
AWS Secrets to get created using github env secret without exposing (Terraform and Github Workflow)

Thread starter: Ankit Rai
Currently, we are passing secrets directly into container environments using key-value pairs for our microservices. We are planning to create a secret module and call it in our Terraform repository to create multiple secrets by assigning values from GitHub environment secrets where they are already stored.

Here is the current setup which I have in place:

Terraform Code:

Code:
secrets = {
  Thoughtspot = {
    TS_SECRET_KEY     = ""
    TS_PUBLIC_API_URL = ""
  }
  Auth0 = {}
}

Github Action Workflow:

Code:
Fetch-Environment-Secrets:
  runs-on: ubuntu-latest
  outputs:
    ts_secret_key: ${{ steps.fetch_secret.outputs.ts_secret_key }}
    ts_public_api_url: ${{ steps.fetch_secret.outputs.ts_public_api_url }}
    auth0_client_id: ${{ steps.fetch_secret.outputs.auth0_client_id }}
    auth0_client_secret: ${{ steps.fetch_secret.outputs.auth0_client_secret }}
  steps:
    - name: Fetch and print secrets
      id: fetch_secret
      run: |
        # Fetch ThoughtSpot secret
        TS_SECRET_JSON=$(echo "${{ secrets.DEV_THOUGHTSPOT_SECRET }}" | base64 -d)
        TS_SECRET_KEY=$(echo $TS_SECRET_JSON | jq -r '.TS_SECRET_KEY')
        TS_PUBLIC_API_URL=$(echo $TS_SECRET_JSON | jq -r '.TS_PUBLIC_API_URL')
        echo "::set-output name=ts_secret_key::$TS_SECRET_KEY"
        echo "::set-output name=ts_public_api_url::$TS_PUBLIC_API_URL"

Code:
Deploy-Static-Infra:
  needs: Fetch-Environment-Secrets
  if: ${{ inputs.infra_deploy }}
  uses: globe/oneglobal-templates/.github/workflows/[email protected]
  secrets: inherit
  with:
    deploy_method: ${{ inputs.deploy_method }}
    environment: ${{ inputs.environment }}
    repo_name: "microservice"

    custom_tf_vars_json: '"{"TS_SECRET_KEY":"${{ needs.Fetch-Environment-Secrets.outputs.ts_secret_key }}","TS_PUBLIC_API_URL":"${{ needs.Fetch-Environment-Secrets.outputs.ts_public_api_url }}"}"'

In the custom_tf_vars_json, which is being called from another workflow, we have the following code to set the environment variables:

Code:
steps:
  - name: Create Custom Terraform Vars
    if: inputs.custom_tf_vars_json != ''
    run: |
      echo ${{ inputs.custom_tf_vars_json }} | jq -c '. | to_entries | .[]' | while read i; do
        echo "TF_VAR_$(echo $i | jq -r '.key')=$(echo $i | jq -r '.value')" >> $GITHUB_ENV
      done

Despite this setup, the secrets are being created with empty values.

Question:

What is the best way to create a secret module and then pass the secret names and their values from GitHub environment secrets to multiple secrets in Terraform? How can we ensure that the secrets are fetched, decoded, and passed correctly without resulting in empty values?
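The handoff described in the question, modelled in Python as an added example (not the poster's code, and written without jq so it runs anywhere): the base64/JSON decode, the `custom_tf_vars_json` value exactly as quoted in the `with:` block, the quote removal bash performs when that value is spliced unquoted into `echo ${{ inputs.custom_tf_vars_json }}`, and the `TF_VAR_*` entries the jq loop would then write. The sample secret is constructed, the function names are chosen here, and `shlex` in POSIX mode is used as a stand-in for bash's quoting rules, which holds for values without spaces or escapes.

```python
import base64
import json
import shlex

# Constructed sample standing in for the base64-encoded JSON stored as the
# DEV_THOUGHTSPOT_SECRET environment secret (placeholder values, not real).
SAMPLE_SECRET_B64 = base64.b64encode(
    b'{"TS_SECRET_KEY":"ts-key-placeholder",'
    b'"TS_PUBLIC_API_URL":"https://ts.example.invalid"}'
).decode()

def decode_secret(b64: str) -> dict:
    """Mirror `base64 -d | jq -r` in the Fetch-Environment-Secrets job."""
    return json.loads(base64.b64decode(b64))

def posters_quoting(values: dict) -> str:
    """The with: value as written in the question: JSON wrapped in an extra
    pair of double quotes, '"{"TS_SECRET_KEY":"...","TS_PUBLIC_API_URL":"..."}"'."""
    body = ",".join(f'"{k}":"{v}"' for k, v in values.items())
    return '"{' + body + '}"'

def as_seen_by_jq(spliced: str) -> str:
    """What `echo ${{ inputs.custom_tf_vars_json }}` really pipes to jq: the value
    is spliced into the script unquoted, so bash does quote removal and word
    splitting first. shlex in POSIX mode applies the same rules (no spaces or
    escapes in these values, so the model holds)."""
    return " ".join(shlex.split(spliced))

def tf_vars_from_json(text: str) -> dict:
    """Mirror `jq -c '. | to_entries | .[]'` feeding TF_VAR_<key>=<value> lines
    into $GITHUB_ENV. jq rejects malformed JSON, the loop runs zero times and no
    TF_VAR_* is set: the 'empty values' symptom, modelled as {}."""
    try:
        entries = json.loads(text)
    except json.JSONDecodeError:
        return {}
    return {f"TF_VAR_{k}": str(v) for k, v in entries.items()}

def safe_handoff(values: dict) -> dict:
    """Hardened variant: emit real JSON (no wrapping quotes); in the workflow it
    is then passed via env: so the shell never re-parses it (YAML change, not
    modelled here)."""
    return tf_vars_from_json(json.dumps(values))

if __name__ == "__main__":
    ts = decode_secret(SAMPLE_SECRET_B64)
    print("as posted:", tf_vars_from_json(as_seen_by_jq(posters_quoting(ts))))
    print("fixed:    ", safe_handoff(ts))
```

Passing the JSON to the script through an `env:` entry and quoting it (`echo "$TF_VARS_JSON" | jq ...`) avoids both the shell re-parsing and the script-injection exposure of splicing `${{ inputs.* }}` into `run:`. Values pulled out of a decoded secret are not auto-masked in logs, and the runner skips job outputs it detects as secret-bearing, so secret material is better routed to the Terraform job via `secrets:` than via `outputs:`.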