cyrilgdn / terraform-provider-postgresql

Terraform PostgreSQL provider
https://www.terraform.io/docs/providers/postgresql/
Mozilla Public License 2.0

Unable to authenticate with gcppostgres while in Terraform Cloud #138

Open MrPickles opened 3 years ago

MrPickles commented 3 years ago

Hey there. I'm looking to manage an existing postgres instance that lives in GCP. Everything works fine when I apply changes from a local machine, but I'm running into trouble when applying the same changes via Terraform Cloud. Specifically, running the apply from Terraform Cloud complains because it doesn't have the application default credentials.

The documentation mentions that you need to set the GOOGLE_APPLICATION_CREDENTIALS environment variable to be the path to the credentials file. However, to my knowledge, there's no way to create or store a hard drive file with Terraform Cloud, meaning there's nothing for the GOOGLE_APPLICATION_CREDENTIALS to point to.

Are there any known workarounds for situations where you're working on Terraform Cloud or don't have direct hard drive access? Thanks in advance for the help.

Terraform Version

v0.14.11

Affected Resource(s)

Expected Behavior

Running terraform apply from Terraform Cloud connects to postgres in GCP.

Actual Behavior

Running terraform apply from Terraform Cloud fails to authenticate with postgres because there's no path to the Google application credentials. (Note that this is only an issue for Terraform Cloud. Everything works fine from a local machine.)

Error: Error connecting to PostgreSQL server mygcpproject:myregion:mydbinstance (scheme: gcppostgres): gcppostgres open gcppostgres://terraform:imagineapasswordhere@smygcpproject:myregion:mydbinstance:5432/postgres?fallback_application_name=Terraform+provider: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.

Steps to Reproduce

  1. Create a postgres instance in GCP.
  2. Use the postgres provider to connect to that DB instance. It should work fine on a local machine.
  3. Use the same configs on Terraform Cloud. The apply fails because there's no good way to get the application default credentials.

Important Factoids

Here's a granular list representation of the previously-mentioned context:

References

Deiz commented 3 years ago

Ran into this one too, as a fellow Terraform Cloud user leveraging HashiCorp's remote executors.

To unblock myself, I forked the provider and threw in a simplistic shim that copies GOOGLE_CREDENTIALS (JSON, in-memory) to a temporary file and points GOOGLE_APPLICATION_CREDENTIALS at that file if the provider can't obtain application default credentials via other means. It's published at https://registry.terraform.io/providers/Deiz/postgresql/latest.

I'm only okay with this for the following reason, from HashiCorp's documentation:

> Terraform Cloud is designed as an execution platform for Terraform, and can perform Terraform runs on its own disposable virtual machines.

That said, this feels like a missing Terraform Cloud feature more than a provider issue, so unless there's an appetite for it (@cyrilgdn - thoughts?) I won't attempt to push https://github.com/Deiz/terraform-provider-postgresql/commit/17109e15950faaa7ba9d05cf4e9f73cbc47edadb upstream.
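
The shim described in the comment above, sketched as an added example (not part of the thread and not the code from the linked fork). `ensureADCFile` is a hypothetical helper name; the sketch assumes the JSON key is in `GOOGLE_CREDENTIALS`, keeps the temp file owner-only, and returns a cleanup so the key does not outlive the run.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
)

// ensureADCFile (hypothetical helper): if GOOGLE_APPLICATION_CREDENTIALS is
// unset and GOOGLE_CREDENTIALS holds JSON, write the JSON to a private temp
// file and point the former at it. cleanup removes the file and the variable.
func ensureADCFile() (path string, cleanup func(), err error) {
	noop := func() {}
	if p := os.Getenv("GOOGLE_APPLICATION_CREDENTIALS"); p != "" {
		return p, noop, nil // an explicit file path always wins
	}
	raw := os.Getenv("GOOGLE_CREDENTIALS")
	if raw == "" {
		return "", noop, nil // nothing to do; other credential sources may apply
	}
	if !json.Valid([]byte(raw)) {
		return "", noop, errors.New("GOOGLE_CREDENTIALS is not valid JSON") // never echo the key
	}
	f, err := os.CreateTemp("", "gcp-adc-*.json") // CreateTemp uses mode 0600
	if err != nil {
		return "", noop, fmt.Errorf("create temp credentials file: %w", err)
	}
	f.Close()
	cleanup = func() {
		os.Remove(f.Name())
		os.Unsetenv("GOOGLE_APPLICATION_CREDENTIALS")
	}
	if err = os.WriteFile(f.Name(), []byte(raw), 0o600); err == nil {
		err = os.Setenv("GOOGLE_APPLICATION_CREDENTIALS", f.Name())
	}
	if err != nil {
		cleanup()
		return "", noop, err
	}
	return f.Name(), cleanup, nil
}

func main() {
	os.Setenv("GOOGLE_CREDENTIALS", `{"type":"service_account"}`) // constructed sample, not a real key
	path, cleanup, err := ensureADCFile()
	defer cleanup()
	fmt.Println(path, err)
}
```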

jeremylvln commented 3 years ago

> That said, this feels like a missing Terraform Cloud feature more than a provider issue, so unless there's an appetite for it (@cyrilgdn - thoughts?) I won't attempt to push Deiz@17109e1 upstream.

It would be highly appreciated to have this feature in this provider directly!

LiuVII commented 2 years ago

I think it'd be even better to make this provider utilize the GOOGLE_CREDENTIALS var directly instead of writing/reading it from the file, but I'd take even the workaround.