ConseilsTI · benyboy84 · Mar 19, 2024 · Mar 19, 2024 · Mar 19, 2024 · Mar 19, 2024
diff --git a/README.md b/README.md
@@ -22,7 +22,7 @@ instead of a user token.
 
 ### Hashicorp Vault Secrets Permissions
 
-To read and create secrets in Hashicorp Vault Secrets, provide a client ID and a key
+To manage secrets in Hashicorp Vault Secrets, provide a client ID and a key
 from a service principals with the secret `contributor` role.
 
 ### GitHub Permissions
@@ -84,7 +84,9 @@ GITHUB\_APP\_PEM\_FILE, and GITHUB\_OWNER environment variables to authenticate.
   * branches protection
   * repositories secrets
   * teams
-* Read and write secrets in Hashicorp Vault Secrets
+* Manages configuration and life-cycle of Hashicorp Vault Secrets
+  * app
+  * secrets
 
 ## Prerequisite
 
@@ -179,6 +181,7 @@ No optional inputs.
 The following resources are used by this module:
 
 - [github_actions_secret.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) (resource)
+- [hcp_vault_secrets_app.this](https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/vault_secrets_app) (resource)
 - [hcp_vault_secrets_secret.this](https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/vault_secrets_secret) (resource)
 - [tfe_project.project](https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/resources/project) (resource)
 - [tfe_project_variable_set.this](https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/resources/project_variable_set) (resource)
@@ -197,6 +200,10 @@ The following resources are used by this module:
 
 The following outputs are exported:
 
+### <a name="output_manage_modules_team_token"></a> [manage\_modules\_team\_token](#output\_manage\_modules\_team\_token)
+
+Description: The token of the team with `manage-modules` access.
+
 ### <a name="output_modules_registry_github_contributors_team"></a> [modules\_registry\_github\_contributors\_team](#output\_modules\_registry\_github\_contributors\_team)
 
 Description: The id of the GitHub team who can contribute to the private modules registry.

diff --git a/docs/README_header.md b/docs/README_header.md
@@ -21,7 +21,7 @@ instead of a user token.
 
 ### Hashicorp Vault Secrets Permissions
 
-To read and create secrets in Hashicorp Vault Secrets, provide a client ID and a key
+To manage secrets in Hashicorp Vault Secrets, provide a client ID and a key
 from a service principals with the secret `contributor` role.
 
 ### GitHub Permissions
@@ -83,7 +83,9 @@ GITHUB_APP_PEM_FILE, and GITHUB_OWNER environment variables to authenticate.
   * branches protection
   * repositories secrets
   * teams
-* Read and write secrets in Hashicorp Vault Secrets
+* Manages configuration and life-cycle of Hashicorp Vault Secrets
+  * app
+  * secrets
 
 ## Prerequisite
 

diff --git a/locals.tf b/locals.tf
@@ -39,6 +39,9 @@ locals {
     }
   ]
 
+  # This local is used to defined the Hashicorp Vault Secrets app name where team token will be stored.
+  hcp_vault_secrets_app_name = "TerraformCloud"
+
   # This local is used to define teams at the organization level.
   tfc_organization_teams = [
     # `tfc_organization_teams` is a list of object.

diff --git a/outputs.tf b/outputs.tf
@@ -1,9 +1,15 @@
-output "modules_registry_github_owners_team" {
-  description = "The id of the GitHub team who owns the private modules registry."
-  value       = module.git_teams["TerraformCloud-ModulesRegistry-Owners"].id
+output "manage_modules_team_token" {
+  description = "The token of the team with `manage-modules` access."
+  value       = module.tfe_teams["manage-modules"].token
+  sensitive   = true
 }
 
 output "modules_registry_github_contributors_team" {
   description = "The id of the GitHub team who can contribute to the private modules registry."
   value       = module.git_teams["TerraformCloud-ModulesRegistry-Contributors"].id
-}
+}
+
+output "modules_registry_github_owners_team" {
+  description = "The id of the GitHub team who owns the private modules registry."
+  value       = module.git_teams["TerraformCloud-ModulesRegistry-Owners"].id
+}
diff --git a/resources_hcp_vault_secrets.tf b/resources_hcp_vault_secrets.tf
@@ -1,8 +1,14 @@
+# The following code block is used to create the Hashicorp Vault Secret app where team token will be stored.
+
+resource "hcp_vault_secrets_app" "this" {
+  app_name = local.hcp_vault_secrets_app_name
+}
+
 # The following code blode is used to create secret in Hashicorp Vault.
 
 resource "hcp_vault_secrets_secret" "this" {
   for_each     = nonsensitive({ for team in local.tfc_teams : team.name => team if try(team.token, false) == true })
-  app_name     = "TerraformCloud"
+  app_name     = local.hcp_vault_secrets_app_name
   secret_name  = lower(replace(each.value.name, "/\\W|_|\\s/", "_"))
   secret_value = module.tfe_teams[each.value.name].token
 }