How to add encrypted secret to GitHub Actions

Hi, I’m new to Terraform and am trying to figure out how to add encrypted secrets to GitHub Actions. Here’s my resource:

```hcl
resource "github_actions_secret" "encrypted_my_secret" {
  repository      = var.secret_repo
  secret_name     = "SECRET_KEY"
  encrypted_value = var.encrypted_secret_value
}
```

And my variable:

```hcl
variable "encrypted_secret_value" {
  default = "EncryptedMyPassword"
}
```

The error I get is:

```text
Error: PUT https://api.github.com/repos/-----/-----/actions/secrets/SECRET_KEY: 422 Invalid request.

│ EncryptedMyPassword does not match /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/.
```
“SECRET_KEY” exists in my repo as a plaintext secret.

Obviously, I’m getting the error because my PW is not encrypted. So how do I encrypt it? According to this doc, the /crypto/box Go module does the encryption. How do I use this module within TF? Do I add Box as a required provider, add the Box module, then somehow encrypt within my TF file? Or am I supposed to encrypt the string separately in a Go script? Please advise.

@alee68dmv GitHub’s API documentation has examples in multiple languages that show how to generate an encrypted secret in the required format. You have to do this beforehand, outside of the TF context, then put it into your TF file or pass it to a variable upon execution (e.g., via .tfvars).

See this post also: github_actions_secret: document how to obtain encrypted_value · Issue #888 · integrations/terraform-provider-github · GitHub


@shohei These links really help, thank you!