initial commit

.gitignore

@@ -0,0 +1,118 @@
+# Created by https://www.toptal.com/developers/gitignore/api/macos,windows,terraform,visualstudiocode
+# Edit at https://www.toptal.com/developers/gitignore?templates=macos,windows,terraform,visualstudiocode
+
+### macOS ###
+# General
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+### macOS Patch ###
+# iCloud generated files
+*.icloud
+
+### Terraform ###
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+### VisualStudioCode ###
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+!.vscode/*.code-snippets
+
+# Local History for Visual Studio Code
+.history/
+
+# Built Visual Studio Code Extensions
+*.vsix
+
+### VisualStudioCode Patch ###
+# Ignore all local history of files
+.history
+.ionide
+
+### Windows ###
+# Windows thumbnail cache files
+Thumbs.db
+Thumbs.db:encryptable
+ehthumbs.db
+ehthumbs_vista.db
+
+# Dump file
+*.stackdump
+
+# Folder config file
+[Dd]esktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Windows Installer files
+*.cab
+*.msi
+*.msix
+*.msm
+*.msp
+
+# Windows shortcuts
+*.lnk
+
+# End of https://www.toptal.com/developers/gitignore/api/macos,windows,terraform,visualstudiocode

.vscode/settings.json

@@ -0,0 +1,17 @@
+{
+    "terraform.experimentalFeatures.validateOnSave": true,
+    "[terraform]": {
+        "editor.defaultFormatter": "hashicorp.terraform",
+        "editor.formatOnSave": true,
+        "editor.formatOnSaveMode": "file"
+    },
+    "[terraform-vars]": {
+        "editor.defaultFormatter": "hashicorp.terraform",
+        "editor.formatOnSave": true,
+        "editor.formatOnSaveMode": "file"
+    },
+    "cSpell.words": [
+        "azurerm",
+        "jsondecode"
+    ]
+}

main.tf

@@ -0,0 +1,104 @@
+terraform {
+  required_providers {
+    akeyless = {
+      version = ">= 1.0.0"
+      source  = "akeyless-community/akeyless"
+    }
+    github = {
+      source  = "integrations/github"
+      version = "~> 5.0"
+    }
+  }
+
+  cloud {
+    organization = "work-demos"
+
+    workspaces {
+      name = "terraform-cloud-gha-secrets"
+    }
+  }
+}
+
+# Configure the Akeyless Provider
+provider "akeyless" {
+  api_gateway_address = "https://api.akeyless.io"
+
+  jwt_login {
+    access_id = var.AKEYLESS_ACCESS_ID
+    jwt       = var.AKEYLESS_AUTH_JWT
+  }
+}
+
+# Configure the GitHub Provider
+provider "github" {
+  owner = "akeyless-community"
+  token = var.GITHUB_TOKEN
+}
+
+variable "GITHUB_TOKEN" {
+  type        = string
+  description = "GitHub token with repo scope."
+}
+
+variable "AKEYLESS_ACCESS_ID" {
+  type        = string
+  description = "Access ID for the JWT Auth Method for Terraform cloud. Provided by Terraform Cloud through a terraform variable added to the workspace."
+}
+
+variable "GITHUB_REPO" {
+  type        = string
+  description = "GitHub org/repository full name. Provided by Terraform Cloud through a terraform variable added to the workspace."
+}
+
+variable "AKEYLESS_AUTH_JWT" {
+  type        = string
+  description = "Terraform Cloud Workload Identity JWT for authentication into Akeyless. Provided by Terraform Cloud through an agent pool and hooks."
+}
+
+variable "AKEYLESS_DYNAMIC_SECRET_FULL_PATH" {
+  type        = string
+  description = "Full path to the azure dynamic secret in Akeyless. Provided by Terraform Cloud through a terraform variable added to the workspace."
+}
+
+data "akeyless_dynamic_secret" "secret" {
+  path = var.AKEYLESS_DYNAMIC_SECRET_FULL_PATH
+}
+
+output "github_repository" {
+  value = var.GITHUB_REPO
+}
+
+output "akeyless_secret" {
+  value     = data.akeyless_dynamic_secret.secret.value
+  sensitive = true
+}
+
+output "akeyless_secret_json" {
+  value     = jsondecode(jsondecode(data.akeyless_dynamic_secret.secret.value).secret)
+  sensitive = true
+}
+
+resource "github_actions_secret" "subscription_id" {
+  repository      = var.GITHUB_REPO
+  secret_name     = "ARM_SUBSCRIPTION_ID"
+  plaintext_value = "07f75d77-80cc-46a1-b821-22dc487c154e"
+}
+
+
+resource "github_actions_secret" "tenant_id" {
+  repository      = var.GITHUB_REPO
+  secret_name     = "ARM_TENANT_ID"
+  plaintext_value = jsondecode(jsondecode(data.akeyless_dynamic_secret.secret.value).secret).tenantId
+}
+
+resource "github_actions_secret" "client_id" {
+  repository      = var.GITHUB_REPO
+  secret_name     = "ARM_CLIENT_ID"
+  plaintext_value = jsondecode(jsondecode(data.akeyless_dynamic_secret.secret.value).secret).appId
+}
+
+resource "github_actions_secret" "client_secret" {
+  repository      = var.GITHUB_REPO
+  secret_name     = "ARM_CLIENT_SECRET"
+  plaintext_value = jsondecode(jsondecode(data.akeyless_dynamic_secret.secret.value).secret).secretText
+}