Terraform webhook organization and token error
I am following HashiCorp's instructions here to configure AWS CodePipeline with a webhook. I keep getting these error messages:
$ terraform plan -var-file="secret.tfvars" -out=tfplan -input=false
Error: provider.github: "organization": required field is not set
Error: provider.github: "token": required field is not set
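But their documentation does not say where to add these fields. I have tried adding them to all the stages, or only to the Source stage, since that is the only place where GitHub is mentioned as a provider.
I was able to configure their AWS CodePipeline without a webhook here. It has an option to poll periodically, but that is not as immediate as the webhook option I can set up using the console.
For convenience, here is the tf file: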
resource "aws_codepipeline" "bar" {
  name     = "tf-test-pipeline"
  role_arn = "${aws_iam_role.bar.arn}"

  artifact_store {
    location = "${aws_s3_bucket.bar.bucket}"
    type     = "S3"

    encryption_key {
      id   = "${data.aws_kms_alias.s3kmskey.arn}"
      type = "KMS"
    }
  }

  stage {
    name = "Source"

    action {
      name             = "Source"
      category         = "Source"
      owner            = "ThirdParty"
      provider         = "GitHub"
      version          = "1"
      output_artifacts = ["test"]

      configuration = {
        Owner  = "my-organization"
        Repo   = "test"
        Branch = "master"
      }
    }
  }

  stage {
    name = "Build"

    action {
      name            = "Build"
      category        = "Build"
      owner           = "AWS"
      provider        = "CodeBuild"
      input_artifacts = ["test"]
      version         = "1"

      configuration = {
        ProjectName = "test"
      }
    }
  }
}

# A shared secret between GitHub and AWS that allows AWS
# CodePipeline to authenticate the request came from GitHub.
# Would probably be better to pull this from the environment
# or something like SSM Parameter Store.
locals {
  webhook_secret = "super-secret"
}

resource "aws_codepipeline_webhook" "bar" {
  name            = "test-webhook-github-bar"
  authentication  = "GITHUB_HMAC"
  target_action   = "Source"
  target_pipeline = "${aws_codepipeline.bar.name}"

  authentication_configuration {
    secret_token = "${local.webhook_secret}"
  }

  filter {
    json_path    = "$.ref"
    match_equals = "refs/heads/{Branch}"
  }
}

# Wire the CodePipeline webhook into a GitHub repository.
resource "github_repository_webhook" "bar" {
  repository = "${github_repository.repo.name}"
  name       = "web"

  configuration {
    url          = "${aws_codepipeline_webhook.bar.url}"
    content_type = "form"
    insecure_ssl = true
    secret       = "${local.webhook_secret}"
  }

  events = ["push"]
}
Update
One of the things I tried was:
stage {
  name = "Source"

  action {
    name             = "Source"
    category         = "Source"
    owner            = "ThirdParty"
    provider         = "GitHub"
    token            = "${var.github_token}"
    organization     = "${var.github_username}"
    version          = "1"
    output_artifacts = ["SourceArtifact"]

    configuration {
      # Owner = "${var.github_username}"
      # OAuthToken = "${var.github_token}"
      Repo                 = "${var.github_repo}"
      Branch               = "master"
      PollForSourceChanges = "true"
    }
  }
}
So you need to set up the GitHub provider first.
An example:
# Configure the GitHub Provider
provider "github" {
  token        = "${var.github_token}"
  organization = "${var.github_organization}"
}
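I have solved the problem I was having:
The Terraform template has a variable called
locals {
  webhook_secret = "super-secret"
}
This is used to create a webhook secret with GitHub when the template is deployed. Without webhook_secret, the errors persist even if you add the provider as in BMW's answer regarding token and organization.
HashiCorp also recommends creating, storing and pulling the webhook secret from the environment or something like SSM Parameter Store.
You can also check GitHub's guide to generate and secure your webhook secret (for example, by taking the output of ruby -rsecurerandom -e 'puts SecureRandom.hex(20)' at the terminal).
Here is the working template. I only pasted the changes; the rest (...) looks the same as HashiCorp's example: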
# Input variables
variable "aws_region" {
  type    = "string"
  default = "us-east-1"
}

variable "pipeline_name" {
  type    = "string"
  default = "static-website-terraform"
}

variable "github_username" {
  type    = "string"
  default = "nditech"
}

variable "github_token" {
  type = "string"
}

variable "webhook_secret" {
  type = "string"
}

...

# Add webhook to pipeline
resource "aws_codepipeline_webhook" "codepipeline" {
  name            = "${var.pipeline_name}-codepipeline-webhook"
  authentication  = "GITHUB_HMAC"
  target_action   = "Source"
  target_pipeline = "${aws_codepipeline.codepipeline.name}"

  authentication_configuration {
    secret_token = "${var.webhook_secret}"
  }

  filter {
    json_path    = "$.ref"
    match_equals = "refs/heads/{Branch}"
  }
}

# Wire the CodePipeline webhook into a GitHub repository.
resource "github_repository_webhook" "codepipeline" {
  repository = "${var.github_repo}"
  name       = "web"

  configuration {
    url          = "${aws_codepipeline_webhook.codepipeline.url}"
    content_type = "form"
    insecure_ssl = true
    secret       = "${var.webhook_secret}"
  }

  events = ["push"]
}
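The answers above combined into one configuration, as an added example that is not part of the original posts or of HashiCorp's documentation: the GitHub provider block supplies token and organization, the shared secret is read from SSM Parameter Store, and the webhook is delivered with TLS verification on. It assumes the same Terraform and provider versions as the posts; the parameter name is hypothetical and the parameter must already exist as a SecureString.

```hcl
# Added example; names marked "hypothetical" do not come from the posts.

# Provider credentials arrive through variables (for instance
# TF_VAR_github_token in the environment), not literals in the .tf files.
provider "github" {
  token        = "${var.github_token}"
  organization = "${var.github_organization}"
}

# Shared webhook secret, read from SSM Parameter Store at plan time.
# Hypothetical parameter name.
data "aws_ssm_parameter" "webhook_secret" {
  name = "/codepipeline/github/webhook-secret"
}

resource "aws_codepipeline_webhook" "codepipeline" {
  name            = "${var.pipeline_name}-codepipeline-webhook"
  authentication  = "GITHUB_HMAC"
  target_action   = "Source"
  target_pipeline = "${aws_codepipeline.codepipeline.name}"

  authentication_configuration {
    secret_token = "${data.aws_ssm_parameter.webhook_secret.value}"
  }

  filter {
    json_path    = "$.ref"
    match_equals = "refs/heads/{Branch}"
  }
}

resource "github_repository_webhook" "codepipeline" {
  repository = "${var.github_repo}"
  name       = "web"

  configuration {
    url          = "${aws_codepipeline_webhook.codepipeline.url}"
    content_type = "form"
    insecure_ssl = false # the posts use true, which skips TLS certificate verification
    secret       = "${data.aws_ssm_parameter.webhook_secret.value}"
  }

  events = ["push"]
}
```

The secret value is still written to the Terraform state file, so the state backend needs the same access controls as the parameter itself.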