change tf secret strategy

2025-07-20 06:45:50 +00:00 · 2024-10-27 14:15:43 +07:00 · 2024-10-27 14:15:43 +07:00 · 9ac676192e
commit 9ac676192e
parent f282b80b55
3 changed files with 10 additions and 5 deletions
--- a/.github/workflows/terraform-ci.yml
+++ b/.github/workflows/terraform-ci.yml
@ -26,12 +26,11 @@ jobs:
        run: terraform init
        env:
          GOOGLE_CREDENTIALS: ${{ secrets.GCP_JSON }}
-      - name: Replace secret
-        run: sed -i "s/POSTGRES_PASSWORD/${{ secrets.POSTGRES_PASSWORD }}/" main.tf
      - name: Dry run Terraform
        run: terraform plan -var-file=variables.tfvars
        env:
          GOOGLE_CREDENTIALS: ${{ secrets.GCP_JSON }}
+          TF_VAR_db_password: ${{ secrets.POSTGRES_PASSWORD }}
          
  terraform-deploy:
    runs-on: ubuntu-latest
@ -56,4 +55,5 @@ jobs:
      - name: Deploy Terraform
        run: terraform apply -var-file=variables.tfvars -auto-approve
        env:
-          GOOGLE_CREDENTIALS: ${{ secrets.GCP_JSON }}
+          GOOGLE_CREDENTIALS: ${{ secrets.GCP_JSON }}
+          TF_VAR_db_password: ${{ secrets.POSTGRES_PASSWORD }}
--- a/terraform/main.tf
+++ b/terraform/main.tf
@ -55,7 +55,7 @@ resource "google_sql_database_instance" "petclinic" {
 resource "google_sql_user" "users" {
  name     = var.app
  instance = google_sql_database_instance.petclinic.name
-  password = POSTGRES_PASSWORD
+  password = var.postgres_password
 }

 resource "google_sql_database" "database" {
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@ -46,4 +46,9 @@ variable "db_version" {
 variable "db_tier" {
    type = string
    description = "Tier of CloudSQL in GCP"
-} 
+}
+
+variable "db_password" {
+    type = string
+    description = "Password for CloudSQL instance in GCP"
+}