github_actions_secret: document how to obtain encrypted_value #888
Comments
Until this is better supported, there are two other non-Terraform options to generate an encrypted secret:

GitHub CLI

```json
{
  "encrypted_value": "7hYpwbtVZ...==",
  "visibility": "private",
  "key_id": "56825..."
}
```

Generate Locally

```shell
# Credentials and target organisation (replace the placeholders).
GITHUB_USERNAME="my-username"
GITHUB_TOKEN="ghp_..."
GITHUB_ORGANISATION="my-organisation"

# Fetch the organisation's public key: the response carries "key_id" and the base64 "key"
# that the secret has to be sealed with.
curl -u "$GITHUB_USERNAME:$GITHUB_TOKEN" \
  "https://api.github.com/orgs/$GITHUB_ORGANISATION/actions/secrets/public-key"
```

3. Encrypt with a tool of your choice, or using the provider code or gh cli code.
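The "Generate Locally" route carried through end to end, as an added example that is not code from this thread, the provider, or the gh CLI. It takes the JSON body the public-key endpoint returns (the curl call above), seals the plaintext to that key with libsodium's crypto_box_seal via PyNaCl, which is the construction the GitHub secrets API requires, and renders the result both as the PUT request body and as the value a Terraform variable feeding `github_actions_secret.encrypted_value` would take. PyNaCl (`pip install pynacl`) is assumed to be installed; the helper names, the `key_id` and the keypair standing in for GitHub's are this example's own constructions.

```python
"""
Added example (not code from the thread, the provider, or gh): the
"Generate Locally" route end to end. Assumes PyNaCl is installed. The
key_id, the keypair and the API response below are constructed for the
example and are not real GitHub values.
"""
import base64
import json
from typing import Optional, Tuple


def parse_public_key_response(body: str) -> Tuple[str, bytes]:
    """Parse the JSON from GET .../actions/secrets/public-key into
    (key_id, raw 32-byte X25519 public key). Anything that does not decode
    to exactly 32 bytes is rejected instead of being fed to the sealed box."""
    doc = json.loads(body)
    raw = base64.b64decode(doc["key"], validate=True)
    if len(raw) != 32:
        raise ValueError(f"expected a 32-byte public key, got {len(raw)} bytes")
    return doc["key_id"], raw


def encrypt_secret(public_key_raw: bytes, plaintext: str) -> str:
    """Seal the plaintext to GitHub's key (libsodium crypto_box_seal, PyNaCl
    SealedBox) and base64-encode it: this string is the encrypted_value."""
    from nacl import public  # PyNaCl, assumed installed

    box = public.SealedBox(public.PublicKey(public_key_raw))
    return base64.b64encode(box.encrypt(plaintext.encode("utf-8"))).decode("ascii")


def build_put_body(key_id: str, encrypted_value: str,
                   visibility: Optional[str] = None) -> dict:
    """Body for PUT .../actions/secrets/{name}. key_id tells GitHub which
    public key was used. Organisation secrets additionally carry a
    visibility of "all", "private" or "selected"; repository secrets do not."""
    body = {"encrypted_value": encrypted_value, "key_id": key_id}
    if visibility is not None:
        body["visibility"] = visibility
    return body


def tfvars_line(var_name: str, encrypted_value: str) -> str:
    """Render the ciphertext as a .tfvars assignment for a Terraform variable
    that is passed to github_actions_secret.encrypted_value."""
    return f'{var_name} = "{encrypted_value}"'


def roundtrip_demo() -> Optional[bool]:
    """Stand in for GitHub: generate a throwaway keypair, publish its public
    half in the API's JSON shape, seal a secret to it and open it with the
    private half. Returns True when the plaintext comes back, None when PyNaCl
    is not installed. It also checks that sealing the same plaintext twice
    gives different ciphertext (a sealed box uses a fresh ephemeral key each
    time), which is why a regenerated encrypted_value always looks like a
    changed value to Terraform."""
    try:
        from nacl import public
    except ImportError:
        return None

    sk = public.PrivateKey.generate()
    response = json.dumps({  # constructed, same shape as GitHub's response
        "key_id": "0123456789",
        "key": base64.b64encode(bytes(sk.public_key)).decode("ascii"),
    })
    key_id, pk_raw = parse_public_key_response(response)
    ciphertext_a = encrypt_secret(pk_raw, "super-secret-token")
    ciphertext_b = encrypt_secret(pk_raw, "super-secret-token")
    opened = public.SealedBox(sk).decrypt(base64.b64decode(ciphertext_a))
    return (opened == b"super-secret-token"
            and ciphertext_a != ciphertext_b
            and key_id == "0123456789")


if __name__ == "__main__":
    print("round trip ok:", roundtrip_demo())
```

In practice you would pipe the curl output into `parse_public_key_response`, run `encrypt_secret` on the plaintext, and either PUT `build_put_body(...)` yourself or paste the `tfvars_line(...)` output into a tfvars file that is kept out of version control; only the ciphertext ever reaches the Terraform configuration or state.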
Hi, I feel there is a lack of information on how to implement an encrypted secret via Terraform. Any update on this case? Or any other alternative? Thank you, guys!

Daniel Vincenzi
Hi @shrink, thank you for your alternatives. Is it correct to say that, after generating my encrypted secret by

Thank you!

Daniel Vincenzi
Hi @danielvincenzi. Since my previous comment, "Add gh secret encrypt command to encrypt a secret locally without sending to GitHub" (#4388) has been resolved by "Add new flag --no-store to print the encoded secret in 'secret set'" (#4423), so you're now able to generate this value more easily:

```shell
$ gh secret set example_secret_name --no-store
? Paste your secret *************
cbKs5pvmBaTNrWqDEQAgMg0MklLlIdx5mjZ+YW6OQmeMlHglDafcaL/6Ybp6bNhbG7Psaif0pa65K1wCSA==
```

The correct approach depends on your specific needs, but ideally your Terraform files should not contain secrets and instead they should be sourced from a

```hcl
# Holds the already-encrypted value; only ciphertext is passed in.
variable "my_encrypted_secret_value" {
  type = string
}

# Exposes the repository public key (key_id and key) the secret must be sealed with.
data "github_actions_public_key" "example_public_key" {
  repository = "example_repository"
}

resource "github_actions_secret" "example_secret" {
  repository      = "example_repository"
  secret_name     = "example_secret_name"
  encrypted_value = var.my_encrypted_secret_value
}
```

```hcl
my_encrypted_secret_value = "cbKs5pvmBaTNrWqDEQAgMg0MklLlIdx5mjZ+YW6OQmeMlHglDafcaL/6Ybp6bNhbG7Psaif0pa65K1wCSA=="
```
How would this work for a value generated by another resource in Terraform? For instance, I have a config that creates an Azure service principal:

```hcl
resource "azuread_service_principal" "gh_actions" {
  application_id = azuread_application.gh_actions.application_id
  owners         = [data.azuread_client_config.current.object_id]
}

resource "azuread_service_principal_password" "gh_actions" {
  service_principal_id = azuread_service_principal.gh_actions.object_id
}
```

And I want to store the service principal password in my GitHub secrets for a repository. How would I get the encrypted value within the same configuration? Or do I have to create the resource first, use the null resource to invoke a local provisioner with the gh cli, and then use the resulting value? Since the service principal password will be stored in my state data anyway, is there really an advantage to using the
I don't think there is an advantage. I default to plaintext: I only make use of
Thanks @shrink! This came up because Checkov has started flagging the
@ned1313 I think the Checkov maintainers have been a little overzealous with their implementation and misinterpreted the GitHub Terraform provider documentation: the comment describing why this warns isn't accurate. I'll submit an issue describing the nuance so that the check can be reviewed.
@ned1313 Just in case you're not tracking the issue, it looks like there was a very fast turnaround: the Checkov team have merged bridgecrewio/checkov#2383 and released the change in version 2.0.830, so you shouldn't get warnings anymore for using
I was waiting for a solution here, but I ended up writing my own provider to do the job.
👋 Hey Friends, this issue has been automatically marked as |
I can't add a label, but my original comment still holds: the page does not contain any documentation on how to obtain encrypted_value.
Affected Resource(s)

The `github_actions_secret` page does not contain any documentation on how to produce the `encrypted_value`. There are two alternatives on how to create `encrypted_value` from the plaintext value:

1. `TF_LOG=debug terraform apply` to observe what `"encrypted_secret"` value is sent as JSON in the GitHub API call, as @jcudit outlined in a comment on PR "Added encrypted_value to Actions + Organizations's secrets" (#807), although this is missing the instructions necessary to avoid storing the `plaintext_secret` in a remote backend.
2. Call `https://api.github.com/repos/ORG/REPO/actions/secrets/public-key` and write a helper script using the example code in the GitHub reference for "Create or update a repository secret".

Both of these are too cumbersome in my opinion. But at the very least, a way to do this should be documented in the `github_actions_secret` documentation.