-
Notifications
You must be signed in to change notification settings - Fork 9.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add manta remote state backend #8830
Conversation
Hi @watters! I strongly approve of this PR, obviously! I'll look at getting it tested and merged into Terraform shortly. |
Hi @watters - I've made a quick review of this, but can't figure out via the various layers of indirection which environment variables need to be set to make the tests run here? Can you shed some light on this (and maybe fix up the "MANTA_USER and friends" comment to reflect that 😆)? Thanks! |
23db975
to
7bedd2b
Compare
@jen20 thanks so much for taking a look at this so soon! I've updated the skip message in the tests to be explicit about all three Manta environment variables that must be set. I also added a link to the Manta documentation for setting up the environment in the website documentation. When running Let me know if there are any other changes you'd like to see. |
Hi @watters - those changes look good to me. Running the tests I'm still seeing "Error getting Manta credentials: An error occurred while parsing the key: asn1: structure error: length too large" however - the key is in the agent and available unencrypted on disk, though it's unclear where it would be loaded from? FWIW, the manta command line tools work correctly with the same environment variables set. |
I'll see if I can repro. That error is coming from the underlying auth bits in
|
…e and link to Manta docs for env setup
…kend - expose MANTA_KEY_MATERIAL environment variable (previously specified via keyName parameter) and make it required; no defaults - stop relying on some of the Joyent go libraries' underlying environment variable config magic (it doesn't appear to play nice if you have different values in MANTA_USER and SDC_ACCOUNT) - explicitly check for passphrase-protected SSH keys, which are currently unsupported, and generate a more helpful error (borrowed from Packer's solution to the same problem): https://github.com/mitchellh/packer/blob/master/common/ssh/key.go#L27 - update documentation to reflect these changes
188ebc4
to
63b068d
Compare
return nil, fmt.Errorf("Error reading key material from %s: %s", | ||
keyMaterial, err) | ||
} else { | ||
block, _ := pem.Decode(keyBytes) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was cribbed directly from https://github.com/mitchellh/packer/blob/master/common/ssh/key.go#L27
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yup, this is working now.
@jen20 I was able to reproduce the error message you described when using a passphrase-protected 4096-bit SSH key. The underlying auth code chokes on passphrase-protected keys and currently only supports keys specified by file path or decrypted into an environment variable. I've exposed the key path via environment the variable Hopefully, this gets the tests passing for you. I'd already determined before submitting this PR that Joyent's Go library for Manta probably needed a re-write, and now I'm only even more convinced. |
That explains a lot - I have a separate unencrypted key for testing with HashiCorp's Joyent account rather than my personal (encrypted) key, so |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
return nil, fmt.Errorf("Error reading key material from %s: %s", | ||
keyMaterial, err) | ||
} else { | ||
block, _ := pem.Decode(keyBytes) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yup, this is working now.
"Failed to read key material '%s': no key found", keyMaterial) | ||
} | ||
|
||
if block.Headers["Proc-Type"] == "4,ENCRYPTED" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is great - we should roll it out into the Triton provider as well.
Example test run:
|
Hi @watters! I've run the tests and reviewed this and it seems fine. I've rebased to master and squashed some of the commits (leaving the vendoring separate). Finally, I've fixed up the documentation sidebar for remote state to include the Manta option. This has landed in 72a341b and b4eb63d, though GitHub sadly doesn't reflect that here! Thanks for your work! |
Thank you! |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
I tried to match what the other backends offered in terms of documentation and testing, but any/all feedback is welcome.
I've marked this [WIP] for now while I continue to exercise it, but I wanted to invite any feedback early on.