google-github-actions / setup-gcloud

A GitHub Action for installing and configuring the gcloud CLI.

Home Page: https://cloud.google.com/sdk/docs

resource-config failure

geret1 opened this issue

TL;DR

I'm trying to export existing resources in my GCP project to terraform files by using GHA. It's failing due to stdin issues with parameters.

Expected behavior

To obtain the output terraform file with all GCP resources.

Observed behavior

It seems that the gcloud command is not detecting input parameters.

Action YAML

resources:
    runs-on: ubuntu-latest
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
      - name: Authenticate via Workload Identity Federation
        id: wif
        uses: 'google-github-actions/auth@v0'
        with:
          workload_identity_provider: ${{ env.WIF_PROVIDER }}
          service_account: ${{ env.WIF_SA }}
      
      - name: 'Set up Cloud SDK'
        uses: 'google-github-actions/setup-gcloud@v1'
      
      - name: 'Export terraform'
        id: export_terraform
        run: |
          gcloud --quiet beta resource-config bulk-export --resource-format=terraform

Log output

error in 'config-connector' version '1.93.0': cannot supply input on stdin with the 'project' parameter
ERROR: (gcloud.beta.resource-config.bulk-export) The bulk-export command could not finish correctly.


Additional information

No response

Hi @geret1

Can you please provide the debug logs? The error says that it's prompting for the "--project" flag, but that fails since it's not an interactive environment.

The project should be set by the auth action, and the debug logs will help determine why that's not happening.

Thanks! What step do you need, auth or resource-config?

The entire debug logs for the workflow.

Hi @geret1 - It looks like the gcloud command requires a --project flag and it is explicitly not inherited from core/project. Therefore, you'll need to pass in a project ID as a flag:

- name: 'Export terraform'
  id: export_terraform
  run: |
    # TODO: set PROJECT_ID to your project ID
    gcloud --quiet beta resource-config bulk-export --project "${{ env.PROJECT_ID }}" --resource-format=terraform

It's more strange because the output is the same even with the --project parameter. It looks like the bulk-export command doesn't accept parameters.

Hmm - that's weird. What happens if you run locally?

Yep, totally weird. Locally, with gcloud auth login and the owner role, it works without problems, but with WIF something strange is happening.

Putting verbosity to debug in gcloud I see the following command:

DEBUG: Executing command: ['/opt/hostedtoolcache/gcloud/410.0.0/x64/bin/config-connector', '--oauth2-token', '***................................................................................................................................................................................................................................................................................................................................................................................................................................', 'bulk-export', '--on-error', 'ignore', '--project', 'my-project, '--resource-format', 'hcl', '--iam-format', 'none']

Locally, the oauth2-token differs (the dots, I mean):

DEBUG: Executing command: ['./google-cloud-sdk/bin/config-connector', '--oauth2-token', '***', 'bulk-export', '--on-error', 'ignore', '--project', 'my-project', '--resource-format', 'hcl', '--iam-format', 'none']

@geret1 revoke your tokens please :). Those are valid auth credentials.
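
Added example, not part of the original thread or of either project: a small scrubber to run over gcloud debug output before pasting it into an issue, replacing the value that follows `--oauth2-token` in the "Executing command" line shown above. The function names, the `[REDACTED]` marker and the sample log are assumptions constructed for illustration.

```python
import re

# Flags whose value is a credential. '--oauth2-token' is the one visible in the
# debug line above; extend the tuple for other tools (assumption).
SECRET_FLAGS = ("--oauth2-token",)
_FLAGS = "|".join(re.escape(f) for f in SECRET_FLAGS)

# Matches both spellings inside the printed argv list:
#   '--oauth2-token', 'VALUE'     and     '--oauth2-token=VALUE'
# It works on raw text, so a line with a damaged quote elsewhere still scrubs.
_TOKEN = re.compile(r"(?P<head>'(?:%s)(?:=|',\s*'))(?P<value>[^']*)'" % _FLAGS)


def scrub_line(line):
    """Return (scrubbed line, number of credential values replaced)."""
    hits = 0

    def replace(match):
        nonlocal hits
        # A value made only of '*' (or empty) is already masked; keep it.
        if match.group("value").strip("*") == "":
            return match.group(0)
        hits += 1
        return match.group("head") + "[REDACTED]'"

    return _TOKEN.sub(replace, line), hits


def scrub_log(text):
    """Scrub a whole log; return (clean text, 1-based lines that held a value)."""
    clean, leaked = [], []
    for number, line in enumerate(text.splitlines(), 1):
        scrubbed, hits = scrub_line(line)
        clean.append(scrubbed)
        if hits:
            leaked.append(number)
    return "\n".join(clean), leaked


# Constructed sample: the token is a made-up string, and line 1 keeps the
# unbalanced quote after my-project seen in the log quoted above.
SAMPLE = """\
DEBUG: Executing command: ['/opt/bin/config-connector', '--oauth2-token', 'CONSTRUCTED-TOKEN-VALUE', 'bulk-export', '--project', 'my-project, '--resource-format', 'hcl']
DEBUG: Executing command: ['./bin/config-connector', '--oauth2-token', '***', 'bulk-export', '--project', 'my-project']
ERROR: (gcloud.beta.resource-config.bulk-export) The bulk-export command could not finish correctly.
"""

if __name__ == "__main__":
    text, lines = scrub_log(SAMPLE)
    print(text)
    print("lines that carried a credential:", lines)
```

A reported line number means the token was already written to the original log, so scrubbing the copy you share does not replace revoking it.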

Hi @geret1 that definitely feels like a gcloud bug. I would recommend filing an issue with the gcloud team: https://cloud.google.com/sdk/docs/getting-support

ooooook thanks anyway for the support!

No problem - sorry, we don't control the gcloud CLI itself, just the installation and setup.

Oh, you could have google-github-actions/auth generate you an access_token that you pass in to the CLI manually as a workaround.

- uses: 'google-github-actions/auth@v1'
  id: 'auth'
  with: 
    format: 'access_token'

- name: 'Export terraform'
  id: export_terraform
  run: |
    gcloud --quiet beta resource-config bulk-export --oauth2-token=${{ steps.auth.outputs.access_token }} --resource-format=terraform

@geret1 I am having the same issue. Did you ever find a working solution?
@sethvargo Unfortunately, the --oauth2-token option does not exist; I tried the --access-token-file option, but that also throws the same error.

Using the script command worked for me 🎉

Here is roughly what it looks like:

export:
  name: Find drifts
  runs-on: ubuntu-latest
  permissions:
    contents: read
    id-token: write
  steps:
    - name: Checkout
      uses: actions/checkout@v4
    - id: auth
      name: "Authenticate to Google Cloud"
      uses: "google-github-actions/auth@v1"
      with:
        workload_identity_provider: "xxx"
        service_account: "xxx"
    - name: "Set up Cloud SDK"
      uses: "google-github-actions/setup-gcloud@v1"
    - name: Install components
      run: |
        gcloud components install beta --quiet
        gcloud components install config-connector --quiet
    - id: export
      name: Export GCP resources
      working-directory: compare
      run: script --return --quiet -c "gcloud beta resource-config bulk-export --resource-format=terraform --project=xxx" /dev/null