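terraform {
  # The `cloud` block below only exists in Terraform 1.1 and later; declare that
  # so older CLIs fail with a clear version error instead of a parse error.
  required_version = ">= 1.1.0"

  required_providers {
    akeyless = {
      source = "akeyless-community/akeyless"
      # Pessimistic constraint (was ">= 1.0.0"): still accepts any 1.x release,
      # but a future major version is no longer pulled in automatically.
      version = "~> 1.0"
    }
    github = {
      source  = "integrations/github"
      version = "~> 5.0"
    }
  }

  # Runs and state live in Terraform Cloud; the workspace supplies the input
  # variables declared further down in this file.
  cloud {
    organization = "work-demos"
    workspaces {
      name = "terraform-cloud-gha-secrets"
    }
  }
}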
# Configure the Akeyless Provider
provider "akeyless" {
  # Authenticate with the Terraform Cloud workload-identity JWT instead of a
  # long-lived Akeyless credential; both inputs come from workspace variables.
  jwt_login {
    access_id = var.AKEYLESS_ACCESS_ID
    jwt       = var.AKEYLESS_AUTH_JWT
  }

  api_gateway_address = "https://api.akeyless.io"
}
# Configure the GitHub Provider
provider "github" {
  # Token comes from a workspace variable; `owner` is the organisation that the
  # github_actions_secret resources are created under.
  token = var.GITHUB_TOKEN
  owner = "akeyless-community"
}
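variable "GITHUB_TOKEN" {
  type        = string
  description = "GitHub token with repo scope."
  # This is a credential: mark it sensitive so it is redacted from plan/apply
  # output and run logs.
  sensitive = true
}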
variable "AKEYLESS_ACCESS_ID" {
  # Identifier of the auth method, not a secret; paired with AKEYLESS_AUTH_JWT
  # in the akeyless provider's jwt_login block.
  description = "Access ID for the JWT Auth Method for Terraform cloud. Provided by Terraform Cloud through a terraform variable added to the workspace."
  type        = string
}
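variable "GITHUB_REPO" {
  type        = string
  description = "GitHub org/repository full name. Provided by Terraform Cloud through a terraform variable added to the workspace."

  # Catch a missing or blank workspace variable at plan time rather than as a
  # GitHub API error during apply.
  validation {
    condition     = length(trimspace(var.GITHUB_REPO)) > 0
    error_message = "GITHUB_REPO must not be empty."
  }

  # NOTE(review): this value is passed to github_actions_secret.repository while
  # the provider also sets `owner`; the github provider appears to expect a bare
  # repository name there, which seems at odds with the "org/repository" wording
  # above — confirm which form the workspace actually supplies.
}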
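variable "AKEYLESS_AUTH_JWT" {
  type        = string
  description = "Terraform Cloud Workload Identity JWT for authentication into Akeyless. Provided by Terraform Cloud through an agent pool and hooks."
  # Bearer token for the Akeyless login: keep it out of plan/apply output and
  # run logs.
  sensitive = true
}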
variable "AKEYLESS_DYNAMIC_SECRET_FULL_PATH" {
  # Item path only; the secret material itself is fetched by the
  # akeyless_dynamic_secret data source.
  description = "Full path to the azure dynamic secret in Akeyless. Provided by Terraform Cloud through a terraform variable added to the workspace."
  type        = string
}
data "akeyless_dynamic_secret" "secret" {
  # Fetches the dynamic secret at the workspace-supplied path using the JWT
  # login configured on the akeyless provider. Its `value` is consumed below
  # as a JSON string (see the jsondecode() calls).
  path = var.AKEYLESS_DYNAMIC_SECRET_FULL_PATH
}
output "github_repository" {
  # Echo of the workspace-supplied repository name, so a run shows which
  # repository the github_actions_secret resources were written to.
  value = var.GITHUB_REPO
}
output "akeyless_secret" {
  # Raw (still JSON-encoded) dynamic-secret payload. `sensitive` redacts it from
  # CLI output, but it is still recorded in state, so state access must be
  # treated as access to the credential.
  sensitive = true
  value     = data.akeyless_dynamic_secret.secret.value
}
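# Decode the dynamic-secret payload once instead of repeating the nested
# jsondecode() in every consumer. The data source's `value` is a JSON string
# whose "secret" member is itself a JSON string; the fields read below are
# tenantId, appId and secretText.
locals {
  azure_sp = jsondecode(jsondecode(data.akeyless_dynamic_secret.secret.value).secret)
}

# Decoded service-principal object for callers that want the whole payload.
# `sensitive` redacts it from CLI output only; it is still stored in state.
output "akeyless_secret_json" {
  value     = local.azure_sp
  sensitive = true
}

# The subscription ID is not taken from the secret payload; it used to be a
# literal inside the resource below. A variable with the same default keeps the
# current behaviour while letting other environments override it without
# editing this file.
variable "ARM_SUBSCRIPTION_ID" {
  type        = string
  description = "Azure subscription ID written to the ARM_SUBSCRIPTION_ID repository secret."
  default     = "07f75d77-80cc-46a1-b821-22dc487c154e"
}

# Each resource below sends one value to GitHub as an encrypted repository
# secret. Terraform state records plaintext_value for these resources, so the
# workspace's state is as sensitive as the credentials themselves.
resource "github_actions_secret" "subscription_id" {
  repository      = var.GITHUB_REPO
  secret_name     = "ARM_SUBSCRIPTION_ID"
  plaintext_value = var.ARM_SUBSCRIPTION_ID
}

# Placeholder secret with a fixed dummy value. Left in place so an apply does
# not delete the existing repository secret; remove it once nothing reads
# ARM_SUBSCRIPTION_ID_JWT.
resource "github_actions_secret" "test" {
  repository      = var.GITHUB_REPO
  secret_name     = "ARM_SUBSCRIPTION_ID_JWT"
  plaintext_value = "booga booga"
}

# Service-principal fields; the ARM_* names match the environment variables the
# azurerm provider reads in a GitHub Actions job.
resource "github_actions_secret" "tenant_id" {
  repository      = var.GITHUB_REPO
  secret_name     = "ARM_TENANT_ID"
  plaintext_value = local.azure_sp.tenantId
}

resource "github_actions_secret" "client_id" {
  repository      = var.GITHUB_REPO
  secret_name     = "ARM_CLIENT_ID"
  plaintext_value = local.azure_sp.appId
}

resource "github_actions_secret" "client_secret" {
  repository      = var.GITHUB_REPO
  secret_name     = "ARM_CLIENT_SECRET"
  plaintext_value = local.azure_sp.secretText
}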