isovalent/terraform-vault-github-sync

Vault - Github Secrets Syncer

This Terraform module manages GitHub Actions secrets and variables at different scopes (organization, repository, environment).

Care has been taken to cover all of the functionality involved in secret and variable creation. This module does not manage Dependabot secrets and variables.

Organization Secrets and Variables

Creating an organization secret / variable exposes the following knobs for controlling its visibility.

  • visibility - all, private, selected
  • repositories - a list of repositories to which the item should be scoped. (applicable only for selected visibility)

Repository Secrets and Variables

A Repository Secret is available to the repository in question. It can have the same name as an organization secret / variable, and takes precedence over the organization-level item.

Environment Secrets and Variables

An Environment Secret is available only to the specific environment in question. It can have the same name as an organization and/or repository secret / variable, and takes precedence over the items from both of the other scopes.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.5.0 |
| github | ~> 6.0 |
| sodium | 0.0.3 |
| vault | ~> 5.1.0 |

Providers

| Name | Version |
|------|---------|
| github | ~> 6.0 |
| sodium | 0.0.3 |
| vault | ~> 5.1.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| github_actions_environment_secret.secret | resource |
| github_actions_environment_variable.variable | resource |
| github_actions_organization_secret.secret | resource |
| github_actions_organization_variable.variable | resource |
| github_actions_secret.secret | resource |
| github_actions_variable.variable | resource |
| github_actions_organization_public_key.org_public_key | data source |
| github_actions_public_key.repo_public_key | data source |
| github_app_token.app_token | data source |
| github_repository.selected_repositories | data source |
| sodium_encrypted_item.encrypted_item | data source |
| vault_generic_secret.app_key | data source |
| vault_generic_secret.secret | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| environment | GitHub repository environment name | `string` | `""` | no |
| github_app_pem_path | Path to the GitHub App PEM key in Vault | `string` | `"secret/path/to/github/app/pem"` | no |
| github_svt | GitHub Secret / Variable / Token configuration (object type and default shown below) | `object({...})` | see below | no |
| organization | GitHub organization name | `string` | `"your-org"` | no |
| repository | GitHub repository name | `string` | `""` | no |
| type | Type of the GitHub Actions configuration | `string` | `"secret"` | no |

Type of `github_svt`:

```hcl
object({
  name            = string                       # Name of the secret
  key             = string                       # Key for the secret
  path            = optional(string, "")         # Path to the secret in Vault (overrides default path construction)
  app_id          = optional(number, 0)          # GitHub App ID (if applicable)
  installation_id = optional(number, 0)          # GitHub App Installation ID (if applicable)
  team            = optional(string, "devops")   # Team associated with the secret
  visibility      = optional(string, "all")      # Visibility of the secret (e.g., 'all', 'selected')
  repositories    = optional(list(string), [])   # List of repository IDs for selected visibility
})
```

Default of `github_svt`:

```json
{
  "key": "vault-key-or-github-app-slug",
  "name": "action_secret_token"
}
```
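Calling the module once per scope, as an added example that is not part of the module's own documentation. It assumes the module lives at `./modules/vault-github-sync`, that `type = "variable"` selects the `*_variable` resources, and that the Vault and GitHub providers are configured by the caller; every name, repository and Vault path below is a constructed value.

```hcl
locals {
  app_pem_path = "secret/ci/github/app/pem"  # constructed Vault path to the GitHub App PEM
}

# Organization secret, visible only to the listed repositories.
module "org_api_token" {
  source              = "./modules/vault-github-sync"  # assumed module path
  organization        = "example-org"                  # constructed
  github_app_pem_path = local.app_pem_path
  type                = "secret"

  github_svt = {
    name         = "API_TOKEN"      # GitHub Actions secret name
    key          = "api_token"      # key inside the Vault secret
    path         = "secret/ci/api"  # explicit Vault path (overrides the default path construction)
    visibility   = "selected"
    repositories = ["api-service", "web-frontend"]  # only these repos can read it
  }
}

# Repository-scoped variable; a same-named value here shadows the organization one.
module "repo_build_region" {
  source              = "./modules/vault-github-sync"
  organization        = "example-org"
  repository          = "api-service"
  github_app_pem_path = local.app_pem_path
  type                = "variable"  # assumed value for the variable resources

  github_svt = {
    name = "BUILD_REGION"
    key  = "build_region"
    team = "platform"  # team associated with the item (module default: "devops")
  }
}

# Environment-scoped secret; takes precedence over both org and repo scopes.
module "prod_deploy_key" {
  source              = "./modules/vault-github-sync"
  organization        = "example-org"
  repository          = "api-service"
  environment         = "production"
  github_app_pem_path = local.app_pem_path
  type                = "secret"

  github_svt = {
    name = "DEPLOY_KEY"
    key  = "deploy_key"
  }
}
```

Because each scope can reuse a name, a `terraform plan` over all three calls is the place to confirm that a new environment or repository item is intended to shadow the organization-level one rather than collide with it by accident.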

Outputs

| Name | Description |
|------|-------------|
| github_svt_path | GitHub SVT Path |

About

An opinionated Terraform module used to manage GitHub Actions secrets and variables at different scopes
