Permission fixes and paths

- fix permissions - write to /tmp path and not directly in repo for transcrypt - fix backend config path
autonomys · Oct 3, 2023 · 99a5ac2 · 99a5ac2
1 parent 55c06e4
commit 99a5ac2
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 28 deletions.
diff --git a/.github/workflows/terraform_gh_runner.yml b/.github/workflows/terraform_gh_runner.yml
@@ -56,12 +56,12 @@ jobs:
 
       - name: Fetch and write terraform.tfvars
         run: |
-          echo ${{ secrets.TF_VARS_FILE }} > terraform.tfvars
-          chmod 600 terraform.tfvars
+          echo ${{ secrets.TF_VARS_FILE }} > /tmp/terraform.tfvars
+          chmod 600 /tmp/terraform.tfvars
 
       - name: Run Terraform
         working-directory: ./github-runners/terraform/base
         run: |
           terraform init-backend-config="organization=subspace" -backend-config="workspaces=${{ secrets.WORKSPACE_NAME }}"
-          terraform plan -var-file=terraform.tfvars
-          terraform apply -auto-approve -var "gh_token=${{ env.RUNNER_TOKEN }}"
+          terraform plan -var-file=/tmp/terraform.tfvars
+          terraform apply -auto-approve -var "gh_token=${{ env.RUNNER_TOKEN }}" -var-file=/tmp/terraform.tfvars
diff --git a/.github/workflows/terraform_template_deploy.yml b/.github/workflows/terraform_template_deploy.yml
@@ -49,8 +49,7 @@ jobs:
 
       - name: Decrypt the secrets
         run: |
-          chmod +x ./scripts/transcrypt
-          scripts/transcrypt -c aes-256-cbc -p ${{ secrets.TRANSCRYPT }} -y
+          bash scripts/transcrypt -c aes-256-cbc -p ${{ secrets.TRANSCRYPT }} -y
 
       - uses: hashicorp/setup-terraform@v2
         with:
@@ -60,11 +59,11 @@ jobs:
 
       - name: Setup Remote Config Backend
         run: |
-          cat > config.remote.tfbackend <<EOT
+          cat > /tmp/config.remote.tfbackend <<EOF
             workspaces { name = "${{ inputs.tf_workspace_name }}"}
             hostname = "app.terraform.io"
             organization = "${{ inputs.tf_organization }}"
-          EOT
+          EOF
 
       - name: Terraform fmt
         working-directory: ${{ inputs.project }}/${{ inputs.resource }}
@@ -74,33 +73,33 @@ jobs:
       - name: Terraform Init for ${{ inputs.project }}/${{ inputs.resource }}
         working-directory: ${{ inputs.project }}/${{ inputs.resource }}
         run: |
-          cat config.remote.tfbackend
-          terraform init -backend-config=config.remote.tfbackend
+          cat /tmp/config.remote.tfbackend
+          terraform init -backend-config=/tmp/config.remote.tfbackend
 
       - name: Terraform Validate
         working-directory: ${{ inputs.project }}/${{ inputs.resource }}
         run: terraform validate
 
       - name: Fetch and write terraform.tfvars
         run: |
-          echo ${{ secrets.TF_VARS_FILE }} > terraform.tfvars
-          chmod 600 terraform.tfvars
+          echo ${{ secrets.TF_VARS_FILE }} > /tmp/terraform.tfvars
+          chmod 600 /tmp/terraform.tfvars
 
       - name: Terraform Plan for ${{ inputs.project }}/${{ inputs.resource }}
         if: ${{ (inputs.run_destroy == 'no') }}
         working-directory: ${{ inputs.project }}/${{ inputs.resource }}
         run: |
-          terraform plan -var-file=terraform.tfvars
+          terraform plan -var-file=/tmp/terraform.tfvars
 
       - name: Terraform Apply for ${{ inputs.project }}/${{ inputs.resource }}
         if: ${{ (inputs.run_apply == 'yes') && (inputs.run_destroy == 'no') }}
         working-directory: ${{ inputs.project }}/${{ inputs.resource }}
         run: |
-          terraform apply -auto-approve -var-file=terraform.tfvars
+          terraform apply -auto-approve -var-file=/tmp/terraform.tfvars
 
       - name: Terraform Destroy for ${{ inputs.project }}/${{ inputs.resource }}
         if: ${{ (inputs.run_destroy == 'yes') }}
         working-directory: ${{ inputs.project }}/${{ inputs.resource }}
         run: |
-          terraform plan -destroy -var-file=terraform.tfvars
-          terraform destroy -auto-approve -var-file=terraform.tfvars
+          terraform plan -destroy -var-file=/tmp/terraform.tfvars
+          terraform destroy -auto-approve -var-file=/tmp/terraform.tfvars
diff --git a/.github/workflows/terraform_template_ephemeral_deploy.yml b/.github/workflows/terraform_template_ephemeral_deploy.yml
@@ -53,8 +53,7 @@ jobs:
 
       - name: Decrypt the secrets
         run: |
-          chmod +x ./scripts/transcrypt
-          scripts/transcrypt -c aes-256-cbc -p ${{ secrets.TRANSCRYPT }} -y
+          bash scripts/transcrypt -c aes-256-cbc -p ${{ secrets.TRANSCRYPT }} -y
 
       - uses: hashicorp/setup-terraform@v2
         with:
@@ -64,11 +63,11 @@ jobs:
 
       - name: Setup Remote Config Backend
         run: |
-          cat > config.remote.tfbackend <<EOT
+          cat > /tmp/config.remote.tfbackend <<EOF
             workspaces { name = "${{ inputs.tf_workspace_name }}"}
             hostname = "app.terraform.io"
             organization = "${{ inputs.tf_organization }}"
-          EOT
+          EOF
 
       - name: Terraform fmt
         working-directory: ${{ inputs.project }}/${{ inputs.instance }}/${{ inputs.resource }}
@@ -78,33 +77,33 @@ jobs:
       - name: Terraform Init for ${{ inputs.project }}/${{ inputs.instance }}/${{ inputs.resource }}
         working-directory: ${{ inputs.project }}/${{ inputs.instance }}/${{ inputs.resource }}
         run: |
-          cat config.remote.tfbackend
-          terraform init -backend-config=config.remote.tfbackend
+          cat /tmp/config.remote.tfbackend
+          terraform init -backend-config=/tmp/config.remote.tfbackend
 
       - name: Terraform Validate
         working-directory: ${{ inputs.project }}/${{ inputs.instance }}/${{ inputs.resource }}
         run: terraform validate
 
       - name: Fetch and write terraform.tfvars
         run: |
-          echo ${{ secrets.TF_VARS_FILE }} > terraform.tfvars
-          chmod 600 terraform.tfvars
+          echo ${{ secrets.TF_VARS_FILE }} > /tmp/terraform.tfvars
+          chmod 600 /tmp/terraform.tfvars
 
       - name: Terraform Plan for ${{ inputs.project }}/${{ inputs.instance }}/${{ inputs.resource }}
         if: ${{ (inputs.run_destroy == 'no') }}
         working-directory: ${{ inputs.project }}/${{ inputs.instance }}/${{ inputs.resource }}
         run: |
-          terraform plan -var-file=terraform.tfvars
+          terraform plan -var-file=/tmp/terraform.tfvars
 
       - name: Terraform Apply for ${{ inputs.project }}/${{ inputs.instance }}/${{ inputs.resource }}
         if: ${{ (inputs.run_apply == 'yes') && (inputs.run_destroy == 'no') }}
         working-directory: ${{ inputs.project }}/${{ inputs.instance }}/${{ inputs.resource }}
         run: |
-          terraform apply -auto-approve -var-file=terraform.tfvars
+          terraform apply -auto-approve -var-file=/tmp/terraform.tfvars
 
       - name: Terraform Destroy for ${{ inputs.project }}/${{ inputs.instance }}/${{ inputs.resource }}
         if: ${{ (inputs.run_destroy == 'yes') }}
         working-directory: ${{ inputs.project }}/${{ inputs.instance }}/${{ inputs.resource }}
         run: |
-          terraform plan -destroy -var-file=terraform.tfvars
-          terraform destroy -auto-approve -var-file=terraform.tfvars
+          terraform plan -destroy -var-file=/tmp/terraform.tfvars
+          terraform destroy -auto-approve -var-file=/tmp/terraform.tfvars
diff --git a/scripts/transcrypt b/scripts/transcrypt