From fd52faf8c5bb0845d6166f06eb5a90097180288c Mon Sep 17 00:00:00 2001
From: Theo Bob Massard
Date: Sat, 4 Dec 2021 17:00:02 +0100
Subject: [PATCH 1/2] feat: manage github actions secrets
Add support for plaintext secrets
Signed-off-by: Theo Bob Massard
---
 README.md | 5 ++++-
 data.tf | 2 +-
 locals.tf | 6 ++++++
 main.tf | 7 +++++++
 variables.tf | 12 ++++++++++++
 5 files changed, 30 insertions(+), 2 deletions(-)
 create mode 100644 locals.tf
 create mode 100644 main.tf
diff --git a/README.md b/README.md
index 3d5bcf2..5fa51fe 100644
--- a/README.md
+++ b/README.md
@@ -71,13 +71,16 @@ No modules.
 | Name | Type |
 |------|------|
-| [github_repository.repo](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/repository) | data source |
+| [github_actions_secret.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource |
+| [github_repository.this](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/repository) | data source |
 ## Inputs
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| [environment\_secrets](#input\_environment\_secrets) | A map of environment-scoped secrets | `map(any)` | `{}` | no |
 | [repository](#input\_repository) | The full name of the repository in the form org/repo | `string` | n/a | yes |
+| [secrets](#input\_secrets) | A map of secret definitions | `map(any)` | `{}` | no |
 ## Outputs
diff --git a/data.tf b/data.tf
index bbaef95..5cd3830 100644
--- a/data.tf
+++ b/data.tf
@@ -1,3 +1,3 @@
-data "github_repository" "repo" {
+data "github_repository" "this" {
 full_name = var.repository
 }
diff --git a/locals.tf b/locals.tf
new file mode 100644
index 0000000..a102139
--- /dev/null
+++ b/locals.tf
@@ -0,0 +1,6 @@
+locals {
+ secrets = {
+ for key, value in var.secrets :
+ key => value
+ }
+}
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..3e5f289
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,7 @@
+resource "github_actions_secret" "this" {
+ for_each = local.secrets
+
+ repository = data.github_repository.this.name
+ secret_name = each.value.name
+ plaintext_value = each.value.plaintext
+}
diff --git a/variables.tf b/variables.tf
index bd3c990..c2aef64 100644
--- a/variables.tf
+++ b/variables.tf
@@ -2,3 +2,15 @@ variable "repository" {
 type = string
 description = "The full name of the repository in the form org/repo"
 }
+
+variable "secrets" {
+ type = map(any)
+ description = "A map of secret definitions"
+ default = {}
+}
+
+variable "environment_secrets" {
+ type = map(any)
+ description = "A map of environment-scoped secrets"
+ default = {}
+}
From e251b12b34c479035d60b4d0ba909c25f1cebd7c Mon Sep 17 00:00:00 2001
From: Theo Bob Massard
Date: Sat, 4 Dec 2021 17:00:47 +0100
Subject: [PATCH 2/2] chore: add base example with common secrets
- Create Environments
- Create Github Actions Secrets
Signed-off-by: Theo Bob Massard
---
 example/main.tf | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 example/main.tf
diff --git a/example/main.tf b/example/main.tf
new file mode 100644
index 0000000..2343a02
--- /dev/null
+++ b/example/main.tf
@@ -0,0 +1,32 @@
+module "env" {
+ source = "tbobm/environments/github"
+ version = "1.0.0"
+
+ repository = "tbobm/terraform-github-secrets"
+
+ environments = {
+ "staging" = {}
+ "production" = {}
+ }
+}
+
+module "secrets" {
+ source = "../"
+
+ repository = "tbobm/terraform-github-secrets"
+
+ secrets = {
+ deploy_key = {
+ name = "DEPLOY_KEY"
+ plaintext = "ABCDEF"
+ }
+ registry_username = {
+ name = "DOCKERHUB_USERNAME"
+ plaintext = "sampleuser"
+ }
+ registry_password = {
+ name = "DOCKERHUB_PASSWORD"
+ plaintext = "samplepass"
+ }
+ }
+}
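Review bot: In main.tf the new `github_actions_secret.this` resource only accepts `plaintext_value = each.value.plaintext`, so every secret managed through this module is written to the Terraform state in clear text and callers have no way to avoid that. The resource also takes `encrypted_value` (the secret already encrypted with the repository's public key), so the module could offer it as an alternative, for example `plaintext_value = try(each.value.plaintext, null)` together with `encrypted_value = try(each.value.encrypted, null)`; whether mixed entries type-check under the current `map(any)` input would need confirming. Either way the file deserves a comment above the resource such as `# plaintext_value is persisted in state: use an encrypted, access-controlled backend`, and the README should say the same.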
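Review bot: In variables.tf both new inputs are declared as `map(any)`, so a misspelled or missing `name`/`plaintext` attribute is only caught when main.tf dereferences `each.value` at plan time; declaring the shape the resource actually reads, `type = map(object({ name = string, plaintext = string }))`, would reject bad input at the module boundary. The description "A map of secret definitions" should also state that the values are secret material and end up in state, since the variable carries no `sensitive` marking (marking the whole map sensitive would probably clash with the `for_each` in main.tf, so that needs testing before it is added). Separately, `environment_secrets` is declared and listed in the README, but nothing visible in this patch reads it; a caller who sets it would get no environment secret created and no error, so it should be wired to a resource or left out until it is implemented.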
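Review bot: The example in example/main.tf passes every secret as a string literal (`plaintext = "ABCDEF"`, `plaintext = "samplepass"`), which is the pattern users will copy and which puts real values into version control once the placeholders are replaced. It would be safer for the example to read them from root-module inputs declared with `sensitive = true`, e.g. `plaintext = var.dockerhub_password`, supplied through `TF_VAR_...` environment variables or a secrets manager; it is worth checking that the module's `for_each` still accepts the map when its nested values are marked sensitive. If the literals stay, a comment such as `# placeholder values only, never commit real credentials` above the `secrets` block would make the intent explicit.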