Separate credentials from other environment variables (#583)

0x2b3bfa0 · restyled-commits · web-flow · commit 5f3f581a6e42 · 2022-05-18T03:44:26.000+02:00
* Separate task credentials from task script

* Simplify environment variable escaping code

* Restyled by gofmt

* Use raw variables for credentials

* Restyled by gofmt

* Move /var/cache to /opt

Co-authored-by: Restyled.io &lt;commits@restyled.io&gt;
diff --git a/task/aws/resources/resource_launch_template.go b/task/aws/resources/resource_launch_template.go
@@ -45,12 +45,8 @@ func (l *LaunchTemplate) Create(ctx context.Context) error {
 	if l.Attributes.Environment.Variables == nil {
 		l.Attributes.Environment.Variables = make(map[string]*string)
 	}
-	for name, value := range *l.Dependencies.Credentials.Resource {
-		valueCopy := value
-		l.Attributes.Environment.Variables[name] = &valueCopy
-	}
 
-	script := machine.Script(l.Attributes.Environment.Script, l.Attributes.Environment.Variables, l.Attributes.Environment.Timeout)
+	script := machine.Script(l.Attributes.Environment.Script, l.Dependencies.Credentials.Resource, l.Attributes.Environment.Variables, l.Attributes.Environment.Timeout)
 	userData := base64.StdEncoding.EncodeToString([]byte(script))
 
 	size := l.Attributes.Size.Machine
diff --git a/task/az/resources/resource_virtual_machine_scale_set.go b/task/az/resources/resource_virtual_machine_scale_set.go
@@ -75,12 +75,8 @@ func (v *VirtualMachineScaleSet) Create(ctx context.Context) error {
 	if v.Attributes.Environment.Variables == nil {
 		v.Attributes.Environment.Variables = make(map[string]*string)
 	}
-	for name, value := range *v.Dependencies.Credentials.Resource {
-		valueCopy := value
-		v.Attributes.Environment.Variables[name] = &valueCopy
-	}
 
-	script := machine.Script(v.Attributes.Environment.Script, v.Attributes.Environment.Variables, v.Attributes.Environment.Timeout)
+	script := machine.Script(v.Attributes.Environment.Script, v.Dependencies.Credentials.Resource, v.Attributes.Environment.Variables, v.Attributes.Environment.Timeout)
 
 	image := v.Attributes.Environment.Image
 	images := map[string]string{
diff --git a/task/common/machine/script.go b/task/common/machine/script.go
@@ -7,25 +7,32 @@ import (
 	"strings"
 	"time"
 
+	"github.com/alessio/shellescape"
+
 	"terraform-provider-iterative/task/common"
 )
 
-func Script(script string, variables common.Variables, timeout time.Duration) string {
-	var environment string
+func Script(script string, credentials *map[string]string, variables common.Variables, timeout time.Duration) string {
+	timeoutString := strconv.Itoa(int(timeout / time.Second))
+	if timeout <= 0 {
+		timeoutString = "infinity"
+	}
+
+	environment := ""
 	for name, value := range variables.Enrich() {
 		escaped := strings.ReplaceAll(value, `"`, `\"`) // FIXME: \" edge cases.
 		environment += fmt.Sprintf("%s=\"%s\"\n", name, escaped)
 	}
 
-	timeoutString := strconv.Itoa(int(timeout / time.Second))
-	if timeout <= 0 {
-		timeoutString = "infinity"
+	exportCredentials := ""
+	for name, value := range *credentials {
+		exportCredentials += "export " + shellescape.Quote(name+"="+value) + "\n"
 	}
 
 	return fmt.Sprintf(
 		`#!/bin/bash
-sudo mkdir --parents /tmp/tpi-task
-chmod u=rwx,g=rwx,o=rwx /tmp/tpi-task
+sudo mkdir --parents /opt/task/directory
+chmod u=rwx,g=rwx,o=rwx /opt/task/directory
 
 base64 --decode << END | sudo tee /usr/bin/tpi-task > /dev/null
 %s
@@ -35,37 +42,44 @@ chmod u=rwx,g=rx,a=rx /usr/bin/tpi-task
 sudo tee /usr/bin/tpi-task-shutdown << 'END'
 #!/bin/bash
 sleep 20; while pgrep rclone > /dev/null; do sleep 1; done
+source /opt/task/credentials
 if ! test -z "$CI"; then
   cml rerun-workflow
 fi
 (systemctl is-system-running | grep stopping) || tpi --stop;
 END
 chmod u=rwx,g=rx,o=rx /usr/bin/tpi-task-shutdown
 
-base64 --decode << END | sudo tee /tmp/tpi-environment > /dev/null
+base64 --decode << END | sudo tee /opt/task/variables > /dev/null
 %s
 END
-chmod u=rw,g=,o= /tmp/tpi-environment
+base64 --decode << END | sudo tee /opt/task/credentials > /dev/null
+%s
+END
+chmod u=rw,g=,o= /opt/task/variables
+chmod u=rw,g=,o= /opt/task/credentials
 
 while IFS= read -rd $'\0' variable; do
   export "$(perl -0777p -e 's/\\"/"/g;' -e 's/(.+?)="(.+)"/$1=$2/sg' <<< "$variable")"
-done < <(perl -0777pe 's/\n*(.+?=".*?((?<!\\)"|\\\\"))\n*/$1\x00/sg' /tmp/tpi-environment)
+done < <(perl -0777pe 's/\n*(.+?=".*?((?<!\\)"|\\\\"))\n*/$1\x00/sg' /opt/task/variables)
 
 TPI_MACHINE_IDENTITY="$(uuidgen)"
 TPI_LOG_DIRECTORY="$(mktemp --directory)"
-TPI_DATA_DIRECTORY="/tmp/tpi-task"
+TPI_DATA_DIRECTORY="/opt/task/directory"
+
+source /opt/task/credentials
 
 sudo tee /etc/systemd/system/tpi-task.service > /dev/null <<END
 [Unit]
   After=default.target
 [Service]
   Type=simple
   ExecStart=-/bin/bash -lc 'exec /usr/bin/tpi-task'
-  ExecStop=/bin/bash -c 'systemctl is-system-running | grep stopping || echo "{\\\\"result\\\\": \\\\"\$SERVICE_RESULT\\\\", \\\\"code\\\\": \\\\"\$EXIT_STATUS\\\\", \\\\"status\\\\": \\\\"\$EXIT_CODE\\\\"}" > "$TPI_LOG_DIRECTORY/status-$TPI_MACHINE_IDENTITY" && RCLONE_CONFIG= rclone copy "$TPI_LOG_DIRECTORY" "\$RCLONE_REMOTE/reports"'
+  ExecStop=/bin/bash -c 'source /opt/task/credentials; systemctl is-system-running | grep stopping || echo "{\\\\"result\\\\": \\\\"\$SERVICE_RESULT\\\\", \\\\"code\\\\": \\\\"\$EXIT_STATUS\\\\", \\\\"status\\\\": \\\\"\$EXIT_CODE\\\\"}" > "$TPI_LOG_DIRECTORY/status-$TPI_MACHINE_IDENTITY" && RCLONE_CONFIG= rclone copy "$TPI_LOG_DIRECTORY" "\$RCLONE_REMOTE/reports"'
   ExecStopPost=/usr/bin/tpi-task-shutdown
   Environment=HOME=/root
-  EnvironmentFile=/tmp/tpi-environment
-  WorkingDirectory=/tmp/tpi-task
+  EnvironmentFile=/opt/task/variables
+  WorkingDirectory=/opt/task/directory
   TimeoutStartSec=%s
   TimeoutStopSec=infinity
 [Install]
@@ -100,7 +114,7 @@ if ! command -v rclone 2>&1 > /dev/null; then
   rm --recursive rclone-*-linux-amd64*
 fi
 
-rclone copy "$RCLONE_REMOTE/data" /tmp/tpi-task
+rclone copy "$RCLONE_REMOTE/data" /opt/task/directory
 
 yes | /etc/profile.d/install-driver-prompt.sh # for GCP GPU machines
 
@@ -139,5 +153,6 @@ done &
 `,
 		base64.StdEncoding.EncodeToString([]byte(script)),
 		base64.StdEncoding.EncodeToString([]byte(environment)),
+		base64.StdEncoding.EncodeToString([]byte(exportCredentials)),
 		timeoutString)
 }
diff --git a/task/gcp/resources/resource_instance_template.go b/task/gcp/resources/resource_instance_template.go
@@ -58,12 +58,8 @@ func (i *InstanceTemplate) Create(ctx context.Context) error {
 	if i.Attributes.Environment.Variables == nil {
 		i.Attributes.Environment.Variables = make(map[string]*string)
 	}
-	for name, value := range *i.Dependencies.Credentials.Resource {
-		valueCopy := value
-		i.Attributes.Environment.Variables[name] = &valueCopy
-	}
 
-	script := machine.Script(i.Attributes.Environment.Script, i.Attributes.Environment.Variables, i.Attributes.Environment.Timeout)
+	script := machine.Script(i.Attributes.Environment.Script, i.Dependencies.Credentials.Resource, i.Attributes.Environment.Variables, i.Attributes.Environment.Timeout)
 
 	size := i.Attributes.Size.Machine
 	sizes := map[string]string{
