
Add ability to provide RSA public encrypted secrets for actions_secret

Open · patrickmarabeas opened this issue 4 years ago · 0 comments

Throwing things at the wall to see what sticks. Trying to solve the problem of secrets management with as little overhead as possible. This should be viewed as a POC at present.

CC @jcudit @anGie44 #468


Provides the ability to supply an RSA public-key encrypted value, together with the name of an env var holding the private key PEM string, to the github_actions_secret resource.

Values are decrypted and then encrypted once again by the resource. This will result in no secrets being stored in plain text in either the repository or state file.

Adds:

  • encrypted_value parameter
  • private_key_env parameter

One of either plaintext_value or encrypted_value is required.


Setup

```shell
openssl genrsa -f4 -out private.pem 2048
# The resulting string is placed in an env var (in this example it's PEM)

openssl rsa -in private.pem -outform PEM -pubout -out key.pub
# The resulting public key file is committed to the config repository for use
```

Use

Developers run the following command to encrypt a value:

```shell
echo "my secret" | openssl rsautl -encrypt -inkey key.pub -pubin | base64
```

> prYKYFUcfMaCHxyJ9pcf6H7UJKMoPrITC9/AHxVJh0nXDrpyWGh . . .

The encrypted value is used in the encrypted_value parameter:

```hcl
resource "github_actions_secret" "example_secret" {
  repository       = "test"
  secret_name      = "TEST"
  encrypted_value  = "prYKYFUcfMaCHxyJ9pcf6H7UJKMoPrITC9/AHxVJh0nXDrpyWGh . . ."
  private_key_env  = "PEM"
}
```

Output

Terraform state created:

```json
{
  . . .
  "resources": [
    {
      "mode": "managed",
      "type": "github_actions_secret",
      "name": "example_secret",
      "provider": "provider.github",
      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "created_at": "default",
            "encrypted_value": "prYKYFUcfMaCHxyJ9pcf6H7UJKMoPrITC9/AHxVJh0nXDrpyWGh . . .",
            "id": "test:TEST",
            "plaintext_value": "",
            "private_key_env": "PEM",
            "repository": "test",
            "secret_name": "TEST",
            "updated_at": "default"
          },
          "private": ""
        }
      ]
    }
  ]
  . . .
}
```

A GitHub workflow with the following config:

```yaml
on:
  push:
    branches: [master]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "my secret"
          echo "you can't see my secret"
        env:
          TEST: ${{ secrets.TEST }}
```

Produces:

```
***
you can't see ***
```

patrickmarabeas · Jun 18 '20 14:06
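The two openssl steps and the resource-side decryption described above, as an added Go example that is not part of terraform-provider-github: generateKeyPEM, encryptSecret and decryptSecret are assumed names, and decryptSecret does only what the resource would do with encrypted_value and private_key_env before re-encrypting the value for GitHub (that second encryption is not shown).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"os"
)

// generateKeyPEM stands in for `openssl genrsa`: PKCS#1 "RSA PRIVATE KEY" PEM plus the public key.
func generateKeyPEM(bits int) (string, *rsa.PublicKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return "", nil, err
	}
	der := x509.MarshalPKCS1PrivateKey(key)
	return string(pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: der})), &key.PublicKey, nil
}

// encryptSecret is the developer step `openssl rsautl -encrypt -inkey key.pub -pubin | base64`
// (rsautl's default padding is PKCS#1 v1.5).
func encryptSecret(pub *rsa.PublicKey, plaintext string) (string, error) {
	ct, err := rsa.EncryptPKCS1v15(rand.Reader, pub, []byte(plaintext))
	return base64.StdEncoding.EncodeToString(ct), err
}

// decryptSecret is the resource side: the PEM private key comes from the environment
// variable named by private_key_env, encrypted_value is base64-decoded and decrypted.
func decryptSecret(encryptedValue, keyEnv string) (string, error) {
	block, _ := pem.Decode([]byte(os.Getenv(keyEnv)))
	if block == nil || block.Type != "RSA PRIVATE KEY" {
		return "", fmt.Errorf("env var %q holds no PKCS#1 RSA PRIVATE KEY PEM block", keyEnv)
	}
	priv, err := x509.ParsePKCS1PrivateKey(block.Bytes)
	if err != nil {
		return "", err
	}
	ct, err := base64.StdEncoding.DecodeString(encryptedValue)
	if err != nil {
		return "", fmt.Errorf("encrypted_value is not valid base64: %w", err)
	}
	pt, err := rsa.DecryptPKCS1v15(rand.Reader, priv, ct)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

OpenSSL 3's genrsa writes a PKCS#8 "PRIVATE KEY" block rather than the PKCS#1 block this example accepts, so a provider doing this should parse both forms. Note also that `echo "my secret"` pipes a trailing newline into openssl, so the decrypted secret carries that newline too.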