Alex Kucksdorf

Managing CircleCI secrets via Terraform

If you are only interested in the examples, jump straight to the Terraform section below or have a look at the example code on GitHub.

It sucks if your CI provider has a security breach. What sucks even more is if you are the lucky one in charge who has to go and rotate every possibly compromised secret and update it in your build pipeline's environment variables 🤦‍♂️.

Sadly, this is not some dystopian fantasy, but was announced this week (2023-01-04) by CircleCI. This is not news you want to receive on your first day back at work after the holidays - lucky me 🤪. But, to be fair, I guess you don't want that news on any other day either 🤷‍♂️...

Jokes aside, when one of your clients - and their tens of repositories - is affected by this, it can get hairy pretty quickly. Worst case, you have to click your way through the UI and collect every secret stored in contexts or, even better, in project/repository-specific settings. In the meantime, CircleCI has published a repository to help those unlucky ones: CircleCI-Public/CircleCI-Env-Inspector. Using it, you get at least a high-level overview of all secrets used in your organization: name, location and masked value. That tells you what to rotate, not the values themselves, so the actual rotation still has to happen in each secret's source system.

The best case, on the other hand, is being able to rotate most - if not all - of your secrets with a single command and be done with it. Luckily, this is achievable via Terraform and this neat provider: mrolla/circleci. Chances are, a good chunk of your secrets are already managed alongside your infrastructure in Terraform. With the provider in place, every terraform apply pushes changed values into CircleCI, so rotating a secret at its source also rotates it in your pipelines. (This does not work for every secret: it needs a resource that Terraform itself generates or can re-read, e.g. Azure Service Principal Passwords; secrets created outside Terraform still have to be rotated by hand and fed in.) Two caveats before you rely on it: the values end up in Terraform state in plain text, so the state backend needs the same protection as the secrets themselves (encryption at rest, tightly restricted access), and the CircleCI API token the provider authenticates with is itself a secret that has to be rotated after an incident like this one.

Set CircleCI Secrets via Terraform

```hcl
# Configure the provider
terraform {
  required_providers {
    circleci = {
      source  = "mrolla/circleci" # c.f. https://registry.terraform.io/providers/mrolla/circleci/latest/docs
      version = ">= 0.6.1, < 1.0.0" # upper bound: a new major version must not slip in unnoticed
    }
  }
  # possibly some more

  required_version = ">= 1.2.5, < 3.0.0"
}

# The API token is deliberately not set here: the provider reads it from the
# api_token argument or the CIRCLECI_TOKEN environment variable. Never commit it.
provider "circleci" {
  vcs_type     = "github"
  organization = "my-org"
}

# Secret inputs, marked sensitive so Terraform redacts them in plan/apply output
# (they are still written to state in plain text).
variable "foo" {
  type      = string
  sensitive = true
}
variable "bar" {
  type      = string
  sensitive = true
}

# Create a CircleCI context
resource "circleci_context" "example" {
  name = "my-terraform-variables"
}

# Populate the context with environment variables
resource "circleci_context_environment_variable" "example" {
  for_each = {
    FOO = var.foo # placeholder: e.g. a secret read from Key Vault or another Terraform resource
    BAR = var.bar
  }

  variable   = each.key
  value      = each.value
  context_id = circleci_context.example.id
}

# OR set project-specific environment variables instead
resource "circleci_environment_variable" "example" {
  for_each = {
    FOO = var.foo
    BAR = var.bar
  }

  name         = each.key
  value        = each.value
  project      = "my-repo"
  organization = "my-org"
}
```
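As an added example (not code from the original post or from the mrolla/circleci project), here is the rotation chain the text describes, carried through end to end for the Azure case: a time_rotating resource drives azuread_service_principal_password, and the password Terraform generates lands in a CircleCI context. The hashicorp/azuread and hashicorp/time providers, the service principal object ID input, and the context and variable names are assumptions for illustration; the circleci provider is configured exactly as in the block above.

```hcl
# Added example, not from the original post. Assumes the circleci provider
# configuration from above plus hashicorp/azuread and hashicorp/time.
terraform {
  required_providers {
    circleci = {
      source  = "mrolla/circleci"
      version = ">= 0.6.1, < 1.0.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.30" # rotate_when_changed needs a recent 2.x release
    }
    time = {
      source  = "hashicorp/time"
      version = "~> 0.9"
    }
  }
}

provider "circleci" {
  vcs_type     = "github"
  organization = "my-org"
  # api_token is taken from the CIRCLECI_TOKEN environment variable
}

# Object ID (not the client/application ID) of the pipeline's service
# principal. Placeholder input for this example.
variable "ci_service_principal_object_id" {
  type = string
}

data "azuread_client_config" "current" {}

data "azuread_service_principal" "ci" {
  object_id = var.ci_service_principal_object_id
}

# Time-based trigger: its id changes every 30 days, which forces the
# password below to be regenerated on the next apply.
resource "time_rotating" "ci_sp_password" {
  rotation_days = 30
}

# Terraform generates the password itself, so nobody ever copies it by hand.
# Any change to the rotate_when_changed map re-creates (i.e. rotates) it.
resource "azuread_service_principal_password" "ci" {
  service_principal_id = data.azuread_service_principal.ci.object_id

  rotate_when_changed = {
    rotation = time_rotating.ci_sp_password.id
  }
}

resource "circleci_context" "azure" {
  name = "azure-deploy"
}

# Non-secret identifiers the Azure tooling in the pipeline needs.
resource "circleci_context_environment_variable" "azure_ids" {
  for_each = {
    ARM_TENANT_ID = data.azuread_client_config.current.tenant_id
    ARM_CLIENT_ID = data.azuread_service_principal.ci.application_id
  }

  variable   = each.key
  value      = each.value
  context_id = circleci_context.azure.id
}

# The secret itself, as a dedicated resource so it can be replaced or
# imported on its own. The value is sensitive (redacted in plan output) but
# is still written to Terraform state in plain text: protect the backend.
resource "circleci_context_environment_variable" "azure_secret" {
  variable   = "ARM_CLIENT_SECRET"
  value      = azuread_service_principal_password.ci.value
  context_id = circleci_context.azure.id
}
```

To rotate immediately after an incident instead of waiting for the 30-day tick, run terraform apply -replace=azuread_service_principal_password.ci: the old password is removed from the service principal, a new one is generated, and it flows into the context in the same apply. The CIRCLECI_TOKEN the provider authenticates with is not managed here and has to be rotated by hand.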

Hopefully 🤞, you are not affected by this news and are just reading this out of curiosity (thanks!). If not, maybe this provider can save you some sweat and tears - at least in the future! 🍀

You can find a more detailed example here on GitHub.
