If you are only interested in the examples, jump straight ahead or have a look at the example code.
It sucks if your CI provider has a security breach. What sucks even more is if you are the lucky one in charge who has to go and rotate all possibly compromised secrets and update them in your build pipeline environment variables 🤦♂️.
Sadly, this is not some dystopian fantasy, but was just announced this week (2023-01-04) by CircleCI. This is not news you want to receive on your first day back at work after the holidays - lucky me 🤪. But, to be fair, I guess you don't want that news on any other day either 🤷♂️...
Jokes aside, when one of your clients - and their tens or more of repositories - is affected by this, it can get hairy pretty quickly. Worst case, you have to click your way through the UI and collect all secrets stored in contexts or, even better, in project/repository-specific settings. In the meantime, CircleCI has published a repository to help those unlucky ones: CircleCI-Public/CircleCI-Env-Inspector. Using this, you can at least get a high-level overview of all secrets used in your organization, i.e. name, location and an anonymized value.
The best case, on the other hand, would be if you could rotate most - if not all - of your secrets with the click of a button and be done with it. Luckily for us, this is indeed achievable via Terraform and this neat plugin: mrolla/circleci. Chances are, a good chunk of your secrets are already managed alongside your infrastructure via Terraform. Using the plugin, you can update your secrets in CircleCI automatically whenever they are changed in Terraform. (Although this is not achievable for all secrets and passwords, many resources support this directly via Terraform, e.g. Azure Service Principal Passwords.) One caveat worth keeping in mind: every value you hand to the provider is also written to the Terraform state, so the state backend has to be protected like any other secret store.
Set CircleCI Secrets via Terraform
```hcl
# Configure the plugin
terraform {
  required_providers {
    circleci = {
      source  = "mrolla/circleci" # c.f. https://registry.terraform.io/providers/mrolla/circleci/latest/docs
      version = ">=0.6.1"
    }
  }
  # possibly some more
  required_version = ">= 1.2.5, < 3.0.0"
}

# The API token is supplied via the provider's api_token argument or the
# environment variable documented by the provider; never hard-code it here.
provider "circleci" {
  vcs_type     = "github"
  organization = "my-org"
}

# Create a CircleCI Context
resource "circleci_context" "example" {
  name = "my-terraform-variables"
}

# Populate the context with ENV variables.
# The right-hand sides are placeholders: reference the resource attribute
# that holds the secret (e.g. a Key Vault secret). Every value also lands
# in the Terraform state, so protect the state backend accordingly.
resource "circleci_context_environment_variable" "example" {
  for_each = {
    FOO = <some-value-from-resource-foo> # e.g. secret from Key Vault
    BAR = <some-value-from-resource-bar>
  }
  variable   = each.key
  value      = each.value
  context_id = circleci_context.example.id
}

# OR set a project-specific ENV variable instead
resource "circleci_environment_variable" "example" {
  for_each = {
    FOO = <some-value-from-resource-foo>
    BAR = <some-value-from-resource-bar>
  }
  name         = each.key
  value        = each.value
  project      = "my-repo"
  organization = "my-org"
}
```
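As an added example that is not part of the original post or of the provider's own docs, the following configuration combines the same mrolla/circleci provider with hashicorp/random and hashicorp/time so that a generated secret is rotated on a schedule and can also be rotated on demand. The context name, the variable name `DB_PASSWORD`, the 30-day interval and the password length are assumptions chosen for illustration.

```hcl
terraform {
  required_providers {
    circleci = {
      source  = "mrolla/circleci"
      version = ">=0.6.1"
    }
    random = {
      source = "hashicorp/random"
    }
    time = {
      source = "hashicorp/time"
    }
  }
  required_version = ">= 1.2.5, < 3.0.0"
}

provider "circleci" {
  vcs_type     = "github"
  organization = "my-org"
}

# Rotation trigger (assumed interval): the resource is replaced every 30 days,
# which gives it a new id and thereby invalidates the keeper below.
resource "time_rotating" "db_password" {
  rotation_days = 30
}

# The generated secret. A change in any keeper forces a brand-new password;
# the plaintext is stored in the Terraform state, so the backend must be
# treated as a secret store.
resource "random_password" "db_password" {
  length  = 32
  special = true
  keepers = {
    rotate = time_rotating.db_password.id
  }
}

# Context holding the rotated secrets (hypothetical name).
resource "circleci_context" "rotated" {
  name = "rotated-secrets"
}

# Whenever random_password is replaced, this variable is updated in CircleCI
# on the next apply, so pipelines pick up the new value automatically.
resource "circleci_context_environment_variable" "db_password" {
  variable   = "DB_PASSWORD"
  value      = random_password.db_password.result
  context_id = circleci_context.rotated.id
}
```

For the "click of a button" case, an immediate rotation outside the schedule is a single command: `terraform apply -replace=random_password.db_password` forces a new password and, through the dependency chain, pushes it to the CircleCI context in the same run. Whatever consumes the password (a database user, for instance) must of course be updated from the same `random_password.db_password.result` so that both sides stay in sync.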
Hopefully 🤞, you are not affected by this news and are just reading this out of curiosity (thanks!). If not, maybe this plugin can save you some sweat and tears - at least in the future! 🍀
You can find a more detailed example here on GitHub.