AWS Codebuild terraform provider
Running terraform deploy in codebuild with the following buildspec.yml. Seems terraform isn't picking up the IAM permissions provided by the codebuild role. We're using terraform's remote state (state file is stored in s3); when terraform attempts to contact the S3 bucket containing the state file it dies asking for the terraform provider to be configured:
Downloading modules (if any)...
Get: file:///tmp/src486521661/src/common/byu-aws-accounts-tf
Get: file:///tmp/src486521661/src/common/base-aws-account-
...
Error configuring the backend "s3": No valid credential sources found for AWS Provider.
Here's the buildspec.yml:
version: 0.1
phases:
  install:
    commands:
      - cd common && git clone https://eric.w.nord@gitlab.com/aws-account-tools/acs.git
      - export TerraformVersion=0.9.3 && cd /tmp && curl -o terraform.zip https://releases.hashicorp.com/terraform/${TerraformVersion}/terraform_${TerraformVersion}_linux_amd64.zip && unzip terraform.zip && mv terraform /usr/bin
  build:
    commands:
      - cd accounts/00/dev-stack-oit-byu && terraform init && terraform plan && echo terraform apply
EDIT: THE BUG HAS BEEN FIXED, SO PLEASE DELETE the lines below if you added them to your buildspec file.
Before terraform init, add these lines:
export AWS_ACCESS_KEY_ID=`curl --silent 169.254.170.2:80$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI | jq -r '.AccessKeyId'`
export AWS_SECRET_ACCESS_KEY=`curl --silent 169.254.170.2:80$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI | jq -r '.SecretAccessKey'`
export AWS_SESSION_TOKEN=`curl --silent 169.254.170.2:80$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI | jq -r '.Token'`
It is more readable.
In your buildspec.yml try:
env:
  variables:
    AWS_METADATA_ENDPOINT: "http://169.254.169.254:80$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
You need this because TF will look for the metadata in that env var, which is not set in the container.
I hate to post this, but it will allow terraform to access the codebuild IAM STS access keys and execute terraform commands from within codebuild via a buildspec.yml.
It's pretty handy for automated deploys of AWS infrastructure, as you can drop a CodeBuild into all your AWS accounts and fire them with a CodePipeline.
Please note the version: 0.2. This passes env vars between commands, whereas version 0.1 had a clean shell for each command.
Please update if you find something better:
version: 0.2
env:
  variables:
    AWS_DEFAULT_REGION: "us-west-2"
phases:
  install:
    commands:
      - apt-get -y update
      - apt-get -y install jq
  pre_build:
    commands:
      # load acs submodule (since codebuild doesn't pull the .git folder from the repo)
      - cd common
      - git clone https://gituser@gitlab.com/aws-account-tools/acs.git
      - cd ../
      # install terraform
      - other/install-tf-linux64.sh
      - terraform --version
      # set env variables for terraform provider
      - curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI | jq 'to_entries | [ .[] | select(.key | (contains("Expiration") or contains("RoleArn")) | not) ] | map(if .key == "AccessKeyId" then . + {"key":"AWS_ACCESS_KEY_ID"} else . end) | map(if .key == "SecretAccessKey" then . + {"key":"AWS_SECRET_ACCESS_KEY"} else . end) | map(if .key == "Token" then . + {"key":"AWS_SESSION_TOKEN"} else . end) | map("export \(.key)=\(.value)") | .[]' -r > /tmp/cred.txt # work around https://github.com/hashicorp/terraform/issues/8746
      - chmod +x /tmp/cred.txt
      - . /tmp/cred.txt
  build:
    commands:
      - ls
      - cd your/repo's/folder/with/main.tf
      - terraform init
      - terraform plan
      - terraform apply
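A scripted version of the credential step used by the two answers above (the three export lines and the jq filter), added here as an example that is not part of either answer: it maps the container credential endpoint's JSON document to the three env vars the Terraform AWS provider reads, refuses a document that is missing a field or is already expired, and shell-quotes the values. The endpoint address and field names are the ones the answers show; the sample document and its values are constructed placeholders.

```python
import json
import os
import shlex
import urllib.request
from datetime import datetime, timezone

# Constructed sample of the JSON document the container credential endpoint
# (169.254.170.2 + $AWS_CONTAINER_CREDENTIALS_RELATIVE_URI) returns inside
# CodeBuild. Placeholder values only, not real credentials.
SAMPLE_DOC = {
    "RoleArn": "arn:aws:iam::123456789012:role/codebuild-example",
    "AccessKeyId": "ASIAEXAMPLEKEYID",
    "SecretAccessKey": "exampleSecret/With+Special=Chars",
    "Token": "example.session.token",
    "Expiration": "2099-01-01T00:00:00Z",
}
# Endpoint field -> env var the Terraform AWS provider reads. RoleArn and
# Expiration are deliberately not exported, as in the jq filter above.
FIELD_TO_ENV = {
    "AccessKeyId": "AWS_ACCESS_KEY_ID",
    "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
    "Token": "AWS_SESSION_TOKEN",
}

def fetch_container_credentials(timeout=2.0):
    """Read the credential document from the endpoint; None when the
    relative-URI env var is absent (i.e. not running inside CodeBuild)."""
    rel = os.environ.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
    if not rel:
        return None
    with urllib.request.urlopen("http://169.254.170.2" + rel, timeout=timeout) as r:
        return json.load(r)

def credentials_to_exports(doc, now=None):
    """Turn the credential document into shell 'export' lines, failing loudly
    on a missing field or expired credentials rather than letting terraform
    init die later with 'No valid credential sources found'."""
    missing = [k for k in FIELD_TO_ENV if k not in doc]
    if missing:
        raise ValueError("credential document lacks " + ", ".join(missing))
    exp = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    if exp.replace(tzinfo=timezone.utc) <= (now or datetime.now(timezone.utc)):
        raise ValueError("credentials expired at " + doc["Expiration"])
    # shlex.quote protects values containing shell metacharacters
    return ["export %s=%s" % (env, shlex.quote(str(doc[field])))
            for field, env in FIELD_TO_ENV.items()]

if __name__ == "__main__":  # print the export lines; source them in the build
    doc = fetch_container_credentials() or SAMPLE_DOC
    print("\n".join(credentials_to_exports(doc)))
```

Unlike the `/tmp/cred.txt` approach, the lines can be sourced directly (`. <(python3 creds.py)`) so the live credentials are never written to disk.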
The Terraform AWS provider offers the following methods of authentication:
Static credentials
In this case you can add the access and secret keys directly into the tf config file as follows:
provider "aws" {
  region     = "us-west-2"
  access_key = "anaccesskey"
  secret_key = "asecretkey"
}
Environment variables
You import the access and secret key into the environment variables. Do this using the export command:
$ export AWS_ACCESS_KEY_ID="anaccesskey"
$ export AWS_SECRET_ACCESS_KEY="asecretkey"
Shared credentials file
If Terraform fails to detect credentials inline or in the environment, Terraform will check this location, $HOME/.aws/credentials, in which case you don't need to mention or put the credentials in your Terraform config.
EC2 Role
If you're running Terraform from an EC2 instance with an IAM Instance Profile using an IAM Role, Terraform will just ask the metadata API endpoint for credentials. In which case, you don't have to mention the access and secret keys in any config. This is the preferred way.
https://www.terraform.io/docs/providers/aws/ http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#instance-metadata-security-credentials