gitlab - How to correctly hide secrets in Terraform using GitLab and AWS
Problem description
I want to automate my Terraform work with GitLab. I have working code that runs on my local machine without problems. Now I want to move it to GitLab. I need to hide my private keys (on the local machine I use environment variables). According to this answer [https://stackoverflow.com/questions/56461518/inject-gitlab-ci-variables-into-terraform-variables][1], I can set environment variables using GitLab features alone. My gitlab.yml:
```yaml
image: registry.gitlab.com/gitlab-org/terraform-images/stable:latest

variables:
  TF_ROOT: ${CI_PROJECT_DIR}
  TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/${CI_PROJECT_NAME}

cache:
  key: production
  paths:
    - ${TF_ROOT}/.terraform

before_script:
  - cd ${TF_ROOT}

stages:
  - prepare
  - build
  - deploy

init:
  stage: prepare
  script:
    - gitlab-terraform init

plan:
  stage: build
  variables:
    aws_access_key: ${TF_AWS_ACCESS_KEY}
    aws_secter_key: ${TF_AWS_SECRET_KEY}
    aws_region: ${TF_AWS_REGION}
  script:
    - gitlab-terraform plan
    - gitlab-terraform plan-json
  artifacts:
    name: plan
    paths:
      - ${TF_ROOT}/plan.cache
    reports:
      terraform: ${TF_ROOT}/plan.json

apply:
  stage: deploy
  variables:
    aws_access_key: ${TF_AWS_ACCESS_KEY}
    aws_secter_key: ${TF_AWS_SECRET_KEY}
    aws_region: ${TF_AWS_REGION}
  environment:
    name: production
  script:
    - gitlab-terraform apply
  dependencies:
    - plan
  when: manual
  only:
    - master
```
My provide.tf:

```hcl
variable "aws_access_key" {}
variable "aws_secter_key" {}
variable "aws_region" {}

provider "aws" {
  region     = var.aws_region
  access_key = var.aws_access_key
  secret_key = var.aws_secter_key
}
```
My environment variables are created in GitLab -> Settings -> CI/CD -> Variables:
TF_AWS_ACCESS_KEY, TF_AWS_REGION, TF_AWS_SECRET_KEY
But when I run the CI/CD pipeline, I get an error. The log:
```
+ TF_USERNAME=
+ '[' -z ]
+ TF_USERNAME=
+ TF_PASSWORD=
+ '[' -n ]
+ export 'TF_HTTP_ADDRESS=
+ export 'TF_HTTP_LOCK_ADDRESS=
+ export 'TF_HTTP_LOCK_METHOD=POST'
+ export 'TF_HTTP_UNLOCK_ADDRESS=
+ export 'TF_HTTP_UNLOCK_METHOD=DELETE'
+ export 'TF_HTTP_USERNAME=
+ export 'TF_HTTP_PASSWORD=
+ export 'TF_HTTP_RETRY_WAIT_MIN=
+ init
+ terraform_is_at_least 0.13.2
+ head -n1
+ sort -V
+ awk -v 'min=0.13.2' '/^Terraform v/{ sub(/^v/, "", $2); print min; print $2 }'
+ terraform -version
+ '[' 0.13.2 '=' 0.13.2 ]
+ return 0
+ terraform init -reconfigure

Initializing the backend...

Successfully configured the backend "http"! Terraform will automatically
use this backend unless the backend configuration changes.

Initializing provider plugins...
- Using previously-installed hashicorp/aws v3.20.0
- Using previously-installed hashicorp/archive v2.0.0

The following providers do not have any version constraints in configuration,
so the latest version was installed.

To prevent automatic upgrades to new major versions that may contain breaking
changes, we recommend adding version constraints in a required_providers block
in your configuration, with the constraint strings suggested below.

* hashicorp/archive: version = "~> 2.0.0"
* hashicorp/aws: version = "~> 3.20.0"

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
+ terraform plan '-out=plan.cache'
var.aws_access_key
  Enter a value:
var.aws_region
  Enter a value:
var.aws_secter_key
  Enter a value:
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

data.archive_file.init: Refreshing state...

------------------------------------------------------------------------

Error: Invalid AWS Region:

Uploading artifacts for failed job
00:01
Uploading artifacts...
Cleaning up file based variables
00:01
ERROR: Job failed: exit code 1
```
When I run the same code on my local machine, I have no problems. I think the environment variables are not being substituted in provide.tf. How do I properly organize hiding my private keys, and how do I run the code on GitLab? A small side question: I have not figured out how to store the .tfstate file remotely on the app.terraform.io server. Is there a beginner's guide?

[1]: Inject GitLab CI variables into Terraform variables
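The job log above shows Terraform prompting "Enter a value:" for each variable and then failing on an empty region. Terraform only reads an input variable `name` from an environment variable named `TF_VAR_name`, so a job variable called `aws_access_key` is never seen by the `variable "aws_access_key"` block. The following is an added example, not code from the original post or from GitLab's terraform image: a POSIX sh `before_script` helper that maps the CI/CD variables named in the question (`TF_AWS_ACCESS_KEY`, `TF_AWS_SECRET_KEY`, `TF_AWS_REGION`) onto `TF_VAR_` variables and fails the job early, without echoing any secret, when one of them is missing or empty. The Terraform-side names are assumptions: they must match the `variable` blocks exactly, so with the post's `provide.tf` as written the second one would have to be `aws_secter_key` unless that spelling is corrected.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the GitLab CI/CD
# variables TF_AWS_ACCESS_KEY, TF_AWS_SECRET_KEY and TF_AWS_REGION exist,
# and relies on Terraform's documented rule that var.<name> is read from
# the environment variable TF_VAR_<name>. Meant to be sourced from the
# job's before_script, before gitlab-terraform plan/apply.

# map_tf_vars: export TF_VAR_<terraform variable> from each CI variable.
# Returns 1 (naming only the variable, never its value) if any required
# value is unset or empty, so the job fails instead of hanging on an
# interactive "Enter a value:" prompt and reaching the provider with "".
map_tf_vars() {
    missing=0
    for pair in \
        "TF_AWS_ACCESS_KEY:aws_access_key" \
        "TF_AWS_SECRET_KEY:aws_secret_key" \
        "TF_AWS_REGION:aws_region"; do
        src=${pair%%:*}
        dst=${pair#*:}
        # indirect lookup of the CI variable named in $src (POSIX sh)
        eval "val=\${$src}"
        if [ -z "$val" ]; then
            echo "missing CI/CD variable: $src (needed for var.$dst)" >&2
            missing=1
            continue
        fi
        export "TF_VAR_$dst=$val"
    done
    return $missing
}

# region_looks_valid: cheap shape check (e.g. eu-central-1) so a typo or
# an empty value is reported here rather than as "Invalid AWS Region:".
region_looks_valid() {
    case "$1" in
        [a-z][a-z]-[a-z]*-[0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage inside the job (assumed):
#   . ./tf_vars.sh && map_tf_vars && region_looks_valid "$TF_VAR_aws_region"
```

The same mapping can be expressed declaratively in `.gitlab-ci.yml` by naming the job variables `TF_VAR_aws_access_key: ${TF_AWS_ACCESS_KEY}` and so on; the script form adds the empty-value check, which the YAML cannot do. Whichever form is used, mark the two key variables as Masked and Protected in the GitLab variable settings so they are redacted from job logs and only exposed on protected branches, and keep in mind that `plan.cache`, which the job uploads as an artifact, is a binary plan file that can carry input variable values, so artifact access should be restricted accordingly.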
Solution