Skip to content

libre-devops/terraform-github-actions-secrets

Repository files navigation

Terraform GitHub Actions Secrets

Manage GitHub Actions secrets and variables across the full scope matrix (repository, organization, environment) from one typed surface, using the integrations/github provider. Each secret takes its value either as a literal or synced from an Azure Key Vault secret, so a vault can be the source of truth for the values a pipeline needs.

CI Release Terraform Registry License


Not production grade for secret values (read this)

The GitHub provider has no write-only support for secrets, so the value of every secret this module sets is written to Terraform state (only marked sensitive; the feature request is open). Use it where that is acceptable (local, unshared state), or set genuinely sensitive secrets out of band (gh secret set or a helper) and keep this module for variables and non-sensitive config. Variables are not sensitive and have no such caveat.

What it does

  • Secrets and variables, each keyed by a stable logical name, routed to the right resource by a scope field: repository (default), organization, or environment.
  • Two value sources per secret: a literal value, or a Key Vault secret (key_vault_id + key_vault_secret_name) the module reads and syncs. Exactly one per secret.
  • Input validation for the scope, the required fields per scope, the organization visibility, and the one-source rule.

Providers

integrations/github is the primary provider. hashicorp/azurerm is required because the Key Vault sync reads through it; a caller that never uses the Key Vault source still configures a bare azurerm provider (no Azure call is made unless a Key Vault backed secret is present).

Examples

  • examples/minimal - one repository secret and variable from literals.
  • examples/complete - repository, environment and (gated) organization scopes, plus the (gated) Key Vault sync.

Requirements

Name Version
terraform >= 1.9.0, < 2.0.0
azurerm >= 4.0.0, < 5.0.0
github >= 6.0.0, < 7.0.0

Providers

Name Version
azurerm >= 4.0.0, < 5.0.0
github >= 6.0.0, < 7.0.0

Modules

No modules.

Resources

Name Type
github_actions_environment_secret.this resource
github_actions_environment_variable.this resource
github_actions_organization_secret.this resource
github_actions_organization_variable.this resource
github_actions_secret.repository resource
github_actions_variable.repository resource
azurerm_key_vault_secret.this data source

Inputs

Name Description Type Default Required
secrets GitHub Actions secrets to manage, keyed by a stable logical name.
secret_name the secret name in GitHub (defaults to the map key).
scope repository (default), organization, or environment.
repository required for repository and environment scopes.
environment required for environment scope.
visibility organization scope only: all, private, or selected.
selected_repository_ids organization scope with visibility = selected.
value a literal value (sensitive). Exactly one of value or key_vault_id.
key_vault_id + key_vault_secret_name read the value from a Key Vault secret and sync it
(key_vault_secret_name defaults to secret_name). Needs the azurerm provider
configured with data-plane access to the vault.
map(object({
secret_name = optional(string)
scope = optional(string, "repository")
repository = optional(string)
environment = optional(string)
visibility = optional(string)
selected_repository_ids = optional(list(number))
value = optional(string)
key_vault_id = optional(string)
key_vault_secret_name = optional(string)
}))
{} no
variables GitHub Actions variables to manage, keyed by a stable logical name.
variable_name the variable name in GitHub (defaults to the map key).
scope repository (default), organization, or environment.
repository required for repository and environment scopes.
environment required for environment scope.
visibility organization scope only: all, private, or selected.
selected_repository_ids organization scope with visibility = selected.
value the variable value.
map(object({
variable_name = optional(string)
scope = optional(string, "repository")
repository = optional(string)
environment = optional(string)
visibility = optional(string)
selected_repository_ids = optional(list(number))
value = string
}))
{} no

Outputs

Name Description
secret_names Managed secret names by logical key and scope (values are never exported).
synced_from_key_vault Logical keys of secrets whose value was synced from Key Vault.
variable_names Managed variable names by logical key and scope.

About

πŸ” Manage GitHub Actions secrets and variables across repo/org/environment scope, with optional Key Vault sync

Topics

Resources

License

Contributing

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors