From 31216fa2767ade1bc9fe4141c387ed095c52d407 Mon Sep 17 00:00:00 2001 From: Daniel Flook Date: Wed, 20 Dec 2023 20:53:35 +0000 Subject: [PATCH] Isolate credentials inside container Some credentials are required to be on disk in the home directory. This directory is mounted by the runner, and some self-hosted runners don't clear them between jobs. Instead write them to a directory inside the container and symlink to them, to stop them possibly leaking into another job. Cleans up some unhelpful logs and use tree instead of ls --- .github/workflows/test-http.yaml | 9 +++ .github/workflows/test-registry.yaml | 9 +++ image/actions.sh | 69 ++++++++++++++------- image/workflow_commands.sh | 8 +++ tests/workflows/test-http/http-module/netrc | 3 + tests/workflows/test-registry/terraformrc | 3 + 6 files changed, 78 insertions(+), 23 deletions(-) create mode 100644 tests/workflows/test-http/http-module/netrc create mode 100644 tests/workflows/test-registry/terraformrc diff --git a/.github/workflows/test-http.yaml b/.github/workflows/test-http.yaml index 76305c36..f6a0ecd9 100644 --- a/.github/workflows/test-http.yaml +++ b/.github/workflows/test-http.yaml @@ -117,6 +117,12 @@ jobs: - name: Checkout uses: actions/checkout@v3 + - name: Create dummy credential file + run: | + mkdir -p ${{ runner.temp }}/_github_home + cp tests/workflows/test-http/http-module/netrc ${{ runner.temp }}/_github_home/.netrc + ls -la ${{ runner.temp }} + - name: Apply uses: ./terraform-apply id: output @@ -130,6 +136,9 @@ jobs: echo "::error:: output not set correctly" exit 1 fi + + # Check the credential file is as before + diff tests/workflows/test-http/http-module/netrc ${{ runner.temp }}/_github_home/.netrc http_no_credentials: runs-on: ubuntu-latest diff --git a/.github/workflows/test-registry.yaml b/.github/workflows/test-registry.yaml index cb4b290f..31b6112b 100644 --- a/.github/workflows/test-registry.yaml +++ b/.github/workflows/test-registry.yaml 
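Review bot: The `diff` added at the end of the `@@ -130` hunk only proves the restored `.netrc` has the original content; it would not notice a leftover `$HOME/.dflook-netrc-backup` from the backup/restore that image/actions.sh now does, so the cleanup half of this change is unchecked. Adding `test ! -e ${{ runner.temp }}/_github_home/.dflook-netrc-backup` and `test ! -L ${{ runner.temp }}/_github_home/.netrc` after the diff covers it. The same applies to the terraformrc check in test-registry.yaml (`@@ -37` hunk, `.dflook-terraformrc-backup`). In the `@@ -117` hunk the `${{ runner.temp }}` expansions inside `run:` are unquoted; runner.temp comes from the runner rather than from event data, so this is a style point, but quoting them keeps the steps robust to paths containing spaces.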
@@ -14,6 +14,12 @@ jobs: - name: Checkout uses: actions/checkout@v3 + - name: Create dummy credential file + run: | + mkdir -p ${{ runner.temp }}/_github_home + cp tests/workflows/test-registry/terraformrc ${{ runner.temp }}/_github_home/.terraformrc + ls -la ${{ runner.temp }} + - name: Plan uses: ./terraform-plan env: @@ -37,6 +43,9 @@ jobs: echo "::error:: output not set correctly" exit 1 fi + + # Check that terraformrc is as before + diff tests/workflows/test-registry/terraformrc ${{ runner.temp }}/_github_home/.terraformrc multiple_registry_module: runs-on: ubuntu-latest diff --git a/image/actions.sh b/image/actions.sh index 43651ab9..94c26cbb 100644 --- a/image/actions.sh +++ b/image/actions.sh @@ -33,23 +33,14 @@ repair_environment source /usr/local/workflow_commands.sh function debug() { - debug_cmd ls -la /root debug_cmd pwd - debug_cmd ls -la debug_cmd printenv - - if [[ -L "$HOME" ]]; then - debug_cmd ls -la "$HOME" - fi - - debug_cmd ls -la "$HOME/" + debug_tree "$HOME" debug_file "$GITHUB_EVENT_PATH" echo } function detect-terraform-version() { - debug_cmd ls -la "/usr/local/bin" - debug_cmd ls -la "$JOB_TMP_DIR/terraform-bin-dir" TERRAFORM_BIN_CACHE_DIR="/var/terraform:$JOB_TMP_DIR/terraform-bin-dir" TERRAFORM_BIN_CHECKSUM_DIR="/var/terraform" terraform-version debug_cmd ls -la "$(which terraform)" @@ -393,8 +384,6 @@ function set-remote-plan-args() { cp "$STEP_TMP_DIR/variables.tfvars" "$INPUT_PATH/zzzz-dflook-terraform-github-actions-$AUTO_TFVARS_COUNTER.auto.tfvars" fi - debug_cmd ls -la "$INPUT_PATH" - export PLAN_ARGS } 
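Review bot: `debug_tree "$HOME"` in `debug()` (the `@@ -33` hunk of image/actions.sh) walks the entire mounted home directory with `-a` and no depth limit, whereas the `ls -la` calls it replaces listed one level; on self-hosted runners where that directory persists between jobs it can be large, and every file name under it then lands in the step log whenever step debugging is on. A depth limit keeps the output comparable to what it replaces, e.g. `debug_tree -L 2 "$HOME"` (debug_tree forwards its arguments to tree, so the option is accepted).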
@@ -408,18 +397,38 @@ function random_string() { } function write_credentials() { - format_tf_credentials >>"$HOME/.terraformrc" - chown --reference "$HOME" "$HOME/.terraformrc" - netrc-credential-actions >>"$HOME/.netrc" - chown --reference "$HOME" "$HOME/.netrc" + CREDS_DIR="$STEP_TMP_DIR/credentials" + mkdir -p "$CREDS_DIR" + + if [[ -f "$HOME/.terraformrc" ]]; then + debug_log "Backing up $HOME/.terraformrc" + cp "$HOME/.terraformrc" "$CREDS_DIR/.terraformrc" + mv "$HOME/.terraformrc" "$HOME/.dflook-terraformrc-backup" + else + touch "$CREDS_DIR/.terraformrc" + fi + ln -s "$CREDS_DIR/.terraformrc" "$HOME/.terraformrc" + + format_tf_credentials >>"$CREDS_DIR/.terraformrc" + chown --reference "$HOME" "$CREDS_DIR/.terraformrc" + + if [[ -f "$HOME/.netrc" ]]; then + debug_log "Backing up $HOME/.netrc" + cp "$HOME/.netrc" "$CREDS_DIR/.netrc" + mv "$HOME/.netrc" "$HOME/.dflook-netrc-backup" + else + touch "$CREDS_DIR/.netrc" + fi + ln -s "$CREDS_DIR/.netrc" "$HOME/.netrc" + + netrc-credential-actions >>"$CREDS_DIR/.netrc" + chown --reference "$HOME" "$CREDS_DIR/.netrc" chmod 700 /.ssh if [[ -v TERRAFORM_SSH_KEY ]]; then echo "$TERRAFORM_SSH_KEY" >>/.ssh/id_rsa chmod 600 /.ssh/id_rsa fi - - debug_cmd git config --list } function plan() { 
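Review bot: The `[[ -f "$HOME/.terraformrc" ]]` / `ln -s` pair in write_credentials (and the `.netrc` copy below it) does not cope with a dangling link left by a previous run: if an earlier job was cancelled before the EXIT trap ran, `$HOME/.terraformrc` is still a symlink into a `$STEP_TMP_DIR` that no longer exists, `-f` is false, `touch` succeeds and `ln -s` then fails with "File exists", which on a self-hosted runner breaks every later job until someone removes the link by hand. Creating the link with `ln -sfn "$CREDS_DIR/.terraformrc" "$HOME/.terraformrc"` and `ln -sfn "$CREDS_DIR/.netrc" "$HOME/.netrc"` replaces a stale link in place, and the backup/restore logic then brings back any `.dflook-*-backup` the earlier job left behind. Separately, `cp` without `-p` and `touch` create the credential files with the process umask; since they hold tokens, a `chmod 600` next to each `chown --reference` is cheap.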
@@ -478,25 +487,39 @@ readonly STEP_TMP_DIR JOB_TMP_DIR WORKSPACE_TMP_DIR export STEP_TMP_DIR JOB_TMP_DIR WORKSPACE_TMP_DIR function fix_owners() { - debug_cmd ls -la "$GITHUB_WORKSPACE" if [[ -d "$GITHUB_WORKSPACE/.dflook-terraform-github-actions" ]]; then chown -R --reference "$GITHUB_WORKSPACE" "$GITHUB_WORKSPACE/.dflook-terraform-github-actions" || true - debug_cmd ls -la "$GITHUB_WORKSPACE/.dflook-terraform-github-actions" + debug_tree "$GITHUB_WORKSPACE/.dflook-terraform-github-actions" fi - debug_cmd ls -la "$HOME" if [[ -d "$HOME/.dflook-terraform-github-actions" ]]; then chown -R --reference "$HOME" "$HOME/.dflook-terraform-github-actions" || true - debug_cmd ls -la "$HOME/.dflook-terraform-github-actions" fi if [[ -d "$HOME/.terraform.d" ]]; then chown -R --reference "$HOME" "$HOME/.terraform.d" || true - debug_cmd ls -la "$HOME/.terraform.d" fi if [[ -d "$INPUT_PATH" ]]; then debug_cmd find "$INPUT_PATH" -regex '.*/zzzz-dflook-terraform-github-actions-[0-9]+\.auto\.tfvars' -print -delete || true fi + + if [[ -f "$HOME/.terraformrc" ]]; then + rm -f "$HOME/.terraformrc" + fi + if [[ -f "$HOME/.dflook-terraformrc-backup" ]]; then + debug_log "Restoring $HOME/.terraformrc" + mv "$HOME/.dflook-terraformrc-backup" "$HOME/.terraformrc" + fi + + if [[ -f "$HOME/.netrc" ]]; then + rm -f "$HOME/.netrc" + fi + if [[ -f "$HOME/.dflook-netrc-backup" ]]; then + debug_log "Restoring $HOME/.netrc" + mv "$HOME/.dflook-netrc-backup" "$HOME/.netrc" + fi + + debug_tree "$HOME" } trap fix_owners EXIT diff --git a/image/workflow_commands.sh b/image/workflow_commands.sh index 88b8fcb1..4ac44e9b 100644 --- a/image/workflow_commands.sh +++ b/image/workflow_commands.sh 
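Review bot: `if [[ -f "$HOME/.terraformrc" ]]; then rm -f "$HOME/.terraformrc"` in the new restore block of fix_owners removes whatever regular file is there, not only the symlink write_credentials created. The trap is installed by `trap fix_owners EXIT` (last context line) independently of write_credentials, so an exit before credentials are written — a failing earlier step, or a code path that never calls write_credentials; the callers are outside this hunk — deletes a user's own `.terraformrc` or `.netrc` on a self-hosted runner with no backup to restore. Testing for the link limits the removal to what the action created and also catches a dangling link (which `-f` misses): `if [[ -L "$HOME/.terraformrc" ]]; then` and `if [[ -L "$HOME/.netrc" ]]; then`.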
@@ -50,6 +50,14 @@ function debug_file() { fi } +## +# Print a directory tree to the debug log +# +# This will be visible in the workflow log if ACTIONS_STEP_DEBUG workflow secret is set. +function debug_tree () { + tree -ahuF --du "$@" | while IFS= read -r line; do echo "::debug::tree:${line}"; done +} + ## # Set an output value # diff --git a/tests/workflows/test-http/http-module/netrc b/tests/workflows/test-http/http-module/netrc new file mode 100644 index 00000000..3e85b284 --- /dev/null +++ b/tests/workflows/test-http/http-module/netrc @@ -0,0 +1,3 @@ +machine example.com +login dflook +password 123456 diff --git a/tests/workflows/test-registry/terraformrc b/tests/workflows/test-registry/terraformrc new file mode 100644 index 00000000..cec14761 --- /dev/null +++ b/tests/workflows/test-registry/terraformrc @@ -0,0 +1,3 @@ +credentials "terraform.example.com" { + token = "abcdefg" +}
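Review bot: debug_tree assumes the `tree` binary exists in the image, which this patch does not add (no Dockerfile change is included), so if it is absent the pipeline fails inside `debug()` and, depending on the shell options in effect, may abort the step for the sake of a debug listing; a guard such as `command -v tree >/dev/null || return 0` as the first line keeps a debug helper from failing the action. As a point of style, `echo "::debug::tree:${line}"` passes arbitrary tree output through `echo`, which may interpret backslash sequences on some configurations; `printf '::debug::tree:%s\n' "$line"` emits the line verbatim. Note also that the header comment describes when the output is visible, but the `tree -a` walk itself runs on every invocation regardless of ACTIONS_STEP_DEBUG.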