
I am working on automating a CI/CD pipeline using GitHub Actions. I have already set up Terraform, which deploys the infrastructure on GCP. GitHub Actions is authenticated to Google Cloud via the following action:

    - id: 'auth'
      name: 'Authenticate to Google Cloud'
      uses: 'google-github-actions/auth@v1'
      with:
        service_account: '[email protected]'

In the current stage, I want to use Terraform to create an inventory file for Ansible automatically. I prepared a template and want to create the inventory file using the local_file resource:

resource "local_file" "hosts_cfg" {
  content = templatefile("${path.module}/templates/hosts.tpl",
    {
      target_hosts = module.target_hosts.external_ips
    }
  )
  filename = "/etc/ansible/hosts"
}

The problem is, when I execute the terraform apply command using GitHub Actions, I receive the following error:

│ Error: Create local file error
│ 
│   with local_file.hosts_cfg,
│   on main.tf line 183, in resource "local_file" "hosts_cfg":
│  183: resource "local_file" "hosts_cfg" {
│ 
│ An unexpected error occurred while writing the file
│ 
│ +Original Error: open /etc/ansible/hosts: permission denied
╵
Error: Process completed with exit code 1.

So it seems that the GitHub Runner is not allowed to create files and folders in locations that require elevated privileges.

On the other hand, when I run the action with sudo terraform apply, I get the following error message:

╷
│ Error: storage.NewClient() failed: dialing: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.
│ 
│ 
╵
Error: Process completed with exit code 1.

What I don't understand is:

  1. If I use the google-github-actions/auth@v1 to authenticate, I bestow the same rights the service account has on the GitHub Runner, right? If it is so, why can't the GitHub Runner create a directory in /etc/?
  2. Does using sudo only give GitHub Runner the same rights as a service account? This is only partially true because I can't access the bucket where the state is stored. What baffles me is that the Runner can access the state without sudo and can't with it.
  3. What is the relationship between the GitHub Runner's privileges and the service account that is used to run Terraform commands?
  4. What can be done to bestow the same rights on the GitHub Runner as the service account has?
  • Why does the inventory file need to exist on the runner file system at /etc/ansible/hosts? Commented Jun 12, 2023 at 17:40
  • Well, it is not strictly necessary. I could save it to ../random/inv, then point the ANSIBLE_CONFIG to this file. Nevertheless, I would like to further deepen my knowledge about the mentioned technologies and get answers to the posed questions. Commented Jun 12, 2023 at 17:45
  • Q: I don't fully understand which machine's hosts file is being updated. First, say we have a machine github-actions-runner and, second, a service account my-service-account that belongs to a GCP environment. How are both connected? (I think the Service Account has nothing to do with the github-actions-runner machine) Commented Jun 27, 2023 at 16:09
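As an added illustration of the two errors in the question (example code, not from the question or any answer): the auth action hands Terraform its credentials through an environment variable, which sudo's default env_reset strips, while the unprivileged runner user simply may not write under /etc. The credentials path, inventory directory and IP addresses below are constructed placeholders.

```shell
#!/bin/sh
# Added example (not code from the question). Constructed values: the path
# /tmp/gha-creds.json stands in for the credentials file the auth action
# writes, and the IPs in the inventory are made up.

# google-github-actions/auth exports GOOGLE_APPLICATION_CREDENTIALS into the
# job environment; Terraform's GCS backend and google provider read it to
# locate Application Default Credentials.
export GOOGLE_APPLICATION_CREDENTIALS=/tmp/gha-creds.json

# sudo's default env_reset policy drops variables that are not on its allow
# list. `env -i` reproduces that effect without needing sudo: the child
# process gets an empty environment, so ADC lookup fails exactly as in the
# "could not find default credentials" error.
creds_seen_by_child() {
  env -i /bin/sh -c 'printf "%s" "${GOOGLE_APPLICATION_CREDENTIALS:-unset}"'
}

# Same child, but with the variable passed through explicitly, which is what
# `sudo --preserve-env=GOOGLE_APPLICATION_CREDENTIALS` would do. Handing root
# the runner's cloud credentials is usually the wrong trade; see below.
creds_seen_with_passthrough() {
  env -i GOOGLE_APPLICATION_CREDENTIALS="$GOOGLE_APPLICATION_CREDENTIALS" \
    /bin/sh -c 'printf "%s" "${GOOGLE_APPLICATION_CREDENTIALS:-unset}"'
}

# Least-privilege fix: write the inventory somewhere the unprivileged runner
# user owns (in Terraform: filename = "${path.module}/inventory/hosts") and
# point Ansible at it with ANSIBLE_INVENTORY, so sudo is never needed.
write_inventory() {
  dir="${1:-./inventory}"
  mkdir -p "$dir"
  printf '[target_hosts]\n10.0.0.1\n10.0.0.2\n' > "$dir/hosts"
  printf '%s' "$dir/hosts"
}

echo "child under env_reset:   $(creds_seen_by_child)"
echo "child with passthrough:  $(creds_seen_with_passthrough)"
echo "inventory written to:    $(write_inventory "${TMPDIR:-/tmp}/gha-inventory")"
echo "export ANSIBLE_INVENTORY=${TMPDIR:-/tmp}/gha-inventory/hosts"
```

Running it unprivileged prints `unset` for the first child and the credentials path for the second, which is the whole difference between the two failing `terraform apply` invocations.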
