Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use env var for AWS credentials #1190

Merged
merged 1 commit into from
Jun 29, 2020
Merged

Use env var for AWS credentials #1190

merged 1 commit into from
Jun 29, 2020

Conversation

spiarh
Copy link
Contributor

@spiarh spiarh commented Jun 24, 2020
edited
Loading

Why is this PR needed?

It is not a best practice to hard code credentials into terraform.tfvars because there a high risk of leakage.

What does this PR do?

This commit defaults to using default environment variables for AWS credentials. Having these variables exported is also handy as it allows one to use aws-cli as well.

It also adds two more packages to remove when bootstrapping on a CHOST, without these two packages, containerd cannot be uninstalled, hence cloud-init does not complete.

Anything else a reviewer needs to know?

Info for QA

Status BEFORE applying the patch

values must be hardcoded in terraform.tfvars

Status AFTER applying the patch

AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_DEFAULT_REGION must be exported before running terraform.

Docs

SUSE/doc-caasp#903

Merge restrictions

(Please do not edit this)

We are in v4-maintenance phase, so we will restrict what can be merged to prevent unexpected surprises:

What can be merged (merge criteria):
    2 approvals:
        1 developer: code is fine
        1 QA: QA is fine
    there is a PR for updating documentation (or a statement that this is not needed)

Use env var for AWS credentials
5b4a01f 
It is not a best practice to hard code credentials
into terraform.tfvars because there a high risk
of leakage. This commit defaults to using default
environment variables for AWS credentials.

It also adds two more packages to remove when bootstrapping
on a CHOST, without these two packages, containerd cannot
be uninstalled, hence cloud-init does not complete.

Also add the same values in the .example file as in the
official documentation.

Signed-off-by: lcavajani <lcavajani@suse.com>
(cherry picked from commit 260a53a)
@spiarh spiarh added enhancement New feature or request documentation labels Jun 24, 2020
@spiarh spiarh mentioned this pull request Jun 24, 2020
Merged
@spiarh spiarh requested a review from maximenoel8 June 25, 2020 08:43
flavio
flavio reviewed Jun 25, 2020
View reviewed changes
Copy link
Member

@flavio flavio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall looks good to me, however I'm a bit conflicted... What I personally do is to define these variables inside of a secrets.auto.tfvars file, which is inside of my .gitignore.

@innobead : what is your opinion on this topic? AFAIK the Azure integration doesn't have the credentials stored inside of terraform at all, I know something got changed by your team recently.

@flavio
Copy link
Member

flavio commented Jun 25, 2020
edited
Loading

@lcavajani : however, if we are going to merge that we will need to update the official documentation too. scratch it, I found your PR against the docs 👏

@spiarh
Copy link
Contributor Author

spiarh commented Jun 25, 2020

@flavio this is a common practice to use environment variables and that's what we do with the other platforms so it would be consistent

flavio
flavio approved these changes Jun 25, 2020
View reviewed changes
Copy link
Member

@flavio flavio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

jenting
jenting approved these changes Jun 29, 2020
View reviewed changes
ci/infra/aws/README.md
Comment on lines +42 to +53
export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"
export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
export AWS_DEFAULT_REGION="eu-central-1"
set -o history
```

It can also be stored in a file, for example `aws-credentials`

```
AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
AWS_DEFAULT_REGION="eu-central-1"
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

❤️
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html

@c3y1huang c3y1huang merged commit b625aae into SUSE:master Jun 29, 2020
@innobead
Copy link
Contributor

innobead commented Jun 29, 2020
edited
Loading

Overall looks good to me, however I'm a bit conflicted... What I personally do is to define these variables inside of a secrets.auto.tfvars file, which is inside of my .gitignore.

@innobead : what is your opinion on this topic? AFAIK the Azure integration doesn't have the credentials stored inside of terraform at all, I know something got changed by your team recently.

I would say let's just follow up the suggested ways provided by cloud providers like env (at least aws, azure, and gcp), then the authentication will be implicitly injected and consumed by the terrfoarm runtime so obviously there is no need to specify in terraform vars.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@flavio flavio flavio approved these changes

@innobead innobead innobead approved these changes

@jenting jenting jenting approved these changes

@thehejik thehejik Awaiting requested review from thehejik

@kravciak kravciak Awaiting requested review from kravciak

@maximenoel8 maximenoel8 Awaiting requested review from maximenoel8

Assignees
No one assigned
Labels
documentation enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@spiarh @flavio @innobead @jenting @c3y1huang