microsoft / azure-pipelines-terraform

Azure Pipelines tasks for installing Terraform and running Terraform commands in a build or release pipeline.
MIT License

Terraform Init does not expose AWS_ACCESS_KEY_ID and AWS_ACCESS_KEY as environment variables #74

Open tksrc opened 2 years ago

tksrc commented 2 years ago

Hi,

It looks like there is a difference in how the Terraform init command works with regard to AWS credentials.

The credentials from the service connection are only passed as CLI arguments `-backend-config=access_key=xxx` and `-backend-config=secret_key=xxx`, and not as environment variables too.

As you can see from the log below, we are unable to download modules hosted in a bucket as Terraform cannot locate credentials to make that request.

Is it possible to expose the access key id and access key as environment variables for the init command?

```
Starting: Terraform : init
==============================================================================
Task         : Terraform
Description  : Execute terraform commands to manage resources on AzureRM, Amazon Web Services(AWS) and Google Cloud Platform(GCP)
Version      : 3.201.18
Author       : Microsoft Corporation
Help         : [Learn more about this task](https://aka.ms/AAf0uqr)
==============================================================================
/opt/hostedtoolcache/terraform/1.2.5/x64/terraform init -backend-config=bucket=xxx -backend-config=key=terraform.tfstate -backend-config=region=*** -backend-config=access_key=*** -backend-config=secret_key=***
Initializing modules...
Downloading s3::https://xxx.s3.***.amazonaws.com/xxx/module.zip for xxxx...
Downloading s3::https://xxxx.s3.***.amazonaws.com/xxxxx/module.zip for xxxx...
╷
│ Error: Failed to download module
│
│ Could not download module "xxxxxx" (main.tf:4) source code
│ from
│ "s3::https://xxxxx.s3.***.amazonaws.com/xxxxx/module.zip":
│ NoCredentialProviders: no valid providers in chain
│ caused by: EnvAccessKeyNotFound: AWS_ACCESS_KEY_ID or AWS_ACCESS_KEY not
│ found in environment
│ SharedCredsLoad: failed to load shared credentials file
│ caused by: FailedRead: unable to open file
│ caused by: open /home/vsts/.aws/credentials: no such file or directory
│ EC2RoleRequestError: no EC2 instance role found
│ caused by: 400 Bad Request: Bad Request
│   status code: 400, request id: 
│ caused by: EC2MetadataError: failed to make EC2Metadata request
│ <?xml version="1.0" encoding="utf-8"?>
│ <Error xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
│ xmlns:xsd="http://www.w3.org/2001/XMLSchema">
│     <Code>InvalidHttpVerb</Code>
│     <Message>The HTTP verb specified was not recognized by the server.</Message>
│     <Details>'PUT' is not a supported verb.</Details>
│ </Error>
│   status code: 400, request id: 
╵
```

mericstam commented 2 years ago

Hi, I will add this task to our internal board.

biscuitcakes commented 1 year ago

Any chance there has been any movement on this in the past year?

mericstam commented 11 months ago

Hi, sorry for the late reply. No movement on this. I have very limited bandwidth. I am mostly focusing on security updates. The actual change is not so big, but I have no way of testing it. Perhaps a workaround is to set the environment variables in the step where you do terraform init, if you have access to the values.
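
The workaround suggested in the last comment, written out as an added example; it is not part of the original thread or the project's own documentation. It assumes the keys are stored as secret pipeline variables under the hypothetical names `awsAccessKeyId` and `awsSecretAccessKey`, that the task reference and input names match the installed extension version, and that the service connection name is a placeholder.

```yaml
steps:
  - task: TerraformTaskV3@3          # assumed reference for the 3.x task shown in the log
    displayName: 'Terraform : init'
    inputs:
      provider: 'aws'
      command: 'init'
      backendServiceAWS: 'my-aws-service-connection'   # placeholder service connection
      backendAWSBucketName: 'xxx'                      # placeholder, as redacted in the log
      backendAWSKey: 'terraform.tfstate'
    env:
      # Secret pipeline variables are not placed in the process environment
      # automatically; each one has to be mapped explicitly on the step.
      # These are the names the AWS credential chain in the error output looks up
      # when Terraform fetches the s3:: module sources.
      AWS_ACCESS_KEY_ID: $(awsAccessKeyId)             # hypothetical secret variable
      AWS_SECRET_ACCESS_KEY: $(awsSecretAccessKey)     # hypothetical secret variable
```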