aws_codebuild_webhook: Secret not propagated to GHE webhook as in documentation example #4720

Closed
gthole opened this issue May 31, 2018 · 5 comments · Fixed by #4775
Labels: bug, service/codebuild

gthole commented May 31, 2018

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform Version 0.11.7
Terraform AWS Provider Version 1.21

Affected Resource(s)

  • aws_codebuild_webhook

Terraform Configuration Files

resource "aws_codebuild_webhook" "example" {
  name = "${aws_codebuild_project.example.name}"
}

resource "github_repository_webhook" "example" {
  active     = true
  events     = ["push"]
  name       = "example"
  repository = "${github_repository.example.name}"

  configuration {
    url          = "${aws_codebuild_webhook.example.payload_url}"
    secret       = "${aws_codebuild_webhook.example.secret}"
    content_type = "json"
    insecure_ssl = false
  }
}

Debug Output

The following prints on creation. Note that the secret, while "computed" in the aws_codebuild_webhook, is empty in the github_repository_webhook.

aws_codebuild_webhook.example: Creating...
  payload_url:  "" => "<computed>"
  project_name: "" => "example"
  secret:       "" => "<computed>"
  url:          "" => "<computed>"
aws_codebuild_webhook.example: Creation complete after 0s (ID: example)
github_repository_webhook.example: Creating...
  active:                     "" => "true"
  configuration.%:            "" => "4"
  configuration.content_type: "" => "json"
  configuration.insecure_ssl: "" => "0"
  configuration.secret:       "" => ""
  configuration.url:          "" => "REDACTED"
  events.#:                   "" => "1"
  events.1597642340:          "" => "push"
  name:                       "" => "web"
  repository:                 "" => "example"
  url:                        "" => "<computed>"

Expected Behavior

The GitHub Enterprise webhook should be created with the "secret" attribute value from the AWS CodeBuild webhook.

Actual Behavior

The GitHub Enterprise webhook "secret" is an empty string.

Steps to Reproduce

  1. Set up manifests as described above
  2. terraform apply
  3. Check GHE webhook value under /<org>/<repo>/settings/hooks/ and note that no secret is set.

References

The aws_codebuild_webhook resource was quite recently added.
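
A check for the failure shown in the Debug Output above, as an added example that is not part of the original issue or the provider's code: it scans Terraform 0.11 style apply output and reports every github_repository_webhook whose configuration.secret is being set to the empty string. The sample text is constructed, and the function and pattern names are hypothetical.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample in the apply-output format shown in the issue.
const sampleApply = `aws_codebuild_webhook.example: Creating...
  secret:       "" => "<computed>"
github_repository_webhook.example: Creating...
  configuration.secret:       "" => ""
  configuration.url:          "" => "REDACTED"
github_repository_webhook.other: Creating...
  configuration.secret:       "" => "constructed-value"
`

var (
	header = regexp.MustCompile(`^(\S+): (?:Creating|Modifying)\.\.\.`)
	attr   = regexp.MustCompile(`^\s+(\S+):\s+".*" => "(.*)"$`)
)

// emptyWebhookSecrets (hypothetical helper) returns the github_repository_webhook
// resources whose configuration.secret is being set to the empty string.
func emptyWebhookSecrets(out string) []string {
	var hits []string
	current := ""
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := sc.Text()
		if m := header.FindStringSubmatch(line); m != nil {
			current = m[1] // resource address the following attributes belong to
			continue
		}
		m := attr.FindStringSubmatch(line)
		if m != nil && m[1] == "configuration.secret" && m[2] == "" &&
			strings.HasPrefix(current, "github_repository_webhook.") {
			hits = append(hits, current)
		}
	}
	return hits
}

func main() { fmt.Println(emptyWebhookSecrets(sampleApply)) }
```

A non-empty result can be used to fail a pipeline step before a webhook without a secret goes live.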


bflad commented Jun 2, 2018

I was afraid this was the case 😅 I was seeing flakey acceptance testing with the secret value:

https://github.com/terraform-providers/terraform-provider-aws/blob/97bdb2d9d6fef90e3e076e38242c76664306dd12/aws/resource_aws_codebuild_webhook_test.go#L63-L64

Does its value eventually show up after a while or do we need to forcefully trigger secret rotation?

@bflad added the bug and service/codebuild labels Jun 2, 2018

gthole commented Jun 3, 2018

Despite what the documentation says, the secret is never returned from the API after the webhook is initially created unless the "rotate-secret" option is set (AWS Support says this is an intentional decision and the docs are out of date.) The two options, I think, are (A) forcefully rotate the secret each time, or (B) get the secret on resource creation and don't let it be overwritten by state refresh or update. Option (B) would require tainting the webhook resource if someone ever manually rotates the secret, but it might be better than option (A) which would modify the values every single time apply is called.

@bflad added this to the v1.23.0 milestone Jun 12, 2018

bflad commented Jun 12, 2018

The fix for this (setting secret on resource creation only) has been merged and will release with version 1.23.0 of the AWS provider. Hopefully the CodeBuild API is improved to just always return the secret at some point so we can better support this attribute, but until then this implementation seems like the lesser of evils to at least provide working functionality.
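
The trade-off between options (A) and (B) discussed above, modelled as an added example that is not the provider's code: a stand-in API returns the secret only on create or rotate, and three refresh strategies are compared for what ends up in state. All type and function names are hypothetical, and the secret values are constructed.

```go
package main

import "fmt"

// fakeAPI models the thread's description: the secret is returned on create or
// rotate, never on read. Hypothetical names; not the AWS SDK or provider code.
type fakeAPI struct{ n int }

func (a *fakeAPI) held() string { return fmt.Sprintf("constructed-secret-%d", a.n) }
func (a *fakeAPI) Read() string { return "" }
func (a *fakeAPI) Rotate() string { // creation issues a secret the same way
	a.n++
	return a.held()
}

type state struct{ Secret string }

// overwrite copies the read result into state, blanking the stored secret.
func overwrite(a *fakeAPI, s *state) { s.Secret = a.Read() }
// rotateEachTime is option (A): rotate on every refresh to learn the secret.
func rotateEachTime(a *fakeAPI, s *state) { s.Secret = a.Rotate() }
// keepFromCreate is option (B): an empty read never replaces the stored value.
func keepFromCreate(a *fakeAPI, s *state) {
	if v := a.Read(); v != "" {
		s.Secret = v
	}
}

// simulate creates the webhook, refreshes `applies` times, optionally rotates out of
// band; returns the state secret, refreshes that changed it, and state == service.
func simulate(refresh func(*fakeAPI, *state), applies int, manualRotate bool) (string, int, bool) {
	a := &fakeAPI{}
	s := &state{Secret: a.Rotate()}
	changes := 0
	for i := 0; i < applies; i++ {
		prev := s.Secret
		if refresh(a, s); s.Secret != prev {
			changes++
		}
	}
	if manualRotate {
		a.Rotate() // rotation performed outside Terraform
	}
	return s.Secret, changes, s.Secret == a.held()
}

func main() {
	for _, f := range []func(*fakeAPI, *state){overwrite, rotateEachTime, keepFromCreate} {
		fmt.Println(simulate(f, 3, true))
	}
}
```

With a manual rotation, option (B) leaves a stale secret in state, which is the case where the webhook resource has to be tainted.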


bflad commented Jun 14, 2018

This has been released in version 1.23.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.


ghost commented Apr 5, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost locked and limited conversation to collaborators Apr 5, 2020