Comments (13)
A solution for the problem can be found here #63 (comment)
from terraform-aws-atlantis.
This would be ideal. I'm having to move away from using this module solely because I can't inject an SSH key.
from terraform-aws-atlantis.
I understand. PR is welcome if anyone has time.
from terraform-aws-atlantis.
@antonbabenko I'm wondering what would be the best way to implement this?
- Add another input parameter for the private ssh key and save it in a SSM parameter as it is done for tokens currently.
- Generate a key pair within the module, store in SSM and return the public key in output params.
- Use an existing SSM parameter for fetching the private key.
- Something else?
Please, advise.
from terraform-aws-atlantis.
@eupestov that's along the lines of what we did, but we used a custom wrapper Docker image that at startup gets the key from SSM.
@bmihaescu is working on a blog post detailing all this.
from terraform-aws-atlantis.
I think that this module should not be very smart and generate keys or save them in SSM but instead, it should either:
- Control the URL or SSM parameter where secret should be fetched when the container starts and set an environment variable to instruct Git to use SSH key. See comment by Paul (Hi there :))
- Alternatively, which is a more popular solution (according to my knowledge), as @Vlaaaaaaad has mentioned - customize Docker image, get secret at startup from S3 or SSM.
I recommend that we add description of this process in README and include code-snippets there.
Also, it is important to avoid handling of the secret using Terraform to keep it outside of terraform.tfstate.
@psalaberria002 Do you have any ideas about this? Or objections?
from terraform-aws-atlantis.
Thanks! I'll try the method described by @Vlaaaaaaad first as I already use a custom docker image. But I think I will still need to extend the policy granting the fargate task rights to read specific parameters from SSM.
from terraform-aws-atlantis.
@antonbabenko Why do you think it's important to not keep the SSH key in .tfstate file? Other secrets are also kept there. The bigger problem is that you need a custom docker image with SSH config and mechanism of importing SSH key on startup. This would need to get official support from atlantis server. I don't think that this feature should be part of this module. @Vlaaaaaaad @bmihaescu However a blog post would be nice!
from terraform-aws-atlantis.
It is a private key, not public. This is a bit too much to keep in tfstate.
I think if we can get a process (eg, a script) which creates necessary adjustments it would be handy to have it in this repository at least.
from terraform-aws-atlantis.
If it helps, you can reference the work that I did in creating the public Helm chart for Atlantis: https://github.com/helm/charts/tree/master/stable/atlantis
We add trickery to .gitconfig to force HTTPS over SSH and substitute the supplied user token in the URL:
https://github.com/helm/charts/blob/master/stable/atlantis/values.yaml#L41-L52
Unfortunately, I'm not sure to what extent Fargate allows mounting secrets as files. I suppose it could always be done via the CLI at startup.
from terraform-aws-atlantis.
Unfortunately, I'm not sure to what extent Fargate allows mounting secrets as files. I suppose it could always be done via the CLI at startup.
It only supports secrets as environment variables and files (link), but you could use custom workflows to access that environment variable, or you could use a custom container to get the environment variable and save it to a file.
from terraform-aws-atlantis.
One quick fix would be to expose the command
input variable for the container_definition_github_gitlab definition. Then you could add the following run cmd ["sh", "-c", "git config --system url.https://oauth2:[email protected] ssh://[email protected] && atlantis server"]
to the container and it will configure git to use https with token instead of ssh key. You of course need to add the environment variable YOUR_GITLAB_TOKEN also.
from terraform-aws-atlantis.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
from terraform-aws-atlantis.
Related Issues (20)
- Invalid index in module "ecs_service" in v 4.0.1 HOT 3
- security_group_egress_rules uses wrong input HOT 2
- Missing secretsmanager:GetSecretValue policy action HOT 2
- ATLANTIS_ATLANTIS_URL not correctly picked up from atlantis.fqdn HOT 3
- Allow custom ALB Security Group rules HOT 7
- Job details lost after re-deployment HOT 2
- Document that setting ATLANTIS_GH_USER breaks the github app (ATLANTIS_GH_APP_ID / ATLANTIS_GH_APP_KEY) scenario HOT 2
- Atlantis default UID of 100 vs 1000 HOT 2
- Redeploying fargate atlantis task always breaks HOT 6
- atlantis_repo_allowlist format for Atlantis and the github_repository_webhooks HOT 2
- Do we need to call github_organization_webhook instead of github_repository_webhook for * ? HOT 1
- When EFS is Enabled, the Created EFS File System has an empty 'Name' Tag HOT 2
- The ALB Target Group Name is not set to the 'name' Variable HOT 2
- No possibility to pass a created SG for Atlantis ALB to ECS Service if we set var.create_alb = true, and var.alb.create_security_group = false HOT 1
- Just curious how to allow atlantis to comment on Bitbucket PRs using this tf module. HOT 3
- (re-open #384) atlantis_repo_allowlist format for Atlantis and the github_repository_webhooks HOT 4
- "Encountering 'Unsupported attribute' Errors with OIDC Configuration in AWS LB Listener" HOT 1
- Issues with ACM Certificate Validation Timeout and ECS Service Creation Due to Target Group Association HOT 7
- Secret manager version reported changes HOT 3
- Political ware breaks Atlantis module HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from terraform-aws-atlantis.