This is an example stack configuration for the private preview of Terraform Stacks. Language constructs and features are subject to change given feedback received during this preview. Do not use Stacks for production workloads at this time.
An example Terraform Stack that uses a datasource to fetch a static GitHub token from HCP Vault Secrets (using OIDC authentication to Vault) and passes the token to another component for provisioning resources with the GitHub provider (in this case, a respository).
We do not recommend using this example within production accounts.
Prerequisites: You must have a Terraform Cloud account with access to the private preview of Terraform Stacks, a GitHub account, and an HCP account with HCP Vault Secrets containing a valid GitHub personal access token. Details of all of this are found in the provided Stacks User Guide.
- Configure Vault Secrets authentication by using the HCP API or Terraform itself: https://registry.terraform.io/modules/chrisarcand/workload-identity/hcp/latest
You must configure Terraform Cloud as a workload identity provider, create a service principal for that provider, and create an IAM binding to give the service principal permission to the Project your Vault Secrets application is in. There currently is no user interface in the HCP Platform to do this. - Fork this repository to your own GitHub account, such that you can edit this stack configuration for your purposes.
- Edit your forked stack configuration and change
deployments.tfdeploy.hclto use the correct values. - Create a new stack in Terraform Cloud and connect it to your forked configuration repository.
- Provision away! Once applied, you should have a new GitHub respository created in the account you provided a token for.