Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Secrets cannot be set in tfaction.yaml #1564

Closed
florianmutter opened this issue Mar 5, 2024 · 6 comments
Closed

Secrets cannot be set in tfaction.yaml #1564

florianmutter opened this issue Mar 5, 2024 · 6 comments
Labels
bug Something isn't working
Milestone

Comments

@florianmutter
Copy link
Contributor

tfaction version

1.2.0

Overview

Adding secrets to tfaction.yaml does not result in secrets being added as environment variables

How to reproduce

tfaction-root.yaml

# Main configuration for tfaction workflow. See https://suzuki-shunsuke.github.io/tfaction/docs/config/tfaction-root-yaml
plan_workflow_name: tfaction

tfsec:
  enabled: false
tflint:
  enabled: false
trivy:
  enabled: false

conftest_policy_directory: infrastructure/terraform/gcp/policy

target_groups:
  - working_directory: infrastructure/terraform/
    # Use folder path below infrastructure/terraform/ for labels. Can be removed when https://github.com/suzuki-shunsuke/tfaction/issues/1502 is fixed
    target: ""

tfaction.yaml

terraform_plan_config:
  ...
terraform_apply_config:
...
secrets:
  - env_name: SOME_SECRET
    secret_name: SOME_SECRET

GitHub Actions Workflow

...
      - uses: suzuki-shunsuke/tfaction/export-secrets@b03dfcc9d26de824ca0d7fc385d0bb4986d6642e # v1.2.0
        with:
          secrets: ${{ toJSON(secrets) }}
...

Other related code such as local Registry

GitHub Actions' log

No output from export-secrets step.

Expected behaviour

export-secrets action should use target config respecting tfaction.yaml

Actual behaviour

export-secrets only reads tfaction-root.yaml

Important Factoids

With tfaction-root.yaml like this it works with the exact same workflow:

# Main configuration for tfaction workflow. See https://suzuki-shunsuke.github.io/tfaction/docs/config/tfaction-root-yaml
plan_workflow_name: tfaction

tfsec:
  enabled: false
tflint:
  enabled: false
trivy:
  enabled: false

conftest_policy_directory: infrastructure/terraform/gcp/policy

target_groups:
  - working_directory: infrastructure/terraform/
    target: ""
    secrets:
      - env_name: SOME_SECRET
        secret_name: SOME_SECRET

Note

No response

@florianmutter florianmutter added the bug Something isn't working label Mar 5, 2024
@suzuki-shunsuke
Copy link
Owner

Thank you for your report.

Is the GitHub Actions Secret SOME_SECRET set correctly?
For example, if you separate GitHub Actions Workflows with reusable workflows, maybe the secret isn't passed to the workflow.

@ponkio-o
Copy link
Contributor

Hi, I'm facing the same exactly issue. I solved this problem by switching to AWS Secrets Manager 😂

my tfaction-root.yaml

...
target_groups:
  - working_directory: fastly
    target: fastly
    aws_region: ap-northeast-1
    terraform_command: terraform
    drift_detection:
      enabled: true
    terraform_plan_config:
      aws_assume_role_arn: arn:aws:iam::123412341234:role/github-actions-terraform-plan-role
    terraform_apply_config:
      aws_assume_role_arn: arn:aws:iam::123412341234:role/github-actions-terraform-apply-role
    secrets:
      - env_name: FASTLY_API_KEY
        secret_name: FASTLY_API_KEY

For example, if you separate GitHub Actions Workflows with reusable workflows, maybe the secret isn't passed to the workflow.

I'm using the exact same workflow with reference to suzuki-shunsuke/tfaction-example.
If the resauble workflow is the problem, I thought it would be better to fix the example repository or added description for this.

@suzuki-shunsuke
Copy link
Owner

suzuki-shunsuke commented Mar 16, 2024

@ponkio-o @florianmutter

Could you try v1.3.1-1?

https://github.com/suzuki-shunsuke/tfaction/releases/tag/v1.3.1-1

This release has a update of the action export-secrets to output the list of secret names for troubleshooting.
The log is useful to check if secrets are passed to the action properly.

If secrets aren't passed properly, this isn't a bug of tfaction.
You should check your workflow and the usage of tfaction.

@ponkio-o
Copy link
Contributor

Hi, thank you for release the v1.3.1-1. I confirmed that secrets are not passed across workflow.

See.
CleanShot 2024-03-17 at 12 54 33

So, I think this behavior is correct and not a bug of tfaction.

@suzuki-shunsuke
Copy link
Owner

Yeah, so you need to pass secrets to a reusable workflow.

https://docs.github.com/en/actions/using-workflows/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idsecrets

We should add the description about this to tfaction-example and tfaction-docs.

@suzuki-shunsuke
Copy link
Owner

Released v1.3.1 and updated tfaction-example and tfaction-docs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
No open projects
Archived in project
Development

No branches or pull requests

3 participants