
I am working on automating a CI/CD pipeline using GitHub Actions. I have already set up Terraform that deploys the infrastructure on GCP. GitHub Actions is authenticated to Google Cloud via the following actions:

    - id: 'auth'
      name: 'Authenticate to Google Cloud'
      uses: 'google-github-actions/auth@v1'
      with:
        service_account: 'my-service-account@my-project.iam.gserviceaccount.com'

In the current stage, I want to use Terraform to create an inventory file for Ansible automatically. I prepared a template and want to create the inventory file using the local_file resource:

resource "local_file" "hosts_cfg" {
  content = templatefile("${path.module}/templates/hosts.tpl",
    {
      target_hosts = module.target_hosts.external_ips
    }
  )
  filename = "/etc/ansible/hosts"
}

The problem is, when I execute the terraform apply command using GitHub Actions, I receive the following error:

│ Error: Create local file error
│ 
│   with local_file.hosts_cfg,
│   on main.tf line 183, in resource "local_file" "hosts_cfg":
│  183: resource "local_file" "hosts_cfg" {
│ 
│ An unexpected error occurred while writing the file
│ 
│ +Original Error: open /etc/ansible/hosts: permission denied
╵
Error: Process completed with exit code 1.

So it seems that the GitHub Runner is not allowed to create files and folders in locations that require elevated privileges.

On the other hand, when I run the action with sudo terraform apply, I get the following error message:

╷
│ Error: storage.NewClient() failed: dialing: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.
│ 
│ 
╵
Error: Process completed with exit code 1.

What I don't understand is:

  1. If I use the google-github-actions/auth@v1 to authenticate, I bestow the same rights the service account has on the GitHub Runner, right? If it is so, why can't the GitHub Runner create a directory in /etc/?
  2. Does using sudo only give GitHub Runner the same rights as a service account? This is only partially true because I can't access the bucket where the state is stored. What baffles me is that the Runner can access the state without sudo and can't with it.
  3. What is the relationship between the GitHub Runner's privileges and the service account that is used to run Terraform commands?
  4. What can be done to bestow the same right on the GitHub Runner as the service account has?
SkogensKonung
    Why does the inventory file need to exist on the runner file system at `/etc/ansible/hosts`? – Matthew Schuchard Jun 12 '23 at 17:40
  • Well, it is not strictly necessary. I could save it to ../random/inv, then point the ANSIBLE_CONFIG to this file. Nevertheless, I would like to further deepen my knowledge about the mentioned technologies and get answers to the posed questions. – SkogensKonung Jun 12 '23 at 17:45
  • Q: I don't fully understand which machine's hosts file is being updated. First, say we have a machine `github-actions-runner` and second a service account `my-service-account` that belongs to a GCP environment. How are both connected? (I think the Service Account has nothing to do with the `github-actions-runner` machine) – sam Jun 27 '23 at 16:09
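The mechanism behind questions 1 to 3 can be shown without a GCP project. The auth action does not change who the runner process is: it writes a credential file into the workspace (owned by the unprivileged runner user) and exports `GOOGLE_APPLICATION_CREDENTIALS` for later steps. OS permissions on `/etc` are a separate matter, and `sudo` by default resets the environment, so the pointer to that credential file is gone under `sudo`. The script below is an added example, not code from the question or from the `google-github-actions/auth` action; it simulates the auth step with a constructed placeholder credential file under a temporary workspace, uses `env -i` to approximate sudo's environment reset without needing root, and shows a writable inventory location the runner user can use instead of `/etc/ansible/hosts`. The function names and the `inventory/hosts` fallback path are assumptions for this demo.

```shell
#!/bin/sh
# Added example (not from the question or from google-github-actions/auth).
# Demonstrates why credentials work without sudo and vanish with it, and why
# /etc is unwritable for the runner user regardless of the cloud identity.

# Constructed workspace: GITHUB_WORKSPACE on a real runner, a temp dir here.
WORKSPACE="${GITHUB_WORKSPACE:-$(mktemp -d)}"

# Simulate the auth step: it writes a credential file into the workspace and
# exports GOOGLE_APPLICATION_CREDENTIALS. The file is owned by the same
# unprivileged user the runner process already is; no OS privilege is added.
simulate_auth_step() {
    creds="$WORKSPACE/gha-creds-demo.json"
    # Placeholder content, constructed for the demo; not a real credential.
    printf '{"type":"external_account","note":"constructed placeholder"}\n' > "$creds"
    chmod 600 "$creds"
    GOOGLE_APPLICATION_CREDENTIALS="$creds"
    export GOOGLE_APPLICATION_CREDENTIALS
    echo "$creds"
}

# What a later workflow step sees: it inherits the environment, so the Google
# SDK finds the credential file and the state bucket is reachable.
creds_visible_plain() {
    /bin/sh -c 'echo "${GOOGLE_APPLICATION_CREDENTIALS:-unset}"'
}

# What `sudo terraform apply` sees with sudo's default env_reset: the variable
# is dropped, Application Default Credentials lookup fails, and you get
# "could not find default credentials". `env -i` approximates that reset.
creds_visible_under_env_reset() {
    env -i /bin/sh -c 'echo "${GOOGLE_APPLICATION_CREDENTIALS:-unset}"'
}

# Pick an inventory path the runner user can actually write: keep the
# preferred path only if its directory exists and is writable, otherwise fall
# back to a workspace-relative location (assumed layout: inventory/hosts).
choose_inventory_path() {
    preferred="$1"
    fallback="$WORKSPACE/inventory/hosts"
    dir=$(dirname "$preferred")
    if [ -d "$dir" ] && [ -w "$dir" ]; then
        echo "$preferred"
    else
        mkdir -p "$(dirname "$fallback")"
        echo "$fallback"
    fi
}

simulate_auth_step >/dev/null
echo "plain step sees:      $(creds_visible_plain)"
echo "under env reset sees: $(creds_visible_under_env_reset)"
echo "inventory path:       $(choose_inventory_path /etc/ansible/hosts)"
```

The Terraform counterpart of the fallback is a workspace-relative `filename`, for example `"${path.module}/inventory/hosts"`, which the runner user can write without root; the Ansible step then points at that file. Running Terraform under `sudo` is the wrong fix: it both loses the exported credential pointer and runs the provisioner as root on the runner, which the deployment does not need.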

0 Answers