
github_actions_secret: document how to obtain encrypted_value #888

Open
hoxu opened this issue Aug 20, 2021 · 12 comments
Labels
Provider r/actions_secret Status: Pinned A way to keep old or long lived issues around Type: Documentation Improvements or additions to documentation

Comments

@hoxu
Contributor

hoxu commented Aug 20, 2021

Affected Resource(s)

  • github_actions_secret

github_actions_secret page does not contain any documentation on how to produce the encrypted_value.

There are two alternatives on how to create encrypted_value from the plaintext value:

  1. One using TF_LOG=debug terraform apply to observe what "encrypted_secret" value is sent as JSON in the GitHub API call, as @jcudit outlined in a PR Added encrypted_value to Actions + Organizations's secrets #807 comment, although this is missing instructions necessary to avoid storing the plaintext_secret in a remote backend.
  2. Make an API call to https://api.github.com/repos/ORG/REPO/actions/secrets/public-key and write a helper script using the example code in GitHub reference for "Create or update a repository secret".

Both of these are too cumbersome in my opinion.

But at the very least, a way to do this should be documented on github_actions_secret documentation.

@jcudit jcudit added Provider Type: Documentation Improvements or additions to documentation r/actions_secret labels Aug 31, 2021
@shrink
Contributor

shrink commented Sep 29, 2021

until this is better supported, there are 2 other non-terraform options to generate an encrypted secret:

  1. Using the GitHub CLI
  2. Download the Actions public key locally and encrypt yourself

GitHub CLI

  1. Download the GitHub CLI (e.g: brew install gh)
  2. Authenticate with the admin:org scope, e.g: gh auth login -s admin:org
  3. Set a secret with DEBUG=api which will output the raw request data and extract from that, e.g:
{
    "encrypted_value": "7hYpwbtVZ...==",
    "visibility": "private",
    "key_id": "56825..."
}

Generate Locally

  1. Create a new Personal Access Token with the admin:org scope
  2. Download the public key:
dev:~$ GITHUB_USERNAME="my-username"; \
GITHUB_TOKEN="ghp_..."; \
GITHUB_ORGANISATION="my-organisation"; \
curl -u $GITHUB_USERNAME:$GITHUB_TOKEN \
https://api.github.com/orgs/$GITHUB_ORGANISATION/actions/secrets/public-key

  3. Encrypt with a tool of your choice, or using the provider code or the gh CLI code

@danielvincenzi

Hi,

I feel there is a lack of information on how to implement an encrypted secret via Terraform.

Any update on this case? Or other alternative?

Thank you, guys!

Daniel Vincenzi

@danielvincenzi

Hi @shrink,

Thank you for your alternatives. Is it correct to say that after generating my encrypted secret with the gh command, I put it in my Terraform file?

Thank you!

Daniel Vincenzi

@shrink
Contributor

shrink commented Jan 12, 2022

Hi @danielvincenzi.

Since my previous comment, Add gh secret encrypt command to encrypt a secret locally without sending to GitHub #4388 has been resolved by - Add new flag --no-store to print the encoded secret in "secret set" #4423 so you're now able to generate this value more easily:

$ gh secret set example_secret_name --no-store
? Paste your secret *************

cbKs5pvmBaTNrWqDEQAgMg0MklLlIdx5mjZ+YW6OQmeMlHglDafcaL/6Ybp6bNhbG7Psaif0pa65K1wCSA==

The correct approach depends on your specific needs, but ideally your terraform files should not contain secrets and instead they should be sourced from a .tfvars file or the environment. The Protect Sensitive Input Variables article from Hashicorp Learn gives a good rundown and using the example from the Terraform documentation for this provider, you'd end up with something like:

github.tf:

variable "my_encrypted_secret_value" {
  type = string   # type constraints are unquoted keywords in Terraform 0.12 and later
}

data "github_actions_public_key" "example_public_key" {
  repository = "example_repository"
}

resource "github_actions_secret" "example_secret" {
  repository       = "example_repository"
  secret_name      = "example_secret_name"
  encrypted_value  = var.my_encrypted_secret_value
}

secrets.tfvars:

my_encrypted_secret_value = "cbKs5pvmBaTNrWqDEQAgMg0MklLlIdx5mjZ+YW6OQmeMlHglDafcaL/6Ybp6bNhbG7Psaif0pa65K1wCSA=="

@ned1313

ned1313 commented Feb 8, 2022

How would this work for a value generated by another resource in Terraform? For instance, I have a config that creates an Azure service principal:

resource "azuread_service_principal" "gh_actions" {
  application_id = azuread_application.gh_actions.application_id
  owners         = [data.azuread_client_config.current.object_id]
}

resource "azuread_service_principal_password" "gh_actions" {
  service_principal_id = azuread_service_principal.gh_actions.object_id
}

And I want to store the service principal password in my GitHub secrets for a repository. How would I get the encrypted value within the same configuration? Or do I have to create the resource first, use the null resource to invoke a local provisioner with the gh cli, and then use the resulting value?

Since the service principal password will be stored in my state data anyway, is there really an advantage to using the encrypted_value argument?

@shrink
Contributor

shrink commented Feb 8, 2022

Since the service principal password will be stored in my state data anyway, is there really an advantage to using the encrypted_value argument?

I don't think there is an advantage. I default to plaintext: I only make use of encrypted_value for secrets that I specifically do not want to persist in the terraform state because they have a lifecycle that is independent of the infrastructure, and so would be difficult to rotate if the state file was compromised from an old backup I accidentally leave in a public s3 bucket 2 years from now. Put another way, I use encrypted_value for a secret that has to remain secret after I've run terraform destroy.

@ned1313

ned1313 commented Feb 8, 2022

Thanks @shrink! This came up b/c Checkov has started flagging the plaintext_value as a possibly insecure argument to use (CKV_GIT_4) and I wanted to see if that was the case. Seems like I can safely add it to the skipped checks list for my configuration.

@shrink
Contributor

shrink commented Feb 8, 2022

@ned1313 I think the Checkov maintainers have been a little overzealous with their implementation and misinterpreted the GitHub terraform provider documentation: the comment describing why this warns isn't accurate. I'll submit an issue describing the nuance so that the check can be reviewed.

@shrink
Contributor

shrink commented Feb 13, 2022

@ned1313 Just in case you're not tracking the issue, it looks like there was a very fast turnaround: the Checkov team have merged bridgecrewio/checkov#2383 and released the change in version 2.0.830, so you shouldn't get warnings anymore for using plaintext_value :)

@killmeplz

killmeplz commented Jun 24, 2022

I was waiting for some solution in here, but now I ended up writing my own provider to do the job:
https://github.com/killmeplz/terraform-provider-sodium

terraform {
  required_providers {
    github = {
      source  = "integrations/github"
      version = ">= 4.5.2"
    }
    sodium = {
      source  = "killmeplz/sodium"
      version = ">= 0.0.3"
    }
  }
}

provider "github" {
  owner = var.repo_owner
  token = var.github_token
}

data "github_actions_public_key" "gh_actions_public_key" {
  repository = var.repo_name
}

data "sodium_encrypted_item" "encrypted_key" {
  public_key_base64 = data.github_actions_public_key.gh_actions_public_key.key
  content_base64    = base64encode("secretpassword")
}

resource "github_actions_secret" "gh_actions_secret" {
  repository       = var.repo_name
  secret_name      = "SECRET_KEY"
  encrypted_value  = data.sodium_encrypted_item.encrypted_key.encrypted_value_base64
}

@github-actions

👋 Hey Friends, this issue has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please add the Status: Pinned label if you feel that this issue needs to remain open/active. Thank you for your contributions and help in keeping things tidy!

@github-actions github-actions bot added the Status: Stale Used by stalebot to clean house label Mar 22, 2023
@hoxu
Contributor Author

hoxu commented Mar 22, 2023

I can't add a label, but my original comment still holds - the page does not contain any documentation on how to obtain encrypted_value.

@github-actions github-actions bot removed the Status: Stale Used by stalebot to clean house label Mar 23, 2023
@kfcampbell kfcampbell added the Status: Pinned A way to keep old or long lived issues around label Apr 3, 2023