Support Encrypted Pipeline Variables #97

Closed
kierang-contino opened this issue Dec 20, 2022 · 0 comments · Fixed by #142
kierang-contino commented Dec 20, 2022

Issue

Currently the terraform provider does not support encrypted pipeline variables.
This leads to constant drift: when the TF provider reads the configuration, it gets ***** as the variable's value.
To fix this, we can add a lifecycle block:

  lifecycle {
    ignore_changes = [
      spec[0].variables
    ]
  }

But any change to the pipeline will now result in all variables being changed to unencrypted, plain-text strings of *****.
And this destructive operation on the variables is not shown in the plan.

Deeper look into why this happens

There is no dedicated API to update specific parts of a pipeline's configuration. It's all wrapped in a single yaml file.
TF will call the read API and get a yaml of the whole pipeline.
This yaml is then decoded into the matching go struct.
When TF is ready to update the configuration, it has to regenerate a yaml file and upload that to codefresh control plane.

The issue is that when TF reads the configuration, it does not pass the 'decryptVariables' flag and thus it gets ***** as the variables' values (if they are encrypted).
TF does not understand the difference between encrypted and non-encrypted and so it puts ***** in the value when it regenerates the yaml to update the config, nor does it know to set the value as an encrypted type.

And because TF is writing the same value it's reading, it does not think there is a drift and thus does not show any changes in the plan.

Solution?

  • The provider needs to use the decryptVariables flag to retrieve the correct value.
  • It needs to support setting variables as encrypted or not.

e.g. instead of passing a map of simple k=v, pass in a list of maps.

[
  {
    key       = "variable1"
    value     = "val1"
    encrypted = false # default
  },
  {
    key       = "variable2"
    value     = "val2"
    encrypted = true
  }
]
  • And of course, generate the pipeline configuration yaml accordingly.
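The read/regenerate round trip described above, as an added Go simulation that is not code from this issue or from the provider. It models the control plane as one document per pipeline, a read API that masks encrypted values unless decryption is requested, the pre-fix provider behaviour (no decryptVariables, no encrypted flag, whole document rewritten) with and without the ignore_changes workaround, and the proposed fix. The Variable shape, the JSON encoding standing in for the pipeline YAML, and every function name here are assumptions made for illustration; the sample variables are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Mask is what the read API returns for an encrypted value when decryptVariables is not requested.
const Mask = "*****"

// Variable is the assumed shape of one pipeline variable. The real spec is a single YAML document; it is modelled here as one JSON document of variables.
type Variable struct {
	Key       string `json:"key"`
	Value     string `json:"value"`
	Encrypted bool   `json:"encrypted"`
}

// controlPlane holds one whole document per pipeline, read and replaced as a unit: there is no API to update only the variables.
type controlPlane struct{ doc []byte }

// newSamplePipeline seeds the simulation with constructed sample variables.
func newSamplePipeline() *controlPlane {
	cp := &controlPlane{}
	cp.Write([]Variable{
		{Key: "variable1", Value: "val1"},
		{Key: "variable2", Value: "val2", Encrypted: true},
	})
	return cp
}

// Read returns the variables; without decrypt, encrypted values come back masked.
func (cp *controlPlane) Read(decrypt bool) []Variable {
	var vs []Variable
	_ = json.Unmarshal(cp.doc, &vs) // doc always comes from Write below
	for i := range vs {
		if !decrypt && vs[i].Encrypted {
			vs[i].Value = Mask
		}
	}
	return vs
}

// Write replaces the whole document, as the single-YAML update does.
func (cp *controlPlane) Write(vs []Variable) { cp.doc, _ = json.Marshal(vs) }

// planChanges lists keys whose value or encrypted flag differs between what was read
// and what is desired (positional compare suffices here); empty means "no changes".
func planChanges(have, want []Variable) []string {
	var changed []string
	for i, w := range want {
		if i >= len(have) || have[i] != w {
			changed = append(changed, w.Key)
		}
	}
	return changed
}

// stripFlags copies vs with Encrypted cleared: the pre-fix provider treats every variable as plain text.
func stripFlags(vs []Variable) []Variable {
	out := append([]Variable(nil), vs...)
	for i := range out {
		out[i].Encrypted = false
	}
	return out
}

// naiveUpdate models the pre-fix provider: read without decryptVariables, drop the flag, regenerate
// the whole document. ignoreVariables models lifecycle ignore_changes, which writes the stored (masked) state back.
func naiveUpdate(cp *controlPlane, ignoreVariables bool, desired []Variable) []string {
	state := stripFlags(cp.Read(false))
	want := stripFlags(desired)
	if ignoreVariables {
		want = state
	}
	plan := planChanges(state, want)
	cp.Write(want)
	return plan
}

// fixedUpdate models the proposed fix: read with decryption, compare value and flag,
// refuse to persist the mask placeholder, and write only when something changed.
func fixedUpdate(cp *controlPlane, desired []Variable) ([]string, error) {
	for _, v := range desired {
		if v.Value == Mask {
			return nil, fmt.Errorf("variable %q: refusing to write the mask placeholder", v.Key)
		}
	}
	plan := planChanges(cp.Read(true), desired)
	if len(plan) > 0 {
		cp.Write(desired)
	}
	return plan, nil
}

func main() {
	cp := newSamplePipeline()
	plan := naiveUpdate(cp, true, nil)
	fmt.Printf("naive update with ignore_changes: plan=%v, stored afterwards=%+v\n", plan, cp.Read(true)[1])
}
```

Running main reproduces the failure mode from the issue: the plan for the workaround case is empty, yet the stored value of variable2 afterwards is the literal ***** with the encrypted flag cleared. Without the workaround, naiveUpdate reports variable2 on every run (the constant drift) and writes the real secret back as an unencrypted variable. fixedUpdate reads with decryption so the comparison sees real values and flags, and its mask check is the guard a provider should keep even after the fix, since a masked value must never be persisted as a real one.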
ilia-medvedev-codefresh added a commit that referenced this issue Mar 12, 2024
…triggers) (#142)

## What
Support for encrypted variables - closes #97 
## Why

## Notes
<!-- Add any notes here -->

## Checklist

* [x] _I have read
[CONTRIBUTING.md](https://github.com/codefresh-io/terraform-provider-codefresh/blob/master/CONTRIBUTING.md)._
* [x] _I have [allowed changes to my fork to be
made](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/allowing-changes-to-a-pull-request-branch-created-from-a-fork)._
* [x] _I have added tests, assuming new tests are warranted_.
* [x] _I understand that the `/test` comment will be ignored by the CI
trigger [unless it is made by a repo admin or
collaborator](https://codefresh.io/docs/docs/pipelines/triggers/git-triggers/#support-for-building-pull-requests-from-forks)._