chainguard-dev / terraform-infra-common

A repository containing a collection of "glue" modules for encapsulating common Cloud Run patterns.
Apache License 2.0

octo-sts-secret: New terraform module for rotating GitHub tokens #413

Open pdeslaur opened 2 months ago

pdeslaur commented 2 months ago

This module allows storing an octo-sts token in a Google Cloud Secret in order to:

  1. Allow a Google Cloud service to access a GitHub repo (Google Cloud Build, Google Cloud Dataform)
  2. (not recommended) Share a cached GitHub secret between services

The main use case is (1) - but it also makes (2) possible if really needed.

pdeslaur commented 1 month ago

What's the monitoring plan here? As I assume if the rotation fails, a bunch of workflows will start running into auth issues?

Good question! I added a monitoring dashboard to the component. This is using the standard cron module, so we get the same monitoring capabilities via notifications. Basically, monitoring can be configured with the rotate job or with the downstream service.

k4leung4 commented 1 month ago

One more question:

Does it make sense to keep the previously active secret around but disabled? The motivation is that if some logic in octosts changed and the new secret is not functioning as expected, there is no rollback story, as the previous secret would be deleted at this point.

pdeslaur commented 1 month ago

One more question:

Does it make sense to keep the previously active secret around but disabled? The motivation is that if some logic in octosts changed and the new secret is not functioning as expected, there is no rollback story, as the previous secret would be deleted at this point.

That's a good idea - I like it. I'll make the change!
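The version lifecycle agreed on above (new version enabled, previous one kept disabled as a rollback target, older ones destroyed), as an added illustration that is not part of this PR or the module's code. It assumes an in-memory stand-in for Secret Manager version states; the real rotation job would issue the equivalent Secret Manager API calls.

```go
package main

import "fmt"

// Constructed in-memory model of Secret Manager version states (assumption:
// the real rotation job would issue the equivalent Secret Manager API calls).
type State int

const Enabled, Disabled, Destroyed State = 0, 1, 2

// Secret holds versions in creation order; version numbers are 1-based.
type Secret struct{ versions []State }

// Rotate stores a fresh token as the only ENABLED version. The previously active
// version is DISABLED, not destroyed, so it stays a rollback target; older ones are DESTROYED.
func (s *Secret) Rotate() int {
	for i, st := range s.versions {
		switch st {
		case Enabled:
			s.versions[i] = Disabled
		case Disabled:
			s.versions[i] = Destroyed
		}
	}
	s.versions = append(s.versions, Enabled)
	return len(s.versions)
}

// Active returns the ENABLED version number, or 0 if none is enabled.
func (s *Secret) Active() int {
	for i, st := range s.versions {
		if st == Enabled {
			return i + 1
		}
	}
	return 0
}

// Rollback re-enables the newest DISABLED version older than the active one
// and disables the current one; it fails when no such fallback exists.
func (s *Secret) Rollback() (int, error) {
	cur := s.Active()
	for v := cur - 1; v >= 1; v-- {
		if s.versions[v-1] == Disabled {
			s.versions[v-1], s.versions[cur-1] = Enabled, Disabled
			return v, nil
		}
	}
	return 0, fmt.Errorf("no disabled predecessor of version %d to roll back to", cur)
}
```

Because only one disabled predecessor is retained, a second consecutive rollback fails; a rollback that has to reach further back needs the retention rule in Rotate to keep more than one disabled version.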