GitHub private repo archive URL now requires token in the header during Build #321
Comments
Due to the dependency on a Heroku API (& Builds service) change for new authorization path with GitHub API, I strongly doubt this will be fixed in the elegant way wished for here. The
Embedding a secret key in the URL was never advised, as this is typically considered a bad security practice.
Alternative solution: Clone the private source repo before the Terraform run, and use
✅ Using a script like this to populate the
Sample private repo clone script. Expects env vars:
#!/bin/bash
set -eu
set -o pipefail

# Expected env vars:
#   GITHUB_DEPLOY_KEY       contents of the private deploy key (PEM / OpenSSH format)
#   GITHUB_SOURCE_REPO      "owner/name" of the private repo
#   GITHUB_SOURCE_BRANCH    branch to check out
#   GITHUB_SOURCE_DIRECTORY local directory to clone into (the Terraform source path)

echo "🔐 setup GitHub deploy key" >&2
mkdir -p ~/.ssh/
chmod 700 ~/.ssh
# Fix for "The authenticity of host 'github.com (…)' can't be established."
# Note this trusts whatever key github.com presents at this moment (trust on first use).
ssh-keyscan github.com >> ~/.ssh/known_hosts
# Save user's config value to ssh key file, named as default key so ssh will use it.
# ssh refuses a private key that other users can read, so write it with mode 0600.
(umask 077; echo "$GITHUB_DEPLOY_KEY" > ~/.ssh/id_ed25519)
echo "⬇️ clone private GitHub repo" >&2
git clone "git@github.com:${GITHUB_SOURCE_REPO}.git" --branch "$GITHUB_SOURCE_BRANCH" "$GITHUB_SOURCE_DIRECTORY"
Beware that
This workaround is great, thanks.
I used it and ran into this issue when running
Configuration:
@laurawadden that error indicates that
@mars The issue, in this case, is when
@laurawadden did you find a solution for the issue?
@levivm Clone the source before running Terraform.
@mars I tried to upload my code base to S3, created a pre-signed URL with expiration and passed it to
@mars So, if I want to build a Heroku app from Terraform and avoid downloading the code before, it needs to be a public file, it can't be from a private repo, right?
@levivm then, perform that download before running Terraform, so that the source code is already at a consistent
The options here are:
If either
or you make use of the
This does not work at all with null_resource. If you pass "path" a location that does not exist yet, it will error with "no file found". If you create an empty directory, pass it to "path", and then populate the contents of said directory with null_resource, then you will get this error:
Of course, I am not going to have my source code in a public repo. And it is highly inefficient to have to create an entirely different process outside of Terraform to download it locally. If you use Terragrunt, this won't even work at all.
When this
The challenge with local
It's possible to make changes to the provider that would allow populating the
But, such a change would mean that
The
The notion of supporting GitHub Deploy Keys (git+ssh) for private access to remote source seems good, but the standard way of doing that requires
So, @DanielViglione, the workaround to download via a git+ssh script (or any other private access strategy) before Terraform runs is the solution here. In fact, thank you for your coarse comment that made me really reconsider the options and realize that the workaround is really the solution.
While you would still have the tainted problem, the
✅ Updated the solution to mention that Terraform Cloud now offers a pre-plan hook, the perfect place to run the source checkout before the Terraform run.
Recently GitHub changed their access policy so that you are no longer able to use URL query params for access_token to access private repos and instead must use an HTTP header. This can cause issues with build functionality on the Terraform Heroku Provider when the source URL is a private GitHub archive link.
Terraform/Heroku Provider vers:
Affected Resource(s)
heroku_build
(will also log an issue on Platform API as well)
Steps to Reproduce
Please list the steps required to reproduce the issue, for example:
source_blob.url when sourcing from a private GitHub repo
Important Factoids
Are there anything atypical about your accounts that we should know? For example: Running in EC2 Classic? Custom version of OpenStack? Tight ACLs?
Using GitHub private repo, access via access_token
References
Breaking change took place (github) 9/8/21:
https://developer.github.com/changes/2020-02-10-deprecating-auth-through-query-param/#changes-to-make
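The change described in this report, moving the token out of the query string and into the Authorization header, as an added example (my code, not from this thread or the Heroku provider). The repo name, the token value and the Terraform fragment are constructed for illustration; the archive endpoint shape is GitHub's documented GET /repos/{owner}/{repo}/tarball/{ref}.

```python
"""Move a GitHub token from the URL query string to the Authorization header.

Added example; not code from this issue thread or the Terraform Heroku
provider. Repo names, token values and the Terraform snippet below are
constructed for illustration.
"""
import re
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_PARAM = "access_token"
URL_RE = re.compile(r"""https?://[^\s"']+""")


def split_token_from_url(url):
    """Strip ?access_token=... from a URL.

    Returns (clean_url, headers): the URL with the token removed and the
    header a client must send instead. Other query parameters are kept.
    """
    parts = urlsplit(url)
    kept, token = [], None
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == TOKEN_PARAM:
            token = value  # remembered for the header, never put back in the URL
        else:
            kept.append((key, value))
    clean = urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment)
    )
    headers = {"Authorization": f"token {token}"} if token else {}
    return clean, headers


def archive_request(repo, ref, token, fmt="tarball"):
    """Build a header-authenticated request for a private repo archive.

    repo is "owner/name". GitHub answers with a 302 to a short-lived
    codeload URL, which urllib follows; the token never appears in the URL.
    """
    url = f"https://api.github.com/repos/{repo}/{fmt}/{ref}"
    return urllib.request.Request(url, headers={"Authorization": f"token {token}"})


def download_archive(req, dest_path, chunk_size=1 << 16):
    """Stream the archive to disk. Needs network access and a real token."""
    with urllib.request.urlopen(req) as resp, open(dest_path, "wb") as out:
        while True:
            chunk = resp.read(chunk_size)
            if not chunk:
                break
            out.write(chunk)
    return dest_path


def find_urls_with_token(text):
    """Return every URL in text that still carries an access_token parameter.

    Usable as a pre-commit or CI check over Terraform files: a token in a
    URL ends up in plan output, logs and state, which is the reason the
    query-parameter form was a bad idea long before GitHub disabled it.
    """
    hits = []
    for url in URL_RE.findall(text):
        if any(k == TOKEN_PARAM for k, _ in parse_qsl(urlsplit(url).query)):
            hits.append(url)
    return hits


# Constructed Terraform fragment showing the anti-pattern from the report.
SAMPLE_TF = '''
resource "heroku_build" "example" {
  source_blob {
    url = "https://api.github.com/repos/acme/app/tarball/main?access_token=ghp_EXAMPLE"
  }
}
'''

if __name__ == "__main__":
    for bad in find_urls_with_token(SAMPLE_TF):
        clean, headers = split_token_from_url(bad)
        print("token in URL:", bad)
        print("use instead: ", clean, "with headers", headers)
```

Note that this only helps a client you control: a service that is handed the URL and fetches it for you (which is what the provider does with a remote source_blob URL) has no way to attach the header, which is why the thread lands on cloning or downloading the source before the Terraform run.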