hashicorp / packer-plugin-googlecompute

Packer plugin for Google Compute Builder
https://www.packer.io/docs/builders/googlecompute
Mozilla Public License 2.0

impersonate_service_account configuration is no longer working in version 1.1.4 #204

Open shpml opened 6 months ago

shpml commented 6 months ago

Overview of the Issue

The impersonate_service_account configuration is no longer working in version 1.1.4. It seems to have been removed, but there is no mention of this on the releases page; the full changelog shows it has been changed, and it now looks like there is a dependency on HashiCorp Vault.

ImpersonateServiceAccount string `mapstructure:"impersonate_service_account" required:"false"`
// Can be set instead of account_file. If set, this builder will use
// HashiCorp Vault to generate an Oauth token for authenticating against
// Google Cloud. The value should be the path of the token generator
// within vault.

Plugin and Packer version

Tested with

Packer v1.9.5
http://github.com/hashicorp/googlecompute v1.1.4
Packer v1.10.0
http://github.com/hashicorp/googlecompute v1.1.4

Simplified Packer Buildfile

source "googlecompute" "my_project" {
  image_name                  = "custom-image"
  impersonate_service_account = "packer-builder-svc@my-project.iam.gserviceaccount.com"
  instance_name               = "custom-image"
  machine_type                = "e2-medium"
  project_id                  = var.gcp_project_id
  source_image_family         = var.base_image_family
  ssh_username                = "packer"
}

build {
  sources = ["source.googlecompute.my_project"]

  provisioner "ansible" {
    playbook_file   = "${var.home}/.ansible/playbooks/${var.playbook_file}"
    roles_path      = "${var.home}/.ansible/roles"
    user            = "packer"
  }
}

Log Fragments and crash.log files

packer init image/my-project.pkr.hcl

Installed plugin github.com/hashicorp/ansible v1.1.1 in "/root/.config/packer/plugins/github.com/hashicorp/ansible/packer-plugin-ansible_v1.1.1_x5.0_linux_amd64"

Installed plugin github.com/hashicorp/googlecompute v1.1.4 in "/root/.config/packer/plugins/github.com/hashicorp/googlecompute/packer-plugin-googlecompute_v1.1.4_x5.0_linux_amd64"

packer build -timestamp-ui -on-error=cleanup \
-var-file=env/env_vars.pkrvars.hcl \
image/my-project.pkr.hcl

googlecompute.my_project: output will be in this color.

2023-12-11T05:34:03Z: Build 'googlecompute.my_project' errored after 812 microseconds: impersonate: scopes must be provided

Work Around

Version lock to 1.1.3

packer {
  required_plugins {
    ansible = {
      version = "~> 1.1"
      source  = "github.com/hashicorp/ansible"
    }

    googlecompute = {
      source  = "github.com/hashicorp/googlecompute"
      version = "1.1.3"
    }
  }
}

scottjab commented 6 months ago

I am also seeing this exact issue.

histamineblkr commented 6 months ago

We are experiencing the same issue on all of our pipelines using the google compute module and need to pin to 1.1.3 to maintain successful builds.

DaveSchile-Zonar commented 4 months ago

Same.

ruettenm commented 2 months ago

We have the same problem with version 1.1.4. A rollback to 1.1.3 also solved the problem on our side.

If impersonate_service_account is really not supported anymore I would have assumed that it is a breaking change and a new major version.

jfpanisset commented 1 month ago

Same experience here trying to use the code in:

https://github.com/GoogleCloudPlatform/cloud-builders-community/tree/master/packer/examples/gce

and found a similar issue against that repo:

https://github.com/GoogleCloudPlatform/cloud-builders-community/issues/641

Rolling back the googlecompute plugin to 1.1.3 allowed the build to complete.
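
Added example, not part of any post in this thread or of the plugin's code: a CI-style check that flags a template which sets impersonate_service_account while its required_plugins constraint would still let 1.1.4 be installed. The constraint evaluation is a simplified reading of Packer's version-constraint operators (no pre-release handling); `admits`, `risky_constraint` and the sample template are hypothetical names and data constructed for this example.

```python
import re

SOURCE = "github.com/hashicorp/googlecompute"
AFFECTED = (1, 1, 4)  # release this thread reports as broken

def admits(constraint, version=AFFECTED):
    """True if a comma-separated constraint string allows `version`."""
    for clause in constraint.split(","):
        m = re.fullmatch(r"\s*(~>|>=|<=|!=|=|>|<)?\s*v?(\d+(?:\.\d+)*)\s*", clause)
        if not m:
            raise ValueError(f"unsupported constraint: {clause!r}")
        op = m.group(1) or "="  # a bare version means an exact pin
        want = tuple(int(p) for p in m.group(2).split("."))
        full = want + (0,) * (3 - len(want))
        if op == "~>":
            # Pessimistic operator: only the last written segment may grow.
            ok = version >= full and version[:len(want) - 1] == want[:-1]
        else:
            ok = {"=": version == full, "!=": version != full, ">": version > full,
                  "<": version < full, ">=": version >= full, "<=": version <= full}[op]
        if not ok:
            return False
    return True

def risky_constraint(template):
    """Constraint that lets AFFECTED in for a template using impersonation, else None."""
    if not re.search(r"^\s*impersonate_service_account\s*=", template, re.M):
        return None
    # Assumption: required_plugins entries are flat `name = { ... }` maps, as on this page.
    for body in re.findall(r"\w+\s*=\s*\{(.*?)\}", template, re.S):
        if SOURCE in body:
            m = re.search(r'version\s*=\s*"([^"]+)"', body)
            constraint = m.group(1) if m else "unconstrained"
            return constraint if not m or admits(constraint) else None
    return "unconstrained"  # no required_plugins entry for the plugin

# Constructed sample template (not taken from any real repository).
TEMPLATE = '''
packer {
  required_plugins {
    googlecompute = {
      source  = "github.com/hashicorp/googlecompute"
      version = "%s"
    }
  }
}
source "googlecompute" "my_project" {
  impersonate_service_account = "packer-builder-svc@my-project.iam.gserviceaccount.com"
}
'''
```

`risky_constraint(TEMPLATE % "~> 1.1")` returns the loose constraint, while the exact pin `"1.1.3"` used in the workaround returns `None`.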