
[FEAT]: Add a provider function to handle encrypting secrets

Open greg-swift-yohana opened this issue 4 months ago • 0 comments

Describe the need

Aside from the lack of documentation (#888), there is a lack of practical usage considering Vault, AWS SSM, Azure Key Vault, 1Password, etc.

Requirements:

  • When pulling a secret from a data source, one should be able to encrypt that data to meet the GitHub API's requirements without running local commands, writing their own custom provider, or any other mechanism.

Recommendation:

As of Terraform 1.8 it is possible for a provider to distribute a custom function that can be leveraged in HCL. This provider should implement that.

How the usage might look (based on the example in #888):

terraform {
  required_providers {
    github = {
      source  = "integrations/github"
      version = ">= 6.3.0"
    }
    vault = {
      source  = "hashicorp/vault"
      version = "4.4.0"
    }
  }
}

provider "github" {
  owner = var.repo_owner
  token = var.github_token
}

# The repository's libsodium public key. The GitHub API only accepts secret
# values that have been sealed to this key.
data "github_actions_public_key" "main" {
  repository = var.repo_name
}

# Plaintext secret read from a KV v2 engine; "name" is the path below the mount.
data "vault_kv_secret_v2" "main" {
  mount = "secret"
  name  = "secret/github/repo"
}

resource "github_actions_secret" "main" {
  repository  = var.repo_name
  secret_name = "SECRET_KEY"
  # provider::github::encrypt is the proposed function, not one the provider
  # ships today. The vault data source has no count/for_each, so it is
  # referenced without an index.
  encrypted_value = provider::github::encrypt(
    data.github_actions_public_key.main.key,
    lookup(data.vault_kv_secret_v2.main.data, "mysecret", "")
  )
}

SDK Version

No response

API Version

No response

Relevant log output

No response

Code of Conduct

  • [X] I agree to follow this project's Code of Conduct

greg-swift-yohana, Oct 04 '24 17:10
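What the proposed provider::github::encrypt function would actually have to produce is a libsodium sealed box (crypto_box_seal) over the secret value, base64-encoded, using the repository public key returned by github_actions_public_key. The following is an added example, not code from terraform-provider-github or from the issue author: it reimplements crypto_box_seal in pure Python (X25519, HSalsa20/XSalsa20, Poly1305, nonce = BLAKE2b-24(ephemeral_pk || recipient_pk)) so it runs offline with only the standard library, and wraps it in an encrypt_for_github(key, value) function with the same argument order the issue proposes. The function name, the test key pair and the secret string are assumptions for illustration; in real code use PyNaCl's nacl.public.SealedBox (or libsodium via the Go provider) rather than this hand-rolled version. One caveat a provider function cannot remove: the plaintext read from Vault is still a data source result and is written to Terraform state, so state storage must be treated as secret regardless of how the upload is encrypted.

```python
"""Sealed-box encryption in the form GitHub's secrets API expects (added example; not
code from terraform-provider-github or the issue author). Pure-Python reimplementation
of libsodium crypto_box_seal so it runs offline; use PyNaCl's SealedBox in real code."""
import base64, hashlib, hmac, os

P = 2**255 - 19                                   # Curve25519 field prime
M = 0xFFFFFFFF                                    # 32-bit word mask
SIGMA = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)   # "expand 32-byte k"
BASEPOINT, ZERO16 = (9).to_bytes(32, "little"), bytes(16)

def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: scalar * point, both 32-byte little-endian."""
    k = int.from_bytes(scalar, "little") & ~7 & ~(1 << 255) | (1 << 254)   # clamp
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        e = (aa - bb) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def _salsa20_rounds(state):
    """Salsa20/20 core (10 double rounds) without the final feed-forward add."""
    rotl = lambda v, c: ((v << c) & M) | (v >> (32 - c))
    x = list(state)
    for _ in range(10):
        for a, b, c, d in ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),
                           (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)):
            x[b] ^= rotl((x[a] + x[d]) & M, 7)
            x[c] ^= rotl((x[b] + x[a]) & M, 9)
            x[d] ^= rotl((x[c] + x[b]) & M, 13)
            x[a] ^= rotl((x[d] + x[c]) & M, 18)
    return x

def _words(b):
    return [int.from_bytes(b[i:i + 4], "little") for i in range(0, len(b), 4)]

def _state(key_words, middle):
    return [SIGMA[0], *key_words[:4], SIGMA[1], *middle, SIGMA[2], *key_words[4:], SIGMA[3]]

def hsalsa20(key: bytes, inp: bytes) -> bytes:
    """HSalsa20: 32-byte subkey from a 32-byte key and a 16-byte input."""
    x = _salsa20_rounds(_state(_words(key), _words(inp)))
    return b"".join(x[i].to_bytes(4, "little") for i in (0, 5, 10, 15, 6, 7, 8, 9))

def xsalsa20(key: bytes, nonce: bytes, length: int) -> bytes:
    """XSalsa20 keystream: HSalsa20 over nonce[:16], then Salsa20 with nonce[16:24]."""
    k, n, out, ctr = _words(hsalsa20(key, nonce[:16])), _words(nonce[16:24]), bytearray(), 0
    while len(out) < length:
        st = _state(k, n + [ctr & M, ctr >> 32])
        x = _salsa20_rounds(st)
        out += b"".join(((x[i] + st[i]) & M).to_bytes(4, "little") for i in range(16))
        ctr += 1
    return bytes(out[:length])

def poly1305(key: bytes, msg: bytes) -> bytes:
    """RFC 8439 Poly1305 one-time authenticator."""
    r = int.from_bytes(key[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s, acc, p = int.from_bytes(key[16:], "little"), 0, (1 << 130) - 5
    for i in range(0, len(msg), 16):
        acc = (acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")

def box_key(sk: bytes, pk: bytes) -> bytes:
    """crypto_box_beforenm: HSalsa20 of the X25519 shared point with a zero input."""
    return hsalsa20(x25519(sk, pk), ZERO16)

def seal(msg: bytes, recipient_pk: bytes) -> bytes:
    """crypto_box_seal: epk || Poly1305 tag || XSalsa20 ciphertext (48 + len(msg) bytes)."""
    esk = os.urandom(32)                               # fresh ephemeral key per message
    epk = x25519(esk, BASEPOINT)
    nonce = hashlib.blake2b(epk + recipient_pk, digest_size=24).digest()
    stream = xsalsa20(box_key(esk, recipient_pk), nonce, 32 + len(msg))
    ct = bytes(a ^ b for a, b in zip(msg, stream[32:]))
    return epk + poly1305(stream[:32], ct) + ct

def seal_open(sealed: bytes, sk: bytes, pk: bytes) -> bytes:
    """crypto_box_seal_open; only here to prove the round trip, GitHub never hands the key back."""
    epk, tag, ct = sealed[:32], sealed[32:48], sealed[48:]
    nonce = hashlib.blake2b(epk + pk, digest_size=24).digest()
    stream = xsalsa20(box_key(sk, epk), nonce, 32 + len(ct))
    if not hmac.compare_digest(poly1305(stream[:32], ct), tag):
        raise ValueError("sealed box authentication failed")
    return bytes(a ^ b for a, b in zip(ct, stream[32:]))

def encrypt_for_github(public_key_b64: str, secret: str) -> str:
    """What the proposed (hypothetical) provider::github::encrypt(key, value) would return:
    the base64 sealed box that PUT /repos/{owner}/{repo}/actions/secrets/{name} expects."""
    return base64.b64encode(seal(secret.encode(), base64.b64decode(public_key_b64))).decode()
```

encrypt_for_github takes the base64 key exactly as github_actions_public_key exposes it and returns the string that goes into encrypted_value. Because the ephemeral key is random, the output differs on every call; a provider function built on this would therefore show a diff on every plan unless the provider compares a hash of the plaintext (or the API's key_id) rather than the ciphertext, which is something the implementation would need to handle.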