[Enhancement]: Allow CodeBuild Source Credentials Resource to leverage Secrets Manager/Parameter Store

[stevebott]

Description

Allow CodeBuild Source Credentials Resource (aws_codebuild_source_credential) to leverage Secrets Manager or Parameter Store for the token, vs. requiring the token to be stored in the terraform code as plain text.

Affected Resource(s) and/or Data Source(s)

• aws_codebuild_source_credential

Potential Terraform Configuration

resource "aws_codebuild_source_credential" "secret-example" {
  auth_type   = "PERSONAL_ACCESS_TOKEN"
  server_type = "GITHUB"
  token       = {
    value = "arn:aws:secretsmanager:<region>:<account>:secret:github-secrets:access-token"
    type  = "SECRETS_MANAGER"
  }

resource "aws_codebuild_source_credential" "parameter-example" {
  auth_type   = "PERSONAL_ACCESS_TOKEN"
  server_type = "GITHUB"
  token       = {
    value = "arn:aws:ssm:<region>:<account>:parameter/github/access-tokenS"
    type  = "PARAMETER_STORE"
  }

resource "aws_codebuild_source_credential" "plain-example-full" {
  auth_type   = "PERSONAL_ACCESS_TOKEN"
  server_type = "GITHUB"
  token       = {
    value = "xxxxxxxxxxxxxxxxxxxxxxxxxx"
    type  = "PLAINTEXT"
  }

resource "aws_codebuild_source_credential" "plain-example-minimal" {
  auth_type   = "PERSONAL_ACCESS_TOKEN"
  server_type = "GITHUB"
  token       = "xxxxxxxxxxxxxxxxxxxxxxxxxx"
}

References

No response

Would you like to implement a fix?

No

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[DrFaust92]

This is not currently supported by AWS API https://docs.aws.amazon.com/codebuild/latest/APIReference/API_ImportSourceCredentials.html

[terenho]

It seems to be supported now. I can do

resource "aws_codebuild_source_credential" "secret-example" {
  auth_type   = "SECRETS_MANAGER"
  server_type = "GITHUB"
  token       = "arn:aws:secretsmanager:<region>:<account>:secret:github-secrets-XXXXXX"
}

https://docs.aws.amazon.com/codebuild/latest/APIReference/API_ImportSourceCredentials.html also mentions we can put secrets manager arn as the token