From f5d3d656bea70bf99c8653a531d8bc8955501b99 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Taveira=20Ara=C3=BAjo?= Date: Wed, 10 Apr 2024 09:40:01 -0700 Subject: [PATCH] feat: synchronize github secrets to secretsmanager It is more convenient to manage secrets in github than to interact with AWS secretsmanager. Unfortunately, doing so naively would make it impossible for an operator to run terraform manually if a complex state operation were to be necessary. As a workaround, we can ensure that secrets with prefix X_ are synchronized to secretsmanager on every workflow run. --- .github/workflows/tf-account.yaml | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/.github/workflows/tf-account.yaml b/.github/workflows/tf-account.yaml index 65cfcee..221a33f 100644 --- a/.github/workflows/tf-account.yaml +++ b/.github/workflows/tf-account.yaml @@ -126,6 +126,20 @@ jobs: role-session-name: ${{ github.sha }} aws-region: ${{ secrets.AWS_REGION }} + - name: Synchronize secrets + env: + SECRETS: ${{ toJSON(secrets) }} + shell: bash + run: | + LOCAL=`echo "$SECRETS" | jq 'with_entries(select(.key | startswith("X_")))'` + REMOTE=`aws secretsmanager get-secret-value --secret-id ${{ github.event.repository.name }} | jq -r .SecretString` + FILTERED=`echo ${REMOTE} | jq 'with_entries(select(.key | startswith("X_") | not))'` + MERGED=`echo ${LOCAL} ${REMOTE} | jq -s add` + if [[ "$MERGED" != "$REMOTE" ]] + then + aws secretsmanager put-secret-value --secret-id ${{ github.event.repository.name }} --secret-string="$MERGED" + fi + - name: Terraform Init id: init run: | @@ -222,4 +236,4 @@ jobs: fi terraform apply "${apply_args[@]}" -auto-approve - \ No newline at end of file +
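Review bot: The new `MERGED=` line merges in the wrong order — `jq -s add` over `[LOCAL, REMOTE]` evaluates `LOCAL + REMOTE`, where the right-hand object wins on key collisions, so an `X_` secret that already exists in Secrets Manager is never updated from GitHub, and `FILTERED` (the remote object with `X_` keys stripped) is computed but never used. The intended merge is evidently `FILTERED + LOCAL`, which also drops `X_` entries that were deleted from GitHub: `FILTERED=$(printf '%s' "$REMOTE" | jq 'with_entries(select(.key | startswith("X_") | not))')` and `MERGED=$(printf '%s\n%s\n' "$FILTERED" "$LOCAL" | jq -s add)`. Quoting the expansions matters here because the unquoted `echo ${LOCAL} ${REMOTE}` word-splits and glob-expands JSON that carries secret values. Separately, `--secret-string="$MERGED"` places the entire secret blob on the process command line, where other processes on a shared or self-hosted runner can read it; feeding it via `--secret-string file://` from a mode-0600 temp file avoids that. The step is complete within the hunk, but the `steps:` list and job it belongs to begin outside it.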