Merge pull request #59 from mineiros-io/integration

integration: add support to manage secrets

Author: mariux

CHANGELOG.md

@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+## [0.6.1]
+
+- Add support for managing github secrets via `plaintext_secrets` argument (#58/#59 kudos to @mrodm)
+
 ## [0.6.0]
 
 ### Added
@@ -17,7 +23,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
-- Remove support for Terraform Github Provider v3.1.0 as this version introduced undocumneted breaking changes. See https://github.com/terraform-providers/terraform-provider-github/issues/566 for details.
+- Remove support for Terraform Github Provider v3.1.0 as this version introduced undocumented breaking changes. See https://github.com/integrations/terraform-provider-github/issues/566 for details.
 
 ### Changed
 
@@ -184,10 +190,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 <!-- markdown-link-check-disable -->
 
 [unreleased]: https://github.com/mineiros-io/terraform-github-repository/compare/v0.6.0...HEAD
-[0.6.0]: https://github.com/mineiros-io/terraform-github-repository/compare/v0.5.1...v0.6.0
+[0.6.1]: https://github.com/mineiros-io/terraform-github-repository/compare/v0.6.0...v0.6.1
 
 <!-- markdown-link-check-enable -->
 
+[0.6.0]: https://github.com/mineiros-io/terraform-github-repository/compare/v0.5.1...v0.6.0
 [0.5.1]: https://github.com/mineiros-io/terraform-github-repository/compare/v0.5.0...v0.5.1
 [0.5.0]: https://github.com/mineiros-io/terraform-github-repository/compare/v0.4.2...v0.5.0
 [0.4.2]: https://github.com/mineiros-io/terraform-github-repository/compare/v0.4.1...v0.4.2

README.md

@@ -27,6 +27,7 @@ and is compatible with the Terraform Github Provider v3 as well as v2.6 and abov
     - [Issue Labels Configuration](#issue-labels-configuration)
     - [Projects Configuration](#projects-configuration)
     - [Webhooks Configuration](#webhooks-configuration)
+    - [Secrets Configuration](#secrets-configuration)
     - [`defaults` Object Attributes](#defaults-object-attributes)
     - [`template` Object Attributes](#template-object-attributes)
     - [`deploy_key` Object Attributes](#deploy_key-object-attributes)
@@ -387,6 +388,24 @@ removed thislimitation.
   can also be configured
   Default is `[]`.
 
+#### Secrets Configuration
+
+- **`plaintext_secrets`**: _(Optional `map(string)`)_
+
+  This map allows you to create and manage secrets for repositories in your organization.
+  Each element in the map is considered a secret to be managed, being the key map the secret name and the value the corresponding secret in plain text:
+  ```
+  plaintext_secrets = {
+    SECRET_NAME_1 = "secret_value_1"
+    SECRET_NAME_2 = "secret_value_2"
+    ...
+  }
+  ```
+  When applied, a secret with the given key and value will be created in the repositories.
+  The value of the secrets must be given in plain text, github provider is in charge of encrypting it.
+  **Attention:** You might want to get secrets via a data source from a secure vault and not add them in plain text to your source files; so you do not commit plaintext secrets into the git repository managing your github account.
+  Default is `{}`.
+
 #### [`defaults`](#repository-configuration) Object Attributes
 
 This is a special argument to set various defaults to be reused for multiple repositories.

main.tf

@@ -429,3 +429,15 @@ resource "github_repository_webhook" "repository_webhook" {
     secret       = try(var.webhooks[count.index].secret, null)
   }
 }
+
+# ---------------------------------------------------------------------------------------------------------------------
+# Action Secrets
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "github_actions_secret" "repository_secret" {
+  for_each = var.plaintext_secrets
+
+  repository      = github_repository.repository.name
+  secret_name     = each.key
+  plaintext_value = each.value
+}

outputs.tf

@@ -59,3 +59,8 @@ output "webhooks" {
   value       = github_repository_webhook.repository_webhook
   description = "All attributes and arguments as returned by the github_repository_webhook resource."
 }
+
+output "secrets" {
+  value       = [for secret in github_actions_secret.repository_secret : secret.secret_name]
+  description = "List of secrets available."
+}

test/public-repository-with-secret/main.tf

@@ -0,0 +1,19 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# CREATE A REPOSITORY WITH A SECRET
+# This example will create a repository with a secret and some basic settings.
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# ---------------------------------------------------------------------------------------------------------------------
+# TEST
+# We are creating a repository with a single secret while specifying only the minimum required variables
+# ---------------------------------------------------------------------------------------------------------------------
+
+module "repository" {
+  source = "../.."
+
+  name = var.name
+
+  plaintext_secrets = {
+    (var.secret_name) = var.secret_text
+  }
+}

test/public-repository-with-secret/outputs.tf

@@ -0,0 +1,14 @@
+output "repository" {
+  description = "All outputs of the created repository."
+  value       = module.repository
+}
+
+output "repository_name" {
+  description = "The full name of the created repository."
+  value       = module.repository.full_name
+}
+
+output "secret_name" {
+  description = "The name of the secret."
+  value       = module.repository.secrets[0]
+}

test/public-repository-with-secret/variables.tf

@@ -0,0 +1,35 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# ENVIRONMENT VARIABLES
+# Define these secrets as environment variables.
+# ---------------------------------------------------------------------------------------------------------------------
+
+# GITHUB_ORGANIZATION
+# GITHUB_TOKEN
+
+# ---------------------------------------------------------------------------------------------------------------------
+# REQUIRED VARIABLES
+# These variables must be set when using this module.
+# ---------------------------------------------------------------------------------------------------------------------
+
+# ---------------------------------------------------------------------------------------------------------------------
+# OPTIONAL VARIABLES
+# These variables have defaults, but may be overridden.
+# ---------------------------------------------------------------------------------------------------------------------
+
+variable "name" {
+  description = "The name of the created repository."
+  type        = string
+  default     = "test-public-repository-with-secrets"
+}
+
+variable "secret_name" {
+  description = "The name of the secret."
+  type        = string
+  default     = "MYSECRET"
+}
+
+variable "secret_text" {
+  description = "Secret value in plain text."
+  type        = string
+  default     = "42"
+}

test/public_repository_with_secrets_test.go

@@ -0,0 +1,38 @@
+package test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/gruntwork-io/terratest/modules/random"
+	"github.com/gruntwork-io/terratest/modules/terraform"
+)
+
+func TestGithubPublicRepositoryWithSecret(t *testing.T) {
+	t.Parallel()
+
+	// Set the name for the repository this test should create
+	expectedRepositoryName := fmt.Sprintf("test-public-repository-with-secret-%s", random.UniqueId())
+
+	// Set config settings for the secret this test should create
+	expectedSecretName := "MYSECRET"
+	expectedSecretValue := "42"
+
+	terraformOptions := &terraform.Options{
+		// The path to where your Terraform code is located
+		TerraformDir: "public-repository-with-secret",
+		Upgrade:      true,
+		Vars: map[string]interface{}{
+			"name":        expectedRepositoryName,
+			"secret_name": expectedSecretName,
+			"secret_text": expectedSecretValue,
+		},
+	}
+
+	// At the end of the test, run `terraform destroy` to clean up any resources that were created
+	defer terraform.Destroy(t, terraformOptions)
+
+	// This will run `terraform init` and `terraform apply` and fail the test if there are any errors
+	terraform.InitAndApply(t, terraformOptions)
+
+}

variables.tf

@@ -444,3 +444,16 @@ variable "webhooks" {
   #   insecure_ssl = false
   # }]
 }
+
+variable "plaintext_secrets" {
+  description = "Configuring actions secrets. For details please check: https://www.terraform.io/docs/providers/github/r/actions_secret.html"
+  type        = map(string)
+
+  # Example:
+  # secrets = {
+  #     "MY_SECRET" = "42"
+  #     "OWN_TOKEN" = "12345"
+  # }
+
+  default = {}
+}