Forem: Roman Tsisyk The latest articles on Forem by Roman Tsisyk (@rtsisyk). https://forem.com/rtsisyk https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1048595%2F57862343-90f6-4f62-9b41-09193531333d.jpg Forem: Roman Tsisyk https://forem.com/rtsisyk en Managing GitHub Actions Secrets via Git + Terraform Roman Tsisyk Tue, 21 Mar 2023 09:09:18 +0000 https://forem.com/rtsisyk/managing-github-actions-secrets-via-git-terraform-2f81 https://forem.com/rtsisyk/managing-github-actions-secrets-via-git-terraform-2f81 <p><a href="https://docs.github.com/en/actions/security-guides/encrypted-secrets" rel="noopener noreferrer">GitHub Actions Secrets</a> are encrypted environment variables that you create in an organization or repository on GitHub. Secrets can be used to store things like API keys, access tokens, passwords, and other sensitive information. Secrets can be managed through the GitHub UI or API. </p> <p>Unfortunately, GitHub doesn't provide any way to manage encrypted secrets via <code>git</code>. Yes, this sounds really strange that you need something other than <code>git</code> on GitHub, but it is. This article closes this gap by leveraging Terraform to populate GitHub Actions Secrets directly from the GitHub repository. GitHub uses a <a href="https://libsodium.gitbook.io/doc/public-key_cryptography/sealed_boxes" rel="noopener noreferrer">libsodium sealed box</a> to encrypt secrets, and there is absolutely no risk in storing encrypted secrets in the repo itself.</p> <h2> Prerequisites </h2> <ol> <li>GitHub repository</li> <li> <a href="https://developer.hashicorp.com/terraform/downloads" rel="noopener noreferrer">Terraform</a> (version 1.3.7 was tested)</li> <li> <a href="https://cli.github.com/" rel="noopener noreferrer">GitHub CLI</a> a.k.a. <code>gh</code> (version 2.23.0 was tested)</li> </ol> <h2> Create Terraform stack </h2> <p><code>in-vars.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"github_owner"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"GitHub user name"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"github_repository"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"GitHub repository name"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <ul> <li> <code>github_owner</code> will be your GitHub account name, like <code>torvalds</code>.</li> <li> <code>github_repository</code> will be your GitHub repository name, like <code>linux</code>.</li> </ul> <p>This example uses <a href="https://registry.terraform.io/providers/integrations/github/latest" rel="noopener noreferrer">Terraform's GitHub</a> integration to manage GitHub resources via Terraform. </p> <p><code>providers.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">terraform</span> <span class="p">{</span> <span class="nx">required_version</span> <span class="p">=</span> <span class="s2">"~&gt; 1.0"</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">github</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"integrations/github"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.18"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">provider</span> <span class="s2">"github"</span> <span class="p">{</span> <span class="nx">owner</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">github_owner</span> <span class="p">}</span> </code></pre> </div> <p>The next file is the primary Terraform configuration file that instructs Terraform to update GitHub Actions Secrets from <code>secrets.yaml</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"github_user"</span> <span class="s2">"current"</span> <span class="p">{</span> <span class="nx">username</span> <span class="p">=</span> <span class="s2">""</span> <span class="p">}</span> <span class="k">data</span> <span class="s2">"github_repository"</span> <span class="s2">"example"</span> <span class="p">{</span> <span class="nx">full_name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">github_owner</span><span class="k">}</span><span class="s2">/</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">github_repository</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"github_actions_environment_secret"</span> <span class="s2">"example"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">([</span><span class="nx">for</span> <span class="nx">environment</span><span class="p">,</span> <span class="nx">secrets</span> <span class="nx">in</span> <span class="nx">yamldecode</span><span class="p">(</span><span class="nx">file</span><span class="p">(</span><span class="s2">"secrets.yaml"</span><span class="p">))[</span><span class="s2">"secrets"</span><span class="p">]</span> <span class="err">:</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">value</span> <span class="nx">in</span> <span class="nx">secrets</span> <span class="err">:</span> <span class="s2">"</span><span class="k">${</span><span class="nx">environment</span><span class="k">}</span><span class="s2">:</span><span class="k">${</span><span class="nx">name</span><span class="k">}</span><span class="s2">"</span> <span class="p">=</span><span class="err">&gt;</span> <span class="p">{</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">environment</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">name</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">value</span> <span class="p">}</span> <span class="p">}]...)</span> <span class="nx">repository</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">github_repository</span><span class="p">.</span><span class="nx">example</span><span class="p">.</span><span class="nx">name</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">secret_name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">name</span> <span class="nx">encrypted_value</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">value</span> <span class="p">}</span> </code></pre> </div> <p>All secrets will be stored encrypted in <code>secrets.yaml</code> file:</p> <p><code>secrets.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1">#</span> <span class="c1"># This file contains encrypted secrets for GitHub Actions</span> <span class="c1">#</span> <span class="c1"># All values in this file are encrypted by using public-key cryptography.</span> <span class="c1"># GitHub uses different public key per each environment per each repository.</span> <span class="c1"># To add a new secret, please run `gh secret set --no-store -e dev|stage|prod` in the root of this repo.</span> <span class="c1"># Please make ensure that you are in the right repository and have the right value of `-e` flag.</span> <span class="c1">#</span> <span class="c1"># To apply values to GitHub, please run `terraform apply`.</span> <span class="c1">#</span> <span class="na">secrets</span><span class="pi">:</span> <span class="c1"># dev:</span> <span class="c1"># HELLO: &lt;encrypted value&gt;</span> <span class="c1"># WORLD: &lt;encrypted value&gt;</span> <span class="na">dev</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">stage</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">prod</span><span class="pi">:</span> <span class="pi">[]</span> </code></pre> </div> <p>Keep an empty list (<code>[]</code>) for each environment for now.</p> <h2> Generate Personal Access Token (PAT) </h2> <p>Go to <a href="https://github.com/settings/tokens" rel="noopener noreferrer">https://github.com/settings/tokens</a> and generate a new Personal Access Token (PAT) to access GitHub via API. At the moment of writing (2023-03-21), new fine-grained scoped tokens didn't work properly for managing Secrets.</p> <p>Please grant <code>repo</code> (Full control of private repositories) permission to your token:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fld99nk8eh0j8a0r7khnb.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fld99nk8eh0j8a0r7khnb.png" alt="GitHub Personal Access Token"></a></p> <h2> Create Environments </h2> <p><a href="https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment" rel="noopener noreferrer">Environments</a> are needed to protect your secrets. In this tutorial we will create <code>dev</code>, <code>stage</code> and <code>prod</code> environments. Only GitHub Workflows with <code>dev</code>, <code>stage</code> and <code>prod</code> tags will be able to access Secrets in corresponding environments. GitHub Environments can be restricted by branch names.</p> <p>Go to your repository → Settings → Environments and add <code>dev</code>, <code>stage</code>, <code>prod</code> environments:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx7tuhgiyjeca222wnt7t.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx7tuhgiyjeca222wnt7t.png" alt="GitHub Environments"></a> </p> <h2> Generate Secrets </h2> <p>Encrypt secrets for each environment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gh secret <span class="nb">set</span> <span class="nt">--no-store</span> <span class="nt">-e</span> dev </code></pre> </div> <p>Type secret value into the command line prompt. This command together with the <code>--no-store</code> option encrypts all data locally by using a public key from the specified GitHub Environment (i.e. <code>dev</code>, <code>stage</code>, <code>prod</code>). Sensitive data is not transmitted outside your machine. Save generated value into <code>secrets.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">secrets</span><span class="pi">:</span> <span class="na">dev</span><span class="pi">:</span> <span class="na">HELLO</span><span class="pi">:</span> <span class="s">QQYIZqerFfiarG+9VyGeDDqz/cMNL7OABaNjWMPOOD7qDO7IHUr+1RND8p5oilV8VaIgbso=</span> <span class="na">WORLD</span><span class="pi">:</span> <span class="s">oxSzP+MNstOknjv/1Q3/m9q0fQAbaxny91DNd0tf2TV+pOBpgfqURA/0UrG1+V8OR3RHD7Y=</span> <span class="na">stage</span><span class="pi">:</span> <span class="na">HELLO</span><span class="pi">:</span> <span class="s">d4gfSmhZolZSh/zWq3gh/hTMUiBm5bZyeJuHmKIkW3jl3pHX3E565vTpDBjHBVzydr8bMFw=</span> <span class="na">WORLD</span><span class="pi">:</span> <span class="s">vVwxkPZY4Z6HYZKmfmy5PrPe7GPCqXav+59yPB7WzHe6dZ3B3VLxvei4PnO+hqIL4OoDlsQ=</span> <span class="na">prod</span><span class="pi">:</span> <span class="na">HELLO</span><span class="pi">:</span> <span class="s">+DsS2fbRzLIDmUqqUC0+dZlq9tgYO2jufUGj3vGxpk/1pFgjLaPk03a6uLOGgha43nfNLxU=</span> <span class="na">WORLD</span><span class="pi">:</span> <span class="s">1Pxp9C8BK4L9Q1COBQe+3MjaJR7iyajM3iF5gkmBvxEg/9d38VBvJbLf3Zt+40qexk87ZnY=</span> </code></pre> </div> <h2> Apply Secrets </h2> <p>Now it is time to apply all the secrets to GitHub by using Terraform. Export environment variables to specify your GitHub name, repository and Personal Access Token (PAT).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">TF_VAR_github_owner</span><span class="o">=</span>rtsisyk <span class="nb">export </span><span class="nv">TF_VAR_github_repository</span><span class="o">=</span>github-actions-secrets-terraform <span class="nb">export </span><span class="nv">GITHUB_TOKEN</span><span class="o">=</span>&lt;Personal Access Token generated previously&gt; </code></pre> </div> <p>Now run Terraform:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="p">[</span><span class="nx">REDACTED</span><span class="p">]</span> <span class="nx">Terraform</span> <span class="nx">will</span> <span class="nx">perform</span> <span class="nx">the</span> <span class="nx">following</span> <span class="nx">actions</span><span class="err">:</span> <span class="c1"># github_actions_environment_secret.example["dev:HELLO"] will be created</span> <span class="err">+</span> <span class="k">resource</span> <span class="s2">"github_actions_environment_secret"</span> <span class="s2">"example"</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">created_at</span> <span class="p">=</span> <span class="p">(</span><span class="nx">known</span> <span class="nx">after</span> <span class="nx">apply</span><span class="p">)</span> <span class="err">+</span> <span class="nx">encrypted_value</span> <span class="p">=</span> <span class="p">(</span><span class="nx">sensitive</span> <span class="nx">value</span><span class="p">)</span> <span class="err">+</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"dev"</span> <span class="err">+</span> <span class="nx">id</span> <span class="p">=</span> <span class="p">(</span><span class="nx">known</span> <span class="nx">after</span> <span class="nx">apply</span><span class="p">)</span> <span class="err">+</span> <span class="nx">repository</span> <span class="p">=</span> <span class="s2">"github-actions-secrets-terraform"</span> <span class="err">+</span> <span class="nx">secret_name</span> <span class="p">=</span> <span class="s2">"HELLO"</span> <span class="err">+</span> <span class="nx">updated_at</span> <span class="p">=</span> <span class="p">(</span><span class="nx">known</span> <span class="nx">after</span> <span class="nx">apply</span><span class="p">)</span> <span class="p">}</span> <span class="p">[</span><span class="nx">REDACTED</span><span class="p">]</span> </code></pre> </div> <p>Terraform will apply all secrets to GitHub:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxdztnzis48a3a5tk8zl2.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxdztnzis48a3a5tk8zl2.png" alt="GitHub Environments with Secrets"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0a0pkohaqhn9g4k23bht.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0a0pkohaqhn9g4k23bht.png" alt="GitHub Action Secrets"></a></p> <p>That is it. Now you can manage all GitHub Secrets in GitHub repo.</p> <h2> Notes Regarding Terraform State </h2> <p>Terraform is <a href="https://developer.hashicorp.com/terraform/language/state" rel="noopener noreferrer">stateful</a> and keeps information about all created resources in <code>terraform.tfstate</code> by default:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"mode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"managed"</span><span class="p">,</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"github_actions_environment_secret"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"example"</span><span class="p">,</span><span class="w"> </span><span class="nl">"provider"</span><span class="p">:</span><span class="w"> </span><span class="s2">"provider[</span><span class="se">\"</span><span class="s2">registry.terraform.io/integrations/github</span><span class="se">\"</span><span class="s2">]"</span><span class="p">,</span><span class="w"> </span><span class="nl">"instances"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"index_key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dev:HELLO"</span><span class="p">,</span><span class="w"> </span><span class="nl">"schema_version"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nl">"attributes"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2023-03-20 09:29:43 +0000 UTC"</span><span class="p">,</span><span class="w"> </span><span class="nl">"encrypted_value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"QQYIZqerFfiarG+9VyGeDDqz/cMNL7OABaNjWMPOOD7qDO7IHUr+1RND8p5oilV8VaIgbso="</span><span class="p">,</span><span class="w"> </span><span class="nl">"environment"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dev"</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"github-actions-secrets-terraform:dev:HELLO"</span><span class="p">,</span><span class="w"> </span><span class="nl">"plaintext_value"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"repository"</span><span class="p">:</span><span class="w"> </span><span class="s2">"github-actions-secrets-terraform"</span><span class="p">,</span><span class="w"> </span><span class="nl">"secret_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"HELLO"</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2023-03-20 09:29:43 +0000 UTC"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"sensitive_attributes"</span><span class="p">:</span><span class="w"> </span><span class="p">[],</span><span class="w"> </span><span class="nl">"private"</span><span class="p">:</span><span class="w"> </span><span class="s2">"bnVsbA=="</span><span class="p">,</span><span class="w"> </span><span class="nl">"dependencies"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"data.github_repository.example"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span></code></pre> </div> <p>All Secrets generated in this tutorial are encrypted by using <a href="https://libsodium.gitbook.io/doc/public-key_cryptography/sealed_boxes" rel="noopener noreferrer">libsodium sealed box</a>. There is absolutely no risk in storing these encrypted strings in a git repository and having them in the Terraform state.</p> <p>For <code>github_actions_environment_secret</code> resource in particular, you can actually drop Terraform state and Terraform will correctly update GitHub Actions Secrets on every run without any issues.</p> <h2> Links </h2> <ul> <li><a href="https://github.com/rtsisyk/github-actions-secrets-terraform/" rel="noopener noreferrer">GitHub repository for this tutorial</a></li> <li><a href="https://docs.github.com/en/actions/security-guides/encrypted-secrets" rel="noopener noreferrer">GitHub Secrets documentation</a></li> <li><a href="https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment" rel="noopener noreferrer">GitHub Environments documentation</a></li> <li><a href="https://registry.terraform.io/providers/integrations/github/latest/docs" rel="noopener noreferrer">Terraform-&gt;GitHub integration overview</a></li> </ul> githubactions terraform devops tutorial