
how to pass in google provider credentials file to each run #223

Closed
jeff-knurek opened this issue Aug 15, 2018 · 8 comments

Comments

@jeff-knurek

Firstly, we're using the google provider https://www.terraform.io/docs/providers/google/index.html which makes use of a local service account credentials file to execute terraform.

Second, we're running atlantis in k8s, so basically via docker. With k8s, it's very easy to mount our credentials file as a secret, however it's unclear how to add this file to each project/PR.

The closest thing I got from the documentation is that we can add a custom script to copy this file from the mounted path to the workspace using the atlantis.yaml file and custom commands https://www.runatlantis.io/guide/atlantis-yaml-use-cases.html#running-custom-commands

@psalaberria002
Contributor

psalaberria002 commented Aug 15, 2018

The credentials can be mounted as a secret as you mentioned. Then you only need to point to the file in the provider definition.

provider "google" {
  # path of the key file as mounted into the Atlantis container (e.g. from a k8s Secret)
  credentials = "${file("~/path/to/credentials.json")}"
  region      = "europe-west1"
  version     = "~> 1.8"
}

You should have that block in each of your terraform projects. If you want different credentials for different projects, then point to a different file. No need to hack with the atlantis.yaml.

@lkysow
Member

lkysow commented Aug 15, 2018

Hi Jeff,
Like @psalaberria002 said, you don't need to do anything per pull request. Atlantis just ends up executing terraform plan and apply, so as long as those commands would work where Atlantis is running then you'll be okay.

So in your example, if you were in the container where Atlantis was running and you wanted to execute terraform plan then you'd need your provider credentials to look like the ones @psalaberria002 pasted.

Another thing worth mentioning: is your k8s cluster running in GKE? In the docs for the google provider it says:

If no credentials are specified, the provider will fall back to using the Google Application Default Credentials. If you are running Terraform from a GCE instance, see Creating and Enabling Service Accounts for Instances for details.

This means if you enabled service account credentials for the instances in your k8s cluster then you could do away with specifying the credentials = block.

I know that's a lot to process so please post back if you have any questions or feel free to jump into our slack channel.

@lkysow added the waiting-on-response label Aug 15, 2018
@jeff-knurek
Author

@psalaberria002 the suggestion works (if we fully adopt atlantis for all our terraform), but until then, each person who runs terraform will need to have the same path configured on their machine. I guess that'll be an easy enough workaround to get by.

It's still less than ideal, because different terraform projects operate on different gke projects, which often use different service accounts. This is why we keep the service_accounts.json local to the terraform project. (It's also why the alternative suggested by @lkysow doesn't work either).

@lkysow
Member

lkysow commented Aug 17, 2018

When you're running TF locally right now what do you do? Do you use a custom terraform init command?

@lkysow
Member

lkysow commented Aug 17, 2018

Actually nvm, that doesn't matter. That's only if you were using a different backend. But right now how does your workflow work locally?

@jeff-knurek
Author

Our current setup (subject to change, but not any time soon):
We have about 4 different google projects that are managed by terraform. Each google project has its own github repo with the relevant terraform code (so, 4 terraform repos to 4 google projects). In each google project, we have the IAM set up for the users who have permission to execute the terraform code. The users who have this access manually save their service account credentials.json file into the code folder (which is gitignored). (So basically, each user saves 4 different json files into 4 different directories.)

If you mean the workflow of terraform plan/apply and PRs, that's pretty loose and not really well defined, which is why we're looking into atlantis.

@lkysow
Member

lkysow commented Aug 17, 2018

Okay gotcha. Here's what I would do. I'd mount the 4 credentials.json files as you talked about above. Then I'd use a custom workflow via an atlantis.yaml file to copy the credentials file into the right location as Atlantis executes. Each repo would have an atlantis.yaml file like this:

version: 2
projects:
- dir: .
  workflow: myworkflow
workflows:
  myworkflow:
    plan:
      steps:
      # custom commands are given with the `run:` key; they execute in the project's
      # directory, which here (dir: .) is the root of the repo
      - run: cp ~/project1-creds.json credentials.json
      - init
      - plan
    apply:
      steps:
      - run: cp ~/project1-creds.json credentials.json
      - apply

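The `cp` step above copies a key blindly, so a mis-mounted or mislabelled Secret would plan one repo against another project's service account. The script below is an added example, not Atlantis code or anything from the thread's authors, of a guarded replacement for that `run:` step. It assumes (hypothetically) that the four keys are mounted from a Kubernetes Secret under a directory as `<project>.json`, and that each Terraform repo keeps a `.gcp-project` file naming the GCP project it manages; `install_creds` copies the matching key into the repo as `credentials.json` only after checking it is a `service_account` key whose `project_id` matches.

```shell
#!/bin/sh
# Added example (not Atlantis project code): a guarded version of the
# "cp ~/project1-creds.json credentials.json" custom-workflow step.
# Hypothetical layout: keys mounted from a k8s Secret as $CREDS_DIR/<project>.json,
# and each repo root contains ".gcp-project" naming the GCP project it manages.
set -eu

# install_creds <repo_dir> <creds_dir>
# Copies <creds_dir>/<project>.json to <repo_dir>/credentials.json with mode 0600.
# Returns non-zero and copies nothing when the key is missing or does not look
# like a service-account key for the project named in <repo_dir>/.gcp-project.
install_creds() {
    repo_dir=$1
    creds_dir=$2
    project=$(tr -d '[:space:]' < "$repo_dir/.gcp-project")
    src="$creds_dir/$project.json"
    dst="$repo_dir/credentials.json"

    [ -f "$src" ] || { echo "no key for project '$project' at $src" >&2; return 1; }

    # Sanity-check the key so a wrong mount cannot silently plan against another
    # GCP project: it must be a service_account key carrying this project_id.
    grep -q '"type": *"service_account"' "$src" \
        || { echo "$src is not a service-account key" >&2; return 1; }
    grep -q "\"project_id\": *\"$project\"" "$src" \
        || { echo "$src does not belong to project $project" >&2; return 1; }

    # Write with restrictive permissions and move into place atomically; the
    # destination is gitignored in the repos described above, so it is never committed.
    umask 077
    cp "$src" "$dst.tmp" && mv "$dst.tmp" "$dst"
    echo "installed credentials for $project"
}

# Example invocation as it would appear in the atlantis.yaml run: step
# (hypothetical mount path):
#   install_creds "$PWD" /var/run/secrets/gcp
```

The checks are deliberately plain `grep` patterns so the step needs nothing beyond a POSIX shell in the Atlantis image; if `jq` is available, `jq -r .project_id` is the more robust way to read the field.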
@jeff-knurek
Author

Yeah, I think these workarounds are as good as it'll get (without significant change for a less common use case).
I'll close the ticket.
