
Use terraform cloud API token #6

Open
kief opened this issue Sep 16, 2021 · 1 comment
kief commented Sep 16, 2021

Howdy,

I'm using Terraform cloud as a remote backend, and need a way to authenticate. I don't see an obvious way to do it out of the box, is there something I'm missing?

It seems like I'll need to use an API token. Doesn't look like I'll be able to pass it in an environment variable. Potentially it could go into the .terraformrc file, but I don't see a way to inject that in.

What is the best solution that fits with the "dojo way"?

tomzo (Member) commented Sep 18, 2021

Hi Kief,

Thanks for trying out the image.

If terraform does not define an environment variable that could be passed from outside of docker then .terraformrc might be the way to go.

Having said that, the most dojo way is to make the image support an organisation-specific credentials distribution tool. The point is to make usage of the image as straightforward as possible for both users and CI agents, while keeping a good level of isolation from your local laptop setup. That means there shouldn't be additional options passed to dojo (neither via Dojofile nor via CLI). It also means you probably want to use this image as a starting point, fork it and customise it rather than use it directly. You can also have a look at secrets considerations here. The ideal setup is: when you run dojo either as a CI agent or a human, you land in a development-ready container with all the secrets that you need for a given set of tools.

In this particular image, the above approach could mean either:

  1. If the organisation has a centralised secrets store, such as hashicorp vault, then the image would have a script in /etc/dojo.d/scripts/ that runs on container start. It would authenticate with the vault and create the .terraformrc file in /home/dojo/.terraformrc.

  2. If the organisation uses environment variables to provide secrets, then a similar script could be used to generate the .terraformrc from a custom environment variable.

  3. (not recommended) You could be tempted to use the approach of mounting .terraformrc from your laptop directly to the container using Dojofile options:

DOJO_DOCKER_OPTIONS="-v /path/to/local/secret:/home/dojo/.terraformrc"

There are caveats to point 3. though:

  • When working with many organisations you are likely to use the wrong .terraformrc sooner or later.
  • You're also then enforcing that everyone and CI agents have a secret in a file at that local path.
  • You don't get the benefit of being able to check the sanity of that file. When using scripts to set up all secrets you're enforcing the file content and validating that the user has provided enough input to generate them. It's common to include secret validation and error messages in the image startup script, hence improving the user experience. E.g. "You're missing env. variable MY_ORG_TERRAFORM_CLOUD_API_TOKEN".

I'm happy to discuss this further.
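The environment-variable approach from point 2, combined with the validation and error messages from the third caveat, as an added example that is not code from the dojo project or this image. It assumes a POSIX shell, the variable name MY_ORG_TERRAFORM_CLOUD_API_TOKEN from the comment above, the Terraform Cloud host app.terraform.io, a startup-script location under /etc/dojo.d/scripts/, and an arbitrary minimum token length of 20 as a sanity check.

```shell
#!/bin/sh
# Hypothetical startup helper for a dojo image: build the Terraform CLI config
# from an environment variable, validate the input and fail with a clear
# message when it is missing. In the image it would live in /etc/dojo.d/scripts/
# and write /home/dojo/.terraformrc; TF_HOST and the length check are assumptions.

TF_HOST="${TF_HOST:-app.terraform.io}"

# Render the credentials block in the format the Terraform CLI reads from .terraformrc.
render_terraformrc() {
  host="$1"; token="$2"
  printf 'credentials "%s" {\n  token = "%s"\n}\n' "$host" "$token"
}

# Validate the token before anything is written: it must be set, must not contain
# whitespace or double quotes (which would corrupt the HCL string), and must be
# long enough to plausibly be a real token (20 is an assumed threshold).
validate_token() {
  tok="$1"
  [ -n "$tok" ] || { echo "ERROR: You're missing env. variable MY_ORG_TERRAFORM_CLOUD_API_TOKEN" >&2; return 1; }
  case "$tok" in
    *[[:space:]]*|*'"'*) echo "ERROR: MY_ORG_TERRAFORM_CLOUD_API_TOKEN contains whitespace or quotes" >&2; return 1 ;;
  esac
  [ ${#tok} -ge 20 ] || { echo "ERROR: MY_ORG_TERRAFORM_CLOUD_API_TOKEN looks too short to be a valid token" >&2; return 1; }
  return 0
}

# Write the config owner-readable only; the token value itself is never logged.
generate_terraformrc() {
  target="$1"
  validate_token "${MY_ORG_TERRAFORM_CLOUD_API_TOKEN:-}" || return 1
  umask 077
  render_terraformrc "$TF_HOST" "$MY_ORG_TERRAFORM_CLOUD_API_TOKEN" > "$target"
  echo "wrote $target with credentials for $TF_HOST"
}

# Entry point: the container start script would call this file with "generate".
if [ "${1:-}" = "generate" ]; then
  generate_terraformrc "${HOME}/.terraformrc" || exit 1
fi
```

Invoked with `generate`, a missing or malformed variable stops container startup with the error message instead of leaving a silently broken .terraformrc behind.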
