collection of authentication Go packages related to OIDC, JWKs, Distributed Claims, LDAP
Go
443
star
59

terraform-provider-vault

Terraform Vault provider
Go
431
star
60

damon

A terminal UI (TUI) for HashiCorp Nomad
Go
427
star
61

nomad-autoscaler

Nomad Autoscaler brings autoscaling to your Nomad workloads.
Go
424
star
62

consul-helm

Helm chart to install Consul and other associated components.
Shell
422
star
63

terraform-provider-azuread

Terraform provider for Azure Active Directory
Go
419
star
64

vault-ssh-helper

Vault SSH Agent is used to enable one time keys and passwords
Go
404
star
65

terraform-provider-scaffolding

Quick start repository for creating a Terraform provider
Go
402
star
66

terraform-aws-consul

A Terraform Module for how to run Consul on AWS using Terraform and Packer
HCL
401
star
67

docker-consul

Official Docker images for Consul.
Dockerfile
399
star
68

nomad-pack

Go
393
star
69

hil

HIL is a small embedded language for string interpolations.
Go
392
star
70

learn-terraform-provision-eks-cluster

HCL
389
star
71

terraform-plugin-sdk

Terraform Plugin SDK enables building plugins (providers) to manage any service providers or custom in-house solutions
Go
383
star
72

terraform-config-inspect

A helper library for shallow inspection of Terraform configurations
Go
380
star
73

hcl2

Former temporary home for experimental new version of HCL
Go
375
star
74

errwrap

Errwrap is a Go (golang) library for wrapping and querying errors.
Go
373
star
75

go-cleanhttp

Go
366
star
76

design-system

Helios Design System
TypeScript
358
star
77

logutils

Utilities for slightly better logging in Go (Golang).
Go
356
star
78

vault-ruby

The official Ruby client for HashiCorp's Vault
Ruby
336
star
79

vault-rails

A Rails plugin for easily integrating Vault secrets
Ruby
334
star
80

next-remote-watch

Decorated local server for next.js that enables reloads from remote data changes
JavaScript
325
star
81

waypoint-examples

Example Apps that can be deployed with Waypoint
PHP
325
star
82

go-hclog

A common logging package for HashiCorp tools
Go
319
star
83

vault-csi-provider

HashiCorp Vault Provider for Secret Store CSI Driver
Go
308
star
84

nomad-guides

Example usage of HashiCorp Nomad
HCL
281
star
85

consul-haproxy

Consul HAProxy connector for real-time configuration
Go
279
star
86

terraform-provider-google-beta

Terraform Provider for Google Cloud Platform (Beta)
Go
265
star
87

consul-esm

External service monitoring for Consul
Go
262
star
88

http-echo

A tiny go web server that echos what you start it with!
Makefile
257
star
89

terraform-provider-awscc

Terraform AWS Cloud Control provider
HCL
256
star
90

terraform-aws-nomad

A Terraform Module for how to run Nomad on AWS using Terraform and Packer
HCL
254
star
91

faas-nomad

OpenFaaS plugin for Nomad
Go
252
star
92

go-sockaddr

IP Address/UNIX Socket convenience functions for Go
Go
250
star
93

terraform-foundational-policies-library

Sentinel is a language and framework for policy built to be embedded in existing software to enable fine-grained, logic-based policy decisions. This repository contains a library of Sentinel policies, developed by HashiCorp, that can be consumed directly within the Terraform Cloud platform.
HCL
233
star
94

nomad-driver-podman

A nomad task driver plugin for sandboxing workloads in podman containers
Go
226
star
95

vagrant-vmware-desktop

Official provider for VMware desktop products: Fusion, Player, and Workstation.
Go
225
star
96

go-tfe

HCP Terraform/Enterprise API Client/SDK in Golang
Go
224
star
97

nomad-pack-community-registry

A repo for Packs written and maintained by Nomad community members
HCL
221
star
98

boundary-reference-architecture

Example reference architecture for a high availability Boundary deployment on AWS.
HCL
211
star
99

terraform-plugin-framework

A next-generation framework for building Terraform providers.
Go
204
star
100

vault-plugin-auth-kubernetes

Vault authentication plugin for Kubernetes Service Accounts
Go
192
star