I'm trying to call terraform init from GitHub Actions. I'm using the Google provider which includes the block:
provider "google" {
  credentials = file("cred.json")
  project = var.project
  region = var.region
  zone = var.zone
}
When I run this locally, it's fine because the creds.json (service account key json) is there, but I don't want to have that key checked out as part of the repo in GHA. Instead the json for the key is added as a secret: ${{ env.GCP_CREDENTIALS }}
How do I get Terraform to use that secret in the 'terraform init' command? I tried changing the line to:
provider "google" {
  credentials = ${{ env.GCP_CREDENTIALS }}
  project = var.project
  region = var.region
  zone = var.zone
}
But it just errors out. There must be a simpler way?
The environment variable must point to a file which is the location for a service account JSON key. You could write the contents to an artifact, but that is dangerous. Still, a simple workaround to this would be:
If you want to place your credentials in a Terraform Cloud environment variable:
cat key.json | tr -s '\n' ' '
Alternative:
You can use this GitHub action to log in. Pretty much you have to create a secret with the content of the service account and specify it as input:
- id: 'auth'
  name: 'Authenticate to Google Cloud'
  uses: 'google-github-actions/auth@v0'
  with:
    credentials_json: '${{ secrets.GOOGLE_CREDENTIALS }}'
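
The file-based approach the answer describes, as an added example that is not part of the original thread: a helper for a `run:` step that writes the secret to an owner-only file in the runner's temp directory instead of an artifact and points `GOOGLE_APPLICATION_CREDENTIALS` at it. It assumes the secret is mapped into the step as `GCP_CREDENTIALS` and that the `credentials = file("cred.json")` line is removed from the provider block so the provider falls back to Application Default Credentials; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; stage_gcp_key and cleanup_gcp_key are hypothetical helper names.
# Assumes the step maps the secret in: env: GCP_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS }}

stage_gcp_key() {
  if [ -z "${GCP_CREDENTIALS:-}" ]; then
    echo "GCP_CREDENTIALS is empty; is the secret mapped into this step?" >&2
    return 1
  fi
  # Cheap shape check (not a JSON parse): refuse anything that does not look
  # like a service account key before it touches disk.
  case "$GCP_CREDENTIALS" in
    *'"type"'*'"service_account"'*) ;;
    *) echo "GCP_CREDENTIALS is not a service account key" >&2; return 1 ;;
  esac
  # RUNNER_TEMP is the per-job temp directory on GitHub runners; it sits
  # outside the checkout, so the key cannot be committed with the workspace.
  _key_dir="${RUNNER_TEMP:-${TMPDIR:-/tmp}}"
  # umask 077 keeps the file readable by the job user only (mode 0600).
  _key_file="$(umask 077 && mktemp "$_key_dir/gcp-key.XXXXXX")" || return 1
  printf '%s' "$GCP_CREDENTIALS" > "$_key_file"
  GOOGLE_APPLICATION_CREDENTIALS="$_key_file"
  export GOOGLE_APPLICATION_CREDENTIALS
  # Make the path visible to later steps (terraform init/plan/apply).
  if [ -n "${GITHUB_ENV:-}" ]; then
    echo "GOOGLE_APPLICATION_CREDENTIALS=$_key_file" >> "$GITHUB_ENV"
  fi
}

cleanup_gcp_key() {
  # Run in a final `if: always()` step so the key does not outlive the job.
  if [ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ]; then
    rm -f "$GOOGLE_APPLICATION_CREDENTIALS"
  fi
  unset GOOGLE_APPLICATION_CREDENTIALS
}

# Usage inside a step:  stage_gcp_key && terraform init
```

Never `cat` or `echo` the staged file in a step: GitHub masks the secret as a whole string, so a reformatted or partial copy of the key can appear unmasked in the job log.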