I am using bbrun to simulate the pipeline run locally. Essentially what I need (not the issue) is to automate terragrunt deployment of an infrastructure on GCP. So every time it's pushed with a tag it deploys a certain environment.

This is my bitbucket-pipelines.yml (simplified for bbrun):

image: alpine/terragrunt:latest

definitions:
  steps:
    - step: &terragrunt
        name: run terragrunt
        script:
            - cd ./env/dev
            - terragrunt validate-all


pipelines:
  default:
    - step: *terragrunt

And everything works when I run this with bbrun when I have a credentials.json file (which is in /env/dev) that has hardcoded secrets in it. So how can I add variables to the credentials.json file so that pipelines knows that there is a variable in that file?

For instance, if I add a secret variable PRIVATE_KEY in the bitbucket-pipelines console, I want terragrunt to read this line

"private_key": "-----BEGIN PRIVATE KEY-----\${env:PRIVATE_KEY}\n-----END PRIVATE KEY-----\n",
#I also tried $PRIVATE_KEY and ${PRIVATE_KEY} when running bbrun with -e PRIVATE_KEY=***

in credentials.json as a value of the variable.

I am not sure if bbrun is just wrong here and bitbucket pipelines would actually pass the variable's value, but I get this error when running with variables:

Error: Error in function call

---

Call to function "jsondecode" failed: invalid character '$' in string escape
code.

I also tried adding:

            variables:
              PRIVATE_KEY_ID: $PRIVATE_KEY_ID
              PRIVATE_KEY: $PRIVATE_KEY

Didn't work.

I also tried editing the file in the step script with the envsubst command, which works, but this seems kinda dumb to use.

KatranPlague
  • Can you paste the json files you used when trying to pass the `private_key` variable ? – Wojtek_B Nov 25 '20 at 08:42
  • Solved it by base64-ing the entire credentials file, then adding the encoded line as a variable in the pipelines, then echoing that variable and decoding it to a file. – KatranPlague Nov 26 '20 at 16:32
  • Great to hear - can you explain more clearly how you solved it (attach some code etc) - it would be very beneficial for the community. – Wojtek_B Nov 27 '20 at 07:57
  • Essentially you want to run `cat credentials.json | base64` and put the output of the command as a secret value of the variable named **CREDS** in the pipelines repo, so in the first step of the pipeline set the command `echo $CREDS | base64 -d > ./wherever/it/is/credentials.json` – KatranPlague Nov 27 '20 at 08:35
  • Great :) Can you post it as an answer ? – Wojtek_B Nov 27 '20 at 08:46

1 Answer

Essentially you want to run

cat credentials.json | base64

and then put the output of the command as a secret value of the variable named CREDS in the pipeline's repo, so in the first step of the pipeline set the command

echo "$CREDS" | base64 -d > ./wherever/it/is/credentials.json

Don't forget to use artifacts so that the file is saved for the next step if needed.

KatranPlague
  • 117
  • 1
  • 12
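
A stricter form of the decode step from the answer, as an added example that is not part of the original post: it writes the file with owner-only permissions and refuses to leave a broken credentials.json behind. `write_creds` is a hypothetical helper name, and the `"private_key"` check assumes the file is a service-account key like the one in the question.

```shell
#!/bin/sh
# Added example. write_creds is a hypothetical helper name; CREDS is the
# pipeline variable from the answer, holding `base64 < credentials.json`.

write_creds() {
    dest=$1

    if [ -z "${CREDS:-}" ]; then
        echo "write_creds: CREDS is not set or is empty" >&2
        return 1
    fi

    tmp="${dest}.tmp.$$"

    # Decode in a subshell so the restrictive umask (file mode 0600) does not
    # affect the rest of the step. printf avoids echo's option/escape handling;
    # tr strips whitespace that base64 line wrapping or copy/paste added.
    (
        umask 077
        printf '%s' "$CREDS" | tr -d ' \t\r\n' | base64 -d > "$tmp"
    ) || {
        rm -f "$tmp"
        echo "write_creds: CREDS is not valid base64" >&2
        return 1
    }

    # Assumption: the file is a service-account key like the one in the
    # question, so it must contain a "private_key" field.
    if ! grep -q '"private_key"' "$tmp"; then
        rm -f "$tmp"
        echo "write_creds: decoded data has no \"private_key\" field" >&2
        return 1
    fi

    # Rename into place only after the checks pass, so a bad variable never
    # leaves a truncated credentials.json behind.
    mv -f "$tmp" "$dest"
}

# Script usage: sh write_creds.sh ./env/dev/credentials.json
if [ $# -gt 0 ]; then
    write_creds "$1"
fi
```

Calling it at the start of each step that needs the file means the decoded key does not have to be passed along as an artifact.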