do not bake kms in image

to account for workspaces

Author: joecorall

Dockerfile

@@ -6,20 +6,11 @@ RUN apt-get update && apt-get install -y wget unzip
 RUN wget -q https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip
 RUN unzip vault_${VAULT_VERSION}_linux_amd64.zip
 
-FROM alpine:3.23@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11 as config
-ARG KMS_KEY_RING=vault-server
-ARG KMS_CRYPTO_KEY=vault
-COPY vault-server.hcl.tmpl /tmp/vault-server.hcl.tmpl
-RUN sed \
-  -e "s/__KMS_KEY_RING__/${KMS_KEY_RING}/g" \
-  -e "s/__KMS_CRYPTO_KEY__/${KMS_CRYPTO_KEY}/g" \
-  /tmp/vault-server.hcl.tmpl > /tmp/config.hcl
-
-FROM alpine:3.23@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11 as certs
+FROM alpine:3.23@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11
 RUN apk --update add ca-certificates
-
-FROM scratch
-COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+RUN mkdir -p /etc/vault
 COPY --from=builder /vault .
-COPY --from=config /tmp/config.hcl /etc/vault/config.hcl
-ENTRYPOINT ["/vault", "server", "-config", "/etc/vault/config.hcl"]
+COPY vault-server.hcl.tmpl /etc/vault/config.hcl.tmpl
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+RUN chmod +x /docker-entrypoint.sh
+ENTRYPOINT ["/docker-entrypoint.sh"]

README.md

@@ -20,6 +20,14 @@ The GCP project needs the following non-standard APIs enabled:
 
 After this module has been ran, the Vault server is up and running and has been initialized. The root token is encrypted in a GCS bucket.
 
+The Vault image now renders its seal config at container startup from the
+runtime `KMS_KEY_RING` and `KMS_CRYPTO_KEY` environment variables. That keeps
+the KMS binding out of the built image so multiple environments can safely
+share the same module code and repository without image-content drift.
+The module also forces the Vault image build to `linux/amd64` so Cloud Run
+always receives a compatible image even when Terraform runs from Apple Silicon
+or another non-amd64 host.
+
 If you list the GCS storage bucket you will see a new set of directories created by Vault:
 
 ```
@@ -116,7 +124,7 @@ HA Enabled               false
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_vault"></a> [vault](#module\_vault) | git::https://github.com/libops/terraform-cloudrun-v2 | 0.5.1 |
+| <a name="module_vault"></a> [vault](#module\_vault) | git::https://github.com/libops/terraform-cloudrun-v2 | 0.5.2 |
 
 ## Resources
 
@@ -165,4 +173,4 @@ HA Enabled               false
 | <a name="output_key_bucket"></a> [key\_bucket](#output\_key\_bucket) | n/a |
 | <a name="output_repo"></a> [repo](#output\_repo) | n/a |
 | <a name="output_vault-url"></a> [vault-url](#output\_vault-url) | The URL to the Vault instance. |
-<!-- END_TF_DOCS -->
+<!-- END_TF_DOCS -->

docker-entrypoint.sh

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -eu
+
+: "${KMS_KEY_RING:?KMS_KEY_RING is required}"
+: "${KMS_CRYPTO_KEY:?KMS_CRYPTO_KEY is required}"
+
+escape_sed_replacement() {
+  printf '%s' "$1" | sed 's/[&|]/\\&/g'
+}
+
+config_path="${VAULT_CONFIG_PATH:-/tmp/vault-config.hcl}"
+
+sed \
+  -e "s|__KMS_KEY_RING__|$(escape_sed_replacement "$KMS_KEY_RING")|g" \
+  -e "s|__KMS_CRYPTO_KEY__|$(escape_sed_replacement "$KMS_CRYPTO_KEY")|g" \
+  /etc/vault/config.hcl.tmpl > "$config_path"
+
+exec /vault server -config "$config_path"

main.tf

@@ -25,6 +25,7 @@ locals {
   gsa          = "${local.account_id}@${var.project}.iam.gserviceaccount.com"
   vault_image_context_sha = sha1(join("", [
     filesha1("${path.module}/Dockerfile"),
+    filesha1("${path.module}/docker-entrypoint.sh"),
     filesha1("${path.module}/vault-server.hcl.tmpl"),
   ]))
   data_bucket_name = trimspace(var.data_bucket_name) != "" ? trimspace(var.data_bucket_name) : lower(
@@ -95,22 +96,17 @@ resource "google_artifact_registry_repository" "private" {
 # docker build vault server image
 resource "docker_image" "vault" {
   name = local.image_name
+  platform = "linux/amd64"
 
   build {
     context    = path.module
     dockerfile = "Dockerfile"
-    build_args = {
-      KMS_KEY_RING   = var.kms_key_ring_name
-      KMS_CRYPTO_KEY = var.kms_key_name
-    }
   }
 
   keep_locally = false
 
   triggers = {
     dir_sha = local.vault_image_context_sha
-    ring    = var.kms_key_ring_name
-    key     = var.kms_key_name
   }
 }
 
@@ -122,8 +118,6 @@ resource "docker_registry_image" "vault" {
 
   triggers = {
     dir_sha = local.vault_image_context_sha
-    ring    = var.kms_key_ring_name
-    key     = var.kms_key_name
   }
 }
 
@@ -200,6 +194,14 @@ module "vault" {
       name  = "GOOGLE_PROJECT"
       value = var.project
     },
+    {
+      name  = "KMS_KEY_RING"
+      value = var.kms_key_ring_name
+    },
+    {
+      name  = "KMS_CRYPTO_KEY"
+      value = var.kms_key_name
+    },
     {
       name  = "GOOGLE_STORAGE_BUCKET"
       value = google_storage_bucket.vault["data"].name