[FEAT]: Switching Between PAT and GitHub App Authentication Without Modifying Terraform Code #1877
Comments
Hi! Unfortunately there is currently no way to do so. That would be an interesting feature to add! |
You can do this by using the GitHub CLI (

```yaml
name: CI
on:
  push:
    branches: [main]
jobs:
  apply:
    name: TF Apply
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v3
      - name: Generate app token
        id: generate-app-token
        uses: tibdex/github-app-token@v1.9.0
        with:
          app_id: ${{ vars.YOUR_APP_ID }}
          private_key: ${{ secrets.YOUR_APP_PRIVATE_KEY }}
      - name: Terraform apply
        env:
          GITHUB_TOKEN: ${{ steps.generate-app-token.outputs.token }}
        run: terraform apply -auto-approve
```
|
Using the app installation token directly is a good workaround when you run Terraform from GitHub actions, but what about using it from Atlantis? Installation token is short-lived, so it can't be used in Atlantis as a static secret, but providing app credentials instead requires having A potential solution here without breaking the existing interface or adding new functionality might be to look for app env vars even when there is no empty provider "github" {}
I see the docs say
P.S. Also having empty
|
Hello, is there an update on this? |
Hello, do you know if there has been any progress made on this issue? |
This resolves [FEAT]: Switching Between PAT and GitHub App Authentication Without Modifying Terraform Code integrations#1877

New parameters mirror those in the app_auth block and make it possible to switch between token-based and app-based authentication via environment variables without altering existing provider configuration code. This allows flexibility of using a GitHub app for provider authentication when running in CI or another automated environment, and using a personal access token when developing locally. Existing behavior is preserved and the only new case is when GITHUB_APP_* are set, GITHUB_TOKEN isn't set and there is no app_auth block: before it would be an error (app vars would be ignored), but now it works as an app-based configuration.
I took a stab at it in #2174. Any feedback and help are appreciated! |
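The selection order described in the pull request text above, modelled as an added Go example (not code from the provider or from #2174). `ResolveAuth` is a hypothetical helper; `GITHUB_APP_ID`, `GITHUB_APP_INSTALLATION_ID` and `GITHUB_APP_PEM_FILE` are taken to be the environment equivalents of `id`, `installation_id` and `pem_file`, and the fall-through to unauthenticated access is an assumption.

```go
package main

import "fmt"

// Env var names mirror the app_auth fields id, installation_id and pem_file.
var appVars = []string{"GITHUB_APP_ID", "GITHUB_APP_INSTALLATION_ID", "GITHUB_APP_PEM_FILE"}

// missingAppVars lists the app variables that are unset or empty in env.
func missingAppVars(env map[string]string) []string {
	var missing []string
	for _, k := range appVars {
		if env[k] == "" {
			missing = append(missing, k)
		}
	}
	return missing
}

// ResolveAuth (hypothetical helper) returns "app", "token" or "anonymous".
// hasAppAuthBlock reports whether the provider block contains app_auth {}.
func ResolveAuth(hasAppAuthBlock bool, env map[string]string) (string, error) {
	missing := missingAppVars(env)
	switch {
	case hasAppAuthBlock && len(missing) > 0:
		// The local-environment error from the issue: block present, values absent.
		return "", fmt.Errorf("app_auth is set but %v are not", missing)
	case hasAppAuthBlock:
		return "app", nil
	case env["GITHUB_TOKEN"] != "":
		// Existing behavior: without an app_auth block the token is used.
		return "token", nil
	case len(missing) == 0:
		// The one new case: no block, no token, all GITHUB_APP_* set.
		return "app", nil
	}
	// Assumption: no usable credentials means unauthenticated access.
	return "anonymous", nil
}

func main() {
	// Constructed sample environments, not real credentials.
	ci := map[string]string{"GITHUB_APP_ID": "1", "GITHUB_APP_INSTALLATION_ID": "2", "GITHUB_APP_PEM_FILE": "pem"}
	local := map[string]string{"GITHUB_TOKEN": "example-token"}
	for _, env := range []map[string]string{ci, local} {
		mode, err := ResolveAuth(false, env)
		fmt.Println(mode, err)
	}
}
```

The check is on presence only, which is why the bogus-value workaround for `terraform validate` in the next comment gets past an empty `app_auth {}` block.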
For the off chance someone arrives at this thread in the same situation as me, this is how I worked around this for my specific use case. A little background: we use Atlantis to automate our tf in most cases, but we use the terraform-precommit GitHub action to update our tf lock files when needed. As part of this process, the precommit hook does a terraform validate, which fails when there is an empty app_auth {} block. Validate seems to only need the environment variables to exist in order to succeed, so we set them to bogus values so they would be available when validate was run and allow it to succeed. So, if like me you just need to run validate in CI, then set the env vars as below to bogus values
|
When I try the @wheelerlaw workaround using an empty
So it seems like a permissions issue on the GitHub app being used. Unfortunately I have the following permissions assigned to the app, on all organization repositories, and have tested that tokens generated from it are able to do cross-repository checkouts &c. Read access to actions, attestations api, checks, code, commit statuses, issues, metadata, and pull requests. Anything missing? |
Describe the need
Hello,
I'm trying to differentiate between authentication methods: using PAT (Personal Access Token) in my local environment and the GitHub App in the CI environment. However, after adding the app_auth block for the CI setup, I receive an error in the local environment indicating that id, installation_id, and pem_file are not set. Is there a way to toggle between authentication methods without changing the Terraform code?
Thank you for your assistance.
(Note: This message was translated with the assistance of a machine translation tool.)
SDK Version
No response
API Version
No response
Relevant log output
No response