-
Notifications
You must be signed in to change notification settings - Fork 57
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use env var for AWS credentials #1190
Conversation
It is not a best practice to hard code credentials into terraform.tfvars because there a high risk of leakage. This commit defaults to using default environment variables for AWS credentials. It also adds two more packages to remove when bootstrapping on a CHOST, without these two packages, containerd cannot be uninstalled, hence cloud-init does not complete. Also add the same values in the .example file as in the official documentation. Signed-off-by: lcavajani <lcavajani@suse.com> (cherry picked from commit 260a53a)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall looks good to me, however I'm a bit conflicted... What I personally do is to define these variables inside of a secrets.auto.tfvars
file, which is inside of my .gitignore
.
@innobead : what is your opinion on this topic? AFAIK the Azure integration doesn't have the credentials stored inside of terraform at all, I know something got changed by your team recently.
|
@flavio this is a common practice to use environment variables and that's what we do with the other platforms so it would be consistent |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE" | ||
export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" | ||
export AWS_DEFAULT_REGION="eu-central-1" | ||
set -o history | ||
``` | ||
|
||
It can also be stored in a file, for example `aws-credentials` | ||
|
||
``` | ||
AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE" | ||
AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" | ||
AWS_DEFAULT_REGION="eu-central-1" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would say let's just follow up the suggested ways provided by cloud providers like |
Why is this PR needed?
It is not a best practice to hard code credentials into
terraform.tfvars
because there a high risk of leakage.What does this PR do?
This commit defaults to using default environment variables for AWS credentials. Having these variables exported is also handy as it allows one to use
aws-cli
as well.It also adds two more packages to remove when bootstrapping on a
CHOST
, without these two packages,containerd
cannot be uninstalled, hencecloud-init
does not complete.Anything else a reviewer needs to know?
Info for QA
Status BEFORE applying the patch
values must be hardcoded in
terraform.tfvars
Status AFTER applying the patch
AWS_ACCESS_KEY_ID
,AWS_SECRET_ACCESS_KEY
,AWS_DEFAULT_REGION
must be exported before running terraform.Docs
SUSE/doc-caasp#903
Merge restrictions
(Please do not edit this)
We are in v4-maintenance phase, so we will restrict what can be merged to prevent unexpected surprises: