Secrets cannot be set in tfaction.yaml

[florianmutter]

tfaction version

1.2.0

Overview

Adding secrets to tfaction.yaml does not result in secrets being added as environment variables

How to reproduce

tfaction-root.yaml

# Main configuration for tfaction workflow. See https://suzuki-shunsuke.github.io/tfaction/docs/config/tfaction-root-yaml
plan_workflow_name: tfaction

tfsec:
  enabled: false
tflint:
  enabled: false
trivy:
  enabled: false

conftest_policy_directory: infrastructure/terraform/gcp/policy

target_groups:
  - working_directory: infrastructure/terraform/
    # Use folder path below infrastructure/terraform/ for labels. Can be removed when https://github.com/suzuki-shunsuke/tfaction/issues/1502 is fixed
    target: ""

tfaction.yaml

terraform_plan_config:
  ...
terraform_apply_config:
...
secrets:
  - env_name: SOME_SECRET
    secret_name: SOME_SECRET

GitHub Actions Workflow

...
      - uses: suzuki-shunsuke/tfaction/export-secrets@b03dfcc9d26de824ca0d7fc385d0bb4986d6642e # v1.2.0
        with:
          secrets: ${{ toJSON(secrets) }}
...

Other related code such as local Registry

GitHub Actions' log

No output from export-secrets step.

Expected behaviour

export-secrets action should use target config respecting tfaction.yaml

Actual behaviour

export-secrets only reads tfaction-root.yaml

Important Factoids

With tfaction-root.yaml like this it works with the exact same workflow:

# Main configuration for tfaction workflow. See https://suzuki-shunsuke.github.io/tfaction/docs/config/tfaction-root-yaml
plan_workflow_name: tfaction

tfsec:
  enabled: false
tflint:
  enabled: false
trivy:
  enabled: false

conftest_policy_directory: infrastructure/terraform/gcp/policy

target_groups:
  - working_directory: infrastructure/terraform/
    target: ""
    secrets:
      - env_name: SOME_SECRET
        secret_name: SOME_SECRET

Note

No response

[suzuki-shunsuke]

Thank you for your report.

Is the GitHub Actions Secret SOME_SECRET set correctly?
For example, if you separate GitHub Actions Workflows with reusable workflows, maybe the secret isn't passed to the workflow.

[ponkio-o]

Hi, I'm facing the same exactly issue. I solved this problem by switching to AWS Secrets Manager 😂

my tfaction-root.yaml

...
target_groups:
  - working_directory: fastly
    target: fastly
    aws_region: ap-northeast-1
    terraform_command: terraform
    drift_detection:
      enabled: true
    terraform_plan_config:
      aws_assume_role_arn: arn:aws:iam::123412341234:role/github-actions-terraform-plan-role
    terraform_apply_config:
      aws_assume_role_arn: arn:aws:iam::123412341234:role/github-actions-terraform-apply-role
    secrets:
      - env_name: FASTLY_API_KEY
        secret_name: FASTLY_API_KEY

For example, if you separate GitHub Actions Workflows with reusable workflows, maybe the secret isn't passed to the workflow.

I'm using the exact same workflow with reference to suzuki-shunsuke/tfaction-example.
If the resauble workflow is the problem, I thought it would be better to fix the example repository or added description for this.

[suzuki-shunsuke]

@ponkio-o @florianmutter

Could you try v1.3.1-1?

https://github.com/suzuki-shunsuke/tfaction/releases/tag/v1.3.1-1

This release has a update of the action export-secrets to output the list of secret names for troubleshooting.
The log is useful to check if secrets are passed to the action properly.

If secrets aren't passed properly, this isn't a bug of tfaction.
You should check your workflow and the usage of tfaction.

[ponkio-o]

Hi, thank you for release the v1.3.1-1. I confirmed that secrets are not passed across workflow.

See.

So, I think this behavior is correct and not a bug of tfaction.

[suzuki-shunsuke]

Yeah, so you need to pass secrets to a reusable workflow.

https://docs.github.com/en/actions/using-workflows/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idsecrets

We should add the description about this to tfaction-example and tfaction-docs.

[suzuki-shunsuke]

Released v1.3.1 and updated tfaction-example and tfaction-docs.

• https://github.com/suzuki-shunsuke/tfaction/releases/tag/v1.3.1
• style: add code comment to export-secrets tfaction-example#2544
• add the troubleshooting for export-secrets tfaction-docs#230