Make action more modular, improve security and docs #1

Open
wants to merge 23 commits into
base: main
Use gpg instead of openssl
devgioele committed Aug 11, 2022
commit 2d4fc83f0bf41fc2155c9030abd43521d40d65cd
2 changes: 1 addition & 1 deletion .github/workflows/terraform.yml
@@ -16,7 +16,7 @@ jobs:
- id: state-download
uses: devgioele/terraform-state-artifact@v3
with:
encryption-key: ${{ secrets.pat }}
passphrase: ${{ secrets.TF-STATE-PASSPHRASE }}
download-upload: download
terraform-upload-job:
runs-on: ubuntu-latest
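Review bot: `secrets.TF-STATE-PASSPHRASE` will not resolve as written, because GitHub secret names may contain only alphanumeric characters and underscores (no hyphens), so the example workflow should reference something like `secrets.TF_STATE_PASSPHRASE` here and the README should name the secret the same way. Replacing `secrets.pat` with a dedicated secret is the right call: a token that also grants API access should never double as an encryption passphrase, since compromise or rotation of one then forces rotation of the other.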
8 changes: 4 additions & 4 deletions README.md
@@ -20,25 +20,25 @@ A fix is being searched and you are welcome to open a PR.
steps:
- uses: devgioele/terraform-state-artifact@v3
with:
encryption-key: ${{ secrets.TF-STATE-KEY }}
passphrase: ${{ secrets.TF-STATE-PASSPHRASE }}
```

Using OpenSSL 1.1.1, a key can be generated with:
```
openssl enc -aes-256-cbc -k <secret> -P -md sha256 -pbkdf2
```
Replace `<secret>` with some password.
Copy the key from the output and use it as a GitHub secret named `TF-STATE-KEY`.
Copy the key from the output and use it as a GitHub secret named `TF-STATE-PASSPHRASE`.

## Inputs

The action supports the following inputs:

| Variable | Description | Default |
|-----------------|-----------------------------------------------------------------------------------------------------------------------------------------|---------|
| `encryption-key` | An encryption key to use when encrypting the statefile. Recommended to use a secret value. | N/A |
| `passphrase` | A passphrase to encrypt and decrypt the statefile artifact. | N/A |
| `download-upload` | Whether to download and decrypt or upload and encrypt. | N/A |
| `statefile-location` | (optional) The location of your Terraform statefile. | `''` |
| `statefile-location` | (optional) The location of your Terraform statefile. | `''` |

## Credits

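Review bot: the key-generation paragraph above the inputs table is now stale: `openssl enc -aes-256-cbc -k <secret> -P -md sha256 -pbkdf2` prints an OpenSSL salt/key/iv triple, which is no longer what the action consumes now that it calls `gpg --symmetric --passphrase`. Replace that paragraph with a single instruction to generate a random passphrase, for example `openssl rand -base64 32`, and store it as the GitHub secret (named with underscores, e.g. `TF_STATE_PASSPHRASE`, since secret names cannot contain hyphens). The two `statefile-location` rows at the bottom of the table look like an unchanged line rendered as a remove/add pair; if that is only a whitespace change, drop it from the diff so the hunk stays focused on the `encryption-key` to `passphrase` rename.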
8 changes: 4 additions & 4 deletions action.yml
@@ -3,8 +3,8 @@ description: 'Downloads and uploads your Terraform statefile as an encrypted Git
author: 'Sturla Bragason & Gioele De Vitti'

inputs:
encryption-key:
description: 'Used as a key to encrypt and decrypt the statefile artifact'
passphrase:
description: 'A passphrase to encrypt and decrypt the statefile artifact.'
required: true
download-upload:
description: 'Whether to download and decrypt or upload and encrypt.'
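Review bot: `required: true` on `passphrase` only makes the runner emit a warning when a caller omits the input; it does not fail the step, so an empty value would still reach `gpg --batch --passphrase ""` in the pwsh steps and fail there with an unhelpful error. Add an explicit guard at the top of each step, e.g. `if ([string]::IsNullOrEmpty("${{ inputs.passphrase }}")) { throw 'passphrase input is required' }` (or better, read it from an `env:` variable), so a misconfigured workflow fails fast before any artifact is downloaded or uploaded.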
@@ -32,7 +32,7 @@ runs:
if ($MostRecentArtifactURI){
Invoke-RestMethod -uri $MostRecentArtifactURI -Token $Token -Authentication bearer -outfile ./state.zip
Expand-Archive ./state.zip
openssl enc -d -in ./state/terraform.tfstate.enc -aes-256-cbc -pbkdf2 -pass pass:"${{ inputs.encryption-key }}" -out ."${{ inputs.statefile-location }}"/terraform.tfstate
gpg --batch --passphrase "${{ inputs.passphrase }}" -o ."${{ inputs.statefile-location }}"/terraform.tfstate -d ./state/terraform.tfstate.enc
}
}
shell: pwsh
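Review bot: passing the secret via `--passphrase` on the command line has two problems with the GnuPG 2.1+ shipped on `ubuntu-latest`. First, gpg honours `--passphrase` only together with `--pinentry-mode loopback`; without it decryption can abort with a pinentry/agent error. Second, the passphrase is visible in the runner's process table for the duration of the command and is spliced into the script text by `${{ inputs.passphrase }}` expansion, so a passphrase containing a double quote breaks the command. Expose the input through an `env:` entry on the step and feed it on stdin instead, e.g. `$env:PASSPHRASE | gpg --batch --pinentry-mode loopback --passphrase-fd 0 -o ."${{ inputs.statefile-location }}"/terraform.tfstate -d ./state/terraform.tfstate.enc`.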
@@ -42,7 +42,7 @@ runs:
$ArtifactName = "${{ github.ref_name }}" + "${{ inputs.statefile-location }}"
$StateExists = Test-Path -Path ."${{ inputs.statefile-location }}"/terraform.tfstate -PathType Leaf
if ($StateExists){
openssl enc -in ."${{ inputs.statefile-location }}"/terraform.tfstate -aes-256-cbc -pbkdf2 -pass pass:"${{ inputs.encryption-key }}" -out ."${{ inputs.statefile-location }}"/terraform.tfstate.enc
gpg --batch --symmetric --cipher-algo aes256 --digest-algo sha256 --passphrase "${{ inputs.passphrase }}" -o ."${{ inputs.statefile-location }}"/terraform.tfstate.enc ."${{ inputs.statefile-location }}"/terraform.tfstate
}
shell: pwsh
- uses: actions/upload-artifact@v3
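Review bot: `--digest-algo sha256` does not harden the passphrase-to-key derivation here: it selects the hash used for signatures, while the KDF for `--symmetric` is controlled by the S2K options (`--s2k-mode 3 --s2k-digest-algo SHA256 --s2k-count <iterations>`), so with the current flags gpg uses its S2K defaults. Either drop `--digest-algo` or replace it with the S2K options so the intended hardening is real, and mirror the loopback/stdin passphrase handling suggested for the decrypt step so the secret never appears on the command line. On the plus side, gpg's symmetric mode writes an MDC integrity tag that the previous `openssl enc -aes-256-cbc` invocation lacked, so tampering with the stored artifact is now detected at decrypt time.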