Encrypted value needs to be in Base64 format
threeseed committed Jun 5, 2021
1 parent 01de2f6 commit cf96f25
Showing 4 changed files with 34 additions and 26 deletions.
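--- a/github/resource_github_actions_organization_secret.go
+++ b/github/resource_github_actions_organization_secret.go
@@ -9,6 +9,7 @@ import (
 
 "github.com/google/go-github/v35/github"
 "github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+"github.com/hashicorp/terraform-plugin-sdk/helper/validation"
 )
 
 func resourceGithubActionsOrganizationSecret() *schema.Resource {
@@ -32,16 +33,19 @@ func resourceGithubActionsOrganizationSecret() *schema.Resource {
 ValidateFunc: validateSecretNameFunc,
 },
 "encrypted_value": {
-Type: schema.TypeString,
-ForceNew: true,
-Optional: true,
-Sensitive: true,
+Type: schema.TypeString,
+ForceNew: true,
+Optional: true,
+Sensitive: true,
+ConflictsWith: []string{"plaintext_value"},
+ValidateFunc: validation.StringIsBase64,
 },
 "plaintext_value": {
-Type: schema.TypeString,
-ForceNew: true,
-Optional: true,
-Sensitive: true,
+Type: schema.TypeString,
+ForceNew: true,
+Optional: true,
+Sensitive: true,
+ConflictsWith: []string{"encrypted_value"},
 },
 "visibility": {
 Type: schema.TypeString,
@@ -76,7 +80,7 @@ func resourceGithubActionsOrganizationSecretCreateOrUpdate(d *schema.ResourceDat
 
 secretName := d.Get("secret_name").(string)
 plaintextValue := d.Get("plaintext_value").(string)
-var encryptedValue []byte
+var encryptedValue string
 
 visibility := d.Get("visibility").(string)
 selectedRepositories, hasSelectedRepositories := d.GetOk("selected_repository_ids")
@@ -103,12 +107,13 @@ func resourceGithubActionsOrganizationSecretCreateOrUpdate(d *schema.ResourceDat
 }
 
 if encryptedText, ok := d.GetOk("encrypted_value"); ok {
-encryptedValue = []byte(encryptedText.(string))
+encryptedValue = encryptedText.(string)
 } else {
-encryptedValue, err = encryptPlaintext(plaintextValue, publicKey)
+encryptedBytes, err := encryptPlaintext(plaintextValue, publicKey)
 if err != nil {
 return err
 }
+encryptedValue = base64.StdEncoding.EncodeToString(encryptedBytes)
 }
 
 // Create an EncryptedSecret and encrypt the plaintext value into it
@@ -117,7 +122,7 @@ func resourceGithubActionsOrganizationSecretCreateOrUpdate(d *schema.ResourceDat
 KeyID: keyId,
 Visibility: visibility,
 SelectedRepositoryIDs: selectedRepositoryIDs,
-EncryptedValue: base64.StdEncoding.EncodeToString(encryptedValue),
+EncryptedValue: encryptedValue,
 }
 
 _, err = client.Actions.CreateOrUpdateOrgSecret(ctx, owner, eSecret)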
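Review bot: `ConflictsWith` on `encrypted_value` and `plaintext_value` only forbids setting both; a configuration that sets neither still passes schema validation, and the `else` branch in `resourceGithubActionsOrganizationSecretCreateOrUpdate` then encrypts the empty `plaintext_value` and stores an empty secret without any error. If the SDK version in use supports it, `ExactlyOneOf: []string{"encrypted_value", "plaintext_value"},` on both attributes expresses the intended contract at plan time; otherwise a guard such as `if plaintextValue == "" { return errors.New("one of encrypted_value or plaintext_value must be set") }` before the encryption branch would do (confirm `errors` or `fmt` is imported in this file, the import block is only partly visible). The same gap exists in github/resource_github_actions_secret.go. As a style point, `encryptedBytes, err := encryptPlaintext(...)` shadows the function-level `err` inside the `else` block; it is harmless here because the inner `err` is checked immediately, but `var encryptedBytes []byte` plus `=` would avoid the shadow. The enclosing function continues outside the hunk.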
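--- a/github/resource_github_actions_secret.go
+++ b/github/resource_github_actions_secret.go
@@ -31,16 +31,18 @@ func resourceGithubActionsSecret() *schema.Resource {
 ValidateFunc: validateSecretNameFunc,
 },
 "encrypted_value": {
-Type: schema.TypeString,
-ForceNew: true,
-Optional: true,
-Sensitive: true,
+Type: schema.TypeString,
+ForceNew: true,
+Optional: true,
+Sensitive: true,
+ConflictsWith: []string{"plaintext_value"},
 },
 "plaintext_value": {
-Type: schema.TypeString,
-ForceNew: true,
-Optional: true,
-Sensitive: true,
+Type: schema.TypeString,
+ForceNew: true,
+Optional: true,
+Sensitive: true,
+ConflictsWith: []string{"encrypted_value"},
 },
 "created_at": {
 Type: schema.TypeString,
@@ -62,27 +64,28 @@ func resourceGithubActionsSecretCreateOrUpdate(d *schema.ResourceData, meta inte
 repo := d.Get("repository").(string)
 secretName := d.Get("secret_name").(string)
 plaintextValue := d.Get("plaintext_value").(string)
-var encryptedValue []byte
+var encryptedValue string
 
 keyId, publicKey, err := getPublicKeyDetails(owner, repo, meta)
 if err != nil {
 return err
 }
 
 if encryptedText, ok := d.GetOk("encrypted_value"); ok {
-encryptedValue = []byte(encryptedText.(string))
+encryptedValue = encryptedText.(string)
 } else {
-encryptedValue, err = encryptPlaintext(plaintextValue, publicKey)
+encryptedBytes, err := encryptPlaintext(plaintextValue, publicKey)
 if err != nil {
 return err
 }
+encryptedValue = base64.StdEncoding.EncodeToString(encryptedBytes)
 }
 
 // Create an EncryptedSecret and encrypt the plaintext value into it
 eSecret := &github.EncryptedSecret{
 Name: secretName,
 KeyID: keyId,
-EncryptedValue: base64.StdEncoding.EncodeToString(encryptedValue),
+EncryptedValue: encryptedValue,
 }
 
 _, err = client.Actions.CreateOrUpdateRepoSecret(ctx, owner, repo, eSecret)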
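Review bot: The repository secret's `encrypted_value` attribute gains `ConflictsWith` but not the `ValidateFunc: validation.StringIsBase64` that the organization secret resource receives in this same commit, even though the commit title makes Base64 the stated contract for that field. Because the new code in `resourceGithubActionsSecretCreateOrUpdate` now passes `encrypted_value` straight through to `EncryptedValue` without any decoding step, a malformed value is no longer caught locally at all and is only rejected by the GitHub API at apply time. Adding `ValidateFunc: validation.StringIsBase64,` after the `ConflictsWith` line, together with the `github.com/hashicorp/terraform-plugin-sdk/helper/validation` import (this file's import block is outside the hunk), keeps the two resources consistent and fails at plan time. The enclosing function continues outside the hunk.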
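--- a/website/docs/r/actions_organization_secret.html.markdown
+++ b/website/docs/r/actions_organization_secret.html.markdown
@@ -60,7 +60,7 @@ resource "github_actions_organization_secret" "example_secret" {
 The following arguments are supported:
 
 * `secret_name` - (Required) Name of the secret
-* `encrypted_value` - (Optional) Encrypted value of the secret
+* `encrypted_value` - (Optional) Encrypted value of the secret using the Github public key in Base64 format.
 * `plaintext_value` - (Optional) Plaintext value of the secret to be encrypted
 * `visiblity` - (Required) Configures the access that repositories have to the organization secret.
 Must be one of `all`, `private`, `selected`. `selected_repository_ids` is required if set to `selected`.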
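--- a/website/docs/r/actions_secret.html.markdown
+++ b/website/docs/r/actions_secret.html.markdown
@@ -45,7 +45,7 @@ The following arguments are supported:
 
 * `repository` - (Required) Name of the repository
 * `secret_name` - (Required) Name of the secret
-* `encrypted_value` - (Optional) Encrypted value of the secret
+* `encrypted_value` - (Optional) Encrypted value of the secret using the Github public key in Base64 format.
 * `plaintext_value` - (Optional) Plaintext value of the secret to be encrypted
 
 ## Attributes Reference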
