ljfranklin / terraform-resource

A concourse resource to create infrastructure via Terraform
MIT License

Unable to pass gcp json to tf plan #144

Closed ralphpi closed 3 years ago

ralphpi commented 3 years ago

There doesn't seem to be an easy way to allow the JSON content provided in credentials for the GCS to also be used to run as the Terraform creds for GCP using $GOOGLE_APPLICATION_CREDENTIALS, being that it's expecting a file. I also believe the GCS bucket backend isn't working properly. With the current setup below I keep getting this returned:

```
open gce-subnet-test-repo/path/to/tf/files/testing/resource_backend_override.tf: no such file or directory
```

```yaml
resource_types:
- name: terraform
  type: docker-image
  source:
    repository: ljfranklin/terraform-resource
    tag: latest

resources:
- name: gce-subnet-test-repo
  type: git
  source:
    uri: https://test.com/scm/tf-gcp/networks.git
    branch: master
    private_key: ((private-repo-key))
- name: terraform
  type: terraform
  source:
    env_name: development
    backend_type: gcs
    backend_config:
      bucket: saas-terraform
      prefix: dev/networks/us-east4/subnets/test/state
      credentials: ((gcp-json-key))
    env:
      GOOGLE_APPLICATION_CREDENTIALS: ((gcp-json-key))
      GCP_JSON_KEY: ((gcp-json-key))
    vars:
      env: dev

jobs:
- name: terraform-plan
  plan:
  - get: gce-subnet-test-repo
  - task: gcp-auth
    config:
      platform: linux
      image_resource:
        type: registry-image
        source: {repository: alpine}
      outputs:
        - name: creds
      run:
        path: /bin/sh
        args:
          - -cx
          - |
            echo $GOOGLE_APPLICATION_CREDENTIALS > /tmp/build/cred.json
  - put: terraform
    params:
      env_name: development
      terraform_source: gce-subnet-test-repo/networks/envs/dev/us-east4/testing
      plan_only: true
```

ljfranklin commented 3 years ago

For the backend config, set `credentials` to the JSON contents rather than a path. The docs don't say it explicitly, but that key accepts a path or the contents of the file. Similarly, the GCP provider itself accepts a JSON string as either an explicit `credentials` value in the provider config or any of these env vars, but not `GOOGLE_APPLICATION_CREDENTIALS`.

But from the actual error message, `open gce-subnet-test-repo/path/to/tf/files/testing/resource_backend_override.tf: no such file or directory`, it sounds like the directory `path/to/tf/files/testing` doesn't exist in your git repo. I would double-check that directory exists and try again. If you need to troubleshoot further you can try running `fly intercept` to SSH into the job container and look around at the files directly.
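
The advice in the reply above, applied to the `terraform` resource from the posted pipeline (an added example, not part of the original thread or the project's docs). It assumes `GOOGLE_CREDENTIALS` as the Google provider environment variable that takes key contents; the secret name, bucket and prefix are the ones from the pipeline above.

```yaml
resources:
- name: terraform
  type: terraform
  source:
    env_name: development
    backend_type: gcs
    backend_config:
      bucket: saas-terraform
      prefix: dev/networks/us-east4/subnets/test/state
      # Key contents, not a path: per the reply above, this key accepts either.
      credentials: ((gcp-json-key))
    env:
      # Before (as posted): this variable is read as a file path, so putting
      # the JSON contents in it does not give the provider a usable key.
      # GOOGLE_APPLICATION_CREDENTIALS: ((gcp-json-key))
      #
      # After: an env var the provider reads as key contents
      # (GOOGLE_CREDENTIALS is the assumed choice here).
      GOOGLE_CREDENTIALS: ((gcp-json-key))
    vars:
      env: dev
```

With the key passed through `source.env`, the `gcp-auth` task is no longer needed. That also avoids running `echo` on the key under `sh -cx`, where `-x` traces each expanded command and would print the key into the build log once the variable is actually set in the task.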

ljfranklin commented 3 years ago

Also ourcelan_only should be plan_only, hopefully just a typo when you pasted in the example

ralphpi commented 3 years ago

Sorry, yeah, copy-paste typo. I'm not too worried about the GOOGLE_APPLICATION_CREDENTIALS since I'm building the file in the task and setting the env:GOOGLE_APPLICATION_CREDENTIALS value to that path (winging that part, not sure if that's the right thing to do). I updated the git URI and terraform source to the real values for more clarity. I must be doing something wrong with the terraform_source.

ralphpi commented 3 years ago

Closing, non-issue: I was using incorrect paths for referencing the built cred file.