Skip to content

Step 7 - Utils pipeline

This pipeline is created for adding some more functionalities to the infrastsructure for e.g. creating a console user in client's env. This is not necessary to be deployed for the application to work rather it acts as a supportive utility pipeline.

  1. All the below operations are to be performed under the terraform organization created in the step 2.
  2. Setting up the workspace
    • Create a workspace with name utils prefixed with the organization's environment type. For e.g. if env is prod then the workspace name will be prod-utils.
    • Choose /utils in the terraform github repository for version control with default branch pointing to master.
    • Configure the following variables for the workspace
      1. console_user - (HCL)(sensitive) user details and the permissions to attach to the user. set enable to true, give a name to the user in username field, attach policies like [admin] and give base64 encoded public key (password protected) to encrypt the credentials generated for the user in the pipeline.
            enable   = true
            username = ""
            policies = [
              # list of policies to attach
            public_key = ""
  3. Attach this workspace to the respective variable set of the organization created in Step 2.
  4. Run the pipeline by Actions.
    • Click on Actions and then Start new run to start a new run.
    • Below variables are present in the output
      1. user_details - (sensitive) encrypted details of the user with credentials
  5. To obtain the credentials for the AWS console user we need to first obtain the token and the workspace ID.
    • Token is used to authenticate to the terraform cloud. To obtain Token
      1. click on your profile in terraform cloud
      2. click on User settings
      3. click on Tokens
      4. click on Create an API token.
    • Workspace ID is the unique ID of the workspace.
      1. go inside your terraform organization.
      2. Enter your workspace (here: <ENV>-utils)
      3. Just below the name of the workspace you will find your workspace ID starting with ws.
  6. To decrypt the user_details in the output above, we need to have the private key for the corresponding public key and its password.
    # token and workspace ID here
    export TF_TOKEN="xxx"
    export WORKSPACE_ID="xxx"
    # for username
    export CONSOLE_USERNAME=$(curl --silent --header "Authorization: Bearer $TF_TOKEN"$(curl   --silent --header "Authorization: Bearer $TF_TOKEN"   --header "Content-Type: application/vnd.api+json"$WORKSPACE_ID/current-state-version-outputs | jq -r '.data[] | select("user_details") | .links.self') | jq -r '.data.attributes.value | keys[]')
    # for password (requires above command to be executed first and you must have the private key loaded in gpg)
    # enter the password for private key to decrypt
    export CONSOLE_USERNAME_PASSWORD=$(curl --silent --header "Authorization: Bearer $TF_TOKEN"$(curl   --silent --header "Authorization: Bearer $TF_TOKEN"   --header "Content-Type: application/vnd.api+json"$WORKSPACE_ID/current-state-version-outputs | jq -r '.data[] | select("user_details") | .links.self') | jq -r --arg user "${CONSOLE_USERNAME}" '.data.attributes.value[$user]' | base64 -d | gpg --decrypt)
  7. You have your username and password in CONSOLE_USERNAME and CONSOLE_USERNAME_PASSWORD env variables.