Category: Security & Compliance · Complexity: Medium

GitHub Terraform Provider: App Authentication Migration

✦ Sample Prompt
Migrate every `provider "github"` block from personal access token authentication
to GitHub App authentication.

For each Terraform repository:
1. Find every `provider "github"` block (typically in `providers.tf` or `main.tf`).
2. Remove the `token = var.github_token` (or hardcoded equivalent) argument.
3. Add an `app_auth` block:
     app_auth {
       id              = var.github_app_id
       installation_id = var.github_app_installation_id
       pem_file        = var.github_app_pem_file
     }
4. Keep the `owner` argument only if the App is installed across multiple orgs;
   otherwise remove it (the App scopes naturally to its installation).
5. Add the three new variable declarations to `variables.tf`:
   - `github_app_id` (string)
   - `github_app_installation_id` (string)
   - `github_app_pem_file` (string, sensitive)
6. Leave the old `github_token` variable in place but mark it deprecated with a
   comment so downstream callers can clean it up next.
7. Do not commit values for the new variables; they come from the secret backend.

In the PR body, list the GitHub App permissions required (Administration:write,
Contents:write, Pull requests:write, Metadata:read, plus any repo-specific needs).

The Problem

Most orgs bootstrap their GitHub Terraform setup with a personal access token from whoever set it up. That PAT then becomes load-bearing: if the person leaves, every plan and apply breaks. PATs also have no fine-grained permission model: the token has the user's full GitHub access.

The GitHub provider has supported App authentication for years. Migrating means swapping the `token` argument for an `app_auth` block, provisioning a GitHub App with the right permissions, and storing the App private key in your secret store.

What Tidra Does

  1. Finds every provider "github" block across Terraform repos
  2. Swaps the token argument for an app_auth block referencing variables for id, installation_id, and pem_file
  3. Removes any owner overrides that conflict with App-level scoping
  4. Adds the required variable declarations to variables.tf
  5. Opens one PR per repo and documents the required GitHub App scopes in the PR body
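Steps 2 through 6 of the sample prompt, applied to `providers.tf` and `variables.tf` text, as an added example in Python. This is illustrative code written for this page, not Tidra's implementation; it assumes terraform-fmt'd input and uses a constructed sample providers.tf and variables.tf rather than files from any real repo.

```python
import re

# Constructed sample inputs (not from the page): a PAT-authenticated providers.tf and its variables.tf.
SAMPLE_PROVIDERS_TF = 'provider "github" {\n  token = var.github_token\n  owner = "example-org"\n}\n'
SAMPLE_VARIABLES_TF = 'variable "github_token" {\n  type      = string\n  sensitive = true\n}\n'

APP_AUTH_BLOCK = """  app_auth {
    id              = var.github_app_id
    installation_id = var.github_app_installation_id
    pem_file        = var.github_app_pem_file
  }"""

def _var(name: str, secret: bool) -> str:
    """Step 5: one variable declaration; only the private key is marked sensitive."""
    body = "  type      = string\n  sensitive = true" if secret else "  type = string"
    return f'\nvariable "{name}" {{\n{body}\n}}\n'

NEW_VARIABLES = "".join(_var(n, s) for n, s in (
    ("github_app_id", False), ("github_app_installation_id", False), ("github_app_pem_file", True)))

# Assumes terraform-fmt'd input (closing brace at column 0), so an indented nested `  }` cannot end the match early.
PROVIDER_RE = re.compile(r'provider\s+"github"\s*\{(?P<body>.*?)\n\}', re.DOTALL)

def migrate_provider_body(body: str, multi_org: bool) -> str:
    """Steps 2-4: drop token (variable or literal), drop owner unless multi-org, add app_auth."""
    kept = []
    for line in body.splitlines():
        key = line.split("=", 1)[0].strip()
        if not line.strip() or key == "token":
            continue
        if key == "owner" and not multi_org:  # the App already scopes to its installation
            continue
        kept.append(line)
    if "app_auth" not in body:  # idempotent: re-running on a migrated file adds nothing
        kept.append(APP_AUTH_BLOCK)
    return "\n".join(kept)

def migrate_providers_tf(hcl: str, multi_org: bool = False) -> str:
    return PROVIDER_RE.sub(
        lambda m: 'provider "github" {\n' + migrate_provider_body(m["body"], multi_org) + "\n}", hcl)

def migrate_variables_tf(hcl: str) -> str:
    """Steps 5-6: declare the App variables once; keep github_token but flag it deprecated."""
    marker = "# DEPRECATED: superseded by the github_app_* variables; remove once callers stop passing it\n"
    if marker not in hcl:
        hcl = hcl.replace('variable "github_token"', marker + 'variable "github_token"', 1)
    if 'variable "github_app_id"' not in hcl:
        hcl += NEW_VARIABLES
    return hcl
```

Run `migrate_providers_tf(SAMPLE_PROVIDERS_TF)` and `migrate_variables_tf(SAMPLE_VARIABLES_TF)` to see the rewritten files; a final `grep 'token ='` over the repo is the cheap check that no PAT wiring survived.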

Before & After

providers.tf (diff):
@@ -1,5 +1,10 @@
provider "github" {
- token = var.github_token
owner = "example-org"
+ app_auth {
+ id = var.github_app_id
+ installation_id = var.github_app_installation_id
+ pem_file = var.github_app_pem_file
+ }
}
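Review bot: the hunk leaves `owner = "example-org"` in place, but step 4 of the sample prompt and item 3 of "What Tidra Does" say `owner` should be removed unless the App is installed across multiple orgs; either drop that line in this hunk or state in the PR body that this is a multi-org installation and the override is intentional. The hunk header `@@ -1,5 +1,10 @@` also does not match the lines shown (4 old, 8 new), so the counts should be regenerated before this is applied.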

Customization Tips

  • App provisioning: Tidra updates Terraform code but does not provision the GitHub App itself; do that first or in parallel.
  • Per-org Apps: If you have multiple GitHub orgs, supply a mapping of org → App so each repo gets the right credentials.
  • Variable wiring: Tidra adds variable declarations but leaves the values to your secret backend (Vault, Doppler, TF Cloud variables).

Ready to run this across your repos?

Connect your Git provider and Tidra opens pull requests in every repo that needs them.