Isolate credentials inside container #319

Merged
merged 1 commit into from
Dec 24, 2023
9 changes: 9 additions & 0 deletions .github/workflows/test-http.yaml
Expand Up @@ -117,6 +117,12 @@ jobs:
- name: Checkout
uses: actions/checkout@v3

- name: Create dummy credential file
run: |
mkdir -p ${{ runner.temp }}/_github_home
cp tests/workflows/test-http/http-module/netrc ${{ runner.temp }}/_github_home/.netrc
ls -la ${{ runner.temp }}

- name: Apply
uses: ./terraform-apply
id: output
Expand All @@ -130,6 +136,9 @@ jobs:
echo "::error:: output not set correctly"
exit 1
fi

# Check the credential file is as before
diff tests/workflows/test-http/http-module/netrc ${{ runner.temp }}/_github_home/.netrc

http_no_credentials:
runs-on: ubuntu-latest
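Review bot: The `diff` added in the second hunk confirms the restored `.netrc` has the original bytes, but not that the path is a regular file again rather than a leftover symlink into the action's temporary credentials directory; `diff` follows links, so a stale link pointing at an identical copy would pass and a dangling one would fail only incidentally. Add `[[ ! -L ${{ runner.temp }}/_github_home/.netrc ]]` beside the `diff`, and the same for `.terraformrc` in the test-registry.yaml section. `${{ runner.temp }}` is interpolated unquoted into the shell in both new steps; it is runner-controlled so the risk is low, but quoting it (`"${{ runner.temp }}/_github_home"`) keeps the steps correct for paths with spaces. That `_github_home` is what the container sees as `$HOME` is inferred from the fixture layout, not visible here.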
9 changes: 9 additions & 0 deletions .github/workflows/test-registry.yaml
Expand Up @@ -14,6 +14,12 @@ jobs:
- name: Checkout
uses: actions/checkout@v3

- name: Create dummy credential file
run: |
mkdir -p ${{ runner.temp }}/_github_home
cp tests/workflows/test-registry/terraformrc ${{ runner.temp }}/_github_home/.terraformrc
ls -la ${{ runner.temp }}

- name: Plan
uses: ./terraform-plan
env:
Expand All @@ -37,6 +43,9 @@ jobs:
echo "::error:: output not set correctly"
exit 1
fi

# Check that terraformrc is as before
diff tests/workflows/test-registry/terraformrc ${{ runner.temp }}/_github_home/.terraformrc

multiple_registry_module:
runs-on: ubuntu-latest
69 changes: 46 additions & 23 deletions image/actions.sh
Expand Up @@ -33,23 +33,14 @@ repair_environment
source /usr/local/workflow_commands.sh

function debug() {
debug_cmd ls -la /root
debug_cmd pwd
debug_cmd ls -la
debug_cmd printenv

if [[ -L "$HOME" ]]; then
debug_cmd ls -la "$HOME"
fi

debug_cmd ls -la "$HOME/"
debug_tree "$HOME"
debug_file "$GITHUB_EVENT_PATH"
echo
}

function detect-terraform-version() {
debug_cmd ls -la "/usr/local/bin"
debug_cmd ls -la "$JOB_TMP_DIR/terraform-bin-dir"
TERRAFORM_BIN_CACHE_DIR="/var/terraform:$JOB_TMP_DIR/terraform-bin-dir" TERRAFORM_BIN_CHECKSUM_DIR="/var/terraform" terraform-version
debug_cmd ls -la "$(which terraform)"

Expand Down Expand Up @@ -393,8 +384,6 @@ function set-remote-plan-args() {
cp "$STEP_TMP_DIR/variables.tfvars" "$INPUT_PATH/zzzz-dflook-terraform-github-actions-$AUTO_TFVARS_COUNTER.auto.tfvars"
fi

debug_cmd ls -la "$INPUT_PATH"

export PLAN_ARGS
}

Expand All @@ -408,18 +397,38 @@ function random_string() {
}

function write_credentials() {
format_tf_credentials >>"$HOME/.terraformrc"
chown --reference "$HOME" "$HOME/.terraformrc"
netrc-credential-actions >>"$HOME/.netrc"
chown --reference "$HOME" "$HOME/.netrc"
CREDS_DIR="$STEP_TMP_DIR/credentials"
mkdir -p "$CREDS_DIR"

if [[ -f "$HOME/.terraformrc" ]]; then
debug_log "Backing up $HOME/.terraformrc"
cp "$HOME/.terraformrc" "$CREDS_DIR/.terraformrc"
mv "$HOME/.terraformrc" "$HOME/.dflook-terraformrc-backup"
else
touch "$CREDS_DIR/.terraformrc"
fi
ln -s "$CREDS_DIR/.terraformrc" "$HOME/.terraformrc"

format_tf_credentials >>"$CREDS_DIR/.terraformrc"
chown --reference "$HOME" "$CREDS_DIR/.terraformrc"

if [[ -f "$HOME/.netrc" ]]; then
debug_log "Backing up $HOME/.netrc"
cp "$HOME/.netrc" "$CREDS_DIR/.netrc"
mv "$HOME/.netrc" "$HOME/.dflook-netrc-backup"
else
touch "$CREDS_DIR/.netrc"
fi
ln -s "$CREDS_DIR/.netrc" "$HOME/.netrc"

netrc-credential-actions >>"$CREDS_DIR/.netrc"
chown --reference "$HOME" "$CREDS_DIR/.netrc"

chmod 700 /.ssh
if [[ -v TERRAFORM_SSH_KEY ]]; then
echo "$TERRAFORM_SSH_KEY" >>/.ssh/id_rsa
chmod 600 /.ssh/id_rsa
fi

debug_cmd git config --list
}

function plan() {
Expand Down Expand Up @@ -478,25 +487,39 @@ readonly STEP_TMP_DIR JOB_TMP_DIR WORKSPACE_TMP_DIR
export STEP_TMP_DIR JOB_TMP_DIR WORKSPACE_TMP_DIR

function fix_owners() {
debug_cmd ls -la "$GITHUB_WORKSPACE"
if [[ -d "$GITHUB_WORKSPACE/.dflook-terraform-github-actions" ]]; then
chown -R --reference "$GITHUB_WORKSPACE" "$GITHUB_WORKSPACE/.dflook-terraform-github-actions" || true
debug_cmd ls -la "$GITHUB_WORKSPACE/.dflook-terraform-github-actions"
debug_tree "$GITHUB_WORKSPACE/.dflook-terraform-github-actions"
fi

debug_cmd ls -la "$HOME"
if [[ -d "$HOME/.dflook-terraform-github-actions" ]]; then
chown -R --reference "$HOME" "$HOME/.dflook-terraform-github-actions" || true
debug_cmd ls -la "$HOME/.dflook-terraform-github-actions"
fi
if [[ -d "$HOME/.terraform.d" ]]; then
chown -R --reference "$HOME" "$HOME/.terraform.d" || true
debug_cmd ls -la "$HOME/.terraform.d"
fi

if [[ -d "$INPUT_PATH" ]]; then
debug_cmd find "$INPUT_PATH" -regex '.*/zzzz-dflook-terraform-github-actions-[0-9]+\.auto\.tfvars' -print -delete || true
fi

if [[ -f "$HOME/.terraformrc" ]]; then
rm -f "$HOME/.terraformrc"
fi
if [[ -f "$HOME/.dflook-terraformrc-backup" ]]; then
debug_log "Restoring $HOME/.terraformrc"
mv "$HOME/.dflook-terraformrc-backup" "$HOME/.terraformrc"
fi

if [[ -f "$HOME/.netrc" ]]; then
rm -f "$HOME/.netrc"
fi
if [[ -f "$HOME/.dflook-netrc-backup" ]]; then
debug_log "Restoring $HOME/.netrc"
mv "$HOME/.dflook-netrc-backup" "$HOME/.netrc"
fi

debug_tree "$HOME"
}

trap fix_owners EXIT
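Review bot: The cleanup guards in `fix_owners` (`if [[ -f "$HOME/.terraformrc" ]]` and its `.netrc` twin) test through the symlink, so when there was no backup to restore and the link target under `$STEP_TMP_DIR` is already gone, the dangling link is left in `$HOME` and the next `ln -s` in `write_credentials` fails with "File exists". Since `rm -f` is already safe on a missing path, test for the link itself: `if [[ -L "$HOME/.terraformrc" || -e "$HOME/.terraformrc" ]]; then`, and likewise for `.netrc`. Whether `$STEP_TMP_DIR` outlives the step is not visible in this diff, so the ordering that triggers it is inferred. The combined credential files in `$CREDS_DIR` are created by `touch`/`cp` with umask permissions and the directory by a plain `mkdir -p`; following the `chmod 600` the function already applies to `/.ssh/id_rsa`, `chmod 700 "$CREDS_DIR"` and `chmod 600 "$CREDS_DIR/.terraformrc" "$CREDS_DIR/.netrc"` would keep the merged tokens owner-only. The `set-remote-plan-args` hunk cuts a function whose start is outside the hunk.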
8 changes: 8 additions & 0 deletions image/workflow_commands.sh
Expand Up @@ -50,6 +50,14 @@ function debug_file() {
fi
}

##
# Print a directory tree to the debug log
#
# This will be visible in the workflow log if ACTIONS_STEP_DEBUG workflow secret is set.
function debug_tree () {
tree -ahuF --du "$@" | while IFS= read -r line; do echo "::debug::tree:${line}"; done
}

##
# Set an output value
#
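Review bot: `debug_tree` hands each line of `tree` output to `echo`, which treats a leading `-n`/`-e` as an option and, depending on shell settings, interprets backslash escapes; with `tree -a` the lines carry arbitrary file names, so the loop body should be `printf '%s\n' "::debug::tree:${line}"`. The function also assumes the `tree` binary is present in the image, which this diff does not show; a `command -v tree >/dev/null || return 0` guard at the top keeps a missing tool from surfacing as an error in callers such as `fix_owners`, which runs from the EXIT trap. The `debug_tree ()` spacing differs from the `debug_file()` form used just above it.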
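--- a/tests/workflows/test-http/http-module/netrc
+++ b/tests/workflows/test-http/http-module/netrc
@@ -0,0 +1,3 @@
+machine example.com
+login dflook
+password 123456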
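--- a/tests/workflows/test-registry/terraformrc
+++ b/tests/workflows/test-registry/terraformrc
@@ -0,0 +1,3 @@
+credentials "terraform.example.com" {
+token = "abcdefg"
+}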