alphagov / cyber-security-concourse-base-image


CE-258 Handle a recursive copy if artifact source is a directory #78

Closed danjoneslf closed 3 years ago

danjoneslf commented 3 years ago

For things like the ssh config we want to copy in both the deploy key and the ssh config from the build_ssh_config module. You could do this with multiple entries in the copy_artifacts list but with this you can just do

```hcl
copy_artifacts = [
  {
    artifact = "ssh_config"
    source   = ".ssh"
    target   = "/root/.ssh"
  }
]
```

... and copy the whole .ssh directory. Then you just have to ensure that $HOME=/root/ or wherever you've set the target to.

gds-ahine commented 3 years ago

Would there be a risk that a private key could be copied?

Would the module need to check that a file hasn't been copied over that contains -----BEGIN OPENSSH PRIVATE KEY-----, for example?

danjoneslf commented 3 years ago

> Would there be a risk that a private key could be copied?
>
> Would the module need to check that a file hasn't been copied over that contains -----BEGIN OPENSSH PRIVATE KEY-----, for example?

What are you imagining? This is replicating what we do in concourse at present. It's explicitly for copying a private key into codebuild.

What's happening here is we need terraform to checkout a private repo to get a module (typically from cyber-security-terraform). For that to work terraform needs an SSH key. The SSH key is in SSM. We get the SSH key from SSM and stick it in a .ssh folder along with a .ssh/config for github.com. That ends up in an output artifact in code pipeline and this just copies it from the output artifact to the home directory for the codebuild job.

e.g. here: https://github.com/alphagov/cyber-security-alert-processor/blob/d891a85563a26fbe2bcda30b7c653e336caa0e8f/concourse/pipeline.yml#L132
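As an added illustration (not the module's code, and not written by anyone in this thread), the following Python sketch shows what "copy the whole .ssh directory" means in practice: a single `copy_artifacts` entry whose `source` is a directory is copied recursively, while a file source is copied on its own, and the resulting `.ssh` directory is then given the modes OpenSSH insists on (0700 for the directory, 0600 for anything carrying a private-key marker) so the key the job just copied in is actually usable. The helper names, the marker check and the sample `config`/`id_rsa` files are constructed for the example.

```python
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Hypothetical helpers (not the module's own code), mirroring the
# copy_artifacts = [{artifact, source, target}] shape from the PR.

PRIVATE_KEY_MARKER = "PRIVATE KEY-----"  # matches BEGIN/END lines of PEM-style keys


def copy_artifact(artifact_root: str, source: str, target: str) -> List[str]:
    """Copy <artifact_root>/<source> to <target>.

    If source is a directory it is copied recursively (the behaviour this PR
    adds); otherwise the single file is copied. Returns the files written,
    sorted by path.
    """
    src = Path(artifact_root) / source
    dst = Path(target)
    if src.is_dir():
        shutil.copytree(src, dst, dirs_exist_ok=True)
        written = [str(p) for p in dst.rglob("*") if p.is_file()]
    else:
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        written = [str(dst)]
    return sorted(written)


def harden_ssh_dir(path: str) -> Dict[str, int]:
    """Tighten modes so OpenSSH will use the copied key.

    Directories become 0700; files containing a private-key marker become
    0600; everything else (config, public keys) becomes 0644.
    Returns {filename: mode} for the files touched.
    """
    root = Path(path)
    os.chmod(root, 0o700)
    modes: Dict[str, int] = {}
    for p in root.rglob("*"):
        if p.is_dir():
            os.chmod(p, 0o700)
            continue
        mode = 0o600 if PRIVATE_KEY_MARKER in p.read_text(errors="ignore") else 0o644
        os.chmod(p, mode)
        modes[p.name] = mode
    return modes


def demo() -> Tuple[List[str], Dict[str, int]]:
    """Build a constructed ssh_config artifact, copy it into a fake $HOME, harden it."""
    with tempfile.TemporaryDirectory() as tmp:
        artifact_root = Path(tmp) / "ssh_config_artifact"
        ssh_src = artifact_root / ".ssh"
        ssh_src.mkdir(parents=True)
        # Constructed sample files: a github.com host entry and a placeholder key body.
        (ssh_src / "config").write_text(
            "Host github.com\n  IdentityFile ~/.ssh/id_rsa\n"
        )
        (ssh_src / "id_rsa").write_text(
            "-----BEGIN OPENSSH PRIVATE KEY-----\n"
            "constructed-placeholder-not-a-real-key\n"
            "-----END OPENSSH PRIVATE KEY-----\n"
        )
        target = Path(tmp) / "root" / ".ssh"  # i.e. $HOME=/root in the job
        written = copy_artifact(str(artifact_root), ".ssh", str(target))
        modes = harden_ssh_dir(str(target))
        return [os.path.relpath(w, target) for w in written], modes


if __name__ == "__main__":
    print(demo())
```

The mode step is the part worth keeping in mind when the copy is done by a generic artifact helper rather than by hand: a copied `id_rsa` that lands as 0644 is rejected by `ssh` with "Permissions are too open", so the key ends up present in the build but unused.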

gds-ahine commented 3 years ago

I thought that was the case, cheers 👍