From c619a900a366bd6dd800ebab92755eed192a38a1 Mon Sep 17 00:00:00 2001
From: bendwyer <17102207+bendwyer@users.noreply.github.com>
Date: Sun, 22 Sep 2024 15:21:15 +0200
Subject: [PATCH 1/2] feat: Add action
---
 action.yml | 99 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 99 insertions(+)
 create mode 100644 action.yml
diff --git a/action.yml b/action.yml
new file mode 100644
index 0000000..f55250a
--- /dev/null
+++ b/action.yml
@@ -0,0 +1,99 @@
+---
+name: action-rotate-hcp-terraform-user-token
+description: Rotates a HCP Terraform user token stored as a secret in a GitHub repository.
+author: Ben Dwyer (github.com/bendwyer)
+
+inputs:
+ github_token:
+ description: GitHub token used for writing the HCP Terraform user token to the repository secret store.
+ required: false
+ default: ${{ github.token }}
+ github_secrets_name:
+ description: Name of the secret in the repository secret store where the token will be written.
+ required: false
+ default: HCP_TERRAFORM_USER_TOKEN
+ hcp_terraform_user_token:
+ description: HCP Terraform user token to be rotated. This token must already exist and be saved as a repository secret before running this action.
+ required: true
+ hcp_terraform_user_token_description:
+ description: Description for the HCP Terraform user token. Must be the same for the original and new tokens.
+ required: false
+ default: github-token
+ hcp_terraform_user_token_expiration:
+ description: Time in days when the HCP Terraform user token will expire.
+ default: "30"
+
+runs:
+ using: composite
+ steps:
+ - name: Rotate HCP Terraform user token
+ env:
+ GH_TOKEN: ${{ inputs.github_token }}
+ run: |
+ echo "Set token"
+ TOKEN=${{ inputs.hcp_terraform_user_token }}
+ echo "Mask token"
+ echo "::add-mask::$TOKEN"
+ echo "Set token description"
+ TOKEN_DESCRIPTION=${{ inputs.hcp_terraform_user_token_description }}
+ echo "Set expiration"
+ TOKEN_EXPIRATION=${{ inputs.hcp_terraform_user_token_expiration }}
+ SECRETS_NAME=${{ inputs.github_secrets_name }}
+ echo "Set user ID"
+ ID=$(curl -Ss --fail-with-body --header "Authorization: Bearer $TOKEN" --header "Content-Type: application/vnd.api+json" --request GET https://app.terraform.io/api/v2/account/details | jq -r '.data.id')
+ echo "Check if date should be calculated"
+ if [[ -n $TOKEN_EXPIRATION ]];
+ then
+ echo "Calculate date"
+ DATE=$(date -d "+$TOKEN_EXPIRATION days" -u +%Y-%m-%dT%H:%M:%S.%3NZ)
+ fi
+ echo "Get all token info"
+ ALL_TOKENS=$(curl -Ss --fail-with-body --header "Authorization: Bearer $TOKEN" --header "Content-Type: application/vnd.api+json" --request GET https://app.terraform.io/api/v2/users/$ID/authentication-tokens)
+ echo "Filter matched token info"
+ MATCHED_TOKEN_INFO=$(echo $ALL_TOKENS | jq -r --arg TOKEN_DESCRIPTION "$TOKEN_DESCRIPTION" --arg DATE "$DATE" '[.data[] | {id,attributes} | select(.attributes.description==$TOKEN_DESCRIPTION) | select(.attributes."expired-at"!=$DATE)]')
+ echo "Get matched token IDs"
+ MATCHED_TOKEN_IDS=$(echo $MATCHED_TOKEN_INFO | jq -c 'map(.id)')
+ echo "Get matched token count"
+ MATCHED_TOKEN_COUNT=$(echo $MATCHED_TOKEN_INFO | jq -c 'map(.id) | length')
+ if [[ $MATCHED_TOKEN_COUNT -ge 2 ]]
+ then
+ echo "ERROR: $MATCHED_TOKEN_COUNT tokens matched search criteria. Please ensure that 0 or 1 tokens match the search criteria."
>> /dev/stderr + exit 1 + else + echo "Matched token IDs: $MATCHED_TOKEN_IDS" + echo "Matched token count: $MATCHED_TOKEN_COUNT" + fi + echo "Create json payload" + PAYLOAD=$(cat < Date: Sun, 22 Sep 2024 13:21:58 +0000 Subject: [PATCH 2/2] docs: Automated README update --- README.md | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) diff --git a/README.md b/README.md index a09f9c3..84f2667 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,60 @@ +## action-rotate-hcp-terraform-user-token +### Description + +Rotates a HCP Terraform user token stored as a secret in a GitHub repository. + +### Inputs + +| name | description | required | default | +| --- | --- | --- | --- | +| `github_token` |
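Review bot: The `run:` script assigns `TOKEN=${{ inputs.hcp_terraform_user_token }}`, `TOKEN_DESCRIPTION=${{ … }}`, `TOKEN_EXPIRATION=${{ … }}` and `SECRETS_NAME=${{ … }}` by expression substitution, so the input values become part of the script text: a description or secret name containing whitespace or shell metacharacters changes what the script does rather than what the variable holds, and the user token is embedded in the script source before the `::add-mask::` line runs. Only `GH_TOKEN` takes the documented route through `env:`; move the other four inputs there and read them as `"$TOKEN"`, `"$TOKEN_DESCRIPTION"` and so on. The `echo $ALL_TOKENS | jq …` and `echo $MATCHED_TOKEN_INFO | jq …` pipelines are also unquoted, so the JSON is word-split and glob-expanded before jq sees it. A `set -euo pipefail` at the top (with `DATE=""` initialised before the `if`) would stop the step when the `account/details` or token-listing request fails instead of continuing with an empty `ID`, since `--fail-with-body` only sets curl's own exit status and the pipeline's status is jq's. The rest of the step after `PAYLOAD=$(cat <` is not visible on this page, so I cannot tell whether `shell: bash` is set later in the step, which composite `run` steps require and which the `[[ … ]]` tests rely on.
```yaml
      env:
        GH_TOKEN: ${{ inputs.github_token }}
        TOKEN: ${{ inputs.hcp_terraform_user_token }}
        TOKEN_DESCRIPTION: ${{ inputs.hcp_terraform_user_token_description }}
        TOKEN_EXPIRATION: ${{ inputs.hcp_terraform_user_token_expiration }}
        SECRETS_NAME: ${{ inputs.github_secrets_name }}
      run: |
        set -euo pipefail
        echo "::add-mask::$TOKEN"
        DATE=""
        # … unchanged: user-ID lookup, expiry calculation, token listing …
        MATCHED_TOKEN_INFO=$(jq -r --arg TOKEN_DESCRIPTION "$TOKEN_DESCRIPTION" --arg DATE "$DATE" '[.data[] | {id,attributes} | select(.attributes.description==$TOKEN_DESCRIPTION) | select(.attributes."expired-at"!=$DATE)]' <<< "$ALL_TOKENS")
        MATCHED_TOKEN_IDS=$(jq -c 'map(.id)' <<< "$MATCHED_TOKEN_INFO")
        MATCHED_TOKEN_COUNT=$(jq -c 'map(.id) | length' <<< "$MATCHED_TOKEN_INFO")
        # … unchanged: match-count check and payload creation …
```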

GitHub token used for writing the HCP Terraform user token to the repository secret store.

| `false` | `${{ github.token }}` | +| `github_secrets_name` |

Name of the secret in the repository secret store where the token will be written.

| `false` | `HCP_TERRAFORM_USER_TOKEN` | +| `hcp_terraform_user_token` |

HCP Terraform user token to be rotated. This token must already exist and be saved as a repository secret before running this action.

| `true` | `""` | +| `hcp_terraform_user_token_description` |

Description for the HCP Terraform user token. Must be the same for the original and new tokens.

| `false` | `github-token` | +| `hcp_terraform_user_token_expiration` |

Time in days when the HCP Terraform user token will expire.

| `false` | `30` | + + +### Runs + +This action is a `composite` action. + +### Usage + +```yaml +- uses: bendwyer/action-rotate-hcp-terraform-user-token@v1 + with: + github_token: + # GitHub token used for writing the HCP Terraform user token to the repository secret store. + # + # Required: false + # Default: ${{ github.token }} + + github_secrets_name: + # Name of the secret in the repository secret store where the token will be written. + # + # Required: false + # Default: HCP_TERRAFORM_USER_TOKEN + + hcp_terraform_user_token: + # HCP Terraform user token to be rotated. This token must already exist and be saved as a repository secret before running this action. + # + # Required: true + # Default: "" + + hcp_terraform_user_token_description: + # Description for the HCP Terraform user token. Must be the same for the original and new tokens. + # + # Required: false + # Default: github-token + + hcp_terraform_user_token_expiration: + # Time in days when the HCP Terraform user token will expire. + # + # Required: false + # Default: 30 +``` Resources