Use Case
This article describes how to use the tfci CI/CD pipeline integration tool templates with a Terraform Enterprise instance that serves a certificate signed by an internal (private) certificate authority.
tfci runs in a Docker container in both the GitHub and GitLab CI/CD templates and, as such, validates Terraform Enterprise's certificate against the container image's own trusted certificate store when making API requests, not against the trust store of the runner host. When the tfci tool is run against a Terraform Enterprise instance whose certificate chains to a private CA that the image does not trust, the pipeline fails with the following error.
Get "https://<TFE_HOSTNAME>/api/v2/ping": x509: certificate signed by unknown authority
Procedure
Configuring these templates to validate Terraform Enterprise's certificate requires building a custom image that uses hashicorp/tfci as its base and adds the necessary CA certificates to the image's trusted certificate store, then overriding the default image in the CI/CD templates. Adding the CA to the trust store is the correct fix; disabling TLS verification would leave the API token passed to tfci exposed to interception.
- Create a Dockerfile which uses the hashicorp/tfci image as a base and copies the private CA certificate to the trusted certificates directory on the system. Copy only the CA certificate (PEM encoded, with a .crt suffix so update-ca-certificates picks it up), never the CA's private key. If Terraform Enterprise's certificate is issued by an intermediate CA that the server does not send in its chain, include the intermediate certificate as well.
# Pin a released tfci tag (and ideally an image digest) in production rather than :latest
FROM hashicorp/tfci:latest
# The base image is Alpine-based; ca-certificates provides update-ca-certificates
RUN apk --no-cache add ca-certificates
# Only the CA certificate is copied into the image, not the CA's private key
COPY privateCa.crt /usr/local/share/ca-certificates/privateCa.crt
# Merges /usr/local/share/ca-certificates/*.crt into the system bundle used for TLS verification
RUN update-ca-certificates
- Build and tag the custom image:
docker build -t <MY_ORG>/tfci:latest .
- Push the image to your organization's container registry:
docker push <MY_ORG>/tfci:latest
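As an added example (not part of the original article and not HashiCorp's own tooling), the following POSIX shell script wraps the steps above with the checks a practitioner would want before pushing the image: that the CA file is a PEM certificate with a .crt suffix and contains no private key material, that the file on its own actually validates the certificate the Terraform Enterprise host serves, and, after the build, that the image's own trust store accepts that certificate. It assumes the Dockerfile above is in the working directory, that openssl 1.1 or later and docker are installed on the host, and that the hashicorp/tfci base is Alpine-based (as its use of apk implies) so BusyBox wget, which verifies TLS, is available inside the image. The BusyBox error text matched by classify_wget_err, the file name privateCa.crt and the <MY_ORG> and <TFE_HOSTNAME> placeholders are assumptions carried over from the article.

```shell
#!/bin/sh
# Added example (not from the original article or HashiCorp): pre-flight checks and a
# post-build verification for the custom tfci image. Assumptions: the article's
# Dockerfile is in the current directory; the base image is Alpine-based, so BusyBox
# wget (which verifies TLS) exists inside it; openssl 1.1+ and docker are on the host.

# check_ca_file FILE: FILE must be PEM, contain no private key, and end in .crt
# (update-ca-certificates only installs *.crt from /usr/local/share/ca-certificates).
check_ca_file() {
  f="$1"
  case "$f" in
    *.crt) ;;
    *) echo "error: $f must have a .crt suffix" >&2; return 1 ;;
  esac
  if grep -q 'PRIVATE KEY' "$f"; then
    echo "error: $f contains private key material; copy only the certificate" >&2
    return 1
  fi
  if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
    echo "error: $f is not PEM (convert DER with: openssl x509 -inform der -in ca.der -out ca.crt)" >&2
    return 1
  fi
}

# count_certs FILE: number of PEM certificates in FILE. When TFE's certificate is issued
# by an intermediate that the server does not send, expect the intermediate here too.
count_certs() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# verify_chain HOST CAFILE: confirm from the host that CAFILE alone validates the
# certificate HOST serves. -no-CAfile/-no-CApath keep the host's own trust store out of
# the check, so a pass means the file really carries the needed chain.
verify_chain() {
  host="$1"; cafile="$2"
  out=$(openssl s_client -connect "$host:443" -servername "$host" \
        -CAfile "$cafile" -no-CAfile -no-CApath </dev/null 2>&1)
  case "$out" in
    *"Verify return code: 0 (ok)"*) return 0 ;;
    *) printf '%s\n' "$out" | grep 'Verify return code' >&2; return 1 ;;
  esac
}

# classify_wget_err MSG: interpret BusyBox wget's stderr captured inside the image
# (message text is assumed). An HTTP error status still means the TLS handshake
# succeeded, which is all that matters here; only a verification failure means the
# CA is not trusted by the image.
classify_wget_err() {
  case "$1" in
    *"certificate verification failed"*|*"certificate verify failed"*) echo untrusted ;;
    ""|*"server returned error: HTTP"*)                                 echo trusted ;;
    *)                                                                   echo unreachable ;;
  esac
}

# image_trusts HOST IMAGE: one HTTPS request from inside the built image using the
# image's own trust store (no --no-check-certificate).
image_trusts() {
  host="$1"; image="$2"
  err=$(docker run --rm --entrypoint sh "$image" -c \
        "wget -q -O /dev/null https://$host/api/v2/ping 2>&1 || true")
  [ "$(classify_wget_err "$err")" = trusted ] || { printf '%s\n' "$err" >&2; return 1; }
}

# Usage: ./build-tfci.sh <TFE_HOSTNAME> <MY_ORG>/tfci:<tag> privateCa.crt
if [ "$#" -eq 3 ]; then
  check_ca_file "$3" || exit 1
  echo "certificates in $3: $(count_certs "$3")"
  verify_chain "$1" "$3" || exit 1
  docker build -t "$2" . || exit 1
  image_trusts "$1" "$2" || exit 1
  echo "$2 trusts the CA serving $1; push it with: docker push $2"
fi
```

The in-image check deliberately ignores the HTTP status of the unauthenticated ping: a 401 or similar response proves the TLS handshake completed against the image's bundle, which is exactly the condition the original x509 error reports as failing. If the chain check on the host fails, fix the CA file (or add the missing intermediate) before building, since baking an incomplete chain into the image reproduces the same pipeline error.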
This custom image will need to be referenced in the CI workflows; see the VCS-specific instructions below.
GitHub Actions
- Copy the actions to a new location and overwrite the runs.image property with the custom image tag. The example below copies the upload-configuration action to a local action under .github/actions; the actions could also be forked and made available to other repositories in your organization.
# .github/actions/upload-configuration/action.yml
...
runs:
  using: docker
  image: 'docker://<MY_ORG>/tfci:latest'
  args:
    - tfci
    ## global flags
    - -hostname=${{ inputs.hostname }}
    - -token=${{ inputs.token }}
...
- Reference the action in your workflow:
# .github/workflows/my-workflow.yaml
...
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/upload-configuration
        id: upload
        with:
          workspace: ${{ env.TF_WORKSPACE }}
          directory: ${{ env.CONFIG_DIRECTORY }}
...
Gitlab CI/CD Pipelines
Override the image property under default in your project's .gitlab-ci.yml with the custom image tag. The remote base template is included unchanged; only the image is replaced.
# This file is a template, and might need editing before it works on your project.
# You can copy and paste this template into a new `.gitlab-ci.yml` file in your project.
# The link to the remote base template. Note that the base template URL is versioned. Please check the base template for additional variables that need to be defined in GitLab.
# Please subscribe to https://github.com/hashicorp/tfc-workflows-gitlab for updates.
include:
  remote: https://raw.githubusercontent.com/hashicorp/tfc-workflows-gitlab/v1.0.3/Base.gitlab-ci.yml
default:
  image: <MY_ORG>/tfci:latest
The tfci source code, including the Dockerfile for the base image, is open source and can be viewed at the following link.