terraform-provider-github
feat: app-based authentication via env vars without app_auth block
Resolves #1877
This PR adds new provider configuration parameters that mirror those in the app_auth block and make it possible to switch between token-based and app-based authentication via environment variables without altering existing provider configuration code. This allows flexibility of using a GitHub app for provider authentication when running in CI (or another automated environment like Atlantis), and using a personal access token when developing locally.
Related:
- https://github.com/integrations/terraform-provider-github/issues/1537 should still work as described (since app_auth is not going anywhere)
Before the change?
- app_auth {} block is required for app-based provider authentication
- it's not possible to switch between token-based and app-based authentication without modifying provider configuration code
After the change?
- it's possible to use app-based authentication by setting GITHUB_APP_* env vars without an app_auth block in the code
- same code can be used in different environments either with GITHUB_TOKEN or GITHUB_APP_* env vars
Example:
```hcl
provider "github" {
  owner = var.github_owner
}
```
- if GITHUB_TOKEN is set, provider will pick it up
- otherwise, if GITHUB_APP_* are set, provider will use app-based auth and generate an app installation token
Pull request checklist
- [ ] Tests for the changes have been added (for bug fixes / features)
- Some tests added, but need more work. See below for details ⬇️
- [x] Docs have been reviewed and added / updated if needed (for bug fixes / features)
Does this introduce a breaking change?
- [x] No
This was intended as a non-breaking change, so the app_auth block is kept and only new (redundant) parameters are added. Existing behavior is preserved.
Provider auth matrix
Here I want to show different configuration scenarios and outcomes before/after. The only new case is in the first line when the GITHUB_APP_* env vars are set but there's no app_auth block in the code: before it would be an error (app vars would be ignored), but now it works as an app-based configuration.
| GITHUB_APP_* | GITHUB_TOKEN | app_auth {} | Before | After | |
|---|---|---|---|---|---|
| ✔ | | | ❌ error | 🤖 app | new: no app_auth block needed |
| | ✔️ | | 🔑 token | 🔑 token | just token auth |
| ✔ | ✔ | | 🔑 token | 🔑 token | prioritize token for compatibility |
| ✔ | ✔ | ✔ | 🤖 app | 🤖 app | prioritize app auth for compatibility |
| ✔ | | ✔ | 🤖 app | 🤖 app | app_auth {} is redundant |
| | | ✔ | ❌ error | ❌ error | only app_auth {} with no values |
Tests
I'm new to Go, so I need some help to write proper tests for this. I tried manual testing in examples/app_authentication and it worked.
I also added some tests in provider_test.go following the pattern of existing test cases. But in those tests parameters are set explicitly and I'm not sure how to test the behavior of picking up parameters from the environment variables (with an empty provider configuration).
I would love to add tests for all of the cases in the matrix above, but I don't know how to approach it code-wise. Guidance would be highly appreciated 🙏
Code review
The main code change in provider.go nested existing code in an if block, so it's much easier to see the actual change if you review it with whitespace changes ignored.
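The credential precedence from the auth matrix, written as a pure function with an injected environment lookup so that every row can be exercised from a map instead of the process environment. This is an added sketch, not the provider's code and not part of this PR: `ResolveAuth`, `AppAuth`, `firstSet` and the `anonymous` fallback are assumptions, and GITHUB_APP_* is taken to mean `GITHUB_APP_ID`, `GITHUB_APP_INSTALLATION_ID` and `GITHUB_APP_PEM_FILE`.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// AppAuth holds the three app credentials (hypothetical type for this sketch).
type AppAuth struct{ ID, InstallationID, PEMFile string }

func (a AppAuth) complete() bool {
	return a.ID != "" && a.InstallationID != "" && a.PEMFile != ""
}

func firstSet(a, b string) string {
	if a != "" {
		return a
	}
	return b
}

// ResolveAuth reports which credential would be used: "app", "token" or "anonymous".
// block is nil when the configuration has no app_auth block.
// getenv is injected so callers can pass os.Getenv or a map-backed lookup.
func ResolveAuth(getenv func(string) string, block *AppAuth) (string, error) {
	env := AppAuth{getenv("GITHUB_APP_ID"), getenv("GITHUB_APP_INSTALLATION_ID"), getenv("GITHUB_APP_PEM_FILE")}
	if block != nil { // an explicit block selects app auth, even when GITHUB_TOKEN is set
		merged := AppAuth{firstSet(block.ID, env.ID), firstSet(block.InstallationID, env.InstallationID), firstSet(block.PEMFile, env.PEMFile)}
		if !merged.complete() {
			return "", errors.New("app_auth block present but app credentials are incomplete")
		}
		return "app", nil
	}
	if getenv("GITHUB_TOKEN") != "" { // no block: the token wins over GITHUB_APP_*
		return "token", nil
	}
	if env.complete() { // the new case: app auth from env vars alone
		return "app", nil
	}
	return "anonymous", nil // assumption: this case is not covered by the matrix
}

func main() {
	mode, err := ResolveAuth(os.Getenv, nil)
	fmt.Println(mode, err)
}
```

Row three of the matrix is the one to watch operationally: with both credential sets exported and no block, the personal token is used and the app variables are silently ignored.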
This would be a good feature to have
This would be a very nice feature indeed. Thanks for putting up this PR!