terraform-provider-github
[FEAT]: Switching Between PAT and GitHub App Authentication Without Modifying Terraform Code
Describe the need
Hello,
I'm trying to differentiate between authentication methods: using PAT (Personal Access Token) in my local environment and the GitHub App in the CI environment. However, after adding the app_auth block for the CI setup, I receive an error in the local environment indicating that id, installation_id, and pem_file are not set. Is there a way to toggle between authentication methods without changing the Terraform code?
Thank you for your assistance.
(Note: This message was translated with the assistance of a machine translation tool.)
SDK Version
No response
API Version
No response
Relevant log output
No response
Code of Conduct
- [X] I agree to follow this project's Code of Conduct
Hi! Unfortunately there is currently no way to do so. That would be an interesting feature to add!
You can do this by using the GitHub CLI (`gh`) to authenticate. To do this, leave the `provider "github"` block empty. Then, make sure you have your local credentials configured by doing `gh auth login`. In your CI you will need to generate an app installation token from the app's private key. The following is an example if you are using GitHub Actions:

```yaml
name: CI
on:
  push:
    branches: [main]
jobs:
  apply:
    name: TF Apply
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v3
      - name: Generate app token
        id: generate-app-token
        uses: tibdex/[email protected]
        with:
          app_id: ${{ vars.YOUR_APP_ID }}
          private_key: ${{ secrets.YOUR_APP_PRIVATE_KEY }}
      - name: Terraform apply
        env:
          GITHUB_TOKEN: ${{ steps.generate-app-token.outputs.token }}
        run: terraform apply -auto-approve
```
Using the app installation token directly is a good workaround when you run Terraform from GitHub Actions, but what about using it from Atlantis? The installation token is short-lived, so it can't be used in Atlantis as a static secret, but providing app credentials instead requires having `app_auth {}` in the code.
A potential solution here without breaking the existing interface or adding new functionality might be to look for app env vars even when there is no empty `app_auth {}` block, i.e.

```hcl
provider "github" {}
```

- First looks for the `GITHUB_TOKEN` env var or credentials set by `gh auth login` as it does now, so existing workflows don't break
- Then it could check for the `GITHUB_APP_ID` + `GITHUB_APP_INSTALLATION_ID` + `GITHUB_APP_PEM_FILE` trio to use the app authentication (which would work in CI and Atlantis)
I see the docs say:

> When using environment variables, an empty app_auth block is required to allow provider configurations from environment variables to be specified. See: https://github.com/hashicorp/terraform-plugin-sdk/issues/142
~~But I don't quite understand the linked issue. How does it work with an empty provider "github" {} and the GITHUB_TOKEN env var, but doesn't work with the three app env vars?~~
But I think it's still achievable via introduction of new parameters (making the app_auth block redundant)
P.S. Also having empty `app_auth {}` fails validation:

```text
│ Error: Missing required argument
│
│ on provider.tf line 22, in provider "github":
│ 22: app_auth {}
│
│ The argument "pem_file" is required, but no definition was found.
```
Hello, is there an update on this?
Hello, do you know if there has been any progress made on this issue?
I took a stab at it in https://github.com/integrations/terraform-provider-github/pull/2174
Any feedback and help are appreciated!