terraform-provider-github
terraform-provider-github copied to clipboard
Published
20 hours ago •
integrations
integrations
[BUG]: github_actions_envrionment_secret - 422 Bad request - validation failed due to an improperly encrypted secret []
Expected Behavior
The resource should created the secret in the envrionment.
Actual Behavior
Error when creating the secret using this resource.
Terraform Version
Terraform v1.9.2
Affected Resource(s)
- github_actions_envrionment_secret
Terraform Configuration Files
resource "github_actions_environment_secret" "my_token" {
environment = var.environment
repository = var.repository
secret_name = "my_token"
encrypted_value = "var.my_token"
}
Steps to Reproduce
terraform apply
Creating the secret using the exact same encrypted value works using the github_actions_secret resource.
Debug Output
github_actions_environment_secret.vault_token: Creating...
2024-07-12T10:18:37.019+0100 [INFO] Starting apply for github_actions_environment_secret.vault_token
2024-07-12T10:18:37.019+0100 [DEBUG] github_actions_environment_secret.vault_token: applying the planned Create change
2024-07-12T10:18:37.738+0100 [ERROR] provider.terraform-provider-github_v6.2.2: Response contains error diagnostic: diagnostic_severity=ERROR tf_provider_addr=provider @module=sdk.proto tf_req_id=4ffd5647-b659-8e86-5fe2-00942a436e82 tf_resource_type=github_actions_environment_secret tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/[email protected]/tfprotov5/internal/diag/diagnostics.go:58 diagnostic_detail="" diagnostic_summary="PUT https://api.github.com/repositories/810738713/environments/pre-dev/secrets/VAULT_TOKEN: 422 Bad request - validation failed due to an improperly encrypted secret []" tf_proto_version=5.6 timestamp="2024-07-12T10:18:37.737+0100"
2024-07-12T10:18:37.740+0100 [DEBUG] State storage *remote.State declined to persist a state snapshot
2024-07-12T10:18:37.740+0100 [ERROR] vertex "github_actions_environment_secret.vault_token" error: PUT https://api.github.com/repositories/810738713/environments/pre-dev/secrets/VAULT_TOKEN: 422 Bad request - validation failed due to an improperly encrypted secret []
2024-07-12T10:18:37.740+0100 [DEBUG] states/remote: state read serial is: 26; serial is: 26
2024-07-12T10:18:37.740+0100 [DEBUG] states/remote: state read lineage is: aa8bdfa5-71df-66ae-a46d-80e6e6f69ad8; lineage is: aa8bdfa5-71df-66ae-a46d-80e6e6f69ad8
╷
│ Error: PUT https://api.github.com/repositories/810738713/environments/pre-dev/secrets/VAULT_TOKEN: 422 Bad request - validation failed due to an improperly encrypted secret []
│
│ with github_actions_environment_secret.vault_token,
│ on main.tf line 26, in resource "github_actions_environment_secret" "vault_token":
│ 26: resource "github_actions_environment_secret" "vault_token" {
│
╵
2024-07-12T10:18:38.077+0100 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2024-07-12T10:18:38.079+0100 [INFO] provider: plugin process exited: plugin=.terraform/providers/registry.terraform.io/integrations/github/6.2.2/darwin_arm64/terraform-provider-github_v6.2.2 id=92412
2024-07-12T10:18:38.079+0100 [DEBUG] provider: plugin exited
### Panic Output
```shell
github_actions_environment_secret.vault_token: Creating...
2024-07-12T10:20:30.019+0100 [TRACE] terraform.contextPlugins: Schema for provider "registry.terraform.io/integrations/github" is in the global cache
2024-07-12T10:20:30.019+0100 [INFO] Starting apply for github_actions_environment_secret.vault_token
2024-07-12T10:20:30.019+0100 [TRACE] terraform.contextPlugins: Schema for provider "registry.terraform.io/integrations/github" is in the global cache
2024-07-12T10:20:30.019+0100 [TRACE] terraform.contextPlugins: Schema for provider "registry.terraform.io/hashicorp/vault" is in the global cache
2024-07-12T10:20:30.019+0100 [TRACE] terraform.contextPlugins: Schema for provider "registry.terraform.io/integrations/github" is in the global cache
2024-07-12T10:20:30.019+0100 [DEBUG] github_actions_environment_secret.vault_token: applying the planned Create change
2024-07-12T10:20:30.019+0100 [TRACE] GRPCProvider: ApplyResourceChange
2024-07-12T10:20:30.019+0100 [TRACE] GRPCProvider: GetProviderSchema
2024-07-12T10:20:30.019+0100 [TRACE] GRPCProvider: returning cached schema: EXTRA_VALUE_AT_END=registry.terraform.io/integrations/github
2024-07-12T10:20:30.020+0100 [TRACE] provider.terraform-provider-github_v6.2.2: Received request: @caller=github.com/hashicorp/[email protected]/tfprotov5/tf5server/server.go:852 tf_req_id=6a38478e-5757-f0e2-a727-7e7b9f62e1ab tf_provider_addr=provider tf_resource_type=github_actions_environment_secret tf_rpc=ApplyResourceChange @module=sdk.proto tf_proto_version=5.6 timestamp="2024-07-12T10:20:30.020+0100"
2024-07-12T10:20:30.020+0100 [TRACE] provider.terraform-provider-github_v6.2.2: Sending request downstream: tf_req_id=6a38478e-5757-f0e2-a727-7e7b9f62e1ab tf_resource_type=github_actions_environment_secret tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/[email protected]/tfprotov5/internal/tf5serverlogging/downstream_request.go:22 @module=sdk.proto tf_proto_version=5.6 tf_provider_addr=provider timestamp="2024-07-12T10:20:30.020+0100"
2024-07-12T10:20:30.020+0100 [TRACE] provider.terraform-provider-github_v6.2.2: Calling downstream: @caller=github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:936 tf_provider_addr=provider tf_req_id=6a38478e-5757-f0e2-a727-7e7b9f62e1ab tf_resource_type=github_actions_environment_secret @module=sdk.helper_schema tf_rpc=ApplyResourceChange timestamp="2024-07-12T10:20:30.020+0100"
2024-07-12T10:20:30.777+0100 [TRACE] provider.terraform-provider-github_v6.2.2: Called downstream: tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:938 @module=sdk.helper_schema tf_provider_addr=provider tf_req_id=6a38478e-5757-f0e2-a727-7e7b9f62e1ab tf_resource_type=github_actions_environment_secret timestamp="2024-07-12T10:20:30.774+0100"
2024-07-12T10:20:30.777+0100 [TRACE] provider.terraform-provider-github_v6.2.2: Received downstream response: diagnostic_warning_count=0 tf_provider_addr=provider @module=sdk.proto diagnostic_error_count=1 tf_proto_version=5.6 tf_req_duration_ms=754 tf_req_id=6a38478e-5757-f0e2-a727-7e7b9f62e1ab @caller=github.com/hashicorp/[email protected]/tfprotov5/internal/tf5serverlogging/downstream_request.go:42 tf_rpc=ApplyResourceChange tf_resource_type=github_actions_environment_secret timestamp="2024-07-12T10:20:30.775+0100"
2024-07-12T10:20:30.777+0100 [ERROR] provider.terraform-provider-github_v6.2.2: Response contains error diagnostic: tf_provider_addr=provider tf_req_id=6a38478e-5757-f0e2-a727-7e7b9f62e1ab diagnostic_detail="" diagnostic_severity=ERROR tf_proto_version=5.6 tf_resource_type=github_actions_environment_secret tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/[email protected]/tfprotov5/internal/diag/diagnostics.go:58 @module=sdk.proto diagnostic_summary="PUT https://api.github.com/repositories/810738713/environments/pre-dev/secrets/VAULT_TOKEN: 422 Bad request - validation failed due to an improperly encrypted secret []" timestamp="2024-07-12T10:20:30.775+0100"
2024-07-12T10:20:30.777+0100 [TRACE] provider.terraform-provider-github_v6.2.2: Served request: tf_provider_addr=provider tf_resource_type=github_actions_environment_secret tf_rpc=ApplyResourceChange @module=sdk.proto tf_proto_version=5.6 tf_req_id=6a38478e-5757-f0e2-a727-7e7b9f62e1ab @caller=github.com/hashicorp/[email protected]/tfprotov5/tf5server/server.go:878 timestamp="2024-07-12T10:20:30.775+0100"
2024-07-12T10:20:30.777+0100 [TRACE] maybeTainted: github_actions_environment_secret.vault_token encountered an error during creation, so it is now marked as tainted
2024-07-12T10:20:30.777+0100 [TRACE] terraform.contextPlugins: Schema for provider "registry.terraform.io/integrations/github" is in the global cache
2024-07-12T10:20:30.777+0100 [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState to workingState for github_actions_environment_secret.vault_token
2024-07-12T10:20:30.777+0100 [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState: removing state object for github_actions_environment_secret.vault_token
2024-07-12T10:20:30.777+0100 [TRACE] evalApplyProvisioners: github_actions_environment_secret.vault_token is tainted, so skipping provisioning
2024-07-12T10:20:30.777+0100 [TRACE] maybeTainted: github_actions_environment_secret.vault_token was already tainted, so nothing to do
2024-07-12T10:20:30.777+0100 [TRACE] terraform.contextPlugins: Schema for provider "registry.terraform.io/integrations/github" is in the global cache
2024-07-12T10:20:30.777+0100 [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState to workingState for github_actions_environment_secret.vault_token
2024-07-12T10:20:30.777+0100 [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState: removing state object for github_actions_environment_secret.vault_token
2024-07-12T10:20:30.777+0100 [DEBUG] State storage *remote.State declined to persist a state snapshot
2024-07-12T10:20:30.778+0100 [ERROR] vertex "github_actions_environment_secret.vault_token" error: PUT https://api.github.com/repositories/810738713/environments/pre-dev/secrets/VAULT_TOKEN: 422 Bad request - validation failed due to an improperly encrypted secret []
2024-07-12T10:20:30.778+0100 [TRACE] vertex "github_actions_environment_secret.vault_token": visit complete, with errors
2024-07-12T10:20:30.778+0100 [TRACE] dag/walk: upstream of "provider[\"registry.terraform.io/integrations/github\"] (close)" errored, so skipping
2024-07-12T10:20:30.778+0100 [TRACE] dag/walk: upstream of "root" errored, so skipping
2024-07-12T10:20:30.778+0100 [TRACE] terraform.contextPlugins: Schema for provider "registry.terraform.io/integrations/github" is in the global cache
2024-07-12T10:20:30.778+0100 [TRACE] terraform.contextPlugins: Schema for provider "registry.terraform.io/hashicorp/vault" is in the global cache
2024-07-12T10:20:30.778+0100 [DEBUG] states/remote: state read serial is: 27; serial is: 27
2024-07-12T10:20:30.778+0100 [DEBUG] states/remote: state read lineage is: aa8bdfa5-71df-66ae-a46d-80e6e6f69ad8; lineage is: aa8bdfa5-71df-66ae-a46d-80e6e6f69ad8
╷
│ Error: PUT https://api.github.com/repositories/810738713/environments/pre-dev/secrets/VAULT_TOKEN: 422 Bad request - validation failed due to an improperly encrypted secret []
│
│ with github_actions_environment_secret.vault_token,
│ on main.tf line 26, in resource "github_actions_environment_secret" "vault_token":
│ 26: resource "github_actions_environment_secret" "vault_token" {
│
╵
2024-07-12T10:20:31.111+0100 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2024-07-12T10:20:31.113+0100 [INFO] provider: plugin process exited: plugin=.terraform/providers/registry.terraform.io/integrations/github/6.2.2/darwin_arm64/terraform-provider-github_v6.2.2 id=92603
2024-07-12T10:20:31.113+0100 [DEBUG] provider: plugin exited
### Code of Conduct
- [X] I agree to follow this project's Code of Conduct
@jackmorris-gh are you encrypting the value with the correct, per-env public key? (not the repo-wide public key) https://docs.github.com/en/rest/actions/secrets?apiVersion=2022-11-28#get-an-environment-public-key
This happens to me. You can encrypt with GH CLI now >> https://github.com/cli/cli/issues/4388
Bonus: If you encrypt for org level... Make sure to specify it in command or it default at user level ''' gh secret set test99 --no-store --org MyOrgName '''
Once you properly specify the ORG it works fine (be sure to gh auth at org level too but i think gh CLI will tell you if needed). It s way more simple to encrypt with the new GH CLI option
this seems to be a typo in encrypted_value = "var.my_token" -> encrypted_value = var.my_token
the string "var.my_token" is not a valid encrypted value (it is not a valid base64-encoded string).
👋 Hey Friends, this issue has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please add the Status: Pinned label if you feel that this issue needs to remain open/active. Thank you for your contributions and help in keeping things tidy!
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}