
[Feature Request] Support for Git credentials

Open jimsmith opened this issue 4 years ago • 6 comments

When the Terraform module source is a private Git repository, it prompts for login details:

$ docker run --rm -it -p 9000:9000 -v $(pwd):/src im2nguyen/rover
2021/09/24 10:09:46 Starting Rover...
2021/09/24 10:09:46 Initializing Terraform.
Username for 'https://gitlab.com': 

After entering the username, it just sits there.

main.tf

module "some-module" {
  source              = "git::https://gitlab.com/group/module-name.git//?ref=v1.0.0"
  name                = "blah"
}

jimsmith avatar Sep 24 '21 10:09 jimsmith

@jimsmith Could you run terraform init in the folder before you run Docker? That should create a .terraform/modules folder and a lock file.

Never mind, that won't work because Rover runs this during setup: /usr/local/bin/terraform init -no-color -force-copy -input=false -backend=true -get=true -upgrade=true :(

mhvelplund avatar Sep 26 '21 07:09 mhvelplund

I found a workaround. First I export my credentials as env. vars (not shown). Then I make a mountable version of my local credentials. And finally I run Rover, but notice that I overwrite the baked-in Terraform with my current TF, since I have modules that require a specific version or higher.

cp -a ~/.ssh ~/.ssh2
sudo chown -R 0:0 ~/.ssh2
docker run --rm -it -p 9000:9000 \
  -v ~/.ssh2:/root/.ssh -v $(pwd):/src \
  -v $(which terraform):/usr/local/bin/terraform \
  -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e AWS_ACCESS_KEY_ID \
  --name rover im2nguyen/rover

mhvelplund avatar Sep 26 '21 07:09 mhvelplund

When I mount ro ~/.ssh/ and ~/.gitconfig (which is where git gets the creds from):

 [url "https://oauth2:[email protected]"]
        insteadOf = https://gitlab.com

Using terraform from the container

docker run --rm -it \
-v ~/.ssh:/root/.ssh:ro \
-v ~/.gitconfig:/root/.gitconfig:ro \
-p 9000:9000 \
-v $(pwd):/src \
-e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e AWS_ACCESS_KEY_ID -e AWS_DEFAULT_REGION \
--name rover im2nguyen/rover

This then happens:

2021/09/26 18:15:38 Starting Rover...
2021/09/26 18:15:38 Initializing Terraform...
2021/09/26 18:15:42 Unable to parse Plan: terraform core version not supported by configuration

And when adding the terraform command this happens:

$ docker run --rm -it \
 -v ~/.ssh:/root/.ssh:ro \
 -v ~/.gitconfig:/root/.gitconfig:ro \
 -v $(which terraform):/usr/local/bin/terraform \
 -p 9000:9000 \
 -v $(pwd):/src \
 -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e AWS_ACCESS_KEY_ID -e AWS_DEFAULT_REGION \
 --name rover im2nguyen/rover
2021/09/26 18:18:15 Starting Rover...
2021/09/26 18:18:15 Initializing Terraform...
2021/09/26 18:18:15 Unable to parse Plan: fork/exec /usr/local/bin/terraform: exec format error

Local terraform is from my local workstation (macOS):

which terraform
/usr/local/bin/terraform
terraform --version
Terraform v1.0.5
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v3.60.0

Looks like some kind of incompatibility between using local terraform and what the container is expecting / running?

jimsmith avatar Sep 26 '21 18:09 jimsmith

Right now, the current Docker version has Terraform v1.0.2, which is probably why we're experiencing the terraform core version not supported by configuration error message.


I think the best way to address this issue is to download the rover binary and run everything locally. This should work, since it'll use your Git creds and current Terraform binary. I'll release a Homebrew formula in the next release to make installing and upgrading the binary much easier.

If you need to use the Docker image, I think @jimsmith's comment (mounting ro ~/.ssh/ and ~/.gitconfig into the Docker image) is the best path forward to support Git credentials. Additionally, you can modify the Dockerfile then build the image locally. That way, your local image will have your Git credentials and specified Terraform version built in.

$ docker build . -t rover --no-cache

If you think there's a better approach than what's described above, I'll be more than happy to implement it 😄

im2nguyen avatar Sep 28 '21 09:09 im2nguyen

You can easily pass the ssh-agent to the docker-image, why not just do that?

    volumes:
      # forward our SSH agent socket
      - $SSH_AUTH_SOCK:$SSH_AUTH_SOCK
      - $HOME/.ssh/known_hosts:/root/.ssh/known_hosts
    environment:
      # forward our SSH agent socket name
      SSH_AUTH_SOCK:

This is the agnostic way for this exact issue since docker exists

EugenMayer avatar Jan 13 '22 15:01 EugenMayer

A way to allow terraform init to download your private GitHub Terraform module from the rover Docker image is to run the following locally on your host machine (or CI runner):

git config --global url."https://oauth2:${SECRET_TOKEN}@github.com".insteadOf https://github.com

Then mount your local gitconfig into the rover image:

docker run --rm -it -p 9000:9000 -v $(pwd):/src -v ~/.gitconfig:/etc/gitconfig --env-file ./.env im2nguyen/rover

The example uses GitHub but I guess the same applies to GitLab.

Hope that helps!

Marwen94 avatar Oct 09 '22 11:10 Marwen94
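
Both gitconfig workarounds in this thread (the `~/.gitconfig` mount and the `git config --global url."https://oauth2:...".insteadOf` rewrite) put a plaintext token inside a file that is then mounted into, or built into, a container. As an added example, not part of the thread or the rover project: a pre-flight check that lists such rewrites with the secret redacted before the file leaves the host. The host `gitlab.example` and the token are constructed sample values.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): pre-flight check for a gitconfig that
# is about to be mounted into, or copied into, a container image.

# scan_gitconfig FILE
# Prints every [url "<base>"] rewrite whose http(s) base carries userinfo,
# with the secret replaced by ***. Returns 0 if clean, 1 if any were found,
# 2 if FILE cannot be read.
scan_gitconfig() {
  local file="$1" hits
  [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
  # First expression: user:secret@host. Second: bare token@host.
  hits=$(sed -n -E \
    -e 's#^[[:space:]]*\[[Uu][Rr][Ll][[:space:]]+"(https?://)([^:@/"]*):[^@/"]*@([^"]*)"\].*#\1\2:***@\3#p' \
    -e 's#^[[:space:]]*\[[Uu][Rr][Ll][[:space:]]+"(https?://)[^:@/"]+@([^"]*)"\].*#\1***@\2#p' \
    "$file")
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# Constructed sample: one token-bearing rewrite, one SSH rewrite without a secret.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
[user]
    name = Example User
[url "https://oauth2:EXAMPLE-TOKEN-0000@gitlab.example"]
    insteadOf = https://gitlab.example
[url "ssh://git@gitlab.example/"]
    insteadOf = https://gitlab.example/internal/
EOF

if found=$(scan_gitconfig "$sample"); then
  echo "no embedded credentials found"
else
  echo "embedded credentials found (redacted):"
  echo "$found"
fi
```

A non-zero result means anyone who can read the container filesystem or the image layers can read the token; the SSH agent socket forwarding shown earlier in the thread keeps the key material on the host.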