【Question title】: Terraform webhook organization and token error
【Posted】: 2019-08-04 14:55:25
【Question】:

I am following HashiCorp's instructions here to provision an AWS CodePipeline with a webhook. I keep getting these errors:

$ terraform plan -var-file="secret.tfvars" -out=tfplan -input=false 

Error: provider.github: "organization": required field is not set
Error: provider.github: "token": required field is not set

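But their documentation does not say where to add these fields. I tried adding them to all of the stages, or only to the Source stage, since that is the only place GitHub is mentioned as a provider.

I was able to provision their AWS CodePipeline without the webhook here. That one has the option to poll periodically, but it is not as immediate as the webhook option that I can set up using the console.

For convenience, here is the tf file: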

resource "aws_codepipeline" "bar" {
  name     = "tf-test-pipeline"
  role_arn = "${aws_iam_role.bar.arn}"

  artifact_store {
    location = "${aws_s3_bucket.bar.bucket}"
    type     = "S3"

    encryption_key {
      id   = "${data.aws_kms_alias.s3kmskey.arn}"
      type = "KMS"
    }
  }

  stage {
    name = "Source"

    action {
      name             = "Source"
      category         = "Source"
      owner            = "ThirdParty"
      provider         = "GitHub"
      version          = "1"
      output_artifacts = ["test"]

      configuration = {
        Owner  = "my-organization"
        Repo   = "test"
        Branch = "master"
      }
    }
  }

  stage {
    name = "Build"

    action {
      name            = "Build"
      category        = "Build"
      owner           = "AWS"
      provider        = "CodeBuild"
      input_artifacts = ["test"]
      version         = "1"

      configuration = {
        ProjectName = "test"
      }
    }
  }
}

# A shared secret between GitHub and AWS that allows AWS
# CodePipeline to authenticate the request came from GitHub.
# Would probably be better to pull this from the environment
# or something like SSM Parameter Store.
locals {
  webhook_secret = "super-secret"
}

resource "aws_codepipeline_webhook" "bar" {
  name            = "test-webhook-github-bar"
  authentication  = "GITHUB_HMAC"
  target_action   = "Source"
  target_pipeline = "${aws_codepipeline.bar.name}"

  authentication_configuration {
    secret_token = "${local.webhook_secret}"
  }

  filter {
    json_path    = "$.ref"
    match_equals = "refs/heads/{Branch}"
  }
}

# Wire the CodePipeline webhook into a GitHub repository.
resource "github_repository_webhook" "bar" {
  repository = "${github_repository.repo.name}"

  name = "web"

  configuration {
    url          = "${aws_codepipeline_webhook.bar.url}"
    content_type = "form"
    insecure_ssl = true
    secret       = "${local.webhook_secret}"
  }

  events = ["push"]
}

Update

One of the things I tried was:

stage {
    name = "Source"

    action {
        name = "Source"
        category = "Source"
        owner = "ThirdParty"
        provider = "GitHub"
        token = "${var.github_token}"
        organization = "${var.github_username}"   
        version = "1"
        output_artifacts = ["SourceArtifact"]

        configuration {
            # Owner = "${var.github_username}"
            # OAuthToken = "${var.github_token}"
            Repo = "${var.github_repo}"
            Branch = "master"
            PollForSourceChanges = "true"
        }
    }
}

【Question comments】:

  • Where is the code for the provider?

Tags: amazon-web-services terraform aws-codepipeline terraform-provider-aws


【Answer 1】:

So you need to set up the GitHub provider first.

Example:

# Configure the GitHub Provider
provider "github" {
  token        = "${var.github_token}"
  organization = "${var.github_organization}"
}

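【Comments】:

  • It is in the Source stage. I tried adding organization and token there, but it did not work. Do I have to specify provider "github" at the top like that?
  • Where does the stage come from? CodePipeline? Do you have a tf file with provider "github" {}?
  • Also, please understand that I am just using HashiCorp's example. The one without the webhook works fine without the provider "github" var.
  • Yes, the stages are part of the CodePipeline. No, I don't have any tf file with provider "github", because the other example (without the webhook) did not need it.
  • This is the correct answer to the actual error in your question, where Terraform is complaining that you have not defined token and organization in the provider configuration or in environment variables. If you are having more than one problem, you should split the question up or rework this one to specify more correctly the problem your answer solves.

【Answer 2】:

I have figured out the problem I was having:

The Terraform template has a block called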

locals {
  webhook_secret = "super-secret"
}

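This is used to create a webhook secret with GitHub when the template is deployed. There was no webhook_secret. Without webhook_secret, the error persists even if you add the provider as in BMW's answer for the token and organization problem.

HashiCorp also recommends creating, storing, and pulling the webhook secret from the environment or something like SSM Parameter Store.

You can also check GitHub's guide to generate and secure your webhook secret (for example, by taking the output of ruby -rsecurerandom -e 'puts SecureRandom.hex(20)' in a terminal).

Here is the working template. I have pasted only the changes; the rest (...) looks the same as HashiCorp's example: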

# Input variables
variable "aws_region" {
    type = "string"
    default = "us-east-1"
}

variable "pipeline_name" {
    type = "string"
    default = "static-website-terraform"
}

variable "github_username" {
    type = "string"
    default = "nditech"
}

variable "github_token" {
    type = "string"
}

variable "webhook_secret" {
    type = "string"
}
...
# Add webhook to pipeline
resource "aws_codepipeline_webhook" "codepipeline" {
    name            = "${var.pipeline_name}-codepipeline-webhook"
    authentication  = "GITHUB_HMAC"
    target_action   = "Source"
    target_pipeline = "${aws_codepipeline.codepipeline.name}"

    authentication_configuration {
        secret_token = "${var.webhook_secret}"
    }

    filter {
        json_path    = "$.ref"
        match_equals = "refs/heads/{Branch}"
    }
}

# Wire the CodePipeline webhook into a GitHub repository.
resource "github_repository_webhook" "codepipeline" {
    repository = "${var.github_repo}"

    name = "web"

    configuration {
        url          = "${aws_codepipeline_webhook.codepipeline.url}"
        content_type = "form"
        insecure_ssl = true
        secret       = "${var.webhook_secret}"
    }

    events = ["push"]
}

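【Comments】:

  • This has nothing to do with the error you got in your question, where Terraform says that you have not defined the required token and organization in the provider configuration or in environment variables.
  • Thanks for the notice.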
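
Added example, not part of the original question or answers: the two webhook resources from Answer 2 with the shared secret read from SSM Parameter Store (as the comment in HashiCorp's example suggests) and TLS verification left on for webhook deliveries. The SSM parameter name is a hypothetical placeholder; the pipeline, the variables and the github provider are assumed to be defined as in the answers above.

```hcl
# Added example, not from the thread. Terraform 0.12+ syntax assumed.
# Provider "github" is configured as in Answer 1; aws_codepipeline.codepipeline,
# var.pipeline_name and var.github_repo are defined as in Answer 2.

# Read the shared secret from SSM Parameter Store (SecureString) instead of
# hard-coding it in locals. The parameter name is a hypothetical placeholder.
data "aws_ssm_parameter" "webhook_secret" {
  name            = "/ci/codepipeline/github-webhook-secret"
  with_decryption = true
}

resource "aws_codepipeline_webhook" "codepipeline" {
  name            = "${var.pipeline_name}-codepipeline-webhook"
  authentication  = "GITHUB_HMAC"
  target_action   = "Source"
  target_pipeline = aws_codepipeline.codepipeline.name

  authentication_configuration {
    # CodePipeline uses this value to check the HMAC signature on each delivery.
    secret_token = data.aws_ssm_parameter.webhook_secret.value
  }

  filter {
    json_path    = "$.ref"
    match_equals = "refs/heads/{Branch}"
  }
}

resource "github_repository_webhook" "codepipeline" {
  repository = var.github_repo

  configuration {
    url          = aws_codepipeline_webhook.codepipeline.url
    content_type = "form"
    insecure_ssl = false # keep TLS certificate verification on for deliveries
    secret       = data.aws_ssm_parameter.webhook_secret.value
  }

  events = ["push"]
}
```

The secret is still written to the Terraform state, so the state backend needs access controls at least as strict as those on the parameter itself.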