Currently, we are passing secrets directly into container environments using key-value pairs for our microservices. We are planning to create a secret module and call it in our Terraform repository to create multiple secrets by assigning values from GitHub environment secrets where they are already stored.
Here is the current setup I have in place:
Terraform Code:

```hcl
secrets = {
  "Thoughtspot" = {
    TS_SECRET_KEY     = ""
    TS_PUBLIC_API_URL = ""
  }
  "Auth0" = {}
}
```
GitHub Actions Workflow:

```yaml
Fetch-Environment-Secrets:
  runs-on: ubuntu-latest
  outputs:
    ts_secret_key: ${{ steps.fetch_secret.outputs.ts_secret_key }}
    ts_public_api_url: ${{ steps.fetch_secret.outputs.ts_public_api_url }}
    auth0_client_id: ${{ steps.fetch_secret.outputs.auth0_client_id }}
    auth0_client_secret: ${{ steps.fetch_secret.outputs.auth0_client_secret }}
  steps:
    - name: Fetch and print secrets
      id: fetch_secret
      run: |
        # Fetch ThoughtSpot secret (stored as a base64-encoded JSON object)
        TS_SECRET_JSON=$(echo "${{ secrets.DEV_THOUGHTSPOT_SECRET }}" | base64 -d)
        TS_SECRET_KEY=$(echo "$TS_SECRET_JSON" | jq -r '.TS_SECRET_KEY')
        TS_PUBLIC_API_URL=$(echo "$TS_SECRET_JSON" | jq -r '.TS_PUBLIC_API_URL')
        # "::set-output" is deprecated; step outputs are written to $GITHUB_OUTPUT
        echo "ts_secret_key=$TS_SECRET_KEY" >> "$GITHUB_OUTPUT"
        echo "ts_public_api_url=$TS_PUBLIC_API_URL" >> "$GITHUB_OUTPUT"
        # Note: GitHub Actions does not forward job outputs whose value matches a
        # secret (the runner logs "Skip output ... since it may contain secret"),
        # so a dependent job reading needs.<job>.outputs.* sees an empty string.

Deploy-Static-Infra:
  needs: Fetch-Environment-Secrets
  if: ${{ inputs.infra_deploy }}
  uses: globe/oneglobal-templates/.github/workflows/[email protected]
  secrets: inherit
  with:
    deploy_method: ${{ inputs.deploy_method }}
    environment: ${{ inputs.environment }}
    repo_name: "microservice"
    custom_tf_vars_json: '{"TS_SECRET_KEY":"${{ needs.Fetch-Environment-Secrets.outputs.ts_secret_key }}","TS_PUBLIC_API_URL":"${{ needs.Fetch-Environment-Secrets.outputs.ts_public_api_url }}"}'
```
In the custom_tf_vars_json, which is being called from another workflow, we have the following code to set the environment variables:
```yaml
steps:
  - name: Create Custom Terraform Vars
    if: inputs.custom_tf_vars_json != ''
    run: |
      # Turn each top-level key of the JSON input into a TF_VAR_<key> entry for later steps.
      # The input must be quoted: an unquoted echo lets the shell strip the JSON's double
      # quotes, jq then fails to parse it, and nothing is written to $GITHUB_ENV.
      echo '${{ inputs.custom_tf_vars_json }}' | jq -c '. | to_entries | .[]' | while read -r i; do
        echo "TF_VAR_$(echo "$i" | jq -r '.key')=$(echo "$i" | jq -r '.value')" >> "$GITHUB_ENV"
      done
```
Despite this setup, the secrets are being created with empty values.
Question:
What is the best way to create a secret module and then pass the secret names and their values from GitHub environment secrets to multiple secrets in Terraform? How can we ensure that the secrets are fetched, decoded, and passed correctly without resulting in empty values?
Ankit Rai is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
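One way to do the decode-and-validate work in a single job, so the values never have to cross a job boundary as outputs, is to build the whole Terraform `secrets` map in one step and hand it to Terraform as `TF_VAR_secrets` (Terraform accepts a JSON literal in a `TF_VAR_*` variable for a `map(map(string))`). The following is an added example written for this answer, not the asker's or any project's code. It assumes a hypothetical module variable `variable "secrets" { type = map(map(string)) }`, that each GitHub secret (such as `DEV_THOUGHTSPOT_SECRET`) holds a base64-encoded JSON object, and it uses constructed sample values throughout; the `Auth0` entry is left out because the question does not show its secret layout.

```python
"""Build TF_VAR_secrets for Terraform from base64(JSON) GitHub secrets in one step.

Added example; the variable name `secrets`, the Thoughtspot key list and every
sample value below are assumptions/constructed data, not from the question.
"""
import base64
import json
import os
import secrets as token_source
from typing import Dict, List, Mapping, Tuple


def encode_blob(obj: Mapping[str, str]) -> str:
    """Produce the same shape a secret like DEV_THOUGHTSPOT_SECRET is assumed to hold."""
    return base64.b64encode(json.dumps(obj).encode()).decode()


def missing_keys(data: Mapping[str, object], required: List[str]) -> List[str]:
    """Keys that are absent, not strings, or blank: these are what end up as empty secrets."""
    return [k for k in required if not isinstance(data.get(k), str) or not data[k].strip()]


def decode_secret_blob(blob_b64: str, required: List[str]) -> Dict[str, str]:
    """Decode base64 -> JSON object and fail loudly if any expected key is empty.

    Raising here moves the failure to the step that caused it instead of letting
    Terraform create a secret whose value is "".
    """
    try:
        data = json.loads(base64.b64decode(blob_b64.strip(), validate=True))
    except (ValueError, json.JSONDecodeError) as exc:
        raise ValueError(f"secret blob is not base64(JSON): {exc}") from exc
    if not isinstance(data, dict):
        raise ValueError("secret blob must decode to a JSON object")
    missing = missing_keys(data, required)
    if missing:
        raise ValueError(f"empty or missing keys in secret blob: {missing}")
    return {k: data[k] for k in required}


def build_secrets_map(blobs: Mapping[str, str],
                      layout: Mapping[str, List[str]]) -> Dict[str, Dict[str, str]]:
    """layout: Terraform secret name -> keys expected inside its blob.
    blobs:  the same name -> base64 blob read from the corresponding GitHub secret."""
    return {name: decode_secret_blob(blobs[name], keys) for name, keys in layout.items()}


def github_env_heredoc(var_name: str, value: str, delimiter: str) -> str:
    """$GITHUB_ENV multi-line form (NAME<<DELIM / value / DELIM), which keeps quotes
    and newlines in the value intact. The delimiter must not occur in the value."""
    if delimiter in value:
        raise ValueError("delimiter collides with value")
    return f"{var_name}<<{delimiter}\n{value}\n{delimiter}\n"


def render_step_output(secrets_map: Dict[str, Dict[str, str]],
                       delimiter: str = "") -> Tuple[str, str]:
    """Return (text to append to $GITHUB_ENV, text for stdout).

    The env text sets TF_VAR_secrets to the whole map as one JSON literal; stdout
    carries an ::add-mask:: command per leaf value so the values are redacted in logs.
    """
    delimiter = delimiter or "EOF_" + token_source.token_hex(8)
    env_text = github_env_heredoc("TF_VAR_secrets", json.dumps(secrets_map, sort_keys=True), delimiter)
    masks = "".join(f"::add-mask::{v}\n" for inner in secrets_map.values() for v in inner.values())
    return env_text, masks


# Constructed sample standing in for the real DEV_THOUGHTSPOT_SECRET value.
SAMPLE_BLOB = encode_blob({"TS_SECRET_KEY": "k-123", "TS_PUBLIC_API_URL": "https://ts.example"})
LAYOUT = {"Thoughtspot": ["TS_SECRET_KEY", "TS_PUBLIC_API_URL"]}


if __name__ == "__main__":
    # In a workflow step: run with DEV_THOUGHTSPOT_SECRET and GITHUB_ENV set by the runner.
    blobs = {"Thoughtspot": os.environ.get("DEV_THOUGHTSPOT_SECRET", SAMPLE_BLOB)}
    env_text, masks = render_step_output(build_secrets_map(blobs, LAYOUT))
    print(masks, end="")
    with open(os.environ.get("GITHUB_ENV", os.devnull), "a") as fh:
        fh.write(env_text)
```

In the workflow this replaces both the `Fetch-Environment-Secrets` outputs and the `custom_tf_vars_json` string: a single `run: python3 build_tf_vars.py` step in the job that runs Terraform, with the GitHub secret exposed through `env:`. A later `terraform apply` in the same job reads `TF_VAR_secrets` and populates the module's map directly, and a blank value fails the step with the offending key named rather than surfacing as an empty secret.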