Manage GitHub Actions secrets and variables across the full scope matrix (repository, organization, environment) from one typed surface, using the integrations/github provider. Each secret takes its value either as a literal or synced from an Azure Key Vault secret, so a vault can be the source of truth for the values a pipeline needs.
The GitHub provider has no write-only support for secrets, so the value of every secret this
module sets is written to Terraform state (only marked sensitive; the
feature request is open).
Use it where that is acceptable (local, unshared state), or set genuinely sensitive secrets out of
band (gh secret set or a helper) and keep this module for variables and non-sensitive config.
Variables are not sensitive and have no such caveat.
- Secrets and variables, each keyed by a stable logical name, routed to the right resource
by a
scopefield:repository(default),organization, orenvironment. - Two value sources per secret: a literal
value, or a Key Vault secret (key_vault_id+key_vault_secret_name) the module reads and syncs. Exactly one per secret. - Input validation for the scope, the required fields per scope, the organization visibility, and the one-source rule.
integrations/github is the primary provider. hashicorp/azurerm is required because the Key Vault
sync reads through it; a caller that never uses the Key Vault source still configures a bare
azurerm provider (no Azure call is made unless a Key Vault backed secret is present).
examples/minimal- one repository secret and variable from literals.examples/complete- repository, environment and (gated) organization scopes, plus the (gated) Key Vault sync.
| Name | Version |
|---|---|
| terraform | >= 1.9.0, < 2.0.0 |
| azurerm | >= 4.0.0, < 5.0.0 |
| github | >= 6.0.0, < 7.0.0 |
| Name | Version |
|---|---|
| azurerm | >= 4.0.0, < 5.0.0 |
| github | >= 6.0.0, < 7.0.0 |
No modules.
| Name | Type |
|---|---|
| github_actions_environment_secret.this | resource |
| github_actions_environment_variable.this | resource |
| github_actions_organization_secret.this | resource |
| github_actions_organization_variable.this | resource |
| github_actions_secret.repository | resource |
| github_actions_variable.repository | resource |
| azurerm_key_vault_secret.this | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| secrets | GitHub Actions secrets to manage, keyed by a stable logical name. secret_name the secret name in GitHub (defaults to the map key). scope repository (default), organization, or environment. repository required for repository and environment scopes. environment required for environment scope. visibility organization scope only: all, private, or selected. selected_repository_ids organization scope with visibility = selected. value a literal value (sensitive). Exactly one of value or key_vault_id. key_vault_id + key_vault_secret_name read the value from a Key Vault secret and sync it (key_vault_secret_name defaults to secret_name). Needs the azurerm provider configured with data-plane access to the vault. |
map(object({ |
{} |
no |
| variables | GitHub Actions variables to manage, keyed by a stable logical name. variable_name the variable name in GitHub (defaults to the map key). scope repository (default), organization, or environment. repository required for repository and environment scopes. environment required for environment scope. visibility organization scope only: all, private, or selected. selected_repository_ids organization scope with visibility = selected. value the variable value. |
map(object({ |
{} |
no |
| Name | Description |
|---|---|
| secret_names | Managed secret names by logical key and scope (values are never exported). |
| synced_from_key_vault | Logical keys of secrets whose value was synced from Key Vault. |
| variable_names | Managed variable names by logical key and scope. |