Check out a free preview of the full Enterprise DevOps & Cloud Infrastructure course

The "GitHub Configuration" Lesson is part of the full, Enterprise DevOps & Cloud Infrastructure course featured in this preview video. Here's what you'd learn in this lesson:

Erik walks through creating an SSH key for a GitHub account. A fine-grained personal access token is also added to GitHub and configured so Terraform can manage repositories. Secrets for GITHUB_TOKEN and GITHUB_OWNER are then added to the Doppler project.


Transcript from the "GitHub Configuration" Lesson

>> The next thing I wanna do is I wanna talk about GitHub really quickly, because this is the next thing that we need to set up. So in GitHub, this is your main GitHub login page panel thing, right? If you haven't already, which I wouldn't be surprised if you already have, the first thing you really do when you get started on GitHub is you add an SSH key, right?

You need to create an SSH key so that you can start pushing code to GitHub and things like that. And so in this case, what we wanna do after we set up Doppler is we wanna make sure that we can push code to GitHub. And so what we're gonna do is we're gonna go to our profile in GitHub, go down to Settings.

Right, and then once you click on Settings, go to SSH and GPG keys. Now, notice I have a lot of SSH keys cuz I use a lot of different systems. But realistically, what you wanna do is you wanna create an SSH key for your computer. I do have a document here that can help us with this, and we can kinda go through it.

So if you wanna generate an SSH key, whether on Mac, Windows, or Linux, it's pretty straightforward. You're just gonna use the ssh-keygen command. Does anyone here not have a key, by the way? You don't have a key? Yeah, it's fine, no worries, no worries.
>> I use GitLab, so this is-

>> Okay, yeah, no worries, no worries. That makes sense. But you have ssh-keygen and all that stuff? Okay, cool, cool, cool, cool, cool. Yeah, so in this case, you'll want to generate your key first. So one note about ed25519 versus RSA, it's not fully supported yet everywhere. Amazon, for example, still uses RSA encryptions and ciphers.

So just be aware of that if you wanna use this key anywhere else that you might wanna actually do the RSA because, as it says, a legacy system that might not support that key yet. With GitHub and everything we're doing, it's totally fine, so it doesn't really matter.

So yeah, you're gonna want to paste this command in, and then you're going to want to run it. And so you can see it generates your key. It might ask you some questions, like where to save the key file. You can save it to the default location. But at the end of the day, you should be able to have that created.

And it might be in Users, like it says, Users/YOU/.ssh and stuff like that. Okay, we don't have to worry about adding an SSH key to our agent cuz we're not gonna do that. I don't need the security key. Okay, well, I guess it doesn't really actually show you how to add it.

So, yeah, here it is, Add a new SSH key, there we go. So after you've created your SSH key, the next thing you wanna do is you wanna copy the public file, right? The public file, not the private file, the .pub file is the key that actually tells GitHub, hey, this is the key I want to let access into my account, right?

This is something every developer should have. Every developer should have an SSH key. They should be able to manage this SSH key. And it's their responsibility to do all of that, essentially. They dox their SSH key, it's on them [LAUGH] but it is something to just be aware of.

Keep it backed up, keep it safe. I've definitely been in circumstances where I've had SSH keys, and then I've accidentally deleted them. I've never been able to use them again. I lost access to servers just because I didn't keep a good copy of it. So just make sure to keep it backed up and safe.

Once you've got the pub file, all you need to do is go back to this page here and then click New SSH key, give it a name, myexamplekey, and then paste in your actual key. Once you do that, make sure the key type is on Authentication, and then click Add SSH key.

And then once you've done that, you should now have an SSH key on GitHub and ready for you to push. The next thing we wanna do is we actually wanna create a token for GitHub as well, right? We have SSH for cloning repositories and things like that. But Terraform actually uses the API, right, to create repositories and all that kinda stuff.

And so in this scenario, what we actually wanna do is we wanna create what's called a fine-grained personal access token. And the way that you do that is you click, where is it? It's on the left-hand side, scroll down, Developer settings, there it is. So if I click on Developer settings > Personal access tokens, you'll see that there's two options here, Fine-grained tokens and Tokens (classic).

You might be used to these tokens here. As a matter of fact, you'll see I have one here. However, I do recommend you using fine-grained tokens going forward. The reason for that is because fine-grained tokens are scoped to specific accounts versus a personal token gives you access to every account that you're connected to, right?

So that's another reason why they went with this approach was because you'll see here, I have fem-eci, which is my little profile picture there. But then I also have a terraform-github, which is this one right here, right? The TLDR is that we wanna generate a new token. So I'm gonna click on Generate new token.

You might have to pass a passkey. Shoot, okay, hang on [LAUGH] security. So once you get to the new fine-grained personal access token section, you can then give it a name. So we'll give it a name. In this case, what we're gonna call it is we're gonna call it fem-eci, github.

Right, we're gonna give it a expiration of 90 days. Now, I recommend, always give tokens expirations. Mostly because when people leave companies, they didn't realize they made it. [LAUGH] And that's when you can get security exploits, people getting into your systems, all that kinda stuff. So I know it sucks, I know it's annoying, just let it fail, it's fine.

You'll know when the token isn't there anymore. And at that point, 90 days from now, it's a problem to solve 90 days from now. [LAUGH] That's probably the easiest way to put it, it's a 90-day later problem. But really, in my mind, I would rather do this than be terrified that a key is gonna get exploited or something like that.

The next thing that we wanna do is we wanna select the resource owner, right? And so you'll see here, I have three resource owners. I have my personal one, Hippo, and then the company that I own, ALT-F4-LLC. For now, we're just gonna use our personal accounts, right? So we're just gonna click on personal.

There's one caveat to this in what we're doing, okay? And that is is that you can't do teams with personal accounts. So the one thing we will not have teams in for this is GitHub, and it's just a pure limitation, unfortunately, of GitHub. If we wanted to have teams, I would have to pay for every single one of your licenses here.

[LAUGH] So we just couldn't do that with this. So if it was a company, you would put teams into your GitHub automation, and then you'd create your teams through that and give access and stuff. Because we're not doing that, we're just gonna do it all on our own personal account.

The next thing we're gonna do is we're gonna click All repositories from the list, just because we wanna give access to everything for now. And then we're gonna go to Repository permissions. So I would not recommend going here and just allow, allow, allow, allow, allow, allow, allow, allow, allow.

That probably isn't a good idea. However, there are a couple of things that we really do need. And the first and most important one is really just administration, right? We wanna be able to let Terraform create repos, manage repos, all that kinda stuff. And you will notice that repository creation and deletion is in here.

So this is a caveat to the new tokens. And I actually didn't even realize that until just now. So if you wanna make sure that you do not delete, you might wanna use the old personal tokens because that's a specific scope. Okay, so that's really the only permission we need in a repository.

Everything else is just other things that we're not really gonna deal with right now. The next thing we wanna do is we wanna go to Account permissions. Wait, no, I'm sorry, we don't need account permissions cuz this isn't a organization. So yeah, it's literally just that one because we just wanna make sure that Terraform can manage all of our repositories and everything for us.

Now, I'm not actually going to click Generate token because it will then show my token on screen for you guys. But if you click that, you will then be able to go to, actually, you know what, screw it, let's just do it. There you go, so there's my token.

And so you can see here, this is it, and now it's gone. But that token is then what you want. Now, what you're gonna do is that you're gonna copy that token and you're gonna go to Doppler, right? Because then what we wanna do is we wanna go to Doppler and we wanna create a new environment variable called GITHUB_TOKEN.

>> Where is that?
>> So this would be in your project in Doppler, I added this. I'm sorry, let me go to a fresh one, sorry. So if I go back to my example-project, right, dev, you'll see that we have nothing, right? So if I click Add First Secret, then I get the ability to add a new name, as well as a value.

And so in this case, we do GITHUB_TOKEN, and then we paste in our token. So yeah, so if you go to Save, here I'll just do 1234567, sure. So if you go to Save, you might notice that Doppler goes, hey, hey, whoa, hold up, hold up, hold up, this secret isn't in any other environments.

Do you want that, right? And what it can say is, well, it can say, hey, if you want me to update all your environments with this secret simultaneously, I can do that for you, right? And so if I click on Production and I hit Save, and then I go back and I go to prod, you'll see my secret's now there.

So it's a nice way if you have secrets that do cross multiple ems or things like that to kinda update it. I don't really use it that often, to be honest. So use it when you need it, I guess. But realistically, you'll just save for the environment that you're working in, yeah.

>> So you'd ideally change, if you could do initial one in dev, and then go into prod and stay and change the-
>> Exactly, yeah, and that's what you would for multiple environments. Yeah, you'd go into prod, and then you'd say, this is 456789, right? And then you'd save that.

And if it says the same thing, you just don't check the other environment, right? Now, the reason for that is because there's another feature that Doppler has that I haven't gone over, and I'm probably not going to cuz it's a little confusing. But they also give you the ability to create configurations for branches, right?

So say you're in dev, but you're testing a specific branch in dev, right? So what I can do is I can create a branch config off of dev called example, right? And then I can tell my environment to use this config. So I can use the already existing ones, but then I can override specific ones that I want for what I'm working with.

Yeah, it's really nice. And again, if you go in here and then you say, the next thing we need to add, which I would recommend doing, is we need to add our GitHub owner, right? This is what we actually wanna tell our automation who owns these repositories. And so in this case, you're just gonna put in your GitHub username, right?

And so now if I hit Save and I hit Development, you'll notice that it says, will smartly update the secrets in all branched configs. So because this is dev and I'm updating the root of dev, it can say, well, hey, I'm gonna update everything else that's under dev for you because you're touching the root config.

So now if I hit Save and then I go back to here, you'll see that not only do I have GITHUB_TOKEN, but I also have GITHUB_OWNER, right? So this is how branches are how you kinda branch off of an environment to make changes, and configs are how you create whole different environments, basically.

Learn Straight from the Experts Who Shape the Modern Web

  • In-depth Courses
  • Industry Leading Experts
  • Learning Paths
  • Live Interactive Workshops
Get Unlimited Access Now