Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add ability to provide RSA public encrypted secrets for actions_secret #495

Closed
wants to merge 1 commit into from
Closed

Add ability to provide RSA public encrypted secrets for actions_secret #495

wants to merge 1 commit into from

Conversation

patrickmarabeas
Copy link
Contributor

@patrickmarabeas patrickmarabeas commented Jun 18, 2020
edited
Loading

Throwing things at the wall to see what sticks. Trying to solve the problem of secrets management with as little overhead as possible. This should be viewed as a POC at present.

CC @jcudit @anGie44 #468

Provides the ability to supply a publicly RSA encrypted value and env
var of where to find the private pem string to the github_actions_secret
resource.

Values are decrypted and then encrypted once again by the resource. This
will result in no secrets being stored in plain text in either the
repository or state file.

Adds:

  • encrypted_value parameter
  • private_key_env parameter

One of either plaintext_value or encrypted_value is required.

Setup

openssl genrsa -f4 -out private.pem 2048

# The resulting string is placed in a env var (in this example it's PEM)

openssl rsa -in private.pem -outform PEM -pubout -out key.pub

# The resulting public key file is committed to the config repository for use

Use

Developers run the following command to encrypt a value

echo "my secret" | openssl rsautl -encrypt -inkey key.pub -pubin | base64

> prYKYFUcfMaCHxyJ9pcf6H7UJKMoPrITC9/AHxVJh0nXDrpyWGh . . .

Encrypted value used in encrypted_value parameter

resource "github_actions_secret" "example_secret" {
  repository       = "test"
  secret_name      = "TEST"
  encrypted_value  = "prYKYFUcfMaCHxyJ9pcf6H7UJKMoPrITC9/AHxVJh0nXDrpyWGh . . ."
  private_key_env  = "PEM"
}

Output

Terraform state created

{
  . . .
  "resources": [
    {
      "mode": "managed",
      "type": "github_actions_secret",
      "name": "example_secret",
      "provider": "provider.github",
      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "created_at": "default",
            "encrypted_value": "prYKYFUcfMaCHxyJ9pcf6H7UJKMoPrITC9/AHxVJh0nXDrpyWGh . . .",
            "id": "test:TEST",
            "plaintext_value": "",
            "private_key_env": "PEM",
            "repository": "test",
            "secret_name": "TEST",
            "updated_at": "default"
          },
          "private": ""
        }
      ]
    }
  ]
  . . .
}

A Github Workflow with the following config

on:
  push:
    branches: [master]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "my secret"
          echo "you can't see my secret"
        env:
          TEST: ${{ secrets.TEST }}

Produces

***
you can't see ***

@patrickmarabeas
Add ability to provide RSA public encrypted secrets for actions_secret
c3d3547 
Provides the ability to supply a publicly RSA encrypted value and env
var of where to find the private pem string to the github_actions_secret
resource.

Values are decrypted and then encrypted once again by the resource. This
will result in no secrets being stored in plain text in either the
repository or state file.

Adds:
* encrypted_value parameter
* private_key_env parameter

One of either plaintext_value or encrypted_value is required.
@ghost ghost added size/L Type: Documentation Improvements or additions to documentation labels Jun 18, 2020
@patrickmarabeas patrickmarabeas mentioned this pull request Jun 18, 2020
Closed
@nickfloyd nickfloyd added the Status: Stale Used by stalebot to clean house label Nov 30, 2022
@nickfloyd
Copy link
Contributor

👋 Hey Friends, this issue has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please add the Status: Pinned label if you feel that this issue needs to remain open/active. Thank you for your contributions and help in keeping things tidy!

@github-actions github-actions bot removed the Status: Stale Used by stalebot to clean house label Dec 9, 2022
@github-actions
Copy link

github-actions bot commented Sep 6, 2023

👋 Hey Friends, this pull request has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please add the Status: Pinned label if you feel that this issue needs to remain open/active. Thank you for your contributions and help in keeping things tidy!

@github-actions github-actions bot added the Status: Stale Used by stalebot to clean house label Sep 6, 2023
@github-actions github-actions bot closed this Sep 13, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
size/L Status: Stale Used by stalebot to clean house Type: Documentation Improvements or additions to documentation
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@patrickmarabeas @nickfloyd