terraform-aws-modules / terraform-aws-lambda

Terraform module, which takes care of a lot of AWS Lambda/serverless tasks (build dependencies, packages, updates, deployments) in countless combinations 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/lambda/aws
Apache License 2.0
886 stars 656 forks

Make it possible to pass host AWS credentials to docker build #454

Closed pbn4 closed 1 year ago

pbn4 commented 1 year ago

Description

I'm trying to use docker_additional_options to authenticate with CodeArtifact to build a lambda that depends on some private python packages. The problem is: it's not possible to have idempotent builds; each apply has a non-empty plan because of the variable authorization token created by the CodeArtifact authorization token data source. Moving the authentication logic to the entrypoint is not possible due to the lack of environment variable expansion in docker run.

Versions

Reproduction Code

data "aws_codeartifact_authorization_token" "this" {
  domain       = var.codeartifact_domain
  domain_owner = var.codeartifact_domain_owner
}
  ...
  build_in_docker = true
  docker_additional_options = [
    "-eCODEARTIFACT_AUTH_TOKEN=${data.aws_codeartifact_authorization_token.this.authorization_token}",
    "-eCODEARTIFACT_HOSTNAME=${local.codeartifact_hostname}",
    "-v", "${abspath(path.module)}/my_entrypoint.sh:/entrypoint/entrypoint.sh:ro",
  ]
  docker_entrypoint = "/entrypoint/entrypoint.sh"
  ...

and in the entrypoint.sh I configure pip.conf:

#!/bin/sh
set -e

# Point pip at a config file generated in the build directory
export PIP_CONFIG_FILE="$PWD/pip.conf"

# trusted-host disables HTTPS certificate checks for the listed hosts; it is not
# needed when both indexes serve valid TLS certificates
cat <<EOF > pip.conf
[global]
index-url = https://pypi.org/simple
trusted-host = pypi.org
               $CODEARTIFACT_HOSTNAME
extra-index-url = https://aws:${CODEARTIFACT_AUTH_TOKEN}@${CODEARTIFACT_HOSTNAME}/pypi/my-package/simple
EOF

# Hand over to the build command passed by the module
exec "$@"

Additional context

Now the problem with this approach is that

    "-eCODEARTIFACT_AUTH_TOKEN=${data.aws_codeartifact_authorization_token.this.authorization_token}",

is different on every terraform run. Now, my solution to this is to move the authentication to entrypoint.sh, but docker does not have any AWS credentials, neither ~/.aws/ nor environment variables. For this I see the following approaches:

  1. Pass session environment variables:
    "-eAWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID",
    "-eAWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY",
    "-eAWS_SESSION_TOKEN=$AWS_SESSION_TOKEN",
  2. Pass AWS_PROFILE and mount the AWS config directory:
    "-eAWS_PROFILE=$AWS_PROFILE",
    "-v", "${pathexpand("~/.aws")}:/root/.aws:ro",
  3. Both

Unfortunately all 3 require some way of passing environment variables of the host to the docker container. Maybe I'm missing something, but at the moment I do not see a way to do this.

I cannot pass an environment variable to the run because parameters passed to docker_additional_options are not expanded, e.g. -eAWS_PROFILE=$AWS_PROFILE will result in docker searching for a profile named literally $AWS_PROFILE.

I consider the lack of variable expansion in docker options a bug, not expected behavior, hence the bug report and not a feature request; please correct me if I'm wrong and I'll open a feature request instead.

antonbabenko commented 1 year ago

If I understand the problem correctly, you should be able to pass AWS_PROFILE (option 2 in your list) like this:

docker_additional_options = [
  "-eAWS_PROFILE=${var.aws_profile}",  # a static input variable, so the plan stays stable
# ...
]

And make aws_profile a variable:

variable "aws_profile" {
  type = string
  default = "my-awesome-aws-profile-for-docker"
}

Alternatively, you should be able to use more complex Docker settings if you use docker-build submodule.
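
One way to combine the two comments above (authentication done in the entrypoint, as pbn4 wants, with credentials reaching the container through a static AWS_PROFILE and a read-only ~/.aws mount, as antonbabenko suggests), as an added example that is not part of this thread or of the module: start the build container with docker_additional_options containing "-eAWS_PROFILE=${var.aws_profile}" and "-v", "${pathexpand("~/.aws")}:/root/.aws:ro", plus -e entries for the hypothetical CODEARTIFACT_DOMAIN, CODEARTIFACT_DOMAIN_OWNER, CODEARTIFACT_REPO and AWS_REGION variables (all static values, so the plan stays empty), and let the entrypoint below fetch the token itself. The token then never passes through Terraform, which is what made the plan non-idempotent, and pip.conf is written outside the build directory so it cannot end up in the packaged artifact. The image is assumed to contain the AWS CLI; the function and variable names are mine, not the module's.

```shell
#!/bin/sh
# Added example, not code from the module or from the thread author: a Docker
# entrypoint that obtains the CodeArtifact token *inside* the build container,
# using the host AWS profile mounted read-only, so Terraform never sees the token.
# Assumptions (hypothetical names, not from the thread): the image has the AWS CLI,
# and the container is started with
#   -eAWS_PROFILE=<profile> -v ~/.aws:/root/.aws:ro
#   -eCODEARTIFACT_DOMAIN=... -eCODEARTIFACT_DOMAIN_OWNER=... -eCODEARTIFACT_REPO=... -eAWS_REGION=...
set -eu

# CodeArtifact endpoint hostname: <domain>-<owner>.d.codeartifact.<region>.amazonaws.com
codeartifact_host() {
    printf '%s-%s.d.codeartifact.%s.amazonaws.com' "$1" "$2" "$3"
}

# Render pip.conf for a token, endpoint host and repository name.
# Kept free of network calls so it can be checked offline.
render_pip_conf() {
    printf '[global]\nindex-url = https://pypi.org/simple\nextra-index-url = https://aws:%s@%s/pypi/%s/simple\n' \
        "$1" "$2" "$3"
}

# Fetch a short-lived token with the mounted profile; 900 s is the shortest
# positive lifetime the API accepts and is plenty for one dependency install.
fetch_token() {
    aws codeartifact get-authorization-token \
        --domain "$CODEARTIFACT_DOMAIN" \
        --domain-owner "$CODEARTIFACT_DOMAIN_OWNER" \
        --duration-seconds 900 \
        --query authorizationToken --output text
}

main() {
    host=$(codeartifact_host "$CODEARTIFACT_DOMAIN" "$CODEARTIFACT_DOMAIN_OWNER" "$AWS_REGION")
    # Write the config outside the build directory and owner-only, so the token
    # can neither be packaged into the Lambda zip nor read by other users.
    umask 077
    conf=/tmp/pip.conf
    render_pip_conf "$(fetch_token)" "$host" "$CODEARTIFACT_REPO" > "$conf"
    export PIP_CONFIG_FILE="$conf"
    exec "$@"   # hand over to the build command supplied by the module
}

# Run as entrypoint when docker passes a command; with no arguments only the
# functions above are defined (convenient for testing).
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Mounting ~/.aws read-only still exposes every profile in that file to the build container, so use a dedicated profile whose permissions are limited to codeartifact:GetAuthorizationToken, codeartifact:ReadFromRepository and sts:GetServiceBearerToken if that matters in your environment.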

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

github-actions[bot] commented 1 year ago

This issue was automatically closed because of stale in 10 days

github-actions[bot] commented 12 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.