WIP: POC for terraform backend
What does this MR do?
DO NOT MERGE This MR is only a rough POC for terraform http backend.
What we can observe here is that terraform http backend only works with basic http authentication. It does not work with passing a Personal Access Token as a query string parameter in the address
option of terraform http backend, as that query string parameter is stripped away.
To see it happening
- checkout the branch locally, run the migrations
- create a simple terraform project using the terraform http backend
terraform {
backend "http" {
address = "http://localhost:3333/api/v4/projects/[project_id]/terraform_states/[state_name]"
}
}
- comment out
before { authenticate! }
inlib/api/project_terraform_states.rb
to disable authentication - run
terraform init
andterraform apply
from your terraform project directory - you can see that the backend is working correctly (you can curl the endpoint to see the state
curl http://localhost:3333/api/v4/projects/[project_id]/terraform_states/[state_name]
or you can check in the database) - uncomment back in
before { authenticate! }
inlib/api/project_terraform_states.rb
to enable authentication - create an Personal Access Token and add it to your terraform project backend config
terraform {
backend "http" {
address = "http://localhost:3333/api/v4/projects/[project_id]/terraform_states/[state_name]?private_token=[my-personal-access-token]"
}
}
- run
terraform init
again - you will see an authentication error
If you inspect the Rails logs, you will see that the terraform http backend strips the query string parameters. The same request made with curl works fine:
curl http://localhost:3333/api/v4/projects/[project_id]/terraform_states/[state_name]?private_token=[my-personal-access-token]
Http basic authentication would work with terraform backend, but it is not implemented on GitLab as an authentication method, as far as I can see.
UPDATE
The problem was solved thanks to @mattkasa knowing about the nuget helpers. The API endpoint is able to find the personal access token from http basic authentication. To see it working:
- checkout the branch locally, run the migrations
- create a simple terraform project using the terraform http backend
terraform {
backend "http" {
address = "http://localhost:3333/api/v4/projects/[project_id]/terraform_states/[state_name]"
username = "something"
password = [your-personal-access-token]
}
}
- run
terraform init
from your terraform project directory
Important: It seems the username
has to be passed and cannot be an empty string, although is't not really being used.
UPDATE (LOCKING/UNLOCKING ADDED)
To see it working:
- checkout the branch locally, run the migrations (I edited migration for
terraform_states
table, if you had it before, you should rollback and migrate again) - create a simple terraform project using the terraform http backend
terraform {
backend "http" {
address = "http://localhost:3333/api/v4/projects/[project_id]/terraform_states/[state_name]"
username = "something"
password = [your-personal-access-token]
lock_address = "http://localhost:3333/api/v4/projects/[project_id]/terraform_states/[state_name]/lock"
unlock_address = "http://localhost:3333/api/v4/projects/[project_id]/terraform_states/[state_name]/lock"
lock_method = "POST"
unlock_method = "DELETE"
}
}
- run
terraform init
from your terraform project directory