Persist environment variables from commands #1008

Open
aacuadras opened this issue Jun 24, 2024 · 3 comments
Labels
enhancement New feature or request

@aacuadras
Feature description 💡

Currently when environment variables are set in a BASH command, those variables do not persist in the flow. For example, let's say I want to assume a role in AWS and then run terraform plan. I want to accomplish this with the following template:

flow:
  - type: "terraformPlan"
    name: "Init and Plan"
    step: 100
    commands:
      - runtime: "BASH"
        priority: 100
        before: true
        script: |
          creds=$(aws sts assume-role --role-arn 'arn:aws:iam::123456789012:role/terrakube-role' --role-session-name session --output json)
          # jq -r prints raw strings; without it each value keeps its JSON double quotes
          export AWS_ACCESS_KEY_ID=$(echo "$creds" | jq -r '.Credentials.AccessKeyId')
          export AWS_SECRET_ACCESS_KEY=$(echo "$creds" | jq -r '.Credentials.SecretAccessKey')
          export AWS_SESSION_TOKEN=$(echo "$creds" | jq -r '.Credentials.SessionToken')

That way, terraform can plan and apply using the designated role.

Anything else?

No response
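The behaviour the request describes is ordinary process isolation: an `export` made in a child process never reaches the parent or later siblings. The sketch below is an added example, not Terrakube code and not part of the original issue; the sample values are constructed, and the function names, the allowlist and the temp-file hand-off are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample values standing in for STS output; not real credentials.
SAMPLE_ENV='AWS_ACCESS_KEY_ID=EXAMPLEKEYID0001
AWS_SECRET_ACCESS_KEY=constructed/secret+key
AWS_SESSION_TOKEN=Y29uc3RydWN0ZWQtdG9rZW4=
PATH=/tmp/untrusted'

# A step script runs as its own process, so its export ends with that process.
export_in_child() {
  unset AWS_ACCESS_KEY_ID
  sh -c 'export AWS_ACCESS_KEY_ID=EXAMPLEKEYID0001'
  printf '%s' "${AWS_ACCESS_KEY_ID:-unset}"
}

# Load KEY=value lines from file $1 into this shell's environment. Only an
# allowlist of names is accepted, so a step cannot override PATH and similar.
load_step_env() {
  while IFS= read -r line; do
    name=${line%%=*}
    value=${line#*=}   # split on the first '=' only; base64 padding survives
    case "$name" in
      AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN)
        export "$name=$value" ;;
    esac
  done < "$1"
}

# Hypothetical hand-off: the step writes a private file, the parent loads and
# deletes it, and a later child (standing in for terraform) inherits the values.
handoff_to_later_child() {
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
  old_path=$PATH
  envfile=$(mktemp) || return 1   # mktemp creates the file with mode 0600
  sh -c 'printf "%s\n" "$2" > "$1"' _ "$envfile" "$SAMPLE_ENV"
  load_step_env "$envfile"
  rm -f "$envfile"
  [ "$PATH" = "$old_path" ] || return 1   # the PATH line was ignored
  sh -c 'printf "%s|%s" "$AWS_ACCESS_KEY_ID" "$AWS_SESSION_TOKEN"'
}
```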

@aacuadras aacuadras added the enhancement New feature or request label Jun 24, 2024
@alfespa17
Member

I think you could write an "auto.tfvars" file so terraform can pick the values from there.

@aacuadras
Author

That works if we need them as terraform variables, but this is a session that expires and our terraform code expects the user to be already authenticated to AWS, that's why there is a need for injecting these environment variables to the job.

@alfespa17
Member

alfespa17 commented Jun 24, 2024

> That works if we need them as terraform variables, but this is a session that expires and our terraform code expects the user to be already authenticated to AWS, that's why there is a need for injecting these environment variables to the job.

Adding that to save the environment variables will require some work.

Another alternative will be that you use "aws dynamic credentials" so the workspace can authenticate automatically with AWS without any kind of secrets. Instead of defining "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY" and "AWS_SESSION_TOKEN", Terrakube will use the role that you define in the env variable "WORKLOAD_IDENTITY_ROLE_AWS", and you don't have to worry about any secrets.

You could check here for the AWS dynamic credentials support:

https://docs.terrakube.io/user-guide/workspaces/dynamic-provider-credentials/aws-dynamic-provider-credentials

In that way your workspace will be "passwordless" and you will get the same effect as the above example using "aws sts assume-role --role-arn "
