aws_ecr_repository auth error on EC2 envbuilder

# One ECR repository per workspace; the boot script hands its URL to envbuilder as the cache repo.
# Only the name and tags are set here; every other repository setting stays at the provider default.
# NOTE(review): ECR repository names must be lowercase. The template lowercases the workspace name
# for the container hostname, so confirm a mixed-case workspace name cannot reach this value.
resource "aws_ecr_repository" "cache_repo" {
  name = "coder-${data.coder_workspace.me.id}-${data.coder_workspace.me.name}-cache"

  tags = {
    Coder_Provisioned = "true"
  }
}

# Publishes the cache repository URL as an output of this configuration.
# NOTE(review): an output cannot be referenced from expressions in the same module; anything that
# needs the URL here has to use aws_ecr_repository.cache_repo.repository_url directly.
output "cache_repo_url" {
  value = aws_ecr_repository.cache_repo.repository_url
}

# Fragment of the template's locals. The elided lines presumably open the heredoc (closed by EOT
# below) that holds the instance boot script — TODO confirm it is assigned to the EC2 user_data.
# Terraform expands every interpolation in the script before it reaches the instance, so the agent
# token and the init script are embedded in the rendered text in the clear.
locals {
...
#!/bin/bash
# Install Docker if the docker binary is not on PATH.
if ! command -v docker &> /dev/null
then
echo "Docker not found, installing..."
# Downloads the convenience installer and runs it as fetched: no version pin, no checksum check.
# With "2>&1 >/dev/null" only stdout is discarded; stderr still goes to the script's stdout.
curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh 2>&1 >/dev/null
usermod -aG docker ${local.linux_user}
# NOTE(review): newgrp starts a new shell rather than changing the group of this script, so it
# probably has no useful effect in a non-interactive boot script - verify.
newgrp docker
else
echo "Docker is already installed."
fi

# Authenticate Docker to ECR
# Needs the aws CLI on the instance and an instance role allowed to call ecr:GetAuthorizationToken.
# NOTE(review): docker login stores the credential in the config.json of the user running this
# script. If that is root (EC2 user data runs as root), the file is /root/.docker/config.json,
# not the /home/<linux_user> path read below, which would explain the 401 - confirm.
# NOTE(review): cache_repo_url is interpolated as a bare name; unless the script is rendered with a
# template variable of that name, it does not resolve to the output declared above - confirm.
aws ecr get-login-password --region ${module.aws_region.value} | docker login --username AWS --password-stdin ${cache_repo_url}

# Encode the Docker config to base64
# The encoded file normally carries the registry credential written by the login step.
DOCKER_CONFIG_BASE64=$(base64 -w0 /home/${local.linux_user}/.docker/config.json)

# Start envbuilder
# The agent token and the Docker credential are passed with -e, so they appear on the docker
# command line and in the container's environment as shown by docker inspect.
docker run --rm \
-h ${lower(data.coder_workspace.me.name)} \
-v /home/${local.linux_user}/envbuilder:/workspaces \
-e CODER_AGENT_TOKEN="${try(coder_agent.dev[0].token, "")}" \
-e CODER_AGENT_URL="${data.coder_workspace.me.access_url}" \
-e GIT_URL="${data.coder_parameter.repo_url.value}" \
-e INIT_SCRIPT="echo ${base64encode(try(coder_agent.dev[0].init_script, ""))} | base64 -d | sh" \
-e FALLBACK_IMAGE="codercom/enterprise-base:ubuntu" \
-e ENVBUILDER_CACHE_REPO="${cache_repo_url}" \
-e ENVBUILDER_PUSH_IMAGE=1 \
-e ENVBUILDER_DOCKER_CONFIG_BASE64="$DOCKER_CONFIG_BASE64" \
ghcr.io/coder/envbuilder
--//--
EOT
}
Getting 401 error on cache_repo_url push and pull
Codercord
Codercord4mo ago
Category
Help needed
Product
Coder OSS (v2)
Platform
Linux
Logs
Please post any relevant logs/error messages.
sociableporcupine
I don’t see anything immediately jumping out at me there, I’ll try with my own setup and try to repro.
sociableporcupine
OK, I tried the following Terraform and it works for me. I think you will probably have an easier time if you just use the aws provider to get the authorization token and then do the JSON/base64 encoding in Terraform. Relevant bits:
# Excerpt ("relevant bits") with elisions, not a complete configuration.
# The data source asks ECR for an authorization token through the AWS provider, so the instance
# itself needs neither the aws CLI nor a docker login step.
# The token is a credential: it is recorded in the Terraform state and in whatever the resulting
# environment variable is written to. ECR tokens are short-lived (AWS documents 12 hours), so a
# value rendered once stops working after that - plan for refresh on long-lived workspaces.
data "aws_ecr_authorization_token" "envbuilder_cache" {
...
# Docker config.json content: one "auths" entry keyed by the cache repository, whose "auth"
# value is the provider-supplied token.
dockerconfig_json = jsonencode({
"auths" : {
"${var.cache_repo}" : {
"auth" : data.aws_ecr_authorization_token.envbuilder_cache.authorization_token
}
}
})
...
# envbuilder receives the whole Docker config as a single base64 string.
"ENVBUILDER_DOCKER_CONFIG_BASE64" : base64encode(local.dockerconfig_json),

JustATempest
JustATempestOP4mo ago
It's working. Here's the fix for anyone in the future.
# Per-workspace ECR repository that envbuilder uses as its image cache.
# Only the name and tags are set; all other repository settings stay at the provider default.
# NOTE(review): ECR repository names must be lowercase. The hostname passed to docker run is
# lowercased but this name is not, so confirm a mixed-case workspace name cannot reach it.
resource "aws_ecr_repository" "cache_repo" {
  name = "coder-${data.coder_workspace.me.id}-${data.coder_workspace.me.name}-cache"

  tags = {
    Coder_Provisioned = "true"
  }
}

# Fetches an ECR authorization token through the AWS provider at plan/apply time.
# The token is a credential: it is stored in the Terraform state and, below, rendered into the
# instance user data. ECR tokens are short-lived (AWS documents 12 hours), so a script rendered
# once will start getting 401 again after expiry unless it is re-rendered - confirm how often the
# template re-applies.
data "aws_ecr_authorization_token" "envbuilder_cache" {}

locals {
...
# Docker config.json content: one "auths" entry keyed by the repository URL, with the
# provider-supplied token as its "auth" value.
dockerconfig_json = jsonencode({
"auths" = {
"${aws_ecr_repository.cache_repo.repository_url}" = {
"auth" = data.aws_ecr_authorization_token.envbuilder_cache.authorization_token
}
}
})

# Environment handed to the envbuilder container. CODER_AGENT_TOKEN and
# ENVBUILDER_DOCKER_CONFIG_BASE64 are secrets; GIT_URL comes from a workspace parameter.
envbuilder_env = {
"CODER_AGENT_TOKEN" = try(coder_agent.dev[0].token, "")
"CODER_AGENT_URL" = data.coder_workspace.me.access_url
"GIT_URL" = data.coder_parameter.repo_url.value
"FALLBACK_IMAGE" = "codercom/enterprise-base:ubuntu"
"ENVBUILDER_CACHE_REPO" = aws_ecr_repository.cache_repo.repository_url
"ENVBUILDER_PUSH_IMAGE" = 1
"AWS_SDK_LOAD_CONFIG" = true
"ENVBUILDER_DOCKER_CONFIG_BASE64" = base64encode(local.dockerconfig_json)
}

# KEY=VALUE list built from the same map; not referenced anywhere in the visible fragment.
docker_env = [
for k, v in local.envbuilder_env : "${k}=${v}"
]

# Boot script for the instance. Everything interpolated into it is readable in plain text from
# the instance metadata service and by principals allowed to describe the instance attribute;
# AWS advises against placing secrets in user data.
user_data = <<-EOT
...

# Create the necessary environment variables
# Terraform pastes every map value into this line without shell quoting, and the result is later
# expanded unquoted. A value containing spaces, quotes, backticks or a command substitution is
# therefore interpreted by the shell running this script. GIT_URL is user-supplied, so validate
# that parameter (for example a validation regex on the coder_parameter) or write the values to a
# root-only file and pass it with docker run --env-file.
ENV_VARS=$(
echo "${join(" ", [for k, v in local.envbuilder_env : "-e ${k}=${v}"])}"
)

# Start envbuilder
# INIT_SCRIPT is passed on its own because its value contains spaces and a pipe.
docker run --rm \
-h ${lower(data.coder_workspace.me.name)} \
-v /home/${local.linux_user}/envbuilder:/workspaces \
-e INIT_SCRIPT="echo ${base64encode(try(coder_agent.dev[0].init_script, ""))} | base64 -d | sh" \
$ENV_VARS \
ghcr.io/coder/envbuilder

...
EOT
}
