Not using IAM Role from within CodeBuild build to fetch S3 remote state

[Imran M Yousuf]

Hi guys. 

I am trying to run terraform plan and terraform apply from within AWS CodeBuild. And I am trying to use IAM Role for achieving it. Just before doing terraform plan we are running docker push to ECR and that is working successfully. Here is the relevant log output - http://pastebin.com/R3w9C0Bs

Here is how we defined the provider -

provider "aws" {

access_key = "${var.aws_access_key}"

secret_key = "${var.aws_secret_key}"

region = "${var.aws_region}"

}

In the build environment var.aws_access_key and var.aws_secret_key is set to "" (blank) string.

The IAM Role setting has the following preset policies -

AmazonEC2FullAccess
AWSCodeCommitFullAccess
AmazonEC2ContainerRegistryFullAccess
AmazonS3FullAccess
CloudWatchFullAccess
AWSCodeDeployRole
AmazonEC2ContainerServiceFullAccess
CloudWatchEventsFullAccess

Is it a terraform bug or am I missing something?

Thank you,

_

Imran M Yousuf

[Andrew Langhorn]

Are the access and secret keys definitely set when you run Terraform? Do you, for instance, run your ECR push in a previous stage of your pipeline, and that runs in a different build environment?

[Imran M Yousuf]

Hi Andrew,

From gitter convo discovered this issue -

https://github.com/hashicorp/terraform/issues/8746

Most likely related to it. I will try to submit a PR upgrading the aws-sdk-go lib and try out again.

To answer your question on the build step and env, its a shell script running from within CodeBuild -

docker-helper build

docker-helper login

docker-helper push

cd conf-mgmt/system/

/opt/bin/terraform get

/opt/bin/terraform plan -var-file ../vars/common/main.tfvars -var-file ../vars/staging/main.tfvars

Yes they are definitely set to blank string in TF code, and they are definitely not set in Environment Variables. The TF code looks like -

variable "aws_access_key" {

  default=""

}

variable "aws_secret_key" {

  default=""

}

provider "aws" {

  access_key = "${var.aws_access_key}"

  secret_key = "${var.aws_secret_key}"

  region     = "${var.aws_region}"

}

Looking forward to further advice.

Thank you,

Imran

On Wed, Feb 8, 2017 at 7:19 PM, Andrew Langhorn <lang...@thoughtworks.com> wrote:

Are the access and secret keys definitely set when you run Terraform? Do you, for instance, run your ECR push in a previous stage of your pipeline, and that runs in a different build environment?

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Terraform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to terraform-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/CAEpa1D%2BYkSgCp0YB3_VBn2g-XBP2QYEA8m_65aeLF%3DX_tHb_3A%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.

--

Imran M Yousuf
Twitter: @imyousuf - http://twitter.com/imyousuf
Blog: http://imyousuf-tech.blogs.smartitengineering.com/
LinkedIn: http://www.linkedin.com/in/imyousuf
GitHub: https://github.com/imyousuf/
oDesk: https://www.odesk.com/users/~012c947401dfd52fae
StackOverflow: http://stackoverflow.com/users/440264/imyousuf
Mobile: +880-1711402557

[Lowe Schmidt]

Hey Imran,

What did you expect would happen? 

AFAIK you still need to supply the initial credentials, be it secret and access keys or a profile name and credentials file to be able to assumeRole

Have a look at the documentation for the AWS Provider and it's assume role section (https://www.terraform.io/docs/providers/aws/)

Regards,

--

Lowe Schmidt | +46 723 867 157

--

This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Terraform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to terraform-tool+unsubscribe@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/1a5ba1a6-8d9c-4301-80f8-1c97f3016086%40googlegroups.com.

[Imran M Yousuf]

Hi Lowe,

My expectation is, like other AWS API access terraform should be able to access the services it has permission to to via the IAM Role assigned to the build job. In my case the other systems are ECR, S3 (from shell script it works from terraform it doesn't). With IAM role assigned it should not require any credentials, that is how we are currently doing authorization to other AWS services from within AWS env (Jenkins running in EC2) from Ansible. Does it make sense? 

Thank you,

Imran

To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/CAC-wWcSPPsuxMuqBWDoSAJ%2Bs05wYOmAJZLycuyFVHd4FjRScag%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.

[Lowe Schmidt]

Hi again Imran,

that does make sense but I'm not sure if terraform is aware of those properties.

I looked through the EC2 Role documentation it seems like terraform will ask the metadata api for credentials for the instance role its running under. 

I'm not sure if that's applicable here and my experience with CodeBuild and running terraform from an EC2 instance is basically none. 

--

Lowe Schmidt | +46 723 867 157

To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/CADOtw50tD0bsqa%2B5znFxVYxr9eGjR-mtL_fewZY9O90S-ivp-Q%40mail.gmail.com.

[soe...@ruempler.eu]

Hi,

the problem is that there are two metadata APIs, the classic EC2 one (works ootb with TF), and the newer one for containerized services like ECS and CodeBuild (does not work yet ootb with TF). I just finished a blog post how to integrate CodeBuild and Terraform, and how to get the attached IAM role credentials working: https://www.ruempler.eu/2017/02/26/continuous-infrastructure-delivery-pipeline-aws-codepipeline-codebuild-terraform/

To unsubscribe from this group and stop receiving emails from it, send an email to terraform-too...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/1a5ba1a6-8d9c-4301-80f8-1c97f3016086%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Terraform" group.

To unsubscribe from this group and stop receiving emails from it, send an email to terraform-too...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/CAC-wWcSPPsuxMuqBWDoSAJ%2Bs05wYOmAJZLycuyFVHd4FjRScag%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.

--

Imran M Yousuf
Twitter: @imyousuf - http://twitter.com/imyousuf
Blog: http://imyousuf-tech.blogs.smartitengineering.com/
LinkedIn: http://www.linkedin.com/in/imyousuf
GitHub: https://github.com/imyousuf/
oDesk: https://www.odesk.com/users/~012c947401dfd52fae
StackOverflow: http://stackoverflow.com/users/440264/imyousuf
Mobile: +880-1711402557

--

This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Terraform" group.

To unsubscribe from this group and stop receiving emails from it, send an email to terraform-too...@googlegroups.com.

[Tom Davidson]

try setting the var in your buildspec.yml

env:

  variables:

    AWS_METADATA_ENDPOINT: "http://169.254.169.254:80$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"

TF looks for AWS_METADATA_ENDPOINT but ECS is not setting the variable for you. Fortunately it does give you AWS_CONTAINER_CREDENTIALS_RELATIVE_URI.

[Giuseppe Borgese]

Hi to all 

I have a working version for terraform with codebuild, I used the default ubuntu docker image provided by Codebuild

Imageaws/codebuild/python:2.7.12

Environment typeLinux

Compute3 GB memory, 2 vCPU

Privilegedfalse

Here a working buildspec.yml

phases:

  install:

    commands:

         - wget https://releases.hashicorp.com/terraform/0.10.2/terraform_0.10.2_linux_amd64.zip

      - unzip terraform_0.10.2_linux_amd64.zip

      - sudo mv terraform /bin

      - rm terraform_0.10.2_linux_amd64.zip

      - apt-get update

      - apt-cache search source

      - apt-get install -y curl jq

      - curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI | jq 'to_entries | [ .[] | select(.key | (contains("Expiration") or contains("RoleArn"))  | not) ] |  map(if .key == "AccessKeyId" then . + {"key":"AWS_ACCESS_KEY_ID"} else . end) | map(if .key == "SecretAccessKey" then . + {"key":"AWS_SECRET_ACCESS_KEY"} else . end) | map(if .key == "Token" then . + {"key":"AWS_SESSION_TOKEN"} else . end) | map("export \(.key)=\(.value)") | .[]' -r > /tmp/aws_cred_export.txt # work around https://github.com/hashicorp/terraform/issues/8746

      - terraform --version

      - terraform init

      - cat /tmp/aws_cred_export.txt

  build:

    commands:

      - . /tmp/aws_cred_export.txt && terraform apply

      - echo "Post apply build"

  post_build:

    commands:

      - command

      - echo 'post_build nothing to do for now'

Basically I started from the example posted already in the discussion https://ruempler.eu/2017/02/26/continuous-infrastructure-delivery-pipeline-aws-codepipeline-codebuild-terraform/ and adapt to work on ubuntu container . 

You need to add also the command to save the state in the s3 bucket 

terraform remote config -backend=s3 -backend-config="bucket=${TerraformStateBucket}" -backend-config="key=terraform.tfstate"

but It is not the purpose of this message. 

I post also the .tf file used in my test that create a bucket (no variables necessary for this example)

resource "aws_s3_bucket" "testvycjet" {

  bucket = "test-tf-bucket-giuseppe-codebuild"

  acl    = "private"

}

provider "aws" {

  profile                  = "default"

  region     = "eu-central-1"

}

If you need help let me know

Giuseppe

[Giuseppe Borgese]

small correction if you want save the state in a s3 bucket following also the page https://www.terraform.io/docs/backends/types/s3.html

it is enough create a bucket called my-personal-state-terraform-bucket

and add to the code the following code

terraform {

  backend "s3" {

    bucket = "my-personal-state-terraform-bucket"

    key    = "terraform.tfstate"

    region = "eu-central-1"

  }

}

the file is saved in the bucket