@felddy felddy commented Feb 22, 2020

🗣 Description

Add the iam-to-github tool. Creates GitHub secrets for use in GitHub Actions.

💭 Motivation and Context

We have a similar tool for our previous CI (Travis).
Terraform no longer displays the secret keys in show state.
This is a nice thing to have.

Features:

  • Requires a GitHub token (PAT), and detects everything else.
  • It will detect the repo itself, but it can be overridden with the --repo option.
  • I did a bit of future-proofing. We don't have any multi-user workflows yet, but this should
    handle those nicely. If more than one user is found it will inform the user how to proceed.
  • There is a --user option to be used to filter users down to one. And a --suffix option that can modify the names used to store secrets.

🧪 Testing

I tested this on a personal repository as well as cisagov/ansible-role-dev-ssh-access

(@dav3r I may have clobbered any secrets you put out there. If the terraform state changed since we debugged it.)

📷 Screenshots (if appropriate)

Screen Shot 2020-02-22 at 16 14 34

Don't worry, I rolled the key in the screenshot before I posted the image. 😛

🚥 Types of Changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (causes existing functionality to change)

✅ Checklist

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.
  • All new and existing tests passed.

mcdonnnj and others added 16 commits February 10, 2020 10:39
Cleanup Linux instructions and add WSL references to CONTRIBUTING.md
Update actions/checkout to v2
Update formatting to match downstream children
…n_and_checkout_action

Update Python and actions/checkout Versions
Update pre-commit hooks (and flip Actions cache order in workflow).
Adds the ability to filter users.  Adds better pre-launch checks.  Adds 
ability to add suffixes to secret names.
@felddy felddy self-assigned this Feb 22, 2020
@felddy felddy marked this pull request as ready for review February 22, 2020 21:35
@felddy felddy requested review from a team, dav3r, jsf9k and mcdonnnj as code owners February 22, 2020 21:35
@jsf9k jsf9k left a comment

Approved, but please see my one comment/question.

@dav3r dav3r left a comment

This looks awesome- can't wait to use it! 🎸
I noted a few superficial items to clean up.

@mcdonnnj mcdonnnj left a comment

This looks really solid. Strong work 💪
I did have some superficial/preferential stuff for consideration.

@felddy felddy merged commit 84091a5 into develop Feb 24, 2020