-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
aws_codepipeline with Github OAuth still breaking auth #15200
Comments
Hi @ybron. I'm not sure I fully understand the error you're encountering. I have a few questions that should help clarify this.
If it is neither of these cases, can you provide the before-and-after Terraform configurations as well as indicate how the Github token is being passed to Terraform in both cases? |
I'm experiencing this too.
On initial creation, source works fine. Change to resource and apply the update, now source is broken: If I taint and recreate the pipeline, the source works again. |
Hi @gdavison, thanks for commenting. Re: #1, This is after I have updated the provider to 3.0.0 and re-initialized. It is when I update the resource (by making changes to a step, adding actions, etc.) that the OAuthToken is removed. Re: #2, that would explain why #1 happens... I had hoped that not providing it would leave it in-place as already established, or at least a notice that it was clearing it (maybe I just missed this in the output though?). Nobody wants to dig up the/an OAuthToken any/every time they make a change to the pipeline, nor check it into the code. From that perspective, it sounds like @luhn has a great solution, utilizing a I probably misunderstood what was being addressed in #2854 - I thought that the hashed value of the token (or some similar non-plaintext version) would be kept in the state, without needing to keep providing it on every single apply. |
Hello folks. I wanted to report a bug regarding this issue. Below is a Step 1: I'm creating a CodePipeline
It seems to do the correct thing and my CodePipeline is working well. Step 2: Update the name of an action from "Approve" to "Approve2"
As you can see it's sending the
Step 3: Run
I'm not sure what the correct fix would be but I wanted demonstrate that this is a bug and consequently when you configure a bogus token in AWS CodePipeline, the GitHub Source stage/action will not work. I look forward to what TF folks think. Thank you! |
I face similar problems as described above. Also, I noticed that Terraform shows the OAuthToken in its CLI/log output, but I think it should be marked as a sensitive value. Is this a small enough issue that can be addressed at the same time or should I make a new issue for it? |
I've also been affected by the bug mentioned by @mchoi-truework and @luhn. Please let us know if we should create a separate issue for it. This bug unfortunately seems difficult to work around based on the current design of the aws_codepipeline resource provider. The unhashed OAuthToken value is needed for the AWS It seems like a useful fix for this bug could be removing the hashing and instead creating provider-specific configuration blocks to represent configuration objects, as mentioned here #14175 (comment), rather than treating the config as a map. This would then allow the OAuthToken to be marked as sensitive and hidden from output, which seems like it was the intent of #14175 in the first place. The token would still be stored in cleartext in the statefile, but that seems unavoidable based on the current design of Terraform. |
AWS CodeStarConnections now support Github: #15453 Once you have a connection set up there you can use that as your source connection to bypass the entire OAuth song and dance: stage {
name = "Source"
action {
name = "Source"
category = "Source"
owner = "AWS"
provider = "CodeStarSourceConnection"
version = "1"
output_artifacts = ["source_output"]
configuration = {
ConnectionArn = var.codestar_connection_arn
FullRepositoryId = "${var.github_organization}/${var.repo_name}"
BranchName = var.branch_name
}
}
} Edit: According the the AWS Docs this old way of connecting to Github is deprecated and will be unsupported "soon" (not sure what that means). |
Well, can't argue with AWS here, but this solution requires some manual steps to set up the connection. This is might be a minor inconvenience for one AWS account + connection. It gets troublesome when dealing with automation across multiple AWS accounts (and connections), which is common in larger organizations/enterprises. |
You can reuse the one installed app on your GitHub org across all of your AWS accounts. Not sure if that's what you meant? If it's the manual set up process of the connection each one takes a minute or two, so even large-ish orgs should be doable. Maybe Oauth Device Flow could simplify the initial set up if they supported that? |
Yes, it's the manual set-up process. Formerly, I worked at an enterprise where AWS accounts were created on-demand, in full automation and multiple times per day. In such an environment the central team managing AWS can quickly become a bottleneck if any manual steps get involved in the process. It's true that I describe a very specific situation here, but I think a central repository in GitHub with multiple CodePipeline 'listeners' would scale very well to do maintenance over many accounts in (such) an enterprise. I had never heard of Oauth Device Flow tbh. I looked into it a bit and it seems quite some hassle to set-up. Especially considering that the same functionality could 'just work' out of the box by providing a token to CodePipeline. |
Is there a mechanism to taint a record if TF detects a change or a lifecycle declaration we can set that forces a 'delete' on change to overcome this bug? |
Hi Any update on fix of this bug ? |
It looks like the Github V1 provider in codepipeline is being deprecated which will likely result in this bug going away: https://docs.aws.amazon.com/codepipeline/latest/userguide/update-github-action-connections.html Related Issue(s): |
Thanks for the deprecation information, @bhudgens. For better or worse, deprecated with AWS almost never means it's actually going away, so the provider will still likely need to be able to handle this. There are several positive notes, however:
|
This absolutely remains a critical bug. There are significant permissions issues when using the CodeStar Connections approach with a GitHub Organization. The only way to provide discrete permission granularity without delegating your GitHub Organizations permissions to IAM is to use Personal Access Tokens, or some kind of nasty hack that pre-checks-out code with a Deploy Key and puts it into a bucket for the CodePipeline source stage to use, and the manual configuration requirement is also a problem. Where this leaves us is the need to continue to use GitHub v1 connections in CodePipeline, and this is something we are addressing with our Technical Account Manager. The problem we have is that any time we update a pipeline, we have to manually taint the pipeline so that it gets re-created because on every update the OAuth token is being broken. Any support in getting this fixed so that we can continue to use this mechanism without breaking our pipelines would be fantastic. |
This has been released in version 3.24.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks! |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
Community Note
Terraform CLI and Terraform AWS Provider Version
Affected Resource(s)
Terraform Configuration Files
Debug Output
N/A
Panic Output
N/A
Expected Behavior
The existing OAuthToken should have been left in-place when the
aws_codepipeline
resource was updated.Actual Behavior
Same behaviour as before, when you were forced to push a broken placeholder
OAuthToken
resource in order to update it. Only now you don't have to comment-in theOAuthToken
placeholder to update the resource.Steps to Reproduce
terraform apply
(after triggering authorizing to github, and forcing an update to theaws_codepipeline
resourceImportant Factoids
N/A
References
The text was updated successfully, but these errors were encountered: