v7.0.0: Workflow Parameters and Security Enhancements

[rdhar]

Highlights

• Added workflow parameters to customize the entry point of Terraform commands and minimize the need to type out the same arguments repeatedly.
• Dedicated workflow example to demonstrate AWS authentication with temporary/OIDC credentials passed in from the caller workflow.
• Improved handling of environment variables and masking of sensitive values.
• Improved documentation and inline comments to clarify the "why" as well as the "how".
• Amended Terraform output verbosity to account for lengthy plans in the context of GitHub's stack size limitation.

Added

• Parameter outputs of the workflow, including: COMMENT_SHA, PARSED_COMMENT, PROMPT_MATRIX, TF_PLAN_ID, and WORKING_DIRECTORY.
• Parameter input documentation, including: CONFIG_TF_CHDIR_PREFIX, CONFIG_TF_VAR_FILE_PREFIX, CONFIG_TF_VAR_FILE_SUFFIX, CONFIG_TF_WORKSPACE_AS_VAR_FILE, TF_CLI_HOSTNAME, TF_CLI_TOKEN, and TF_CLI_VERSION.
• Example caller_aws.yml to demonstrate passing temporary/OIDC credentials or secrets to the reusable workflow in the context of AWS authentication.
• Inline comments and README.md documentation to better clarify the purpose and intent of the workflow and its parameters to lower the barrier to entry for prospective users/contributors.
• Dynamic setting of -var-file arguments, to take into account CONFIG_TF_VAR_FILE_PREFIX, CONFIG_TF_VAR_FILE_SUFFIX, and CONFIG_TF_WORKSPACE_AS_VAR_FILE configuration variables.

Changed

• Prefix of workflow-related configuration variables from CONFIGURE_TF_ to CONFIG_TF_.
• Rename workflow without "(Multiple AWS)" in the title.
• Increase retry count of "actions/github-script" steps from 0 to 3.
• Filter Terraform output's verbosity in Bash instead of with "actions/github-script". This is to workaround GitHub's stack size limitation of 128 – 16 bytes for passing environment variables, resulting in "Argument list too long" error for lengthy plans. As a result, the output is truncated above the last 131056 characters to capture the final change summary of the Terraform command.

Removed

• Drop id-token: write permission scope by removing "aws-actions/configure-aws-credentials" GitHub Action.

Fixed

• Split the argument on the first equals sign, instead of the last, to assign key-value pairs.
• Populate environment variables only if supplied, instead of always.
• Mask environment variables only if they're not prefixed with CONFIG_TF_, instead of all of them, to avoid masking non-sensitive configuration values of the reusable workflow.

Secured

• Support v7.0.0 onwards.
• Bring required permissions inline with default access (permissive) for GITHUB_TOKEN (per documentation).
• Conceive original method to pass any number of secrets from the caller workflow to the reusable workflow security as masked, encrypted environment variables without requiring external artifacts or secrets store (per documentation): demonstrated with caller_aws.yml.
• Environment variables with the prefix BASE64_ are decoded from Base64 twice to account for security hardening of GitHub Actions. As a result, Base64 values passed from the caller workflow have to be encoded twice with | base64 -w0 | base64 -w0 before output.

Commits changelog: v6.0.0...v7.0.0

---

This discussion was created from the release v7.0.0: Workflow Parameters and Security Enhancements.