Not using IAM Role from within CodeBuild build to fetch S3 remote state


Imran M Yousuf

Feb 8, 2017, 5:47:07 AM
to Terraform
Hi guys. 

I am trying to run terraform plan and terraform apply from within AWS CodeBuild. And I am trying to use IAM Role for achieving it. Just before doing terraform plan we are running docker push to ECR and that is working successfully. Here is the relevant log output - http://pastebin.com/R3w9C0Bs

Here is how we defined the provider -
provider "aws" {
access_key = "${var.aws_access_key}"
secret_key = "${var.aws_secret_key}"
region = "${var.aws_region}"
}

In the build environment var.aws_access_key and var.aws_secret_key are set to "" (blank) strings.

The IAM Role setting has the following preset policies -
AmazonEC2FullAccess
AWSCodeCommitFullAccess
AmazonEC2ContainerRegistryFullAccess
AmazonS3FullAccess
CloudWatchFullAccess
AWSCodeDeployRole
AmazonEC2ContainerServiceFullAccess
CloudWatchEventsFullAccess

Is it a terraform bug or am I missing something?

Thank you,

Imran M Yousuf

Andrew Langhorn

Feb 8, 2017, 8:19:13 AM
to terrafo...@googlegroups.com
Are the access and secret keys definitely set when you run Terraform? Do you, for instance, run your ECR push in a previous stage of your pipeline, and that runs in a different build environment?

Imran M Yousuf

Feb 8, 2017, 8:27:52 AM
to terrafo...@googlegroups.com
Hi Andrew,

From the gitter convo I discovered this issue -

Most likely related to it. I will try to submit a PR upgrading the aws-sdk-go lib and try out again.

To answer your question on the build step and env, it's a shell script running from within CodeBuild -
docker-helper build
docker-helper login
docker-helper push
cd conf-mgmt/system/
/opt/bin/terraform get
/opt/bin/terraform plan -var-file ../vars/common/main.tfvars -var-file ../vars/staging/main.tfvars

Yes they are definitely set to blank string in TF code, and they are definitely not set in Environment Variables. The TF code looks like -
variable "aws_access_key" {
  default=""
}
variable "aws_secret_key" {
  default=""
}
provider "aws" {
  access_key = "${var.aws_access_key}"
  secret_key = "${var.aws_secret_key}"
  region     = "${var.aws_region}"
}

Looking forward to further advice.

Thank you,

Imran


On Wed, Feb 8, 2017 at 7:19 PM, Andrew Langhorn <lang...@thoughtworks.com> wrote:
Are the access and secret keys definitely set when you run Terraform? Do you, for instance, run your ECR push in a previous stage of your pipeline, and that runs in a different build environment?

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Terraform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to terraform-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/CAEpa1D%2BYkSgCp0YB3_VBn2g-XBP2QYEA8m_65aeLF%3DX_tHb_3A%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.


Lowe Schmidt

Feb 8, 2017, 8:44:14 AM
to terrafo...@googlegroups.com
Hey Imran,

What did you expect would happen? 

AFAIK you still need to supply the initial credentials, be it secret and access keys or a profile name and credentials file, to be able to assumeRole.

Have a look at the documentation for the AWS Provider and its assume role section (https://www.terraform.io/docs/providers/aws/).

Regards,

--
Lowe Schmidt | +46 723 867 157


Imran M Yousuf

Feb 8, 2017, 8:59:40 AM
to terrafo...@googlegroups.com
Hi Lowe,

My expectation is, like other AWS API access, terraform should be able to access the services it has permission to via the IAM Role assigned to the build job. In my case the other systems are ECR and S3 (from the shell script it works, from terraform it doesn't). With an IAM role assigned it should not require any credentials; that is how we are currently doing authorization to other AWS services from within the AWS env (Jenkins running in EC2) from Ansible. Does it make sense?

Thank you,

Imran



Lowe Schmidt

Feb 8, 2017, 10:00:08 AM
to terrafo...@googlegroups.com
Hi again Imran,

That does make sense, but I'm not sure if terraform is aware of those properties.

I looked through the EC2 Role documentation; it seems like terraform will ask the metadata API for credentials for the instance role it's running under.

I'm not sure if that's applicable here, and my experience with CodeBuild and running terraform from an EC2 instance is basically none.



--
Lowe Schmidt | +46 723 867 157

soe...@ruempler.eu

Feb 26, 2017, 11:56:09 AM
to Terraform
Hi,

The problem is that there are two metadata APIs: the classic EC2 one (works ootb with TF), and the newer one for containerized services like ECS and CodeBuild (does not work yet ootb with TF). I just finished a blog post on how to integrate CodeBuild and Terraform, and how to get the attached IAM role credentials working: https://www.ruempler.eu/2017/02/26/continuous-infrastructure-delivery-pipeline-aws-codepipeline-codebuild-terraform/


Tom Davidson

May 17, 2017, 12:33:37 AM
to Terraform
Try setting the var in your buildspec.yml:

env:
  variables:
    AWS_METADATA_ENDPOINT: "http://169.254.169.254:80$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"


TF looks for AWS_METADATA_ENDPOINT but ECS is not setting the variable for you. Fortunately it does give you AWS_CONTAINER_CREDENTIALS_RELATIVE_URI.

Giuseppe Borgese

Aug 22, 2017, 6:06:38 AM
to Terraform
Hi to all,
I have a working version for terraform with CodeBuild; I used the default Ubuntu docker image provided by CodeBuild.

Here a working buildspec.yml

phases:
  install:
    commands:
      - unzip terraform_0.10.2_linux_amd64.zip
      - sudo mv terraform /bin
      - rm terraform_0.10.2_linux_amd64.zip
      - apt-get update
      - apt-cache search source
      - apt-get install -y curl jq
      - curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI | jq 'to_entries | [ .[] | select(.key | (contains("Expiration") or contains("RoleArn"))  | not) ] |  map(if .key == "AccessKeyId" then . + {"key":"AWS_ACCESS_KEY_ID"} else . end) | map(if .key == "SecretAccessKey" then . + {"key":"AWS_SECRET_ACCESS_KEY"} else . end) | map(if .key == "Token" then . + {"key":"AWS_SESSION_TOKEN"} else . end) | map("export \(.key)=\(.value)") | .[]' -r > /tmp/aws_cred_export.txt # work around https://github.com/hashicorp/terraform/issues/8746
      - terraform --version
      - terraform init
      - cat /tmp/aws_cred_export.txt
  build:
    commands:
      - . /tmp/aws_cred_export.txt && terraform apply
      - echo "Post apply build"
  post_build:
    commands:
      - command
      - echo 'post_build nothing to do for now'


Basically I started from the example posted already in the discussion https://ruempler.eu/2017/02/26/continuous-infrastructure-delivery-pipeline-aws-codepipeline-codebuild-terraform/ and adapted it to work on the Ubuntu container.

You also need to add the command to save the state in the S3 bucket:
terraform remote config -backend=s3 -backend-config="bucket=${TerraformStateBucket}" -backend-config="key=terraform.tfstate"
but it is not the purpose of this message.

I also post the .tf file used in my test that creates a bucket (no variables necessary for this example):
resource "aws_s3_bucket" "testvycjet" {
  bucket = "test-tf-bucket-giuseppe-codebuild"
  acl    = "private"
}

provider "aws" {
  profile = "default"
  region  = "eu-central-1"
}




If you need help let me know

Giuseppe
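As an added example (not code from this thread or from Terraform), the credential hand-off that Tom's AWS_METADATA_ENDPOINT line and Giuseppe's jq pipeline both rely on, written in Python: resolve the container-credentials endpoint from AWS_CONTAINER_CREDENTIALS_RELATIVE_URI, map the JSON fields to the AWS_* variables the SDK reads, and refuse a response whose Expiration has already passed. The sample response and its key values are constructed placeholders.

```python
import json
import shlex
from datetime import datetime, timezone

# Constructed sample of the JSON served at
# http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI (placeholder values).
SAMPLE_RESPONSE = json.dumps({
    "RoleArn": "arn:aws:iam::123456789012:role/placeholder-codebuild-role",
    "AccessKeyId": "ASIAPLACEHOLDER000000",
    "SecretAccessKey": "placeholder-secret",
    "Token": "placeholder-session-token",
    "Expiration": "2099-01-01T00:00:00Z",
})

# Response field -> environment variable the AWS SDK (and so Terraform) reads.
FIELD_TO_ENV = {
    "AccessKeyId": "AWS_ACCESS_KEY_ID",
    "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
    "Token": "AWS_SESSION_TOKEN",
}

def credentials_endpoint(environ):
    """The relative URI is only a path; ECS/CodeBuild serves it on 169.254.170.2."""
    relative = environ.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
    if not relative:
        raise RuntimeError("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is not set")
    return "http://169.254.170.2" + relative

def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def credentials_to_env(body, now_iso=None):
    """Map the JSON body to AWS_* vars, dropping RoleArn/Expiration like the jq
    filter does, and refuse credentials whose Expiration has already passed."""
    doc = json.loads(body)
    now = _parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    if _parse_ts(doc["Expiration"]) <= now:
        raise RuntimeError("container credentials expired at " + doc["Expiration"])
    missing = [k for k in FIELD_TO_ENV if k not in doc]
    if missing:
        raise RuntimeError("credentials response missing " + ", ".join(missing))
    return {env: doc[field] for field, env in FIELD_TO_ENV.items()}

def export_lines(env):
    """Render 'export K=V' lines for '. /tmp/aws_cred_export.txt' in a later phase."""
    return "\n".join("export %s=%s" % (k, shlex.quote(v)) for k, v in sorted(env.items()))
```

Inside the build container, feed credentials_to_env the body returned by a GET of credentials_endpoint(os.environ). Write the export file with restrictive permissions rather than echoing it into the build output, since those values are live temporary credentials and CodeBuild logs land in CloudWatch.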

Giuseppe Borgese

Aug 22, 2017, 8:00:16 AM
to Terraform
Small correction: if you want to save the state in an S3 bucket, following also the page https://www.terraform.io/docs/backends/types/s3.html,
it is enough to create a bucket called my-personal-state-terraform-bucket
and add the following code to the configuration:

terraform {
  backend "s3" {
    bucket = "my-personal-state-terraform-bucket"
    key    = "terraform.tfstate"
    region = "eu-central-1"
  }
}

The file is saved in the bucket.