resource-config failure
geret1 opened this issue
### TL;DR
I'm trying to export existing resources in my GCP project to terraform files by using GHA. It's failing due to stdin issues with parameters.
### Expected behavior
To obtain the output terraform file with all GCP resources.
### Observed behavior
It seems that the gcloud command is not detecting input parameters.
### Action YAML
```yaml
resources:
  runs-on: ubuntu-latest
  permissions:
    contents: 'read'
    id-token: 'write'
  steps:
    - name: Authenticate via Workload Identity Federation
      id: wif
      uses: 'google-github-actions/auth@v0'
      with:
        workload_identity_provider: ${{ env.WIF_PROVIDER }}
        service_account: ${{ env.WIF_SA }}
    - name: 'Set up Cloud SDK'
      uses: 'google-github-actions/setup-gcloud@v1'
    - name: 'Export terraform'
      id: export_terraform
      run: |
        gcloud --quiet beta resource-config bulk-export --resource-format=terraform
```
### Log output
```
error in 'config-connector' version '1.93.0': cannot supply input on stdin with the 'project' parameter
ERROR: (gcloud.beta.resource-config.bulk-export) The bulk-export command could not finish correctly.
```
### Additional information
_No response_
Hi @geret1
Can you please provide the debug logs? The error says that it's prompting for the "--project" flag, but that fails since it's not an interactive environment.
The project should be set by the `auth` action, and the debug logs will help determine why that's not happening.
Thanks! What step do you need, auth or resource-config?
The entire debug logs for the workflow.
Hi @geret1 - It looks like the gcloud command requires a `--project` flag and it is explicitly not inherited from `core/project`. Therefore, you'll need to pass in a project ID as a flag:
```yaml
- name: 'Export terraform'
  id: export_terraform
  # TODO: set PROJECT_ID in the workflow env
  run: |
    gcloud --quiet beta resource-config bulk-export --project "${{ env.PROJECT_ID }}" --resource-format=terraform
```
It's more strange because the output is the same even with the `--project` parameter. It looks like the `bulk-export` command doesn't accept parameters.
Hmm - that's weird. What happens if you run locally?
Yep, totally weird. Locally, with `gcloud auth login` and the owner role, it works without problems, but with WIF something strange is happening.
Setting verbosity to debug in gcloud, I see the following command:
DEBUG: Executing command: ['/opt/hostedtoolcache/gcloud/410.0.0/x64/bin/config-connector', '--oauth2-token', '***................................................................................................................................................................................................................................................................................................................................................................................................................................', 'bulk-export', '--on-error', 'ignore', '--project', 'my-project, '--resource-format', 'hcl', '--iam-format', 'none']
Locally, the `oauth2-token` differs (the dots, I mean):
DEBUG: Executing command: ['./google-cloud-sdk/bin/config-connector', '--oauth2-token', '***', 'bulk-export', '--on-error', 'ignore', '--project', 'my-project', '--resource-format', 'hcl', '--iam-format', 'none']
@geret1 revoke your tokens please :). Those are valid auth credentials.
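Added example (not part of the thread, and not code from gcloud or google-github-actions): a filter that scrubs the argument following `--oauth2-token` from debug output before it is pasted into an issue, replacing the whole argument rather than relying on whatever part the CI masker caught. The sample log lines, the binary path in them and the `[REDACTED]` marker are constructed.

```python
import re

# "--oauth2-token" is the flag visible in the debug line in this thread;
# extend the tuple for other tools (any additions are your own assumption).
SECRET_FLAGS = ("--oauth2-token",)
_FLAGS = "|".join(re.escape(f) for f in SECRET_FLAGS)

# repr()-style argv list as gcloud logs it:  '--oauth2-token', '<value>'
_ARGV = re.compile(rf"(?P<head>(['\"])(?:{_FLAGS})\2\s*,\s*)(['\"]).*?\3")
# Plain command line:  --oauth2-token=<value>  or  --oauth2-token <value>
_CLI = re.compile(rf"(?P<head>(?:{_FLAGS})[=\s]+)\S+")
# Bare Google OAuth2 access tokens start with "ya29."; trailing dots included.
_BARE = re.compile(r"ya29\.[0-9A-Za-z_.\-]+")

MARK = "[REDACTED]"  # constructed marker, not something gcloud emits


def redact(line: str) -> str:
    """Return the line with every credential argument replaced by MARK."""
    line = _ARGV.sub(lambda m: m.group("head") + "'" + MARK + "'", line)
    line = _CLI.sub(lambda m: m.group("head") + MARK, line)
    return _BARE.sub(MARK, line)


def scrub(log: str):
    """Redact a whole log; also return the 1-based numbers of changed lines."""
    out, hits = [], []
    for number, line in enumerate(log.splitlines(), 1):
        clean = redact(line)
        if clean != line:
            hits.append(number)
        out.append(clean)
    return "\n".join(out), hits


# Constructed sample input: the token values below are fake.
SAMPLE = (
    "DEBUG: Executing command: ['/opt/bin/config-connector', '--oauth2-token', "
    "'ya29.CONSTRUCTED-not-a-real-token....', 'bulk-export', '--project', 'my-project']\n"
    "ERROR: (gcloud.beta.resource-config.bulk-export) The bulk-export command "
    "could not finish correctly.\n"
    "+ config-connector --oauth2-token=ya29.CONSTRUCTED-second.... bulk-export\n"
)

if __name__ == "__main__":
    cleaned, changed = scrub(SAMPLE)
    print(cleaned)
    print("lines that carried a credential:", changed)
```

Scrubbing only helps before publication; a token that has already been posted still has to be revoked.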
Hi @geret1 that definitely feels like a gcloud bug. I would recommend filing an issue with the gcloud team: https://cloud.google.com/sdk/docs/getting-support
ooooook thanks anyway for the support!
No problem - sorry, we don't control the gcloud CLI itself, just the installation and setup.
Oh, you could have google-github-actions/auth generate you an access_token that you pass in to the CLI manually as a workaround.
```yaml
- uses: 'google-github-actions/auth@v1'
  id: 'auth'
  with:
    format: 'access_token'
- name: 'Export terraform'
  id: export_terraform
  run: |
    gcloud --quiet beta resource-config bulk-export --oauth2-token=${{ steps.auth.outputs.access_token }} --resource-format=terraform
```
@geret1 I am having the same issue. Did you ever find a working solution?
@sethvargo Unfortunately, the `--oauth2-token` option does not exist; I tried the `--access-token-file` option, but that also throws the same error.
Using the `script` command worked for me 🎉
Here is roughly what it looks like:
```yaml
export:
  name: Find drifts
  runs-on: ubuntu-latest
  permissions:
    contents: read
    id-token: write
  steps:
    - name: Checkout
      uses: actions/checkout@v4
    - id: auth
      name: "Authenticate to Google Cloud"
      uses: "google-github-actions/auth@v1"
      with:
        workload_identity_provider: "xxx"
        service_account: "xxx"
    - name: "Set up Cloud SDK"
      uses: "google-github-actions/setup-gcloud@v1"
    - name: Install components
      run: |
        gcloud components install beta --quiet
        gcloud components install config-connector --quiet
    - id: export
      name: Export GCP resources
      working-directory: compare
      run: script --return --quiet -c "gcloud beta resource-config bulk-export --resource-format=terraform --project=xxx" /dev/null
```