Learn
Reference
Examples
Learn
Reference
Examples

Secret

A named credential referenced by Action triggers — a Terraform Cloud API token, a GitHub token, an Atlantis API secret, a webhook HMAC secret. The Secret declaration only names the credential; the value is set out-of-band so it never lands in a blueprint or version control. Values are encrypted at rest. Phase: schema.

Minimal example

kind: Secret
name: tfc-api-token

Fields

FieldTypeRequiredDescription
kind"Secret"yesDiscriminator. Always Secret.
namestringyesUnique secret name within the project. Referenced from triggers as {{ secrets.<name> }}.
descriptionstringnoHuman description of what the credential is for.

Setting the value

The catalog declares the secret; the value is set separately via the CLI (or the SDK / API), so the plaintext never appears in YAML:

terrantula secrets set-value tfc-api-token --value "$TFC_TOKEN"

Reference the secret from any trigger that supports interpolation:

trigger:
  type: terraform-cloud
  organization: my-org
  workspaceName: tenant-onboard
  apiToken: "{{ secrets.tfc-api-token }}"

Annotated example

The two secrets from the multi-stack greenfield demo:

apiVersion: terrantula.io/v1
kind: Secret
metadata:
  name: github-token
spec:
  description: GitHub PAT or App token for committing files, opening PRs, and firing repository_dispatch
---
apiVersion: terrantula.io/v1
kind: Secret
metadata:
  name: github-webhook-secret
spec:
  description: HMAC secret for the GitHub webhook that auto-completes ActionRuns on PR merge

Caveats

WARNING

Never put a secret value in the catalog. Applying a Secret declaration creates the slot; it does not carry a value. Use terrantula secrets set-value.

INFO

Secret values are env-scoped: a value set in one environment is decrypted only for runs in that environment. The same secret name can hold different values per env. See the Configuration Referencefor env model.

NOTE

Secrets are referenced only through interpolation ({{ secrets.<name> }}) inside Action triggers and operations — never logged or returned in plaintext by the API.

Related

ON THIS PAGE