
I am trying to build a btd pipeline for my code which involves AWS as well. I am using TeamCity, in which I run Docker. For AWS resources dynamic creation I am using Terraform. I have my AWS access and secret key set in TeamCity environment variables, but passing those credentials to the terraform cmd is not working.

The Dockerfile has all the Terraform commands. While Terraform initialises fine, it fails to run apply because of invalid AWS credentials.

Dockerfile:

```dockerfile
RUN apt-get -y install wget unzip
RUN wget https://releases.hashicorp.com/terraform/0.11.11/terraform_0.11.11_linux_amd64.zip
RUN unzip terraform_0.11.11_linux_amd64.zip
RUN mv terraform /usr/local/bin/

ADD main.tf /usr/local/bin

RUN chmod +x /usr/local/bin

RUN terraform init
RUN terraform apply -auto-approve /usr/local/bin/terraform -var 'access_key=${AWS_ACCESS_KEY}' -var 'secret_key=${AWS_SECRET_KEY}'
```

AWS_ACCESS_KEY and AWS_SECRET_KEY are stored in TeamCity as environment variables.

main.tf:

```hcl
provider "aws" {
  region = "region-name"
}

resource "aws_instance" "aws_test" {
  ami           = "ami"
  instance_type = "t2.micro"

  subnet_id = "subnet-id"

  # Security group
  security_groups = ["security-group"]
}
```

RohitS

1 Answer


For detailed information on using ARG and ENV instructions, see the Dockerfile reference.

https://docs.docker.com/engine/reference/builder/#understand-how-arg-and-from-interact

In the Dockerfile:

```dockerfile
ARG  CODE_VERSION=latest
FROM base:${CODE_VERSION}
CMD  /code/run-app

FROM extras:${CODE_VERSION}
CMD  /code/run-extras
```

To build the Docker image, you can use the command below.

```
docker build --build-arg some_variable_name=a_value
```

To pass a password in a secret file:

```yaml
version: "3.1"
services:

  database:
    image: postgres:9.6
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
    secrets:
      - postgres_password

secrets:
  postgres_password:
    external: true
```

https://github.com/docker-library/postgres/issues/111#issuecomment-293053904

In TeamCity, you can configure a hidden parameter; refer to http://pinter.org/archives/3681

paco alcacer
  • I am fairly new to Docker, so maybe I am wrong here, but this suggestion would require me to declare the access and secret key in the Dockerfile as environment variables, which is not recommended. My question is how to pass the environment variable declared in TeamCity, to be consumed by Docker. – RohitS Mar 27 '19 at 05:38
  • @Akshay if you use swarmkit, you can use a secret. In Kubernetes, you can use a Secret as well. You may refer to https://stackoverflow.com/questions/22651647/docker-and-securing-passwords. – paco alcacer Mar 27 '19 at 06:36
  • Unfortunately that is not an option for me here; I am bound to use TeamCity, Docker and Terraform. – RohitS Mar 28 '19 at 12:13
  • Edited above. You may try a hidden parameter in TeamCity, and `docker build --build-arg pass=%password%` @Akshay – paco alcacer Mar 28 '19 at 14:10
  • I already have AWS_ACCESS_KEY and AWS_SECRET_KEY variables defined as environment variables in my local TeamCity. After that, my run terraform command looks like this: `RUN terraform apply -auto-approve /usr/local/bin/terraform -var 'access_key=%AWS_ACCESS_KEY%' -var 'secret_key=%AWS_SECRET_KEY%'`. This still does not work. My main concern right now is how to provide the access and secret key to Terraform. I cannot push the credentials to my git repo, nor can I hard-code them; any other suggestion is most welcome. – RohitS Apr 01 '19 at 11:21
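
An added example, not part of the original question, answer or comments: a small Python lint that flags the three credential-handling problems visible in this thread. These are variables inside single quotes that the build shell never expands, variables used by `RUN` with no `ARG`/`ENV` declaration, and secret-named `ARG`/`ENV` values that stay readable in image metadata. The function name `lint_dockerfile`, the finding codes and the name heuristic are assumptions of this example, and the sample input is constructed from the Dockerfile in the question.

```python
import re

# Heuristic for credential-like variable names (assumed for this example).
SECRET_NAME = re.compile(r"(SECRET|PASSWORD|TOKEN|ACCESS_KEY)", re.I)
VAR_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")
SINGLE_QUOTED = re.compile(r"'[^']*'")


def lint_dockerfile(text):
    """Return (line_no, code, variable) findings for credential handling."""
    findings, declared = [], set()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, rest = line.partition(" ")
        instr = instr.upper()
        if instr in ("ARG", "ENV"):
            name = re.split(r"[=\s]", rest.strip(), maxsplit=1)[0]
            declared.add(name)
            if SECRET_NAME.search(name):
                # ARG and ENV values are stored in image metadata and can be
                # read back with `docker history` or `docker inspect`.
                findings.append((no, "SECRET_IN_IMAGE", name))
        elif instr == "RUN":
            quoted = set()
            for segment in SINGLE_QUOTED.findall(rest):
                quoted.update(VAR_REF.findall(segment))
            for name in sorted(quoted):
                # /bin/sh does not expand variables inside single quotes.
                findings.append((no, "NO_EXPANSION", name))
            for name in sorted(set(VAR_REF.findall(rest)) - declared):
                # RUN sees ARG/ENV values only, not the CI agent's environment
                # (a base image could still define it; this check is a heuristic).
                findings.append((no, "UNDECLARED_AT_BUILD", name))
    return findings


# Constructed sample, based on the Dockerfile posted in the question.
SAMPLE = """\
FROM ubuntu:18.04
ARG AWS_SECRET_KEY
RUN terraform init
RUN terraform apply -auto-approve -var 'access_key=${AWS_ACCESS_KEY}' -var 'secret_key=${AWS_SECRET_KEY}'
"""

if __name__ == "__main__":
    for finding in lint_dockerfile(SAMPLE):
        print(finding)
```

A Dockerfile that passes all three checks typically runs `terraform apply` when the container starts rather than during `docker build`, with the keys handed over by `docker run -e` from the CI agent's environment.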