`packer validate` failures when using the data "sshkey" source

ivoronin / packer-plugin-sshkey

Packer plugin used to generate SSH keys.

18 stars 10 forks source link

`packer validate` failures when using the data "sshkey" source #3

Closed puetzk closed 1 year ago

puetzk commented 3 years ago

When given input like sshkey.pkr.hcl

packer {
  required_plugins {
    sshkey = {
      version = ">= 0.1.0"
      source = "github.com/ivoronin/sshkey"
    }
  }
}

data "sshkey" "packer" {}

source "null" "test" {
#  cd_content = {
#    meta-data = "instance-id: \"${uuidv4()}\""
#    user-data = <<-EOF
#      #cloud-config
#      ssh_authorized_keys:
#        - ${data.sshkey.packer.public_key}
#      EOF
#  }
#  cd_label             = "cidata"
  communicator         = "ssh"
  ssh_host             = "localhost"
  ssh_private_key_file = data.sshkey.packer.private_key_path
  ssh_username         = "root"
}

build {
  sources = ["source.null.test"]
}

packer validate sshkey.pkr.hcl fails with

Error: 1 error(s) occurred:

ssh_private_key_file is invalid: CreateFile : The filename, directory name, or volume label syntax is incorrect.

on sshkey.pkr.hcl line 12: (source code not available)

(the same is true for real builders, but this minimal example shows the issue)

ivoronin commented 3 years ago

Unfortunately, that's Packer's limitation - it doesn't execute datasources in validation mode:

https://github.com/hashicorp/packer/blob/29d751a17c9677e91b18e98412f379f780023370/command/validate.go#L59-L61

Therefore data.sshkey.packer.private_key_path is undefined during validate run. Would running packer validate -syntax-only . serve as a workaround?

puetzk commented 3 years ago

I suppose it could, though it's obviously lets more things slip through.

It looks like when it skips executing, in places specific cty.UnknownVal placeholders. I wonder if one could build on that to realize that these are values that (presumably) will be supplied by the datasource in a real run (maybe using https://github.com/zclconf/go-cty/blob/main/docs/marks.md), and then ignore only those fields during validation, and ignore validation of fields that come out incompletely-defined because they have a datasource-provided thing in them.

https://github.com/hashicorp/packer/blob/a534c743cf21e9cd6bcb97367254f99767a24582/hcl2template/types.packer_config.go#L299-L301

But that would indeed be an issue for packer, not your plugin.

ivoronin commented 3 years ago

FYI, there is a dev's reply regarding this behavior in a similar issue: https://github.com/hashicorp/packer/issues/11197#issuecomment-903578817 I'll leave this issue open and wait for updates from the Packer team.

ivoronin commented 2 years ago

Another possible workaround is to exclude all builds and perform a dry run:

$ packer build -only=non-existant openbsd.pkr.hcl
Warning: an 'only' option was passed, but not all matches were found for the given build.
Possible build names: [qemu.base.img qemu.full.img].
These could also be matched with a glob pattern like: 'happycloud.*'
==> Wait completed after 2 microseconds
==> Builds finished but no artifacts were created.

ivoronin commented 2 years ago

https://github.com/hashicorp/packer/pull/12106

danaelg commented 1 year ago

As mentioned in https://github.com/hashicorp/packer/pull/12106 packer 1.8.5 now has a -evaluate-datasources parameter which solves this issue.

Thanks @ivoronin for the link ! it helped me find the solution