NotificationsYou must be signed in to change notification settings
Fork927
Star10.1k

Commit847e2b1

authored

Don't use parameters to pass secrets to GCP or AWS (#2039)

* Don't use parameters to pass secrets to GCP or AWSSigned-off-by: Spike Curtis <spike@coder.com>* Fix fmtSigned-off-by: Spike Curtis <spike@coder.com>

1 parent43f622a commit847e2b1Copy full SHA for 847e2b1

File tree

11 files changed

+180

-96

lines changed

docs
- templates.md
examples/templates
- aws-linux
  - README.md
  - main.tf
- aws-windows
  - README.md
  - main.tf
- gcp-linux
  - README.md
  - main.tf
- gcp-vm-container
  - README.md
  - main.tf
- gcp-windows
  - README.md
  - main.tf

11 files changed

+180

-96

lines changed

`‎docs/templates.md`

Lines changed: 36 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -23,8 +23,6 @@ vim <template-name>/main.tf`
`23`	`23`	`coder templates<create/update><template-name>`
`24`	`24`	```
`25`	`25`
`26`		`->We recommend source controlling your templates.`
`27`		`-`
`28`	`26`	`##Persistent and ephemeral resources`
`29`	`27`
`30`	`28`	`Coder supports both ephemeral and persistent resources in workspaces. Ephemeral`
`@@ -53,6 +51,42 @@ Templates often contain parameters. In Coder, there are two types of parameter`
`53`	`51`	`each workspace, often personalization settings such as "preferred`
`54`	`52`	`region" or "workspace image".`
`55`	`53`
	`54`	`+`
	`55`	`+##Best Practices`
	`56`	`+`
	`57`	`+###Template Changes`
	`58`	`+`
	`59`	`+We recommend source controlling your templates.`
	`60`	`+`
	`61`	`+###Authenticating with Cloud Providers`
	`62`	`+`
	`63`	`+Coder's provisioner process needs to authenticate with cloud provider APIs to provision`
	`64`	`+workspaces. We strongly advise against including credentials directly in your templates. You`
	`65`	`+can either pass credentials to the provisioner as parameters, or execute Coder`
	`66`	`+in an environment that is authenticated with the cloud provider.`
	`67`	`+`
	`68`	`+We encourage the latter where supported. This approach simplifies the template, keeps cloud`
	`69`	`+provider credentials out of Coder's database (making it a less valuable target for attackers),`
	`70`	`+and is compatible with agent-based authentication schemes (that handle credential rotation`
	`71`	`+and/or ensure the credentials are not written to disk).`
	`72`	`+`
	`73`	`+Cloud providers for which the Terraform provider supports authenticated environments include`
	`74`	`+`
	`75`	`+*[Google Cloud](https://registry.terraform.io/providers/hashicorp/google/latest/docs)`
	`76`	`+*[Amazon Web Services](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)`
	`77`	`+*[Microsoft Azure](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs)`
	`78`	`+*[Kubernetes](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs)`
	`79`	`+`
	`80`	`+Additional providers may be supported; check the`
	`81`	`+[documentation of the Terraform provider](https://registry.terraform.io/browse/providers) for`
	`82`	`+details.`
	`83`	`+`
	`84`	`+The way these generally work is via the credentials being available to Coder either in some`
	`85`	+well-known location on disk (e.g.`~/.aws/credentials` for AWS on posix systems), or via
	`86`	`+environment variables. It is usually sufficient to authenticate using the CLI or SDK for the`
	`87`	`+cloud provider before running Coder for this to work, but check the Terraform provider`
	`88`	`+documentation for details.`
	`89`	`+`
`56`	`90`	`---`
`57`	`91`
`58`	`92`	`Next:[Workspaces](./workspaces.md)`

`‎examples/templates/aws-linux/README.md`

Lines changed: 7 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,13 @@ tags: [cloud, aws]`
`10`	`10`
`11`	`11`	Pick this template in`coder templates init` and follow instructions.
`12`	`12`
	`13`	`+##Authentication`
	`14`	`+`
	`15`	`+This template assumes that coderd is run in an environment that is authenticated`
	`16`	+with AWS. For example, run`aws configure import` to import credentials on the
	`17`	`+system and user running coderd. For other ways to authenticate[consult the`
	`18`	`+Terraform docs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication-and-configuration).`
	`19`	`+`
`13`	`20`	`##Required permissions / policy`
`14`	`21`
`15`	`22`	`This example policy allows Coder to create EC2 instances and modify instances provisioned by Coder.`

`‎examples/templates/aws-linux/main.tf`

Lines changed: 1 addition & 23 deletions

Original file line number	Diff line number	Diff line change
`@@ -7,26 +7,6 @@ terraform {`
`7`	`7`	`}`
`8`	`8`	`}`
`9`	`9`
`10`		`-variable"access_key" {`
`11`		`-description=<<EOT`
`12`		`-Create an AWS access key to provision resources with Coder:`
`13`		`-- https://console.aws.amazon.com/iam/home#/users`
`14`		`-`
`15`		`-See the template README for an example permissions policy,`
`16`		`-if needed.`
`17`		`-`
`18`		`-AWS Access Key ID`
`19`		`-EOT`
`20`		`-sensitive=true`
`21`		`-}`
`22`		`-`
`23`		`-variable"secret_key" {`
`24`		`-description=<<EOT`
`25`		`-AWS Secret Key`
`26`		`-EOT`
`27`		`-sensitive=true`
`28`		`-}`
`29`		`-`
`30`	`10`	`# Last updated 2022-05-31`
`31`	`11`	`# aws ec2 describe-regions \| jq -r '[.Regions[].RegionName] \| sort'`
`32`	`12`	`variable"region" {`
`@@ -70,9 +50,7 @@ variable "disk_size" {`
`70`	`50`	`}`
`71`	`51`
`72`	`52`	`provider"aws" {`
`73`		`-region=var.region`
`74`		`-access_key=var.access_key`
`75`		`-secret_key=var.secret_key`
	`53`	`+region=var.region`
`76`	`54`	`}`
`77`	`55`
`78`	`56`	`data"coder_workspace""me" {`

`‎examples/templates/aws-windows/README.md`

Lines changed: 66 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -3,3 +3,69 @@ name: Develop in Windows on AWS`
`3`	`3`	`description:Get started with Windows development on AWS.`
`4`	`4`	`tags:[cloud, aws]`
`5`	`5`	`---`
	`6`	`+`
	`7`	`+#aws-windows`
	`8`	`+`
	`9`	`+##Getting started`
	`10`	`+`
	`11`	+Pick this template in`coder templates init` and follow instructions.
	`12`	`+`
	`13`	`+##Authentication`
	`14`	`+`
	`15`	`+This template assumes that coderd is run in an environment that is authenticated`
	`16`	+with AWS. For example, run`aws configure import` to import credentials on the
	`17`	`+system and user running coderd. For other ways to authenticate[consult the`
	`18`	`+Terraform docs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication-and-configuration).`
	`19`	`+`
	`20`	`+##Required permissions / policy`
	`21`	`+`
	`22`	`+This example policy allows Coder to create EC2 instances and modify instances provisioned by Coder.`
	`23`	`+`
	`24`	+```json
	`25`	`+{`
	`26`	`+"Version":"2012-10-17",`
	`27`	`+"Statement": [`
	`28`	`+ {`
	`29`	`+"Sid":"VisualEditor0",`
	`30`	`+"Effect":"Allow",`
	`31`	`+"Action": [`
	`32`	`+"ec2:GetDefaultCreditSpecification",`
	`33`	`+"ec2:DescribeIamInstanceProfileAssociations",`
	`34`	`+"ec2:DescribeTags",`
	`35`	`+"ec2:CreateTags",`
	`36`	`+"ec2:RunInstances",`
	`37`	`+"ec2:DescribeInstanceCreditSpecifications",`
	`38`	`+"ec2:DescribeImages",`
	`39`	`+"ec2:ModifyDefaultCreditSpecification",`
	`40`	`+"ec2:DescribeVolumes"`
	`41`	`+ ],`
	`42`	`+"Resource":"*"`
	`43`	`+ },`
	`44`	`+ {`
	`45`	`+"Sid":"CoderResouces",`
	`46`	`+"Effect":"Allow",`
	`47`	`+"Action": [`
	`48`	`+"ec2:DescribeInstances",`
	`49`	`+"ec2:DescribeInstanceAttribute",`
	`50`	`+"ec2:UnmonitorInstances",`
	`51`	`+"ec2:TerminateInstances",`
	`52`	`+"ec2:StartInstances",`
	`53`	`+"ec2:StopInstances",`
	`54`	`+"ec2:DeleteTags",`
	`55`	`+"ec2:MonitorInstances",`
	`56`	`+"ec2:CreateTags",`
	`57`	`+"ec2:RunInstances",`
	`58`	`+"ec2:ModifyInstanceAttribute",`
	`59`	`+"ec2:ModifyInstanceCreditSpecification"`
	`60`	`+ ],`
	`61`	`+"Resource":"arn:aws:ec2:::instance/*",`
	`62`	`+"Condition": {`
	`63`	`+"StringEquals": {`
	`64`	`+"aws:ResourceTag/Coder_Provisioned":"true"`
	`65`	`+ }`
	`66`	`+ }`
	`67`	`+ }`
	`68`	`+ ]`
	`69`	`+}`
	`70`	+```
	`71`	`+`

`‎examples/templates/aws-windows/main.tf`

Lines changed: 1 addition & 20 deletions

Original file line number	Diff line number	Diff line change
`@@ -7,23 +7,6 @@ terraform {`
`7`	`7`	`}`
`8`	`8`	`}`
`9`	`9`
`10`		`-variable"access_key" {`
`11`		`-description=<<EOT`
`12`		`-Create an AWS access key to provision resources with Coder:`
`13`		`-- https://console.aws.amazon.com/iam/home#/users`
`14`		`-`
`15`		`-AWS Access Key`
`16`		`-EOT`
`17`		`-sensitive=true`
`18`		`-}`
`19`		`-`
`20`		`-variable"secret_key" {`
`21`		`-description=<<EOT`
`22`		`-AWS Secret Key`
`23`		`-EOT`
`24`		`-sensitive=true`
`25`		`-}`
`26`		`-`
`27`	`10`	`# Last updated 2022-05-31`
`28`	`11`	`# aws ec2 describe-regions \| jq -r '[.Regions[].RegionName] \| sort'`
`29`	`12`	`variable"region" {`
`@@ -54,9 +37,7 @@ variable "region" {`
`54`	`37`	`}`
`55`	`38`
`56`	`39`	`provider"aws" {`
`57`		`-region=var.region`
`58`		`-access_key=var.access_key`
`59`		`-secret_key=var.secret_key`
	`40`	`+region=var.region`
`60`	`41`	`}`
`61`	`42`
`62`	`43`	`data"coder_workspace""me" {`

`‎examples/templates/gcp-linux/README.md`

Lines changed: 19 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -3,3 +3,22 @@ name: Develop in Linux on Google Cloud`
`3`	`3`	`description:Get started with Linux development on Google Cloud.`
`4`	`4`	`tags:[cloud, google]`
`5`	`5`	`---`
	`6`	`+`
	`7`	`+#gcp-linux`
	`8`	`+`
	`9`	`+##Getting started`
	`10`	`+`
	`11`	+Pick this template in`coder templates init` and follow instructions.
	`12`	`+`
	`13`	`+##Authentication`
	`14`	`+`
	`15`	`+This template assumes that coderd is run in an environment that is authenticated`
	`16`	+with Google Cloud. For example, run`gcloud auth application-default login` to import
	`17`	`+credentials on the system and user running coderd. For other ways to authenticate`
	`18`	`+[consult the Terraform docs](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/getting_started#adding-credentials).`
	`19`	`+`
	`20`	`+##Required permissions / policy`
	`21`	`+`
	`22`	`+The user or service account used by the Terraform provisioner should have the following roles`
	`23`	`+`
	`24`	`+- Compute Admin`

`‎examples/templates/gcp-linux/main.tf`

Lines changed: 4 additions & 17 deletions

Original file line number	Diff line number	Diff line change
`@@ -11,20 +11,8 @@ terraform {`
`11`	`11`	`}`
`12`	`12`	`}`
`13`	`13`
`14`		`-variable"service_account" {`
`15`		`-description=<<EOF`
`16`		`-Coder requires a Google Cloud Service Account to provision workspaces.`
`17`		`-`
`18`		`-1. Create a service account:`
`19`		`- https://console.cloud.google.com/projectselector/iam-admin/serviceaccounts/create`
`20`		`-2. Add the roles:`
`21`		`- - Compute Admin`
`22`		`- - Service Account User`
`23`		`-3. Click on the created key, and navigate to the "Keys" tab.`
`24`		`-4. Click "Add key", then "Create new key".`
`25`		`-5. Generate a JSON private key, and paste the contents below.`
`26`		`-EOF`
`27`		`-sensitive=true`
	`14`	`+variable"project_id" {`
	`15`	`+description="Which Google Compute Project should your workspace live in?"`
`28`	`16`	`}`
`29`	`17`
`30`	`18`	`variable"zone" {`
`@@ -37,9 +25,8 @@ variable "zone" {`
`37`	`25`	`}`
`38`	`26`
`39`	`27`	`provider"google" {`
`40`		`-zone=var.zone`
`41`		`-credentials=var.service_account`
`42`		`-project=jsondecode(var.service_account).project_id`
	`28`	`+zone=var.zone`
	`29`	`+project=var.project_id`
`43`	`30`	`}`
`44`	`31`
`45`	`32`	`data"google_compute_default_service_account""default" {`

`‎examples/templates/gcp-vm-container/README.md`

Lines changed: 19 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -3,3 +3,22 @@ name: Develop in a container on a Google Cloud VM`
`3`	`3`	`description:Get started with Linux development on Google Cloud.`
`4`	`4`	`tags:[cloud, google, container]`
`5`	`5`	`---`
	`6`	`+`
	`7`	`+#gcp-vm-container`
	`8`	`+`
	`9`	`+##Getting started`
	`10`	`+`
	`11`	+Pick this template in`coder templates init` and follow instructions.
	`12`	`+`
	`13`	`+##Authentication`
	`14`	`+`
	`15`	`+This template assumes that coderd is run in an environment that is authenticated`
	`16`	+with Google Cloud. For example, run`gcloud auth application-default login` to import
	`17`	`+credentials on the system and user running coderd. For other ways to authenticate`
	`18`	`+[consult the Terraform docs](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/getting_started#adding-credentials).`
	`19`	`+`
	`20`	`+##Required permissions / policy`
	`21`	`+`
	`22`	`+The user or service account used by the Terraform provisioner should have the following roles`
	`23`	`+`
	`24`	`+- Compute Admin`

`‎examples/templates/gcp-vm-container/main.tf`

Lines changed: 4 additions & 17 deletions

Original file line number	Diff line number	Diff line change
`@@ -11,20 +11,8 @@ terraform {`
`11`	`11`	`}`
`12`	`12`	`}`
`13`	`13`
`14`		`-variable"service_account" {`
`15`		`-description=<<EOF`
`16`		`-Coder requires a Google Cloud Service Account to provision workspaces.`
`17`		`-`
`18`		`-1. Create a service account:`
`19`		`- https://console.cloud.google.com/projectselector/iam-admin/serviceaccounts/create`
`20`		`-2. Add the roles:`
`21`		`- - Compute Admin`
`22`		`- - Service Account User`
`23`		`-3. Click on the created key, and navigate to the "Keys" tab.`
`24`		`-4. Click "Add key", then "Create new key".`
`25`		`-5. Generate a JSON private key, and paste the contents below.`
`26`		`-EOF`
`27`		`-sensitive=true`
	`14`	`+variable"project_id" {`
	`15`	`+description="Which Google Compute Project should your workspace live in?"`
`28`	`16`	`}`
`29`	`17`
`30`	`18`	`variable"zone" {`
`@@ -37,9 +25,8 @@ variable "zone" {`
`37`	`25`	`}`
`38`	`26`
`39`	`27`	`provider"google" {`
`40`		`-zone=var.zone`
`41`		`-credentials=var.service_account`
`42`		`-project=jsondecode(var.service_account).project_id`
	`28`	`+zone=var.zone`
	`29`	`+project=var.project_id`
`43`	`30`	`}`
`44`	`31`
`45`	`32`	`data"google_compute_default_service_account""default" {`

`‎examples/templates/gcp-windows/README.md`

Lines changed: 19 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -3,3 +3,22 @@ name: Develop in Windows on Google Cloud`
`3`	`3`	`description:Get started with Windows development on Google Cloud.`
`4`	`4`	`tags:[cloud, google]`
`5`	`5`	`---`
	`6`	`+`
	`7`	`+#gcp-windows`
	`8`	`+`
	`9`	`+##Getting started`
	`10`	`+`
	`11`	+Pick this template in`coder templates init` and follow instructions.
	`12`	`+`
	`13`	`+##Authentication`
	`14`	`+`
	`15`	`+This template assumes that coderd is run in an environment that is authenticated`
	`16`	+with Google Cloud. For example, run`gcloud auth application-default login` to import
	`17`	`+credentials on the system and user running coderd. For other ways to authenticate`
	`18`	`+[consult the Terraform docs](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/getting_started#adding-credentials).`
	`19`	`+`
	`20`	`+##Required permissions / policy`
	`21`	`+`
	`22`	`+The user or service account used by the Terraform provisioner should have the following roles`
	`23`	`+`
	`24`	`+- Compute Admin`

`‎examples/templates/gcp-windows/main.tf`

Lines changed: 4 additions & 17 deletions

Original file line number	Diff line number	Diff line change
`@@ -11,20 +11,8 @@ terraform {`
`11`	`11`	`}`
`12`	`12`	`}`
`13`	`13`
`14`		`-variable"service_account" {`
`15`		`-description=<<EOF`
`16`		`-Coder requires a Google Cloud Service Account to provision workspaces.`
`17`		`-`
`18`		`-1. Create a service account:`
`19`		`- https://console.cloud.google.com/projectselector/iam-admin/serviceaccounts/create`
`20`		`-2. Add the roles:`
`21`		`- - Compute Admin`
`22`		`- - Service Account User`
`23`		`-3. Click on the created key, and navigate to the "Keys" tab.`
`24`		`-4. Click "Add key", then "Create new key".`
`25`		`-5. Generate a JSON private key, and paste the contents below.`
`26`		`-EOF`
`27`		`-sensitive=true`
	`14`	`+variable"project_id" {`
	`15`	`+description="Which Google Compute Project should your workspace live in?"`
`28`	`16`	`}`
`29`	`17`
`30`	`18`	`variable"zone" {`
`@@ -37,9 +25,8 @@ variable "zone" {`
`37`	`25`	`}`
`38`	`26`
`39`	`27`	`provider"google" {`
`40`		`-zone=var.zone`
`41`		`-credentials=var.service_account`
`42`		`-project=jsondecode(var.service_account).project_id`
	`28`	`+zone=var.zone`
	`29`	`+project=var.project_id`
`43`	`30`	`}`
`44`	`31`
`45`	`32`	`data"coder_workspace""me" {`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit847e2b1

File tree

11 files changed

11 files changed

`‎docs/templates.md`

`‎examples/templates/aws-linux/README.md`

`‎examples/templates/aws-linux/main.tf`

`‎examples/templates/aws-windows/README.md`

`‎examples/templates/aws-windows/main.tf`

`‎examples/templates/gcp-linux/README.md`

`‎examples/templates/gcp-linux/main.tf`

`‎examples/templates/gcp-vm-container/README.md`

`‎examples/templates/gcp-vm-container/main.tf`

`‎examples/templates/gcp-windows/README.md`

`‎examples/templates/gcp-windows/main.tf`

0 commit comments