What's the best way to store GitHub PAT for main.tf?
I have a GitHub repo that I want all workspaces to pull on creation. So I created a read-only PAT for that repo and stored it in the environment where the coder service is running (export TF_VAR_GITHUB_TOKEN=).
However, when I use

```hcl
# Note: with the env var named TF_VAR_GITHUB_TOKEN, Terraform looks for a variable
# named GITHUB_TOKEN; the suffix after TF_VAR_ must match the variable name exactly.
variable "GIT_TOKEN" {
  type        = string
  description = "GitHub Personal Access Token"
  sensitive   = true
}
```

it prompts me to type in the variable instead of reading it from the env.
My current workaround is to store this PAT directly in main.tf; since it's read-only, it's not really the end of the world, but is there a better way to do this?
Category: Help needed
Product: Coder OSS (v2)
Platform: Linux
hello, what's your end goal?
end goal is not storing the PAT in main.tf directly, but still allowing the script in main.tf to use this token to pull a private repo.
alright, I would recommend using external auth instead of storing a PAT
https://coder.com/docs/admin/external-auth#git-providers
for the startup_script to be able to clone the repo, you can enforce external auth in the template
my understanding of this is that it would require the user of that workspace to log in / put in the authentication? is there a way to set it for all the workspaces as default?
external authentication works by using an OAuth app and storing the resulting token in Coder
that token is then stored within Coder for that user and available to all workspaces
i see, i'll look into it. Thank you!
this link should have everything that you need but feel free to ask any questions :-)
sorry, I want to circle back to setting up the env variable. I can see in the log that it detects the env variable:
terraform environment variable: TF_VAR_GITHUB_TOKEN=<value redacted>
but when I call var.GITHUB_TOKEN, it says it hasn't been declared:

```text
Error: Reference to undeclared input variable
on main.tf line 351, in resource "null_resource" "clone_code_vault":
351: TOKEN = coalesce(data.coder_parameter.code_vault_token.value, data.coder_external_auth.github.access_token, var.GITHUB_TOKEN)
An input variable with the name "GITHUB_TOKEN" has not been declared. This variable can be declared with a variable "GITHUB_TOKEN" {} block.
```
and when I create variable "GITHUB_TOKEN" {}, it asks me to manually put in the variable.
how come it detects it but still asks me to declare it? is this expected?
could you send your main.tf over?
var won't work in this case, as it is only used to refer to variables defined via variable blocks
AFAIK getting environment requires running a script which isn't great
but this isn't very secure either, why not use an external secrets provider like Vault?
what kind of script should I prepare? If environment variables and external-auth#git-providers both don't work out I might look into Vault.
HashiCorp Help Center: Reading and using environment variables in Terraform runs
This article describes a method for reading environment variables using Terraform that makes their values available for use in the Terraform configuration.
if I am using external-auth#git-providers, is this the correct way to access the token?
it's CODER_EXTERNAL_AUTH_0_ID, which you usually name after the provider, so something like "github" or whatever
is it the USER_DEFINED_ID in the callback URL https://coder.example.com/external-auth/USER_DEFINED_ID/callback of the GitHub app?
yes, all three of those are the same value, i guess the docs could be clearer on that though
In the documentation, it says Terraform can directly access environment variables that are named using the pattern TF_VAR_, for example TF_VAR_foo=bar will provide the value bar to the variable declared using variable "foo" {}.
so I think it's unexpected behavior for coder to ask for input?
ahh, problem solved. as long as I add an empty default value to the variable clause, it stops asking for input
External auth is a 1 time thing and Coder auto refreshes the token when required. So your users will only need to authenticate once.
Now I've met the problem that only in resource "null_resource" can main.tf read the env variable; when I put it in the startup_script of resource "coder_agent" "main", it's empty again
please show how you're accessing the variable
so I set up the env variable, TF_VAR_GITHUB_TOKEN, where the coder service is running. Then in main.tf, I declare the variable:

```hcl
# Empty default so Coder stops prompting; the TF_VAR_GITHUB_TOKEN env var overrides it.
variable "GITHUB_TOKEN" {
  default = ""
}
```

I have to set a default value, otherwise it prompts me to give it a value.
and this is my resource "null_resource"
and I can see it in the log. it's not empty.
however, when I set it in coder_agent.main:
it's empty
yes, var.<name> is only for variables defined via variable blocks
I suspect the reason is that "null_resource" runs on the outer layer where the coder service runs, and the coder_agent.main startup script runs in the actual workspace layer
Hi @Phorcys, yes, I managed to get it working in the end with TF_VAR
the key change is to not use coalesce on TF_VAR
if I use coalesce(TF_VAR_XXX, OPTIONAL_XXX), it fails to compile; coalesce complains about two null values.
oh, alright, that makes sense yeah
thanks for the info, glad you got it sorted out!
@Phorcys closed the thread.
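As an added example (not code from the thread, nor from Coder's own docs or templates): the pattern the thread converges on, assembled into one template fragment. It assumes the attribute names of the Coder Terraform provider (a "coder_external_auth" data source with "id" and "optional", a "coder_agent" resource with an "env" map and "startup_script"); the "github" auth id and the "code_vault_token" parameter are placeholders modelled on the thread, and the repository URL is made up.

```hcl
# Added example, not from the thread. Three token sources, none hard-coded in main.tf.

# 1. Provisioner-level fallback: set TF_VAR_GITHUB_TOKEN in the environment of the
#    coder service (or external provisioner). The empty default is what stops Coder
#    from prompting for the value; a non-empty env var still overrides it.
variable "GITHUB_TOKEN" {
  type        = string
  description = "Read-only GitHub PAT, supplied via TF_VAR_GITHUB_TOKEN"
  sensitive   = true # redacted from plan/apply output
  default     = ""
}

# 2. Per-user OAuth token from Coder's external auth. The id must match
#    CODER_EXTERNAL_AUTH_0_ID and the USER_DEFINED_ID in the callback URL.
#    optional = true (assumed provider attribute) lets a workspace build even
#    if the user has not linked GitHub yet.
data "coder_external_auth" "github" {
  id       = "github"
  optional = true
}

# 3. Optional per-workspace override (placeholder name from the thread).
#    Parameter values are stored with the workspace, so prefer the two
#    sources above for anything long-lived.
data "coder_parameter" "code_vault_token" {
  name        = "code_vault_token"
  description = "Optional token overriding external auth / template default"
  type        = "string"
  default     = ""
  mutable     = true
}

locals {
  # coalesce() errors when every argument is null or "", which is the failure
  # the thread hit; try() turns that error into an empty string instead.
  github_token = try(
    coalesce(
      data.coder_parameter.code_vault_token.value,
      data.coder_external_auth.github.access_token,
      var.GITHUB_TOKEN
    ),
    ""
  )
}

resource "coder_agent" "main" {
  arch = "amd64"
  os   = "linux"

  # Passing the token through the agent's env map keeps it out of the script
  # body and lets one startup_script serve all three sources.
  env = {
    GITHUB_TOKEN = local.github_token
  }

  # Placeholder repository URL. The ad-hoc credential helper hands git the
  # token on stdin, so it never appears in the clone URL, .git/config or the
  # process list. HCL heredocs leave backslashes alone, so printf sees "\n".
  startup_script = <<-EOT
    set -e
    if [ -n "$GITHUB_TOKEN" ] && [ ! -d "$HOME/code-vault" ]; then
      git -c credential.helper='!f() { printf "username=x-access-token\npassword=%s\n" "$GITHUB_TOKEN"; }; f' \
        clone https://github.com/example-org/code-vault.git "$HOME/code-vault"
    fi
  EOT
}
```

Two checks worth making when adapting this: the TF_VAR_ lookup is case-sensitive, so the suffix must equal the variable name exactly (GITHUB_TOKEN, not GIT_TOKEN), and the env var has to be present in the process that runs the Terraform plan (the coder server or provisioner daemon), not in the workspace. With sensitive = true the value is redacted from Terraform output, and none of the three sources is written into main.tf itself.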