Inaccurate documentation for github_actions_public_key and github_actions_secret

[skoblenick]

Terraform Version

Terraform v0.12.24

• provider.github v2.5.0

Affected Resource(s)

Please list the resources as a list, for example:

• github_actions_public_key
• github_actions_secret

Terraform Configuration Files

Code exactly like the sample in the current documentation:

data "github_actions_public_key" "example_public_key" {
  owner      = var.github_organization
  repository = "example_repository"
}

resource "github_actions_secret" "example_secret" {
  repository       = "example_repository"
  secret_name      = "example_secret_name"
  plaintext_value  = "var.some_secret_string"
  key_id                = github_actions_public_key.example_public_key.key_id
  public_key        = github_actions_public_key.example_public_key.key
}

Output

Error: Unsupported argument

  on main.tf line 21, in data "github_actions_public_key" "public_key":
  21:   owner      = var.github_organization

An argument named "owner" is not expected here.


Error: Unsupported argument

  on main.tf line 41, in resource "github_actions_secret" "example_secret":
  41:   key_id           = github_actions_public_key.public_key.key_id

An argument named "key_id" is not expected here.


Error: Unsupported argument

  on main.tf line 42, in resource "github_actions_secret" "example_secret":
  42:   public_key       = github_actions_public_key.public_key.key

An argument named "public_key" is not expected here.

Expected Behavior

There shouldn't be Error: Unsupported argument on required arguments

Actual Behavior

The errors above are output by the plan. If the "required" fields are moved the plan succeed correctly and can be applied. This works rather than the provided example:

data "github_actions_public_key" "example_public_key" {
  repository = "example_repository"
}

resource "github_actions_secret" "example_secret" {
  repository       = "example_repository"
  secret_name      = "example_secret_name"
  plaintext_value  = "var.some_secret_string"
}

Steps to Reproduce

1. terraform init
2. terraform plan -var-file="./my.tfvars" -out=plan.out

Important Factoids

This is a company GitHub account creating secrets on a private repository.

References

• https://www.terraform.io/docs/providers/github/r/actions_secret.html
• https://www.terraform.io/docs/providers/github/d/actions_public_key.html

[anGie44]

hi @skoblenick @benj-fletch! i'm looking to begin implementing a change to address the discrepencies and it seems like there could be several ways to approach this including:
1.

• For the github_actions_public_key datasource: update the key_id and key fields in the schema to be set to Computed: true as these fields are set in the Read method. Update the docs to reflect these attributes and remove owner from the example config as well
• For github_actions_secret resource: update just the docs to reflect the current schema (key_id and public_key omitted).

• Same action for the github_actions_public_key as in no.1 above
• For github_actions_secret resource: add key_id and public_key to the schema as Optional, add logic in CreateOrUpdate to read and use the provided vals instead of calling the API method to GetPublicKey (but only when vals are not available in config), and reflect this in the docs. This seems like something of need since a github_actions_public_key retrieved in a data block could be referenced in the github_actions_secret block as originally intended in the docs; but without validation of one key value w/o another at the Schema level, further validation in the Read method is needed.

• Same action for the github_actions_public_key as in no.1
• Similar action for github_actions_secret resource as in no.2 but: add key_id and public_key to the schema as Required fields as part of an Optional block (e.g. key) to ensure if a user wants to reference an existing actions_public_key data source, both the key_id and key itself are provided in a config.
  ex:

 key {
		key_id         = data.github_actions_public_key.test_pk.key_id
		public_key = data.github_actions_public_key.test_pk.key
	  }

thoughts? happy to discuss other options you might of considered or anything I've missed, thanks!

[benj-fletch]

Hi @anGie44, thanks for picking this up and a comprehensive change detail! My thoughts on your proposed changes:

1. No issues with this change
2. I'm not sure the benefit of adding entries for key_id and public_key here for 2 reasons:

• By providing the repository we can derive the public key details and so don't need to ask the user to provide this.
• Asking for the details of the public key (which requires an authenticated call in the API) they will then be stored in the state file, potentially opening a security issue.

3. Similar to (2)

Since it is the least amount of work and reflects how the code currently works I think we should go with option (1).

Any questions let me know 😄. Thanks!

[anGie44]

@benj-fletch thank you for the feedback! Option 1 it is :)