github_actions_secret: document how to obtain encrypted_value

[hoxu]

Affected Resource(s)

• github_actions_secret

github_actions_secret page does not contain any documentation on how to produce the encrypted_value.

There are two alternatives on how to create encrypted_value from the plaintext value:

1. One using TF_LOG=debug terraform apply to observe what "encrypted_secret" value is sent as JSON in the GitHub API call, as @jcudit outlined in a PR Added encrypted_value to Actions + Organizations's secrets #807 comment, although this is missing instructions necessary to avoid storing the plaintext_secret in a remote backend.
2. Make an API call to https://api.github.com/repos/ORG/REPO/actions/secrets/public-key and write a helper script using the example code in GitHub reference for "Create or update a repository secret".

Both of these are too cumbersome in my opinion.

But at the very least, a way to do this should be documented on github_actions_secret documentation.

[shrink]

until this is better supported, there are 2 other non-terraform options to generate an encrypted secret:

1. Using the GitHub CLI
2. Download the Actions public key locally and encrypt yourself

GitHub CLI

1. Download the GitHub CLI (e.g: brew install gh)
2. Authenticate with the admin:org scope, e.g: gh auth login -s admin:org
3. Set a secret with DEBUG=api which will output the raw request data and extract from that, e.g:

{
    "encrypted_value": "7hYpwbtVZ...==",
    "visibility": "private",
    "key_id": "56825..."
}

Generate Locally

1. Create a new Personal Access Token with the admin:org scope
2. Download the public key:

dev:~$ GITHUB_USERNAME="my-username"; \
GITHUB_TOKEN="ghp_..."; \
GITHUB_ORGANISATION="my-organisation"; \
curl -u $GITHUB_USERNAME:$GITHUB_TOKEN \
https://api.github.com/orgs/$GITHUB_ORGANISATION/actions/secrets/public-key

3... encrypt with a tool of your choice or using the provider code or gh cli code

[danielvvoros]

Hi,

I feel there is a lack of information on how to implement an encrypted secret via Terraform.

Any update on this case? Or other alternative?

Thank you, guys!

Daniel Vincenzi

[danielvvoros]

until this is better supported, there are 2 other non-terraform options to generate an encrypted secret:

1. Using the GitHub CLI
2. Download the Actions public key locally and encrypt yourself

GitHub CLI

1. Download the GitHub CLI (e.g: brew install gh)
2. Authenticate with the admin:org scope, e.g: gh auth login -s admin:org
3. Set a secret with DEBUG=api which will output the raw request data and extract from that, e.g:

{
    "encrypted_value": "7hYpwbtVZ...==",
    "visibility": "private",
    "key_id": "56825..."
}

Generate Locally

1. Create a new Personal Access Token with the admin:org scope
2. Download the public key:

dev:~$ GITHUB_USERNAME="my-username"; \
GITHUB_TOKEN="ghp_..."; \
GITHUB_ORGANISATION="my-organisation"; \
curl -u $GITHUB_USERNAME:$GITHUB_TOKEN \
https://api.github.com/orgs/$GITHUB_ORGANISATION/actions/secrets/public-key

3... encrypt with a tool of your choice or using the provider code or gh cli code

HI @shrink,

Thank you for your alternatives. It's correctly say to after generate my encrypted secret by gh command, I put it on my Terraform file?

Thank you!

Daniel Vincenzi

[shrink]

Hi @danielvincenzi.

Since my previous comment, Add gh secret encrypt command to encrypt a secret locally without sending to GitHub #4388 has been resolved by - Add new flag --no-store to print the encoded secret in "secret set" #4423 so you're now able to generate this value more easily:

$ gh secret set example_secret_name --no-store
? Paste your secret *************

cbKs5pvmBaTNrWqDEQAgMg0MklLlIdx5mjZ+YW6OQmeMlHglDafcaL/6Ybp6bNhbG7Psaif0pa65K1wCSA==

The correct approach depends on your specific needs, but ideally your terraform files should not contain secrets and instead they should be sourced from a .tfvars file or the environment. The Protect Sensitive Input Variables article from Hashicorp Learn gives a good rundown and using the example from the Terraform documentation for this provider, you'd end up with something like:

github.tf:

variable "my_encrypted_secret_value" {
  type = "string"
}

data "github_actions_public_key" "example_public_key" {
  repository = "example_repository"
}

resource "github_actions_secret" "example_secret" {
  repository       = "example_repository"
  secret_name      = "example_secret_name"
  encrypted_value  = var.my_encrypted_secret_value
}

secrets.tfvars:

my_encrypted_secret_value = "cbKs5pvmBaTNrWqDEQAgMg0MklLlIdx5mjZ+YW6OQmeMlHglDafcaL/6Ybp6bNhbG7Psaif0pa65K1wCSA=="

[ned1313]

How would this work for a value generated by another resource in Terraform? For instance, I have a config that creates an Azure service principal:

resource "azuread_service_principal" "gh_actions" {
  application_id = azuread_application.gh_actions.application_id
  owners         = [data.azuread_client_config.current.object_id]
}

resource "azuread_service_principal_password" "gh_actions" {
  service_principal_id = azuread_service_principal.gh_actions.object_id
}

And I want to store the service principal password in my GitHub secrets for a repository. How would I get the encrypted value within the same configuration? Or do I have to create the resource first, use the null resource to invoke a local provisioner with the gh cli, and then use the resulting value?

Since the service principal password will be stored in my state data anyway, is there really an advantage to using the encrypted_value argument?

[shrink]

Since the service principal password will be stored in my state data anyway, is there really an advantage to using the encrypted_value argument?

I don't think there is an advantage. I default to plaintext: I only make use of encrypted_value for secrets that I specifically do not want to persist in the terraform state because they have a lifecycle that is independent of the infrastructure, and so would be difficult to rotate if the state file was compromised from an old backup I accidentally leave in a public s3 bucket 2 years from now. Put another way, I use encrypted_value for a secret that has to remain secret after I've run terraform destroy.

[ned1313]

Thanks @shrink! This came up b/c Checkov has started flagging the plaintext_value as a possibly unsecure argument to use (CKV_GIT_4) and I wanted to see if that was the case. Seems like I can safely add it to the skipped checks list for my configuration.

[shrink]

@ned1313 I think the Checkov maintainers have been a little overzealous with their implementation and misinterpreted the GitHub terraform provider documentation: the comment describing why this warns isn't accurate. I'll submit an issue describing the nuance so that the check can be reviewed.

[shrink]

@ned1313 Just in case you're not tracking the issue, it looks there was a very fast turnaround: the Checkov team have merged bridgecrewio/checkov#2383 and released the change in version 2.0.830 so you shouldn't get warnings anymore for using plaintext_value :)

[killmeplz]

I was waiting for some solution in here but now I ended up with writing my own provider to do the job
https://github.com/killmeplz/terraform-provider-sodium

terraform {
  required_providers {
    github = {
      source  = "integrations/github"
      version = ">= 4.5.2"
    }
    sodium = {
      source  = "killmeplz/sodium"
      version = ">= 0.0.3"
    }
  }
}

provider "github" {
  owner = var.repo_owner
  token = var.github_token
}

data "github_actions_public_key" "gh_actions_public_key" {
  repository = var.repo_name
}

data "sodium_encrypted_item" "encrypted_key" {
    public_key_base64 = data.github_actions_public_key.gh_actions_public_key.key
    content_base64 = base64encode("secretpassword")
}

resource "github_actions_secret" "gh_actions_secret" {
  repository       = var.repo_name
  secret_name      = "SECRET_KEY"
  encrypted_value  = data.sodium_encrypted_item.encrypted_key.encrypted_value_base64
}