Isolate the container home dir from the mounted github_home #317

Closed
wants to merge 7 commits into from
Closed
11 changes: 11 additions & 0 deletions .github/workflows/test-http.yaml
Expand Up @@ -117,6 +117,14 @@ jobs:
- name: Checkout
uses: actions/checkout@v3

- name: Create dummy credential file
run:
ls -la ${{ runner.temp }}
mkdir -p ${{ runner.temp }}/_github_home
ls -la ${{ runner.temp }}
cp tests/workflows/test-http/http-module/netrc ${{ runner.temp }}/_github_home/.netrc
ls -la ${{ runner.temp }}

- name: Apply
uses: ./terraform-apply
id: output
Expand All @@ -130,6 +138,9 @@ jobs:
echo "::error:: output not set correctly"
exit 1
fi

# Check the credential file is as before
diff tests/workflows/test-http/http-module/netrc ${{ runner.temp }}/_github_home/.netrc

http_no_credentials:
runs-on: ubuntu-latest
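Review bot: The `run:` key of the new "Create dummy credential file" step carries no block-scalar indicator, so unless a `|` was lost in rendering, YAML folds the five indented lines into one plain scalar and the step executes a single `ls -la` with `mkdir`, `cp` and the remaining words as its arguments; the `.netrc` fixture is never written and the step fails before the `diff` check is reached. It should read `run: |` so that each line runs as its own command. The same applies to the matching step in `.github/workflows/test-registry.yaml`. The three `ls -la ${{ runner.temp }}` lines look like leftover debugging and could be dropped before merging.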
11 changes: 11 additions & 0 deletions .github/workflows/test-registry.yaml
Expand Up @@ -14,6 +14,14 @@ jobs:
- name: Checkout
uses: actions/checkout@v3

- name: Create dummy credential file
run:
ls -la ${{ runner.temp }}
mkdir -p ${{ runner.temp }}/_github_home
ls -la ${{ runner.temp }}
cp tests/workflows/test-registry/terraformrc ${{ runner.temp }}/_github_home/.terraformrc
ls -la ${{ runner.temp }}

- name: Plan
uses: ./terraform-plan
env:
Expand All @@ -37,6 +45,9 @@ jobs:
echo "::error:: output not set correctly"
exit 1
fi

# Check that terraformrc is as before
diff tests/workflows/test-registry/terraformrc ${{ runner.temp }}/_github_home/.terraformrc

multiple_registry_module:
runs-on: ubuntu-latest
66 changes: 43 additions & 23 deletions image/actions.sh
Expand Up @@ -33,23 +33,14 @@ repair_environment
source /usr/local/workflow_commands.sh

function debug() {
debug_cmd ls -la /root
debug_cmd pwd
debug_cmd ls -la
debug_cmd printenv

if [[ -L "$HOME" ]]; then
debug_cmd ls -la "$HOME"
fi

debug_cmd ls -la "$HOME/"
debug_tree "$HOME"
debug_file "$GITHUB_EVENT_PATH"
echo
}

function detect-terraform-version() {
debug_cmd ls -la "/usr/local/bin"
debug_cmd ls -la "$JOB_TMP_DIR/terraform-bin-dir"
TERRAFORM_BIN_CACHE_DIR="/var/terraform:$JOB_TMP_DIR/terraform-bin-dir" TERRAFORM_BIN_CHECKSUM_DIR="/var/terraform" terraform-version
debug_cmd ls -la "$(which terraform)"

Expand Down Expand Up @@ -393,8 +384,6 @@ function set-remote-plan-args() {
cp "$STEP_TMP_DIR/variables.tfvars" "$INPUT_PATH/zzzz-dflook-terraform-github-actions-$AUTO_TFVARS_COUNTER.auto.tfvars"
fi

debug_cmd ls -la "$INPUT_PATH"

export PLAN_ARGS
}

Expand All @@ -408,18 +397,36 @@ function random_string() {
}

function write_credentials() {
format_tf_credentials >>"$HOME/.terraformrc"
chown --reference "$HOME" "$HOME/.terraformrc"
netrc-credential-actions >>"$HOME/.netrc"
chown --reference "$HOME" "$HOME/.netrc"
CREDS_DIR="$STEP_TMP_DIR/credentials"
mkdir -p "$CREDS_DIR"

if [[ -f "$HOME/.terraformrc" ]]; then
cp "$HOME/.terraformrc" "$CREDS_DIR/.terraformrc"
mv "$HOME/.terraformrc" "$HOME/.dflook-terraformrc-backup"
else
touch "$CREDS_DIR/.terraformrc"
fi
ln -s "$CREDS_DIR/.terraformrc" "$HOME/.terraformrc"

format_tf_credentials >>"$CREDS_DIR/.terraformrc"
chown --reference "$HOME" "$CREDS_DIR/.terraformrc"

if [[ -f "$HOME/.netrc" ]]; then
cp "$HOME/.netrc" "$CREDS_DIR/.netrc"
mv "$HOME/.netrc" "$HOME/.dflook-netrc-backup"
else
touch "$CREDS_DIR/.netrc"
fi
ln -s "$CREDS_DIR/.netrc" "$HOME/.netrc"

netrc-credential-actions >>"$CREDS_DIR/.netrc"
chown --reference "$HOME" "$CREDS_DIR/.netrc"

chmod 700 /.ssh
if [[ -v TERRAFORM_SSH_KEY ]]; then
echo "$TERRAFORM_SSH_KEY" >>/.ssh/id_rsa
chmod 600 /.ssh/id_rsa
fi

debug_cmd git config --list
}

function plan() {
Expand Down Expand Up @@ -478,25 +485,38 @@ readonly STEP_TMP_DIR JOB_TMP_DIR WORKSPACE_TMP_DIR
export STEP_TMP_DIR JOB_TMP_DIR WORKSPACE_TMP_DIR

function fix_owners() {
debug_cmd ls -la "$GITHUB_WORKSPACE"
if [[ -d "$GITHUB_WORKSPACE/.dflook-terraform-github-actions" ]]; then
chown -R --reference "$GITHUB_WORKSPACE" "$GITHUB_WORKSPACE/.dflook-terraform-github-actions" || true
debug_cmd ls -la "$GITHUB_WORKSPACE/.dflook-terraform-github-actions"
debug_tree "$GITHUB_WORKSPACE/.dflook-terraform-github-actions"
fi

debug_cmd ls -la "$HOME"
if [[ -d "$HOME/.dflook-terraform-github-actions" ]]; then
chown -R --reference "$HOME" "$HOME/.dflook-terraform-github-actions" || true
debug_cmd ls -la "$HOME/.dflook-terraform-github-actions"
fi
if [[ -d "$HOME/.terraform.d" ]]; then
chown -R --reference "$HOME" "$HOME/.terraform.d" || true
debug_cmd ls -la "$HOME/.terraform.d"
fi
debug_tree "$HOME"

if [[ -d "$INPUT_PATH" ]]; then
debug_cmd find "$INPUT_PATH" -regex '.*/zzzz-dflook-terraform-github-actions-[0-9]+\.auto\.tfvars' -print -delete || true
fi

if [[ -f "$HOME/.terraformrc" ]]; then
rm -f "$HOME/.terraformrc"
fi
if [[ -f "$HOME/.dflook-terraformrc-backup" ]]; then
mv "$HOME/.dflook-terraformrc-backup" "$HOME/.terraformrc"
fi

if [[ -f "$HOME/.netrc" ]]; then
rm -f "$HOME/.netrc"
fi
if [[ -f "$HOME/.dflook-netrc-backup" ]]; then
mv "$HOME/.dflook-netrc-backup" "$HOME/.netrc"
fi

debug_tree "$HOME"
}

trap fix_owners EXIT
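Review bot: The cleanup in fix_owners deletes `$HOME/.terraformrc` and `$HOME/.netrc` whenever `[[ -f ]]` holds, but that test is equally true for a regular file the user mounted into github_home, and because `trap fix_owners EXIT` is installed unconditionally, any exit that occurs before write_credentials has swapped those files for symlinks removes the user's own credential files with no backup left to restore. Testing for the symlink this script itself creates, `if [[ -L "$HOME/.terraformrc" ]]; then` and `if [[ -L "$HOME/.netrc" ]]; then`, removes only what write_credentials installed (`-L` also matches a dangling link, which `-f` does not). Relatedly, the two `ln -s` calls in write_credentials fail with "File exists" if a stale symlink survived an earlier run that was killed before the trap fired, so `ln -sfn` would be more robust there. The files in `$CREDS_DIR` are created by `touch`/`cp` under the process umask and then have credentials appended, so a `chmod 600` on `$CREDS_DIR/.terraformrc` and `$CREDS_DIR/.netrc` (or `install -m 600`) would keep them from being readable by other users inside the container, matching what is already done for `/.ssh/id_rsa`.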
8 changes: 8 additions & 0 deletions image/workflow_commands.sh
Expand Up @@ -50,6 +50,14 @@ function debug_file() {
fi
}

##
# Print a directory tree to the debug log
#
# This will be visible in the workflow log if ACTIONS_STEP_DEBUG workflow secret is set.
function debug_tree () {
tree -ahuF --du "$@" | while IFS= read -r line; do echo "::debug::tree:${line}"; done
}

##
# Set an output value
#
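Review bot: debug_tree pipes `tree` into the `while read` loop without checking that the binary exists; no Dockerfile change is visible in this PR, and if the image lacks `tree` the pipeline fails with status 127, which under `set -o pipefail` (if the sourcing script sets it) would abort the `debug` function that calls it rather than just losing debug output. A guard such as `command -v tree >/dev/null 2>&1 || return 0` at the top of the function keeps the helper best-effort like the other debug_* helpers appear to be. The header comment could also state what is printed, since the function is run on `$HOME`, e.g. `# Lists every entry including dotfiles, with owner and size (tree -ahuF --du), for each path given.` As a point of style, `function debug_tree ()` has a space before the parentheses where the neighbouring `debug_file()` does not.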
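--- a/tests/workflows/test-http/http-module/netrc
+++ b/tests/workflows/test-http/http-module/netrc
@@ -0,0 +1,3 @@
+machine example.com
+login dflook
+password 123456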
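--- a/tests/workflows/test-registry/terraformrc
+++ b/tests/workflows/test-registry/terraformrc
@@ -0,0 +1,3 @@
+credentials "terraform.example.com" {
+token = "abcdefg"
+}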