
Support GitHub environment secrets in terraform-to-secrets #111

Merged
merged 2 commits into from
Jan 17, 2025

Conversation

dav3r
Member

@dav3r dav3r commented Jan 13, 2025

🗣 Description

This PR updates the terraform-to-secrets script to include a new option for specifying the GitHub environment to store the secret(s) in. Previously, this script was only able to upload repository secrets.

💭 Motivation and context

As part of our work to properly segment COOL IAM user accounts into their own environments (e.g. Production, Staging, etc.) we plan to take advantage of GitHub Environments to store environment-specific details such as build user roles and third-party bucket names. In order to do this, it will be extremely useful for terraform-to-secrets to be able to store GitHub environment secrets.

🧪 Testing

I tested this by running the modified version of the script in a repo where I created a staging-a environment (see here if you have access). The script was able to successfully store secrets in that staging-a environment.

For regression testing, I confirmed that running the updated script without providing a GitHub environment name worked the same way that it has worked in the past - repository secrets were created, not environment secrets.

I also tested to ensure that error handling works if a non-existent environment name is provided to the script:

❱ terraform-to-secrets --env foobar
2025-01-13 14:50:37,147 INFO Using GitHub repository name: cisagov/skeleton-packer
2025-01-13 14:50:42,911 INFO GitHub token retrieved from keyring.
2025-01-13 14:50:42,911 INFO Reading state from Terraform command.
2025-01-13 14:50:44,188 INFO Searching Terraform state for IAM credentials.
2025-01-13 14:50:44,188 INFO Found credentials for user: build-skeleton-packer
2025-01-13 14:50:44,188 INFO Searching Terraform state for tagged resources.
2025-01-13 14:50:44,188 INFO Found secret: BUILD_ROLE_TO_ASSUME
2025-01-13 14:50:44,188 INFO Found secret: THIRD_PARTY_BUCKET
2025-01-13 14:50:44,188 INFO Creating GitHub API session using personal access token.
2025-01-13 14:50:44,189 INFO Checking if environment foobar exists
2025-01-13 14:50:44,294 CRITICAL Environment foobar not found in cisagov/skeleton-packer.
Traceback (most recent call last):
  File "/Users/dav3r/.pyenv/versions/development-guide/bin/terraform-to-secrets", line 7, in <module>
    exec(compile(f.read(), __file__, 'exec'))
  File "/Users/dav3r/code/cisagov/development-guide/project_setup/scripts/terraform-to-secrets", line 489, in <module>
    sys.exit(main())
             ^^^^^^
  File "/Users/dav3r/code/cisagov/development-guide/project_setup/scripts/terraform-to-secrets", line 481, in main
    create_all_secrets(all_secrets, github_env, github_token, repo_name, dry_run)
  File "/Users/dav3r/code/cisagov/development-guide/project_setup/scripts/terraform-to-secrets", line 360, in create_all_secrets
    raise Exception(f"Environment {github_env} not found in {repo_name}.")
Exception: Environment foobar not found in cisagov/skeleton-packer.

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All new and existing tests pass.
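As an added example (not the PR's code), this shows the behaviour the testing section exercises: secrets are routed to an environment when one is named (otherwise to the repository), and a missing environment is detected up front so nothing is uploaded. The REST paths are GitHub's; FakeSession, KEY_ID and the secret values are constructed stand-ins.

```python
"""Added example, not the terraform-to-secrets code: route secrets to a GitHub environment
when one is named (else the repository) and fail closed before any upload if that environment
does not exist. REST paths are GitHub's; FakeSession, KEY_ID and the values are constructed stand-ins."""
from __future__ import annotations
from dataclasses import dataclass, field
from types import SimpleNamespace

API = "https://api.github.com"
KEY_ID = "PLACEHOLDER_KEY_ID"  # real code fetches the repo/environment public key id first


class EnvironmentNotFound(Exception):
    """Raised before any secret is written to a misnamed environment."""


def check_environment(session, repo_name: str, github_env: str) -> None:
    """GET the environment; GitHub answers 404 when it does not exist."""
    resp = session.get(f"{API}/repos/{repo_name}/environments/{github_env}")
    if resp.status_code == 404:
        raise EnvironmentNotFound(f"Environment {github_env} not found in {repo_name}.")


def create_all_secrets(secrets: dict[str, str], github_env: str | None, session,
                       repo_name: str, dry_run: bool = False) -> list[str]:
    """Check the environment once up front, then PUT each secret; returns the URLs used."""
    if github_env:
        check_environment(session, repo_name, github_env)
        base = f"{API}/repos/{repo_name}/environments/{github_env}/secrets"
    else:
        base = f"{API}/repos/{repo_name}/actions/secrets"
    urls = [f"{base}/{name}" for name in secrets]
    if not dry_run:
        for name, url in zip(secrets, urls):
            session.put(url, json={"encrypted_value": secrets[name], "key_id": KEY_ID})
    return urls


@dataclass
class FakeSession:
    """Constructed stand-in: knows which environments exist and records every PUT."""
    environments: set[str]
    puts: list[str] = field(default_factory=list)

    def get(self, url: str) -> SimpleNamespace:
        env = url.rsplit("/environments/", 1)[-1]
        return SimpleNamespace(status_code=200 if env in self.environments else 404)

    def put(self, url: str, json: dict) -> SimpleNamespace:
        self.puts.append(url)
        return SimpleNamespace(status_code=201)
```

The `encrypted_value` must be sealed with the public key of the target scope (repository or environment) before the PUT; that step is left out here.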

@dav3r dav3r added the improvement This issue or pull request will add or improve functionality, maintainability, or ease of use label Jan 13, 2025
@dav3r dav3r self-assigned this Jan 13, 2025
project_setup/scripts/terraform-to-secrets (outdated review thread)
Co-authored-by: Shane Frasier <[email protected]>
Member

@felddy felddy left a comment


I feel like I was transported back to Summer of 2019. The future is bright!

Strong work. Looks good. 💪 👀

@dav3r dav3r merged commit 10e7067 into develop Jan 17, 2025
4 checks passed
@dav3r dav3r deleted the improvement/support-gh-env-secrets branch January 17, 2025 19:30