packer-plugin-sshkey icon indicating copy to clipboard operation
packer-plugin-sshkey copied to clipboard

Published 20 hours ago verified publisher icon ivoronin

`packer validate` failures when using the data "sshkey" source

Open puetzk opened this issue 3 years ago • 4 comments

When given input like sshkey.pkr.hcl

packer {
  required_plugins {
    sshkey = {
      version = ">= 0.1.0"
      source = "github.com/ivoronin/sshkey"
    }
  }
}

data "sshkey" "packer" {}

source "null" "test" {
#  cd_content = {
#    meta-data = "instance-id: \"${uuidv4()}\""
#    user-data = <<-EOF
#      #cloud-config
#      ssh_authorized_keys:
#        - ${data.sshkey.packer.public_key}
#      EOF
#  }
#  cd_label             = "cidata"
  communicator         = "ssh"
  ssh_host             = "localhost"
  ssh_private_key_file = data.sshkey.packer.private_key_path
  ssh_username         = "root"
}

build {
  sources = ["source.null.test"]
}

packer validate sshkey.pkr.hcl fails with

Error: 1 error(s) occurred:

  • ssh_private_key_file is invalid: CreateFile : The filename, directory name, or volume label syntax is incorrect.

    on sshkey.pkr.hcl line 12: (source code not available)

(the same is true for real builders, but this minimal example shows the issue)

puetzk avatar Sep 28 '21 15:09 puetzk

Unfortunately, that's Packer's limitation - it doesn't execute datasources in validation mode:

https://github.com/hashicorp/packer/blob/29d751a17c9677e91b18e98412f379f780023370/command/validate.go#L59-L61

Therefore data.sshkey.packer.private_key_path is undefined during validate run. Would running packer validate -syntax-only . serve as a workaround?

ivoronin avatar Sep 28 '21 18:09 ivoronin

I suppose it could, though it's obviously lets more things slip through.

It looks like when it skips executing, in places specific cty.UnknownVal placeholders. I wonder if one could build on that to realize that these are values that (presumably) will be supplied by the datasource in a real run (maybe using https://github.com/zclconf/go-cty/blob/main/docs/marks.md), and then ignore only those fields during validation, and ignore validation of fields that come out incompletely-defined because they have a datasource-provided thing in them.

https://github.com/hashicorp/packer/blob/a534c743cf21e9cd6bcb97367254f99767a24582/hcl2template/types.packer_config.go#L299-L301

But that would indeed be an issue for packer, not your plugin.

puetzk avatar Sep 29 '21 00:09 puetzk

FYI, there is a dev's reply regarding this behavior in a similar issue: https://github.com/hashicorp/packer/issues/11197#issuecomment-903578817 I'll leave this issue open and wait for updates from the Packer team.

ivoronin avatar Sep 29 '21 21:09 ivoronin

Another possible workaround is to exclude all builds and perform a dry run:

$ packer build -only=non-existant openbsd.pkr.hcl
Warning: an 'only' option was passed, but not all matches were found for the given build.
Possible build names: [qemu.base.img qemu.full.img].
These could also be matched with a glob pattern like: 'happycloud.*'
==> Wait completed after 2 microseconds
==> Builds finished but no artifacts were created.

ivoronin avatar Mar 07 '22 18:03 ivoronin

https://github.com/hashicorp/packer/pull/12106

ivoronin avatar Nov 18 '22 14:11 ivoronin

As mentioned in https://github.com/hashicorp/packer/pull/12106 packer 1.8.5 now has a -evaluate-datasources parameter which solves this issue.

Thanks @ivoronin for the link ! it helped me find the solution

danaelg avatar Jan 22 '23 10:01 danaelg