fix: terraform runner container dependencies

henryde · henryde · commit 7c8639183c5d · 2023-12-11T06:54:20.000Z
Also improves logging of cron process.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,154 +1,188 @@
 # Changelog
 
-## vNEXT
+## v1.8.0
 
 ### OSB
 
 Breaking Changes:
 
-- unipipe service broker now uses `main` as the default branch instead of `master` to better align with defaults set up 
-  by most git hosting platforms. Please make sure you explicitly configure `GIT_REMOTE_BRANCH` 
+- unipipe service broker now uses `main` as the default branch instead of `master` to better align with defaults set up
+  by most git hosting platforms. Please make sure you explicitly configure `GIT_REMOTE_BRANCH`
   (see [configuration reference](https://github.com/meshcloud/unipipe-service-broker/wiki/Reference#configuration-reference))
   to avoid any unexpected change in branch.
 
+### Terraform Runner
+
+- make cron logs visible
+- add missing dependencies to container
+- require `GIT_REMOTE_BRANCH`
 
 ## v1.7.8
 
 ### CLI
+
 - no changes
 
 ### OSB
+
 - no changes
 
 ### Terraform Runner
+
 - fix issue with cron invocation
 
 ## v1.7.7
 
 ### CLI
+
 - no changes
 
 ### OSB
+
 - update base docker image
 
 ### Terraform Runner
+
 - update base docker image
 - update terraform to v1.3.10
 
 ## v1.7.6
 
 ### CLI
+
 - no changes
 
 ### OSB
+
 - fix getServiceInstanceBinding endpoint to return a 404, if binding does not exist
 
 ### Terraform Runner
+
 - update terraform to v1.3.7
 - env variable KNWON_HOSTS now supports empty values
 
 ## v1.7.5
 
 ### CLI
+
 - no changes
 
 ### OSB
+
 - Fixed a bug that prevented a ServiceInstance update request to get executed if planId was null
 
 ### Terraform Runner
+
 - Configure known hosts via environment variable
 
 ## v1.7.4
 
 ### Terraform Runner
+
 - Configure known hosts via environment variable
 
 ## v1.7.3
 
 ### CLI
+
 - New command `unipipe git` runs Git pull/push commands resiliently. It takes care of retrying and rebasing if needed to make sure a push will be successful.
 
 ### OSB
+
 - no changes
 
 ### Terraform Runner
+
 - Improve terraform-runner to use the new `unipipe git` command for Git operations.
 
 ## v1.7.2
 
 ### CLI
+
 - new command unipipe generate terraform-runner-hello-world will generate a sample catalog + terraform files for use with unipipe terraform command
 
 ### Terraform Runner
+
 - Improve runner script robustness
 - Abort cron job if Git repo setup fails
 
 ### OSB
+
 - no changes
 
 ## v1.7.1
 
 ### Terraform Runner
+
 - terraform-runner fix for Azure Container Instances
 
 ### CLI
+
 - no changes
 
 ### OSB
+
 - no changes
 
 ## v1.7.0
+
 ### CLI
 
 - Fixed zsh completions
 - `unipipe terraform` updates status.yml to succeeded for service instances without any binding
 - A `UniPipe Terraform Runner` docker container is now available. You can find the versioned containers
-[here](https://github.com/meshcloud/unipipe-service-broker/pkgs/container/unipipe-terraform-runner).
-It can be configured via a few environment variables and executes `unipipe terraform` every minute
-for the configured git repository. It also pulls changes from and pushes updated status.yml files,
-etc to the configured git repository. Using this `UniPipe Terraform Runner` together with the
-`UniPipe Service Broker` results in a fully functional service broker.
+  [here](https://github.com/meshcloud/unipipe-service-broker/pkgs/container/unipipe-terraform-runner).
+  It can be configured via a few environment variables and executes `unipipe terraform` every minute
+  for the configured git repository. It also pulls changes from and pushes updated status.yml files,
+  etc to the configured git repository. Using this `UniPipe Terraform Runner` together with the
+  `UniPipe Service Broker` results in a fully functional service broker.
 - Fixed mixed up plan and service column in `unipipe list` command. Service names are now shown
-in the Service column and plans are shown in the Plan column.
+  in the Service column and plans are shown in the Plan column.
 - Added manual parameter input to `unipipe terraform` processing. This can be used if before executing
-Terraform for a Service Instance, an operator needs to take some manual action and provide additional
-input to the Terraform module. This can be used to e.g. provide an IP range for a service instance of a
-networking service, if no IPAM solution is in place. The operator just needs to put a `params.yml` in
-the according instance folder. Once this file is available the `unipipe terraform` command will apply Terraform.
-Whether a service requires this manual input can be defined in the metadata of a Service Plan in the service catalog.
+  Terraform for a Service Instance, an operator needs to take some manual action and provide additional
+  input to the Terraform module. This can be used to e.g. provide an IP range for a service instance of a
+  networking service, if no IPAM solution is in place. The operator just needs to put a `params.yml` in
+  the according instance folder. Once this file is available the `unipipe terraform` command will apply Terraform.
+  Whether a service requires this manual input can be defined in the metadata of a Service Plan in the service catalog.
 - Support usage of Terraform Backend for `unipipe terraform` command. If a backend.tf file exists in the service's
-terraform folder it is copied to the binding directory where Terraform is executed. No configuration of
-the backend.tf can be done. The file will be used as is. In order to separate the different tfstates in the backend,
-the `unipipe terraform` command uses Terraform Workspaces. A workspace will be created for every service binding.
-Credentials for accessing the backend have to be set via environment variables. If e.g. an azure backend is used,
-ARM_CLIENT_ID and ARM_CLIENT_SECRET have to be set.
+  terraform folder it is copied to the binding directory where Terraform is executed. No configuration of
+  the backend.tf can be done. The file will be used as is. In order to separate the different tfstates in the backend,
+  the `unipipe terraform` command uses Terraform Workspaces. A workspace will be created for every service binding.
+  Credentials for accessing the backend have to be set via environment variables. If e.g. an azure backend is used,
+  ARM_CLIENT_ID and ARM_CLIENT_SECRET have to be set.
 - `unipipe terraform` now supports the full lifecycle of a service instance. If a service instance or its binding is
-deleted, the `unipipe terraform` command applies a `terraform destroy` to remove the instance again.
+  deleted, the `unipipe terraform` command applies a `terraform destroy` to remove the instance again.
 - It is now possible to add a `--plan` option to `unipipe terraform`, which executes the command basically as a dry-run.
-Instead of doing `terraform apply`, a `terraform plan` is executed and the console output shows the result of `terraform plan`.
-No status.yml is updated in this case.
+  Instead of doing `terraform apply`, a `terraform plan` is executed and the console output shows the result of `terraform plan`.
+  No status.yml is updated in this case.
 - `unipipe terraform` provides the plan_id and plan_name as variables to the Terraform module.
 
 ### OSB
+
 - no changes
 
 ## v1.6.0
+
 ### CLI
 
 - Added a new `unipipe terraform` command to execute Terraform modules easily. For several service brokers execution
-of a Terraform Module is the central task they have to execute. The Terraform module must exist in the git repository
-that also contains the instances in a terraform/<serviceId> folder. It must be compatible with a specific set of variables
-that will be provided to it via the unipipe terraform command. These variables are determined dynamically via the parameters
-and bindResource information provided by the UniPipe Service Broker.
+  of a Terraform Module is the central task they have to execute. The Terraform module must exist in the git repository
+  that also contains the instances in a terraform/<serviceId> folder. It must be compatible with a specific set of variables
+  that will be provided to it via the unipipe terraform command. These variables are determined dynamically via the parameters
+  and bindResource information provided by the UniPipe Service Broker.
 
 ### OSB
+
 - no changes
 
 ## v1.5.2
+
 ### CLI
+
 - no changes
 
 ### OSB
+
 - fix: handling x-forward-headers
 
 ## v1.5.0
diff --git a/terraform-runner/Dockerfile b/terraform-runner/Dockerfile
@@ -1,9 +1,7 @@
 FROM ubuntu:jammy
 
-# RUN apt-get
-# RUN apk add curl bash sudo jq git openssh
 RUN apt-get update && \
-  apt-get install -y --no-install-recommends curl jq cron ca-certificates && \
+  apt-get install -y --no-install-recommends curl jq cron ca-certificates git ssh && \
   rm -rf /var/lib/apt/lists/*
 
 # terraform
@@ -12,11 +10,6 @@ COPY --from=hashicorp/terraform:1.3.10 /bin/terraform /usr/local/bin/terraform
 # unipipe cli
 RUN curl https://raw.githubusercontent.com/meshcloud/unipipe-service-broker/main/cli/install.sh | bash
 
-# unipipe terraform cron
-COPY unipipe-terraform-cron /etc/cron.d/unipipe-terraform-cron
-RUN chmod 0644 /etc/cron.d/unipipe-terraform-cron
-RUN crontab /etc/cron.d/unipipe-terraform-cron
-
 RUN mkdir ~/unipipe
 COPY run-unipipe-terraform.sh /root/unipipe/run-unipipe-terraform.sh
 RUN chmod 0755 ~/unipipe/run-unipipe-terraform.sh
diff --git a/terraform-runner/entry.sh b/terraform-runner/entry.sh
@@ -1,10 +1,20 @@
 #!/usr/bin/env bash
 
-if [[ -z "$GIT_SSH_KEY" ]] || [[ -z "$GIT_USER_EMAIL" ]] || [[ -z "$GIT_USER_NAME" ]] || [[ -z "$GIT_REMOTE" ]] || [[ -z "$TF_VAR_platform_secret" ]]; then
-  echo "Container failed to start, please provide all of the following environment variables: GIT_SSH_KEY, GIT_USER_EMAIL, GIT_USER_NAME, GIT_REMOTE, TF_VAR_platform_secret"
+if [[ -z "$GIT_SSH_KEY" ]] || [[ -z "$GIT_USER_EMAIL" ]] || [[ -z "$GIT_USER_NAME" ]] || [[ -z "$GIT_REMOTE" ]] || [[ -z "$GIT_REMOTE_BRANCH" ]] || [[ -z "$TF_VAR_platform_secret" ]]; then
+  echo "Container failed to start, please provide all of the following environment variables: GIT_SSH_KEY, GIT_USER_EMAIL, GIT_USER_NAME, GIT_REMOTE, GIT_REMOTE_BRANCH, TF_VAR_platform_secret"
   exit 1
 else
   echo "All required environment variables set!"
+  {
+    printf 'export GIT_SSH_KEY="%s"\n' "$GIT_SSH_KEY"
+    printf 'export GIT_USER_EMAIL="%s"\n' "$GIT_USER_EMAIL"
+    printf 'export GIT_USER_NAME="%s"\n' "$GIT_USER_NAME"
+    printf 'export GIT_REMOTE="%s"\n' "$GIT_REMOTE"
+    printf 'export GIT_REMOTE_BRANCH="%s"\n' "$GIT_REMOTE_BRANCH"
+    printf 'export TF_VAR_platform_secret="%s"\n' "$TF_VAR_platform_secret"
+  } > ~/unipipe/terraform-runner-env.sh
+
+  echo '* * * * * ~/unipipe/run-unipipe-terraform.sh > /proc/1/fd/1 2>/proc/1/fd/2' | crontab -
 fi
 
 "$@"
diff --git a/terraform-runner/run-unipipe-terraform.sh b/terraform-runner/run-unipipe-terraform.sh
@@ -3,6 +3,8 @@ set -o errexit
 set -o errtrace
 set -o pipefail
 
+source ~/unipipe/terraform-runner-env.sh
+
 if [[ -n $KNOWN_HOSTS ]]; then
    echo "$KNOWN_HOSTS" > ~/.ssh/known_hosts
 fi
@@ -16,7 +18,7 @@ if [[ ! -d "$REPO_DIR" ]]; then
     cd ~/unipipe
     git config --global user.email "$GIT_USER_EMAIL"
     git config --global user.name "$GIT_USER_NAME"
-    git clone "$GIT_REMOTE" "$REPO_NAME"
+    git clone "$GIT_REMOTE" "$REPO_NAME" -b "$GIT_REMOTE_BRANCH"
 fi
 
 cd $REPO_DIR
diff --git a/terraform-runner/unipipe-terraform-cron b/terraform-runner/unipipe-terraform-cron
