Feature Request: Use TF output for WinRM password in kitchen.yml #379

Open
anniehedgpeth opened this issue Dec 18, 2019 · 6 comments

@anniehedgpeth

anniehedgpeth commented Dec 18, 2019

I'm creating a random password for my VM and outputting it like so:

    output "agent_vm_password" {
      value = random_password.vm_admin_password.result
    }

And it would be great to use the TF output of this password for the WinRM backend like so:

    - name: vm
      backend: winrm
      port: 5985
      hosts_output: private_ip_address_1
      user: localadmin
      password: agent_vm_password

But it appears that I need to use either a hard-coded value or an environment variable, which isn't desirable.

Thanks!

@aaron-lane
Collaborator

Thank you for the feature request. I think it's a reasonable thing to support; I'll try to get to that in the near future.

As a workaround, you can take advantage of Kitchen's support for interpolation in the configuration file to provide similar behaviour, like the following example:

    password: <%= `terraform output -state ROOT_MODULE_DIRECTORY/terraform.tfstate.d/terraform.tfstate agent_vm_password 2>/dev/null || echo ""`.strip %>

That should use the agent_vm_password output for the value of password if it's defined or else use an empty string, accounting for the command being executed prior to the Terraform state being created. The caveat to this approach is you will have to run kitchen converge and kitchen verify in separate stages to ensure the configuration file can be rendered with the required output.

@aaron-lane
Collaborator

Possibly related to #317

@anniehedgpeth
Author

Oh cool, I didn't know you could do that! Thanks!

@anniehedgpeth
Author

I tried your example and had some trouble with it (because...Windows).

When I am in the root module directory and I run this (which kitchen would be running in your example above)...

    terraform output -state .\test\fixtures\windows-agent-test\terraform.tfstate.d\kitchen-terraform-windows-agent-test-terraform\terraform.tfstate agent_vm_password

...the stderr says that initialization is required.
But when I'm in the root directory and I run this -

    Push-Location ./test/fixtures/windows-agent-test | terraform output -state ./terraform.tfstate.d/kitchen-terraform-windows-agent-test-terraform/terraform.tfstate agent_vm_password | Pop-Location

...I get the password (and am returned to the root module directory).

Also, TF wouldn't accept an empty string for the pw, so I ended up doing kind of a funky PowerShell workaround like this:

    `powershell.exe Push-Location ./test/fixtures/windows-agent-test; $pw = terraform output -state ./terraform.tfstate.d/kitchen-terraform-windows-agent-test-terraform/terraform.tfstate agent_vm_password 2>&1; if ($pw -eq $null)  {echo \"temppw\"} else {$pw}; Pop-Location`.strip

...which works in irb but not when I put it in an ERB or call it from the kitchen.yml like so:

    password: <%= `powershell.exe Push-Location ./test/fixtures/windows-agent-test; $pw = terraform output -state ./terraform.tfstate.d/kitchen-terraform-windows-agent-test-terraform/terraform.tfstate agent_vm_password 2>&1; if ($pw -eq $null)  {echo \"temppw\"} else {$pw}; Pop-Location`.strip %>

I don't know if I'm just missing an escape character or what.

Alas, I resorted to creating a template for the kitchen.yml like so in my test module:

    data "template_file" "kitchen_template" {
      template = file("${path.module}/../../../templates/kitchen_template.yml")

      vars = {
        vm_admin_password = random_password.vm_admin_password.result
      }
    }

    resource "local_file" "create_test_kitchen_yaml" {
      sensitive_content = data.template_file.kitchen_template.rendered
      filename          = "${path.module}/../../../.kitchen.yml"
    }

I'm not in love with this approach, but I'm out of time to spend on it.
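
The interpolation workaround discussed in the comments above, written as a Ruby helper instead of a shell one-liner. This is an added example, not part of the thread or of kitchen-terraform: `terraform_output`, `kitchen_password`, `RUN_TERRAFORM` and the sample JSON are hypothetical or constructed. It assumes `terraform` is on PATH and that the file is loaded before the ERB tag is evaluated.

```ruby
require "json"
require "open3"

# Constructed sample of `terraform output -json` (not real output from this issue).
SAMPLE_OUTPUT_JSON = <<~JSON
  {
    "agent_vm_password": {"sensitive": true, "type": "string", "value": "Constructed: pw#1!"},
    "private_ip_address_1": {"sensitive": false, "type": "string", "value": "10.0.0.4"}
  }
JSON

# Default runner: an argument array instead of a shell string, so there is no
# cmd.exe/PowerShell/sh quoting to get wrong, and `chdir:` runs terraform from
# the initialized fixture directory. stderr is captured separately, so an
# error message can never end up being used as the password.
RUN_TERRAFORM = lambda do |args, dir|
  stdout, _stderr, status = Open3.capture3("terraform", *args, chdir: dir)
  status.success? ? stdout : nil
rescue SystemCallError
  nil # terraform not on PATH, or the fixture directory does not exist yet
end

# Hypothetical helper (not part of kitchen-terraform): the named output's value,
# or `fallback` while the state has not been created.
def terraform_output(name, dir:, state: nil, fallback: "temppw", runner: RUN_TERRAFORM)
  args = ["output", "-json"]
  args << "-state=#{state}" if state
  raw = runner.call(args, dir)
  return fallback if raw.nil? || raw.strip.empty?

  parsed = JSON.parse(raw)
  value = parsed.is_a?(Hash) ? parsed.dig(name, "value") : nil
  value.is_a?(String) && !value.empty? ? value : fallback
rescue JSON::ParserError, TypeError
  fallback
end

# Render the value as a double-quoted scalar so characters such as `#` or `: `
# in a random password cannot change how the YAML parses.
def kitchen_password(name, **opts)
  terraform_output(name, **opts).to_json
end

# Assumed usage in kitchen.yml once this file has been loaded by the ERB:
#   password: <%= kitchen_password("agent_vm_password", dir: "test/fixtures/windows-agent-test") %>
```

The two-stage `kitchen converge` / `kitchen verify` caveat still applies, because the fallback is what gets rendered until the state exists.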

@lmayorga1980

@anniehedgpeth it seems that you spent some time on this. In the case of AWS, kitchen-ec2 decodes the password but I think that is a kitchen-ec2 thing instead of test-kitchen. If you don't depend on kitchen-ec2 then maybe porting that code for decoding would be a good idea? Anyone?
