Create github actions secrets with ECR details

This change will create github actions secrets in all repositories specified in the `github_repositories` variable. This depends on the concourse pipeline providing `TF_VAR_github_token` and `TF_VAR_github_owner` environment variables for the github terraform provider.
ministryofjustice · Jan 27, 2021 · a19ca62 · a19ca62
1 parent 06dcdda
commit a19ca62
Show file tree

Hide file tree

Showing 5 changed files with 61 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -6,6 +6,10 @@
 
 This terraform module will create an ECR repository and IAM credentials to access it.
 
+If `github_repositories` is a non-empty list of strings, [github actions
+secrets] will be created in those repositories, containing the ECR name, AWS
+access key, and AWS secret key.
+
 ## Inputs
 
 | Name | Description | Type | Default | Required |
@@ -14,7 +18,10 @@ This terraform module will create an ECR repository and IAM credentials to acces
 | team_name | name of the team creating the credentials | string | - | yes |
 | aws_region | region into which the resource will be created | string | eu-west-2 | no |
 | providers | provider creating resources | arrays of string | default provider | no |
-
+| github_repositories | List of repositories in which to create github actions secrets | list of strings | no |
+| github_actions_secret_ecr_name | Name of the github actions secret containing the ECR name | ECR_NAME | no |
+| github_actions_secret_ecr_access_key | Name of the github actions secret containing the ECR AWS access key | ECR_AWS_ACCESS_KEY_ID | no |
+| github_actions_secret_ecr_secret_key | Name of the github actions secret containing the ECR AWS secret key | ECR_AWS_SECRET_ACCESS_KEY | no |
 
 ## Outputs
 
@@ -24,3 +31,5 @@ This terraform module will create an ECR repository and IAM credentials to acces
 | secret_access_key | Secret for the new user |
 | repo_arn | ECR repository ARN |
 | repo_url | ECR repository URL |
+
+[github actions secrets]: https://docs.github.com/en/actions/reference/encrypted-secrets
diff --git a/examples/ecr.tf b/examples/ecr.tf
@@ -15,6 +15,11 @@ module "example_team_ecr_credentials" {
     To disable 'scan_on_push', set it to false as below:
   scan_on_push = "false"
   */
+
+  # Uncomment and provide repository names to create github actions secrets
+  # containing the ECR name, AWS access key, and AWS secret key, for use in
+  # github actions CI/CD pipelines
+  # github_repositories = ["my-repo"]
 }
 
 resource "kubernetes_secret" "example_team_ecr_credentials" {

diff --git a/main.tf b/main.tf
@@ -59,3 +59,23 @@ resource "aws_iam_user_policy" "policy" {
   user   = aws_iam_user.user.name
 }
 
+resource "github_actions_secret" "ecr_name" {
+  for_each        = toset(var.github_repositories)
+  repository      = each.key
+  secret_name     = var.github_actions_secret_ecr_name
+  plaintext_value = trimspace(aws_ecr_repository.repo.name)
+}
+
+resource "github_actions_secret" "ecr_access_key" {
+  for_each        = toset(var.github_repositories)
+  repository      = each.key
+  secret_name     = var.github_actions_secret_ecr_access_key
+  plaintext_value = aws_iam_access_key.key.id
+}
+
+resource "github_actions_secret" "ecr_secret_key" {
+  for_each        = toset(var.github_repositories)
+  repository      = each.key
+  secret_name     = var.github_actions_secret_ecr_secret_key
+  plaintext_value = aws_iam_access_key.key.secret
+}
diff --git a/template/ecr.tmpl b/template/ecr.tmpl
@@ -3,6 +3,11 @@ module "ecr-repo" {
 
   team_name = var.team_name
   repo_name = "${var.namespace}-ecr"
+
+  # Uncomment and provide repository names to create github actions secrets
+  # containing the ECR name, AWS access key, and AWS secret key, for use in
+  # github actions CI/CD pipelines
+  # github_repositories = ["my-repo"]
 }
 
 resource "kubernetes_secret" "ecr-repo" {

diff --git a/variables.tf b/variables.tf
@@ -11,4 +11,24 @@ variable "aws_region" {
 
 variable "scan_on_push" {
   default = true
-}
+}
+
+variable "github_repositories" {
+  description = "GitHub repositories in which to create github actions secrets"
+  default     = []
+}
+
+variable "github_actions_secret_ecr_name" {
+  description = "The name of the github actions secret containing the ECR name"
+  default     = "ECR_NAME"
+}
+
+variable "github_actions_secret_ecr_access_key" {
+  description = "The name of the github actions secret containing the ECR AWS access key"
+  default     = "ECR_AWS_ACCESS_KEY_ID"
+}
+
+variable "github_actions_secret_ecr_secret_key" {
+  description = "The name of the github actions secret containing the ECR AWS secret key"
+  default     = "ECR_AWS_SECRET_ACCESS_KEY"
+}