how to pass in google provider credentials file to each run #223
Comments
The credentials can be mounted as a secret as you mentioned. Then you only need to point to the file in the provider definition.
You should have that block in each of your terraform projects. If you want different credentials for different projects, then point to a different file. No need to hack with the atlantis.yaml
Hi Jeff, So in your example, if you were in the container where Atlantis was running and you wanted to execute Another thing worth mentioning is if your k8s cluster is running in GKE? In the docs for the google provider it says:
This means if you enabled service account credentials for the instances in your k8s cluster then you could do away with specifying the I know that's a lot to process so please post back if you have any questions or feel free to jump into our slack channel.
@psalaberria002 the suggestion works (if we fully adopt atlantis for all our terraform), but until then, each person who runs terraform will need to have the same path configured on their machine. I guess that'll be an easy enough workaround to get by. It's still less than ideal, because different terraform projects operate on different gke projects, which often use different service accounts. This is why we keep the service_accounts.json local to the terraform project. (It's also why the alternative suggested by @lkysow doesn't work either).
When you're running TF locally right now what do you do? Do you use a custom
Actually nvm, that doesn't matter. That's only if you were using a different backend. But right now how does your workflow work locally?
our current setup (subject to change, but not any time soon): if you mean the workflow of terraform plan/apply and PRs, that's pretty loose and not really well defined, which is why we're looking into atlantis
Okay gotcha. Here's what I would do. I'd mount the 4

```yaml
version: 2
projects:
- dir: .
  workflow: myworkflow
workflows:
  myworkflow:
    plan:
      steps:
      # the steps run in the project's directory, in this case since it's dir: . then it'll run in the root of the repo
      - run: cp ~/project1-creds.json credentials.json
      - init
      - plan
    apply:
      steps:
      - run: cp ~/project1-creds.json credentials.json
      - apply
```
yeah, I think these workarounds are as good as it'll get (without significant change for a less common use case)
Firstly, we're using the google provider https://www.terraform.io/docs/providers/google/index.html which makes use of a local service account credentials file to execute terraform.
Second, we're running atlantis in k8s, so basically via docker. With k8s, it's very easy to mount our credentials file as a secret, however it's unclear how to add this file to each project/PR.
The closest thing I got from the documentation is that we can add a custom script to copy this file from the mounted path to the workspace using the atlantis.yaml file and custom commands https://www.runatlantis.io/guide/atlantis-yaml-use-cases.html#running-custom-commands
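An added example, not part of the thread or of the Atlantis project: a shell helper that a `run` step could call in place of the bare `cp` in the workflow above, so the step fails when the project's key is missing and the staged copy is readable only by its owner. The function name `stage_creds`, its arguments and the `<project>-creds.json` naming (modelled on `project1-creds.json`) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): hypothetical helper for an Atlantis run step.
# Assumed layout: <secrets_dir>/<project>-creds.json, e.g. project1-creds.json.

stage_creds() {
    project="$1"       # key name prefix, e.g. project1
    secrets_dir="$2"   # directory where the k8s secret is mounted
    dest_dir="$3"      # project directory the step runs in
    src="${secrets_dir}/${project}-creds.json"
    dest="${dest_dir}/credentials.json"

    # Reject names that could point outside the secrets directory.
    case "$project" in
        ""|*/*|.*) echo "invalid project name: '$project'" >&2; return 2 ;;
    esac

    # Missing or empty key: fail the step so the plan cannot proceed
    # under whatever other identity happens to be available.
    if [ ! -f "$src" ] || [ ! -s "$src" ]; then
        echo "no credentials for '$project' in $secrets_dir" >&2
        return 1
    fi

    # A Google service-account key file declares "type": "service_account".
    if ! grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$src"; then
        echo "$src is not a service-account key" >&2
        return 1
    fi

    # Drop any stale copy or symlink, then write the key owner-only.
    # umask covers the window between cp creating the file and chmod.
    rm -f "$dest"
    ( umask 077 && cp "$src" "$dest" && chmod 600 "$dest" )
}
```

Because the step writes `credentials.json` into the checked-out repository, keep that filename out of version control (for example with a `.gitignore` entry).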