You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A discussion dedicated to the HCP Vault Secrets module. Share your thoughts, questions, and feedback here.
Module Scorecard
Presentation & Onboarding
Credential Hygiene
Restricted-Environment Readiness
Engineering Quality
Overall
20 / 25
18 / 20
N/A
6 / 10
80 / 100
Drilldown
Presentation & Onboarding — 20 / 25
Criterion
Max
Score
Notes
Configuration-mode examples
12
12
Multiple documented examples: fetch all secrets (skip secrets input), fetch selective secrets (set secrets input), and set credentials as inputs vs environment variables. Each mode has clear code examples with sensible defaults.
Coder-context framing
8
8
README clearly states "This module lets you fetch all or selective secrets from a HCP Vault Secrets app into your Coder workspaces." Names both Coder and HCP Vault Secrets, explains the integration adds secret injection into workspaces.
Visual preview
5
0
No image, GIF, or video of the module in action. The README includes a screenshot of HCP console credentials UI (hcp-vault-secrets-credentials.png) but this shows the HCP interface, not the module in action within Coder.
Credential Hygiene — 18 / 20
Criterion
Max
Score
Notes
Secrets marked sensitive
16
14
client_id and client_secret variables are marked sensitive = true in main.tf. However, README example shows client_id = "HCP_CLIENT_ID" and client_secret = "HCP_CLIENT_SECRET" as inline placeholder strings in the module block, which counts as inline secrets in examples. This caps the score at half below full: 14/16.
Non-hardcoded auth path
4
4
README documents environment variable path: "Set HCP_CLIENT_ID and HCP_CLIENT_SECRET variables on the coder provisioner (recommended)" avoiding inline keys in templates. This is the primary documented path.
Restricted-Environment Readiness — N/A
Criterion
Max
Score
Notes
Mirrorable artifact source
10
N/A
Module downloads nothing; it only calls the HCP Vault Secrets API via the HCP Terraform provider. No artifacts are fetched or installed.
Bring-your-own binary
5
N/A
Module downloads nothing; it only calls the HCP Vault Secrets API via the HCP Terraform provider. No binaries are installed.
Egress transparency
3
N/A
Module downloads nothing; it only calls the HCP Vault Secrets API via the HCP Terraform provider. No artifacts are fetched or installed.
Runs without sudo
2
N/A
Module contains no scripts; it only uses Terraform data sources and resources.
Engineering Quality — 6 / 10
Criterion
Max
Score
Notes
Input quality
6
6
All inputs have clear descriptions. client_id and client_secret have helpful descriptions noting they're optional if environment variables are set. secrets has a clear description and sensible default (null = fetch all). project_id, app_name, and agent_id are well-described. No validation blocks present, but the inputs are straightforward strings/lists where validation would add limited value.
Test coverage
4
0
No .tftest.hcl files or TypeScript test files present in the module. No testing story documented in README.
Overall — 80 / 100
Raw 44 / 55 → round(44 / 55 × 100) = 80
(Note: Calculation correction - Raw score is 44 points out of 55 possible after N/A exclusions. 44/55 = 0.8, × 100 = 80. However, rechecking arithmetic: Presentation 20 + Credential 18 + Engineering 6 = 44 total raw points. Denominator: 25 + 20 + 10 = 55 (Restricted-Environment 20 points excluded as N/A). 44/55 × 100 = 80.)
Corrected Overall: 80 / 100
Scored against SCORECARD.md on 2026-07-15 with claude-sonnet-4-5.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
A discussion dedicated to the HCP Vault Secrets module. Share your thoughts, questions, and feedback here.
Module Scorecard
Drilldown
Presentation & Onboarding — 20 / 25
secretsinput), fetch selective secrets (setsecretsinput), and set credentials as inputs vs environment variables. Each mode has clear code examples with sensible defaults.hcp-vault-secrets-credentials.png) but this shows the HCP interface, not the module in action within Coder.Credential Hygiene — 18 / 20
client_idandclient_secretvariables are markedsensitive = truein main.tf. However, README example showsclient_id = "HCP_CLIENT_ID"andclient_secret = "HCP_CLIENT_SECRET"as inline placeholder strings in the module block, which counts as inline secrets in examples. This caps the score at half below full: 14/16.HCP_CLIENT_IDandHCP_CLIENT_SECRETvariables on the coder provisioner (recommended)" avoiding inline keys in templates. This is the primary documented path.Restricted-Environment Readiness — N/A
Engineering Quality — 6 / 10
client_idandclient_secrethave helpful descriptions noting they're optional if environment variables are set.secretshas a clear description and sensible default (null = fetch all).project_id,app_name, andagent_idare well-described. No validation blocks present, but the inputs are straightforward strings/lists where validation would add limited value..tftest.hclfiles or TypeScript test files present in the module. No testing story documented in README.Overall — 80 / 100
Raw 44 / 55 → round(44 / 55 × 100) = 80
(Note: Calculation correction - Raw score is 44 points out of 55 possible after N/A exclusions. 44/55 = 0.8, × 100 = 80. However, rechecking arithmetic: Presentation 20 + Credential 18 + Engineering 6 = 44 total raw points. Denominator: 25 + 20 + 10 = 55 (Restricted-Environment 20 points excluded as N/A). 44/55 × 100 = 80.)
Corrected Overall: 80 / 100
Scored against SCORECARD.md on 2026-07-15 with
claude-sonnet-4-5.Beta Was this translation helpful? Give feedback.
All reactions