getsentry / tacos-gha

Terraform Automation & Collaboration Software (TACOS) help organizations to scale the use of Terraform by enabling collaboration through governance, access controls, and automation of Terraform runs.
Apache License 2.0

Support passing provider custom secrets to TACOs #225

Open fpacifici opened 5 months ago

fpacifici commented 5 months ago

Some Terraform providers need secrets for authentication. For example, the Datadog one and the PagerDuty one.

TACOs does not, as of today, provide a way to supply those secrets, as they are specific to the slices and providers the client is using.

This PR adds a new secret to all the actions where the secret is needed: plan, apply, drift detection. This secret is provided as a JSON object where each key represents a secret.

The setup action unpacks it and sets one environment variable for Terraform per secret. It also ensures all the secret values are masked.

Secrets are going to be provided to Terraform as variables by setting TF_VAR_ environment variables. This happens once per secret.

See it working on this PR: https://github.com/getsentry/ops/actions/runs/9521154268. I checked that the secret is never visible in the log.
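The unpacking step described in the PR (parse the JSON object, mask each value, export one TF_VAR_ per key) as an added example; this is illustration code, not the tacos-gha setup action itself. The input name PROVIDER_SECRETS, the heredoc delimiter and the sample key names and values are assumptions made up for the example.

```python
import json
import os
import re

# Terraform variable names, and therefore the suffix of TF_VAR_<name>, must be identifiers.
_VAR_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed sample of the JSON object secret; key names and values are made up.
SAMPLE_SECRETS = json.dumps({
    "datadog_api_key": "dd-example-0123",
    "pagerduty_token": "pd-example-4567",
})


def unpack_provider_secrets(blob):
    """Parse the JSON object into {terraform_variable_name: value}.

    Only a flat object of non-empty strings is accepted: a nested value would
    otherwise be stringified and silently passed to Terraform, and a key that
    is not a valid variable name would yield a TF_VAR_ that Terraform ignores.
    """
    try:
        obj = json.loads(blob)
    except json.JSONDecodeError as exc:
        raise ValueError(f"provider secrets are not valid JSON: {exc.msg}") from None
    if not isinstance(obj, dict):
        raise ValueError("provider secrets must be a JSON object")
    secrets = {}
    for key, value in obj.items():
        if not _VAR_NAME.match(key):
            raise ValueError(f"secret key {key!r} is not a valid Terraform variable name")
        if not isinstance(value, str) or value == "":
            raise ValueError(f"secret {key!r} must be a non-empty string")
        secrets[key] = value
    return secrets


def _escape_command_data(text):
    # The runner percent-decodes workflow-command data, so a literal '%' must be encoded.
    return text.replace("%", "%25")


def mask_commands(secrets):
    """Workflow commands that make the runner redact each value from the job log.

    The runner masks the whole GitHub secret (the JSON blob) automatically, but
    not substrings of it, so every extracted value needs its own ::add-mask::.
    A mask matches one line, so multiline values are masked line by line.
    """
    commands = []
    for value in secrets.values():
        for line in value.splitlines():
            if line.strip():
                commands.append(f"::add-mask::{_escape_command_data(line)}")
    return commands


def env_file_lines(secrets):
    """Lines to append to $GITHUB_ENV so later steps see TF_VAR_<name>.

    Single-line values use NAME=value; multiline values use the heredoc form
    NAME<<DELIM ... DELIM that the runner accepts.
    """
    lines = []
    for key, value in secrets.items():
        name = f"TF_VAR_{key}"
        if "\n" in value:
            delim = "TACOS_SECRET_EOF"  # assumed delimiter; extended until it cannot occur in the value
            while delim in value:
                delim += "_"
            lines.append(f"{name}<<{delim}")
            lines.extend(value.splitlines())
            lines.append(delim)
        else:
            lines.append(f"{name}={value}")
    return lines


def main():
    # PROVIDER_SECRETS is an assumed name for the input carrying the JSON blob.
    blob = os.environ.get("PROVIDER_SECRETS") or SAMPLE_SECRETS
    secrets = unpack_provider_secrets(blob)
    # Register the masks before anything could echo a value.
    for command in mask_commands(secrets):
        print(command)
    env_path = os.environ.get("GITHUB_ENV")
    if env_path:
        with open(env_path, "a", encoding="utf-8") as fh:
            fh.write("\n".join(env_file_lines(secrets)) + "\n")
    else:
        # Outside Actions there is no $GITHUB_ENV; show what would be appended.
        print("\n".join(env_file_lines(secrets)))


if __name__ == "__main__":
    main()
```

Two points worth checking in a real run: the ::add-mask:: lines must be emitted before any step that could print a value, since a mask only applies to output produced after the runner sees the command, and the JSON blob itself should be stored as a GitHub secret so the whole object is masked even if the per-value masking is skipped by mistake.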

mwarkentin commented 4 months ago

These secrets are global (across all slices)? Trying to think if there are cases where we might need to have different secrets depending on what you're applying.

GCP is the main one that sticks out, but that is already handled by using OIDC authentication.