Comments (11)
@larivierec I see :/ I don't know how the Bitwarden CLI is built, but for tf-runner it seems to be rather simple.
What about doing it the other way around then, with something in this direction?
FROM ubuntu
LABEL org.opencontainers.image.source="https://github.com/weaveworks/tf-controller"
RUN apt-get update -y \
&& apt-get install -y \
ca-certificates \
git \
gnupg \
libssl-dev \
openssh-client \
tini \
unzip \
wget
RUN wget https://github.com/bitwarden/clients/releases/download/cli-v2023.1.0/bw-linux-2023.1.0.zip \
&& unzip bw-linux-2023.1.0.zip \
&& chmod +x bw \
&& mv bw /usr/local/bin
COPY --from=ghcr.io/weaveworks/tf-runner:main-19027da5 /usr/local/bin/tf-runner /usr/local/bin/tf-runner
COPY --from=ghcr.io/weaveworks/tf-runner:main-19027da5 /usr/local/bin/terraform /usr/local/bin/terraform
RUN echo 'hosts: files dns' > /etc/nsswitch.conf
RUN addgroup --gid 65532 --system runner \
&& adduser --uid 65532 --system runner --group \
&& chmod +x /usr/local/bin/terraform
USER 65532:65532
ENV GNUPGHOME=/tmp
ENTRYPOINT [ "/bin/tini", "--", "tf-runner" ]
I haven't tried the image in a complete setup, but I can at least execute tf-runner, terraform and bw without any crash.
from terraform-provider-bitwarden.
Hi @maxirus !
No serious plans to be honest.
I spent some time working on a partial Go implementation of the Bitwarden CLI because I needed it for testing:
https://github.com/maxlaverse/terraform-provider-bitwarden/tree/main/internal/bitwarden/webapi
There are quite a few cryptographic parameters and initialization processes required, and they most likely have to be done right in order to keep people's Vaults safe. I wouldn't have enough time to spend to bring such an implementation to a state where I would feel confident people can safely use it.
The lack of this feature means that it won't work with Terraform Cloud as a backend, right? It'll result in:
Error: exec: "bw": executable file not found in $PATH
Just making sure I understand that correctly.
Good question @wscourge !
I think I read that Terraform Cloud allows you to host the runners when you have a business license, which likely opens the possibility to customize their environments and add the Bitwarden CLI.
I wouldn't know how to run it on Terraform Cloud's free plan right now. I had a quick look in the developer documentation, searching for something that would hint at how to handle external tools, and found nothing. Looking into the Terraform projects I have, it seems all their providers are a single binary using Go SDKs to access external services.
Have you tried a combination of null_resource and provisioner "local-exec" {} @wscourge?
I haven't, just opted out of the TF Cloud for various reasons. I guess it could work tho, definitely worth trying by anyone who ends up here.
While I do agree that the dependency should be removed, as it removes the ability to use this in GitOps tools like tf-runner/tf-controller, I recently tried integrating this and stumbled onto the issue.
I think the issue here is that without the CLI, the REST API is not exposed and therefore we can't interact with our Vaults.
Do you think instead adding support for self-hosting the bitwarden-cli elsewhere and using that URL without credentials could be an alternative? (if yes, I could possibly look at this)
Is it possible to create a second provider that wouldn't require downloading of bw-cli?
provider "bitwarden" {
internal_api = "https://bitwarden-cli.bitwarden.svc.cluster.local.:8087"
}
alongside the standard ones that are already available in this project?
Another way could be to create a docker container with the GitOps tool and the bitwarden-cli, I still haven't figured it out though.
Hi @larivierec,
Do you think instead adding support for self-hosting the bitwarden-cli elsewhere and using that URL without credentials could be an alternative?
It's appealing in a way, because the REST API is a documented interface, and the tests run so fast when you don't have to spawn a process & load the Vault all the time. Having this bw serve API available in a cluster or even locally makes me anxious. It becomes suddenly so easy to leak the Vault, and for now I'd prefer to avoid that. The implementation itself is not too complicated.
Is it possible to create a second provider that wouldn't require downloading of bw-cli?
Potentially there could also be a toggle to enable downloading the binary, but I have to see what the best practices are here.
Another way could be to create a docker container with the GitOps tool and the bitwarden-cli, I still haven't figured it out though.
That would be my recommended approach at this point. I don't see how we can't get this to work, but I don't know how much effort it is. I have tried it myself, but something like this might work?
- Build a custom Docker image for the tf-runner with the Bitwarden CLI inside:
FROM ghcr.io/weaveworks/tf-runner:main-19027da5
RUN wget https://github.com/bitwarden/clients/releases/download/cli-v2023.1.0/bw-linux-2023.1.0.zip \
&& unzip bw-linux-2023.1.0.zip \
&& chmod +x bw \
&& mv bw /usr/local/bin
- Tell the tf-controller to use that image. If you're using Helm, that would be changing those values here: https://github.com/weaveworks/tf-controller/blob/main/charts/tf-controller/values.yaml#L111-L117
If the approach works, I can document it and parametrize all the versions. There is more documentation on how to run custom runner Pods here as well: https://weaveworks.github.io/tf-controller/use_tf_controller/to_provision_resources_with_customized_Runner_Pods/
Interestingly, tf-controller has this notion of packages, maybe something we can use to ship the CLI in those environments? https://weaveworks.github.io/tf-controller/use_tf_controller/with_the_ready_to_use_AWS_package/
Yeah.
Point 1: it can be scary, but it's the responsibility of the one deploying to keep the vault safe. I do agree that it can be a major security risk even internally; whoever has the URL technically can access the vault.
Point 2: ok ✅
Point 3:
I tried that, the issue is that tf-runner uses alpine. I tried quite hard to get bw cli running on alpine, there are always dependency problems. The closest I got was a segmentation fault. This would also be my preferred option, by creating a new alpine image and adding all the proper dependencies from both, but alpine and bw seem to be a no go.
This is also my preferred solution 💯
https://github.com/larivierec/containers/blob/main/apps/tf-runner-bw/Dockerfile
If you have any ideas, let me know.
I also tried just to get bw-cli running in alpine without tf-runner (below).
FROM alpine:3.18
WORKDIR /usr/local/bin
RUN apk update && apk add curl unzip jq
# Picks whatever CLI release is newest at build time (unpinned), then downloads it.
# Note the ${VER} expansion: the original {$VER} form leaves literal braces in the URL.
RUN export VER=$(curl -H "Accept: application/vnd.github+json" https://api.github.com/repos/bitwarden/clients/releases | jq -r 'sort_by(.published_at) | reverse | .[].name | select( index("CLI") )' | sed 's:.*CLI v::' | head -n 1) && \
curl -LO "https://github.com/bitwarden/clients/releases/download/cli-v${VER}/bw-linux-${VER}.zip" \
&& unzip *.zip && chmod +x ./bw && rm *.zip
# ATTEMPT #1
RUN apk add --no-cache libc6-compat \
&& apk add --no-cache gcompat=1.1.0-r1 \
&& apk add --no-cache libstdc++=12.2.1_git20220924-r10 \
&& rm -rf /var/cache/apk/*
# ATTEMPT #2
# RUN export GLIBC_VERSION=2.35-r1 && export GLIBC_REPO=https://github.com/sgerrand/alpine-pkg-glibc && \
# apk --update add libstdc++ curl ca-certificates && \
# for pkg in glibc-${GLIBC_VERSION} glibc-bin-${GLIBC_VERSION}; \
# do curl -sSL ${GLIBC_REPO}/releases/download/${GLIBC_VERSION}/${pkg}.apk -o /tmp/${pkg}.apk; done && \
# apk add --allow-untrusted /tmp/*.apk && \
# rm -v /tmp/*.apk
COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]
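Both Dockerfiles in this thread fetch the Bitwarden CLI zip without checking it, and the alpine one takes whatever release is newest at build time. Added example (not from the thread or either project): a POSIX sh snippet that pins the CLI version and refuses to install the archive unless its SHA-256 matches a digest recorded in advance; BW_SHA256 is a placeholder, and the shasum fallback, wget, unzip and install are assumed to be available on the build host.

```shell
#!/bin/sh
# Added example, not from the thread: pin the Bitwarden CLI release and verify the
# archive before installing it in a runner image. BW_SHA256 is a placeholder;
# record the real digest of the release you audited and pass it in.
set -eu

BW_VERSION="${BW_VERSION:-2023.1.0}"            # version used in the thread's Dockerfiles
BW_SHA256="${BW_SHA256:-<sha256-of-bw-linux-2023.1.0.zip>}"  # placeholder, replace

# sha256_of FILE: print the hex SHA-256 of FILE (assumes sha256sum or shasum is present).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE EXPECTED: exit status 0 only if FILE hashes to EXPECTED.
verify_sha256() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# fetch_bw_cli DEST_DIR: download the pinned archive, verify it, then install bw.
# Uses ${VER}-style expansion; the thread's {$VER} form would put braces in the URL.
fetch_bw_cli() {
  dest="$1"
  zip="bw-linux-${BW_VERSION}.zip"
  url="https://github.com/bitwarden/clients/releases/download/cli-v${BW_VERSION}/${zip}"
  tmp=$(mktemp -d)
  wget -q -O "$tmp/$zip" "$url"
  if ! verify_sha256 "$tmp/$zip" "$BW_SHA256"; then
    echo "checksum mismatch for $zip, refusing to install" >&2
    rm -rf "$tmp"
    return 1
  fi
  unzip -q "$tmp/$zip" -d "$tmp"
  install -m 0755 "$tmp/bw" "$dest/bw"
  rm -rf "$tmp"
}
```

In a Dockerfile this replaces the bare wget/unzip/chmod RUN line, so a changed upstream archive fails the build instead of landing in the runner image.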
I didn't try it that way around; I assumed it couldn't be done. Probably an error on my part!
I'll try and see how it pans out :)
For an idea, Spacelift free tier allows you to specify a custom Docker runner image for the public worker pool - see here.