oracle / terraform-provider-oci

Terraform Oracle Cloud Infrastructure provider
https://www.terraform.io/docs/providers/oci/
Mozilla Public License 2.0

Unable to provide private_key to terraform managed services (ENV0 / Terraform Cloud) #1584

Open syberkitten opened 2 years ago

syberkitten commented 2 years ago

Trying to evaluate services such as ENV0 / Terraform Cloud, I'm having problems setting up the provider, since it accepts only a private_key_path:

provider "oci" {
  region           = "us-phoenix-1"
  tenancy_ocid     = var.tenancy_ocid
  user_ocid        = var.user_ocid
  fingerprint      = var.fingerprint
  private_key_path = var.private_key_path
}

But when using a SaaS-managed Terraform solution such as ENV0 / Terraform Cloud there is no private_key_path, since we can only provide the whole private key itself as a variable.

The error we get says that there is no such property as private_key in the OCI provider.

How can we overcome this issue, i.e. how do we provide the actual private key and not the path to that key (as you would normally do when running Terraform from a local development machine)?

ENV0 error:

 Error: can not create client, bad configuration: did not find a proper configuration for private key

   with provider["registry.terraform.io/hashicorp/oci"],
   on main.tf line 33, in provider "oci":
   33: provider "oci" {

jude-chen commented 2 years ago

I am facing the same issue by trying OCI in Env0. It looks like setting the TF_VAR_private_key environment variable with the multiline content (the private key content) does not work. According to this OCI provider document, setting the private_key variable should work.

jude-chen commented 2 years ago

After some research and testing, I think this may not be the OCI provider's issue. I am trying to reach out to Env0 to see what they can say about this issue.

The workaround I have right now is generating an encrypted private key with a really long password (at least 32 chars), and then hard-coding the private_key value in the tf file while keeping the private_key_password value in the Env0 project settings. This should be reasonably secure for a test/non-prod environment; it might be better if you have a private repository for your code instead of a public one. But before applying this workaround to a prod environment, I would think twice or maybe consult info security's opinion first.

Also, it looks like you need to keep both private_key and private_key_password as TF variables; keeping one as a TF variable and the other as an environment variable won't work.

Examples below -

variable "private_key" {
  type = string
  default = <<EOF
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,9556DA86C57A3252EF7F0D9D8510143F

F+dO1/4F2VEQOl4kHGRMLyL4YgYnOJLVkZSUAJKFtDii4GAnb/Qg7b2rM8infSUN
...
<yanked lines here>
...
bbnly+pCHIiQ5qcaCAZWQkogWtAm/lG/kFLeMEOpYa3Qgz/2cGwWftausBt2he3z
-----END RSA PRIVATE KEY-----
EOF
}

variable "private_key_password" {
  type = string
  sensitive = true
}

provider "oci" {
  private_key = var.private_key
  private_key_password = var.private_key_password
}

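As an added example that is not part of this thread or of the OCI provider's code, the script below shows two file-less ways of handing a multi-line PEM key to Terraform (a verbatim `TF_VAR_` export, and a single-line base64 transport that can survive a web form) together with a check for the failure mode reported above, where a variable store flattens the line breaks. The PEM text is a constructed placeholder with the PEM shape only, and the variable name `private_key_b64` in the usage note is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the issue thread or from the OCI provider project.
# Two file-less ways to hand a multi-line PEM key to Terraform, plus a sanity
# check for the failure mode where a variable store flattens the line breaks.
# SAMPLE_PEM is a CONSTRUCTED placeholder with the PEM shape only; it is not a key.

SAMPLE_PEM='-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgTElORSBPTkU=
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgTElORSBUV08=
-----END RSA PRIVATE KEY-----'

# Terraform reads TF_VAR_<name> verbatim, so a shell export keeps the newlines.
# Pasting the same text into a web form or a .env file frequently does not.
export_multiline() {
  TF_VAR_private_key="$1"
  export TF_VAR_private_key
}

# Single-line transport: base64-encode once, store the one-line result in the
# SaaS variable store, and decode in HCL with base64decode() (see note below).
pem_to_b64() {
  printf '%s\n' "$1" | base64 | tr -d '\n'
}

# Decode back to PEM (what base64decode() does on the Terraform side).
b64_to_pem() {
  printf '%s' "$1" | base64 -d
}

# Returns 0 when the value still looks like an intact multi-line PEM block:
# BEGIN header on its own first line, END footer on its own last line,
# and at least one body line in between. Accepts PKCS#1 and PKCS#8 headers.
pem_is_intact() {
  value="$1"
  first=$(printf '%s\n' "$value" | head -n 1)
  last=$(printf '%s\n' "$value" | tail -n 1)
  lines=$(printf '%s\n' "$value" | wc -l | tr -d ' ')
  case "$first" in "-----BEGIN "*"PRIVATE KEY-----") ;; *) return 1 ;; esac
  case "$last" in "-----END "*"PRIVATE KEY-----") ;; *) return 1 ;; esac
  [ "$lines" -ge 3 ]
}

# Demonstration: intact value passes, a flattened copy fails, base64 round-trips.
export_multiline "$SAMPLE_PEM"
if pem_is_intact "$TF_VAR_private_key"; then echo "exported key: intact"; fi

FLATTENED=$(printf '%s' "$SAMPLE_PEM" | tr '\n' ' ')   # what a lossy UI produces
if ! pem_is_intact "$FLATTENED"; then echo "flattened key: rejected"; fi

B64=$(pem_to_b64 "$SAMPLE_PEM")
if [ "$(b64_to_pem "$B64")" = "$SAMPLE_PEM" ]; then echo "base64 round-trip: ok"; fi
```

On the Terraform side the base64 variant pairs with a `sensitive = true` string variable (here called `private_key_b64`, a hypothetical name) and `private_key = base64decode(var.private_key_b64)` in the provider block; `base64decode` is a built-in Terraform function. Unlike the hard-coded encrypted-key workaround above, neither route puts key material into the repository, and `pem_is_intact` can be run in the pipeline before `terraform plan` to fail fast with a clear message instead of the provider's "did not find a proper configuration for private key".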

ravinitp commented 1 year ago

Thank you for reporting the issue. We observed that the affected resources are not provided in the description, or are incorrect. We request you to add them to the issue description in the format below. Example: affected_resources = oci_core_instance , oci_core_instances

If it's not related to any particular resource, then mention the affected resource as terraform. Example: affected_resources = terraform

As this works through automation, we request you to follow the exact syntax.