feat: add support for encrypted secrets

Nathan Parraga Thiesen · Nathan Parraga Thiesen · commit cb49cec471f3 · 2022-02-18T13:08:50.000+01:00
diff --git a/README.md b/README.md
@@ -809,22 +809,45 @@ This is due to some terraform limitation and we will update the module once terr
 - [**`plaintext_secrets`**](#var-plaintext_secrets): *(Optional `map(string)`)*<a name="var-plaintext_secrets"></a>
 
   This map allows you to create and manage secrets for repositories in your organization.
+
   Each element in the map is considered a secret to be managed, being the key map the secret name and the value the corresponding secret in plain text:
 
-  ```
+  When applied, a secret with the given key and value will be created in the repositories.
+
+  The value of the secrets must be given in plain text, GitHub provider is in charge of encrypting it.
+
+  **Attention:** You should treat state as sensitive always. It is also advised that you do not store plaintext values in your code but rather populate the encrypted_value using fields from a resource, data source or variable as, while encrypted in state, these will be easily accessible in your code. See below for an example of this abstraction.
+
+  Default is `{}`.
+
+  Example:
+
+  ```hcl
   plaintext_secrets = {
-  SECRET_NAME_1 = "secret_value_1"
-  SECRET_NAME_2 = "secret_value_2"
-  ...
+    SECRET_NAME_1 = "plaintext_secret_value_1"
+    SECRET_NAME_2 = "plaintext_secret_value_2"
   }
   ```
 
+- [**`encrypted_secrets`**](#var-encrypted_secrets): *(Optional `map(string)`)*<a name="var-encrypted_secrets"></a>
+
+  This map allows you to create and manage encrypted secrets for repositories in your organization.
+
+  Each element in the map is considered a secret to be managed, being the key map the secret name and the value the corresponding encrypted value of the secret using the Github public key in Base64 format.b
+
   When applied, a secret with the given key and value will be created in the repositories.
-  The value of the secrets must be given in plain text, github provider is in charge of encrypting it.
-  **Attention:** You might want to get secrets via a data source from a secure vault and not add them in plain text to your source files; so you do not commit plaintext secrets into the git repository managing your github account.
 
   Default is `{}`.
 
+  Example:
+
+  ```hcl
+  encrypted_secrets = {
+    SECRET_NAME_1 = "c2VjcmV0X3ZhbHVlXzE="
+    SECRET_NAME_2 = "c2VjcmV0X3ZhbHVlXzI="
+  }
+  ```
+
 - [**`required_approving_review_count`**](#var-required_approving_review_count): *(Optional `number`)*<a name="var-required_approving_review_count"></a>
 
   Require x number of approvals to satisfy branch protection requirements.
@@ -852,7 +875,7 @@ This is due to some terraform limitation and we will update the module once terr
 
 ### Module Configuration
 
-- [**`module_depends_on`**](#var-module_depends_on): *(Optional `list(any)`)*<a name="var-module_depends_on"></a>
+- [**`module_depends_on`**](#var-module_depends_on): *(Optional `list(dependency)`)*<a name="var-module_depends_on"></a>
 
   Due to the fact, that terraform does not offer `depends_on` on modules as of today (v0.12.24)
   we might hit race conditions when dealing with team names instead of ids.
diff --git a/README.tfdoc.hcl b/README.tfdoc.hcl
@@ -1055,19 +1055,40 @@ section {
           default     = {}
           description = <<-END
             This map allows you to create and manage secrets for repositories in your organization.
+
             Each element in the map is considered a secret to be managed, being the key map the secret name and the value the corresponding secret in plain text:
 
-            ```
+            When applied, a secret with the given key and value will be created in the repositories.
+
+            The value of the secrets must be given in plain text, GitHub provider is in charge of encrypting it.
+
+            **Attention:** You should treat state as sensitive always. It is also advised that you do not store plaintext values in your code but rather populate the encrypted_value using fields from a resource, data source or variable as, while encrypted in state, these will be easily accessible in your code. See below for an example of this abstraction.
+          END
+
+          readme_example = <<-END
             plaintext_secrets = {
-            SECRET_NAME_1 = "secret_value_1"
-            SECRET_NAME_2 = "secret_value_2"
-            ...
+              SECRET_NAME_1 = "plaintext_secret_value_1"
+              SECRET_NAME_2 = "plaintext_secret_value_2"
             }
-            ```
+          END
+        }
+
+        variable "encrypted_secrets" {
+          type        = map(string)
+          default     = {}
+          description = <<-END
+            This map allows you to create and manage encrypted secrets for repositories in your organization.
+
+            Each element in the map is considered a secret to be managed, being the key map the secret name and the value the corresponding encrypted value of the secret using the Github public key in Base64 format.b
 
             When applied, a secret with the given key and value will be created in the repositories.
-            The value of the secrets must be given in plain text, github provider is in charge of encrypting it.
-            **Attention:** You might want to get secrets via a data source from a secure vault and not add them in plain text to your source files; so you do not commit plaintext secrets into the git repository managing your github account.
+          END
+
+          readme_example = <<-END
+            encrypted_secrets = {
+              SECRET_NAME_1 = "c2VjcmV0X3ZhbHVlXzE="
+              SECRET_NAME_2 = "c2VjcmV0X3ZhbHVlXzI="
+            }
           END
         }
 
@@ -1115,7 +1136,7 @@ section {
       title = "Module Configuration"
 
       variable "module_depends_on" {
-        type        = list(any)
+        type        = list(dependency)
         default     = []
         description = <<-END
           Due to the fact, that terraform does not offer `depends_on` on modules as of today (v0.12.24)
diff --git a/main.tf b/main.tf
@@ -456,18 +456,6 @@ resource "github_repository_webhook" "repository_webhook" {
   }
 }
 
-# ---------------------------------------------------------------------------------------------------------------------
-# Action Secrets
-# ---------------------------------------------------------------------------------------------------------------------
-
-resource "github_actions_secret" "repository_secret" {
-  for_each = var.plaintext_secrets
-
-  repository      = github_repository.repository.name
-  secret_name     = each.key
-  plaintext_value = each.value
-}
-
 # ---------------------------------------------------------------------------------------------------------------------
 # Autolink References
 # ---------------------------------------------------------------------------------------------------------------------
diff --git a/secrets.tf b/secrets.tf
@@ -0,0 +1,19 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# Action Secrets
+# ---------------------------------------------------------------------------------------------------------------------
+
+locals {
+  plaintext_secrets = { for name, value in var.plaintext_secrets : name => { plaintext = value } }
+  encrypted_secrets = { for name, value in var.encrypted_secrets : name => { encrypted = value } }
+
+  secrets = merge(local.plaintext_secrets, local.encrypted_secrets)
+}
+
+resource "github_actions_secret" "repository_secret" {
+  for_each = local.secrets
+
+  repository      = github_repository.repository.name
+  secret_name     = each.key
+  plaintext_value = try(each.value.plaintext, null)
+  encrypted_value = try(each.value.encrypted, null)
+}
diff --git a/test/unit-complete/main.tf b/test/unit-complete/main.tf
@@ -60,6 +60,10 @@ module "repository" {
     (var.secret_name) = var.secret_text
   }
 
+  encrypted_secrets = {
+    (var.encrypted_secret_name) = var.encrypted_secret_text
+  }
+
   pages = {
     branch = "main"
     path   = "/"
diff --git a/test/unit-complete/variables.tf b/test/unit-complete/variables.tf
@@ -195,6 +195,18 @@ variable "secret_text" {
   default     = "42"
 }
 
+variable "encrypted_secret_name" {
+  description = "The name of the secret."
+  type        = string
+  default     = "ENCRYPTEDSECRET"
+}
+
+variable "encrypted_secret_text" {
+  description = "Secret value in Base64 format."
+  type        = string
+  default     = "NDI="
+}
+
 variable "webhook_url" {
   description = "Send events to this URL"
   type        = string
diff --git a/variables.tf b/variables.tf
@@ -462,18 +462,31 @@ variable "webhooks" {
 }
 
 variable "plaintext_secrets" {
-  description = "(Optional) Configuring actions secrets. For details please check: https://www.terraform.io/docs/providers/github/r/actions_secret.html"
+  description = "(Optional) Configuring actions secrets. For details please check: https://www.terraform.io/docs/providers/github/r/actions_secret"
   type        = map(string)
 
   # Example:
-  # secrets = {
+  # plaintext_secrets = {
   #     "MY_SECRET" = "42"
   #     "OWN_TOKEN" = "12345"
   # }
 
   default = {}
 }
 
+variable "encrypted_secrets" {
+  description = "(Optional) Configuring encrypted actions secrets. For details please check: https://www.terraform.io/docs/providers/github/r/actions_secret"
+  type        = map(string)
+
+  # Example:
+  # encrypted_secrets = {
+  #     "MY_ENCRYPTED_SECRET" = "MTIzNDU="
+  # }
+
+  default = {}
+}
+
+
 variable "autolink_references" {
   description = "(Optional) Configuring autolink references. For details please check: https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_autolink_reference"
   type = list(object({
