From cf96f25c90ea0cb6dbcc2da0183420a57e8c95cc Mon Sep 17 00:00:00 2001 From: Naden Date: Sat, 5 Jun 2021 13:52:26 +1000 Subject: [PATCH] Encrypted value needs to be in Base64 format --- ...urce_github_actions_organization_secret.go | 29 +++++++++++-------- github/resource_github_actions_secret.go | 27 +++++++++-------- .../actions_organization_secret.html.markdown | 2 +- website/docs/r/actions_secret.html.markdown | 2 +- 4 files changed, 34 insertions(+), 26 deletions(-) diff --git a/github/resource_github_actions_organization_secret.go b/github/resource_github_actions_organization_secret.go index e638db1f21..4e23ae5f3e 100644 --- a/github/resource_github_actions_organization_secret.go +++ b/github/resource_github_actions_organization_secret.go @@ -9,6 +9,7 @@ import ( "github.com/google/go-github/v35/github" "github.com/hashicorp/terraform-plugin-sdk/helper/schema" + "github.com/hashicorp/terraform-plugin-sdk/helper/validation" ) func resourceGithubActionsOrganizationSecret() *schema.Resource { @@ -32,16 +33,19 @@ func resourceGithubActionsOrganizationSecret() *schema.Resource { ValidateFunc: validateSecretNameFunc, }, "encrypted_value": { - Type: schema.TypeString, - ForceNew: true, - Optional: true, - Sensitive: true, + Type: schema.TypeString, + ForceNew: true, + Optional: true, + Sensitive: true, + ConflictsWith: []string{"plaintext_value"}, + ValidateFunc: validation.StringIsBase64, }, "plaintext_value": { - Type: schema.TypeString, - ForceNew: true, - Optional: true, - Sensitive: true, + Type: schema.TypeString, + ForceNew: true, + Optional: true, + Sensitive: true, + ConflictsWith: []string{"encrypted_value"}, }, "visibility": { Type: schema.TypeString, 
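Review bot: `ConflictsWith` on `encrypted_value` and `plaintext_value` in the schema hunk stops both being set, but both stay `Optional`, so a configuration that sets neither is still accepted. The create path later in this file then reads `plaintext_value` as the empty string and takes the `else` branch, which encrypts and uploads it, so the secret ends up holding an empty value. If the SDK version in use supports it, `ExactlyOneOf: []string{"encrypted_value", "plaintext_value"},` on both attributes would reject that at plan time. The same applies to the schema hunk in `github/resource_github_actions_secret.go`; the schema function's body starts and ends outside the hunk.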
@@ -76,7 +80,7 @@ func resourceGithubActionsOrganizationSecretCreateOrUpdate(d *schema.ResourceDat secretName := d.Get("secret_name").(string) plaintextValue := d.Get("plaintext_value").(string) - var encryptedValue []byte + var encryptedValue string visibility := d.Get("visibility").(string) selectedRepositories, hasSelectedRepositories := d.GetOk("selected_repository_ids") @@ -103,12 +107,13 @@ func resourceGithubActionsOrganizationSecretCreateOrUpdate(d *schema.ResourceDat } if encryptedText, ok := d.GetOk("encrypted_value"); ok { - encryptedValue = []byte(encryptedText.(string)) + encryptedValue = encryptedText.(string) } else { - encryptedValue, err = encryptPlaintext(plaintextValue, publicKey) + encryptedBytes, err := encryptPlaintext(plaintextValue, publicKey) if err != nil { return err } + encryptedValue = base64.StdEncoding.EncodeToString(encryptedBytes) } // Create an EncryptedSecret and encrypt the plaintext value into it @@ -117,7 +122,7 @@ func resourceGithubActionsOrganizationSecretCreateOrUpdate(d *schema.ResourceDat KeyID: keyId, Visibility: visibility, SelectedRepositoryIDs: selectedRepositoryIDs, - EncryptedValue: base64.StdEncoding.EncodeToString(encryptedValue), + EncryptedValue: encryptedValue, } _, err = client.Actions.CreateOrUpdateOrgSecret(ctx, owner, eSecret) diff --git a/github/resource_github_actions_secret.go b/github/resource_github_actions_secret.go index f519a51f05..034734d48a 100644 --- a/github/resource_github_actions_secret.go +++ b/github/resource_github_actions_secret.go 
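Review bot: A caller-supplied `encrypted_value` is now sent unchanged, yet it is still paired with `KeyID: keyId`, which is looked up at apply time, and nothing in the `if` branch ties the ciphertext to that key. If the value was sealed against a different or since-rotated public key, the provider gives no hint of the cause, so the argument docs should state that the value must be encrypted with the current public key for the organization. The comment `// Create an EncryptedSecret and encrypt the plaintext value into it` no longer matches this path; `// Build the EncryptedSecret from the Base64 ciphertext (user-supplied or encrypted above)` would be accurate. `encryptedBytes, err := encryptPlaintext(...)` also shadows the outer `err`; it is returned correctly here, but `var encryptedBytes []byte` with a plain `=` assignment avoids the shadow. The same points apply to the matching hunks in `github/resource_github_actions_secret.go`, and the function body continues outside these hunks.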
@@ -31,16 +31,18 @@ func resourceGithubActionsSecret() *schema.Resource { ValidateFunc: validateSecretNameFunc, }, "encrypted_value": { - Type: schema.TypeString, - ForceNew: true, - Optional: true, - Sensitive: true, + Type: schema.TypeString, + ForceNew: true, + Optional: true, + Sensitive: true, + ConflictsWith: []string{"plaintext_value"}, }, "plaintext_value": { - Type: schema.TypeString, - ForceNew: true, - Optional: true, - Sensitive: true, + Type: schema.TypeString, + ForceNew: true, + Optional: true, + Sensitive: true, + ConflictsWith: []string{"encrypted_value"}, }, "created_at": { Type: schema.TypeString, @@ -62,7 +64,7 @@ func resourceGithubActionsSecretCreateOrUpdate(d *schema.ResourceData, meta inte repo := d.Get("repository").(string) secretName := d.Get("secret_name").(string) plaintextValue := d.Get("plaintext_value").(string) - var encryptedValue []byte + var encryptedValue string keyId, publicKey, err := getPublicKeyDetails(owner, repo, meta) if err != nil { @@ -70,19 +72,20 @@ func resourceGithubActionsSecretCreateOrUpdate(d *schema.ResourceData, meta inte } if encryptedText, ok := d.GetOk("encrypted_value"); ok { - encryptedValue = []byte(encryptedText.(string)) + encryptedValue = encryptedText.(string) } else { - encryptedValue, err = encryptPlaintext(plaintextValue, publicKey) + encryptedBytes, err := encryptPlaintext(plaintextValue, publicKey) if err != nil { return err } + encryptedValue = base64.StdEncoding.EncodeToString(encryptedBytes) } // Create an EncryptedSecret and encrypt the plaintext value into it eSecret := &github.EncryptedSecret{ Name: secretName, KeyID: keyId, - EncryptedValue: base64.StdEncoding.EncodeToString(encryptedValue), + EncryptedValue: encryptedValue, } _, err = client.Actions.CreateOrUpdateRepoSecret(ctx, owner, repo, eSecret) diff --git a/website/docs/r/actions_organization_secret.html.markdown b/website/docs/r/actions_organization_secret.html.markdown index 800d1e026d..1f62725fdb 100644 
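Review bot: `encrypted_value` in this schema hunk gets `ConflictsWith` but not the `ValidateFunc: validation.StringIsBase64,` that the organization resource received, even though the create path below no longer Base64-encodes the value itself. A non-Base64 string is therefore forwarded to the API verbatim and fails, if at all, only at apply time. Adding the validator here also needs the `helper/validation` import, which none of this file's hunks add; the import block is outside the hunk. When adding it, confirm whether the validator's error message echoes the rejected value, since the attribute is `Sensitive` and a plaintext pasted into it by mistake would then appear in plan output.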
--- a/website/docs/r/actions_organization_secret.html.markdown +++ b/website/docs/r/actions_organization_secret.html.markdown @@ -60,7 +60,7 @@ resource "github_actions_organization_secret" "example_secret" { The following arguments are supported: * `secret_name` - (Required) Name of the secret -* `encrypted_value` - (Optional) Encrypted value of the secret +* `encrypted_value` - (Optional) Encrypted value of the secret using the Github public key in Base64 format. * `plaintext_value` - (Optional) Plaintext value of the secret to be encrypted * `visiblity` - (Required) Configures the access that repositories have to the organization secret. Must be one of `all`, `private`, `selected`. `selected_repository_ids` is required if set to `selected`. diff --git a/website/docs/r/actions_secret.html.markdown b/website/docs/r/actions_secret.html.markdown index a47cf14628..dd4adca7b2 100644 --- a/website/docs/r/actions_secret.html.markdown +++ b/website/docs/r/actions_secret.html.markdown @@ -45,7 +45,7 @@ The following arguments are supported: * `repository` - (Required) Name of the repository * `secret_name` - (Required) Name of the secret -* `encrypted_value` - (Optional) Encrypted value of the secret +* `encrypted_value` - (Optional) Encrypted value of the secret using the Github public key in Base64 format. * `plaintext_value` - (Optional) Plaintext value of the secret to be encrypted ## Attributes Reference