diggerhq/tfrun@v0.1.6 SIGSEGV errors when testing with GCP #103

Closed
fleroux514 opened this issue Apr 4, 2023 · 12 comments
Labels
bug Something isn't working question Further information is requested

Comments

@fleroux514
Contributor

fleroux514 commented Apr 4, 2023

Currently testing the workflow proposed in https://github.com/diggerhq/digger-gcp-lock-demo.

One difference is that I have configured Workload identity federation to authenticate with Google using OIDC.

Also have made a change in the Use gcloud CLI by listing the content of the bucket to prove that service account has storage.buckets.get permission on it.

Workflow:

name: CI

on:
  push:
    branches: [ "master" ]
  pull_request:
    branches: [ "master" ]
    types: [ closed, opened, synchronize, reopened ]
  issue_comment:
    types: [created]
    if: contains(github.event.comment.body, 'digger')
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest

    permissions:
      contents: read
      id-token: write
      pull-requests: write

    env:
      SERVICE_ACCOUNT: sa-ar-digger-gha-any@prj-c-artifacts-62d0.iam.gserviceaccount.com
      GOOGLE_STORAGE_BUCKET: terraform-digger-gha-pr-locks-814b

    steps:
      - uses: actions/checkout@v3

      - name: Checkout Pull Request
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          PR_URL="${{ github.event.issue.pull_request.url }}"
          PR_NUM=${PR_URL##*/}
          echo "Checking out from PR #$PR_NUM based on URL: $PR_URL"
          hub pr checkout $PR_NUM
        if: github.event_name == 'issue_comment'
        
      - id: auth
        uses: google-github-actions/auth@v1
        with:
          token_format: access_token
          workload_identity_provider: ${{ secrets.GCP__GHA__WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ env.SERVICE_ACCOUNT }}

      - name: Set up Cloud SDK
        uses: google-github-actions/setup-gcloud@v1

      - name: Use gcloud CLI
        run: |
          gcloud info
          gsutil ls gs://${{ env.GOOGLE_STORAGE_BUCKET }}

      - name: digger tfrun
        uses: diggerhq/tfrun@v0.1.6
        env:
          LOCK_PROVIDER: gcp
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Output:

...
Run gcloud info
Installation Properties: [/opt/hostedtoolcache/gcloud/424.0.0/x64/properties]
User Config Directory: [/home/runner/.config/gcloud]
Active Configuration Name: [default]
Active Configuration Path: [/home/runner/.config/gcloud/configurations/config_default]

Account: [sa-ar-digger-gha-any@prj-c-artifacts-62d0.iam.gserviceaccount.com]
Project: [prj-c-artifacts-62d0]

Current Properties:
  [auth]
    credential_file_override: [/home/runner/work/digger-test/digger-test/gha-creds-43e0236a61a1ec40.json] (environment)
  [core]
    account: [sa-ar-digger-gha-any@prj-c-artifacts-62d0.iam.gserviceaccount.com] (property file)
    disable_usage_reporting: [True] (property file)
    project: [prj-c-artifacts-62d0] (environment)
  [metrics]
    environment: [github-actions-setup-gcloud] (environment)
    environment_version: [1.1.0] (environment)

Logs Directory: [/home/runner/.config/gcloud/logs]
Last Log File: [/home/runner/.config/gcloud/logs/2023.04.04/14.49.55.023365.log]

git: [git version 2.40.0]
ssh: [OpenSSH_8.9p1 Ubuntu-3ubuntu0.1, OpenSSL 3.0.2 15 Mar 2022]


gs://terraform-digger-gha-pr-locks-814b/test.txt

...

Run diggerhq/tfrun@v0.1.6
Run curl -sL https://github.com/diggerhq/digger/releases/download/${actionref}/digger-Linux-X64 -o digger
Digger config read successfully
Lock has been created successfully
GitHub context parsed successfully
GitHub event processed successfully
GitHub event converted to commands successfully
Lock nuecho/digger-test#default
failed to get bucket attributes: googleapi: Error 403: sa-ar-digger-gha-any@prj-c-artifacts-62d0.iam.gserviceaccount.com does not have storage.buckets.get access to the Google Cloud Storage bucket. Permission 'storage.buckets.get' denied on resource (or it may not exist)., forbidden
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xcfef04]

goroutine 1 [running]:
digger/pkg/gcp.(*GoogleStorageLock).Lock(0xc00007f4e0, 0xc0007841a0?, {0xc0007841a0, 0x1a})
	/home/runner/work/digger/digger/pkg/gcp/gcp_lock.go:41 +0x384
digger/pkg/utils.(*ProjectLockImpl).Lock(0xc00070bcc0, {0xc0007841a0, 0x1a}, 0x1)
	/home/runner/work/digger/digger/pkg/utils/locking.go:60 +0x369
digger/pkg/digger.DiggerExecutor.Plan({{0x0, 0x0}, {0x100b75a, 0x7}, {0xc0000387f8, 0x6}, {0x100b75a, 0x7}, {0x1007b20, 0x1}, ...}, ...)
	/home/runner/work/digger/digger/pkg/digger/digger.go:233 +0x253
digger/pkg/digger.RunCommandsPerProject({0xc00070bc70?, 0x1, 0xc0001181e0?}, {0xc0000387f8, 0x6}, {0xc0000387ff, 0xb}, {0xc0001182a0, 0xc}, 0x1, ...)
	/home/runner/work/digger/digger/pkg/digger/digger.go:76 +0x605
main.main()
	/home/runner/work/digger/digger/cmd/digger/main.go:67 +0x709
Error: Process completed with exit code 2.

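The trace above shows the 403 from storage.buckets.get being logged and then a nil pointer dereference at gcp_lock.go:41. The Go below is an added illustration, not digger's code: it models that failure class against a stubbed bucket client (BucketAttrs, AttrsGetter, deniedBucket and okBucket are constructed stand-ins) and puts the error-returning form beside it, so a missing IAM permission fails loudly instead of crashing.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Constructed stand-ins for the GCS client types (assumption, not digger's code).
type BucketAttrs struct{ Name string }
type AttrsGetter interface {
	Attrs(ctx context.Context) (*BucketAttrs, error)
}

// Models the googleapi 403 error printed just before the panic in the run output.
var ErrForbidden = errors.New("googleapi: Error 403: storage.buckets.get denied, forbidden")

type deniedBucket struct{}          // service account lacks storage.buckets.get
type okBucket struct{ name string } // service account may describe the bucket

func (deniedBucket) Attrs(context.Context) (*BucketAttrs, error) { return nil, ErrForbidden }
func (b okBucket) Attrs(context.Context) (*BucketAttrs, error)  { return &BucketAttrs{Name: b.name}, nil }

// lockUnchecked logs the error but continues, so attrs is nil after a 403 and the
// next line dereferences it: the failure class behind the SIGSEGV in the trace.
func lockUnchecked(ctx context.Context, b AttrsGetter) string {
	attrs, err := b.Attrs(ctx)
	if err != nil {
		fmt.Println("failed to get bucket attributes:", err)
	}
	return attrs.Name // nil pointer dereference when err != nil
}

// lockChecked returns the error instead, so a missing IAM permission surfaces as
// a clear failure rather than a crash.
func lockChecked(ctx context.Context, b AttrsGetter) (string, error) {
	attrs, err := b.Attrs(ctx)
	if err != nil {
		return "", fmt.Errorf("failed to get bucket attributes: %w", err)
	}
	return attrs.Name, nil
}

// runUnchecked turns the panic into a boolean so both paths can be compared.
func runUnchecked(b AttrsGetter) (name string, panicked bool) {
	defer func() { panicked = recover() != nil }()
	return lockUnchecked(context.Background(), b), false
}
```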
@motatoes
Contributor

motatoes commented Apr 4, 2023

Hello! Thank you for filing the issue, I'm looking into it now

@motatoes
Contributor

motatoes commented Apr 4, 2023

I'm not so familiar with GCP identity federation so I need to dig deeper into how it works

@fleroux514
Contributor Author

No worries, thanks @motatoes!

@fleroux514
Contributor Author

@motatoes, if that could help, I could share with you a quick Terraform config to set up Identity Federation, or the generated configuration in https://console.cloud.google.com/iam-admin/workload-identity-pools/

@motatoes
Contributor

motatoes commented Apr 4, 2023

Hey @fleroux514, that would be really helpful. I'm setting up a demo repo to test it out with OIDC.

@fleroux514
Contributor Author

fleroux514 commented Apr 4, 2023

Terraform config:

  1. creates a service account
  2. creates an identity pool, along with an assigned pool provider for GitHub
  3. the current service account IAM binding is configured so that the token will be granted access only when the service account is used from this repo's GitHub Actions workflow: https://github.com/fleroux514/test-oidc

resource "google_service_account" "fleroux" {
  project      = module.personal_fleroux.project_id
  account_id   = "sa-fleroux"
  display_name = "fleroux Development Service Account"
}

resource "google_iam_workload_identity_pool" "fleroux_pool" {
  project                   = module.personal_fleroux.project_id
  provider                  = google-beta
  workload_identity_pool_id = "github-pool"
}

resource "google_iam_workload_identity_pool_provider" "fleroux_github_pool_provider" {
  project                            = module.personal_fleroux.project_id
  provider                           = google-beta
  workload_identity_pool_id          = google_iam_workload_identity_pool.fleroux_pool.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-pool-provider"
  description                        = "OIDC identity pool provider for Github CI/CD"
  disabled                           = false
  attribute_mapping = {
    "google.subject"             = "'github::' + assertion.sub"
    "attribute.repository_owner" = "assertion.repository_owner"
    "attribute.repository"       = "assertion.repository"
    "attribute.repository_ref"   = "assertion.ref.contains('refs/tags/') ? assertion.repository + ':refs/tags' : assertion.repository + ':' + assertion.ref"
  }
  attribute_condition = "attribute.repository_owner==\"fleroux514\""
  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

resource "google_service_account_iam_binding" "fleroux_iam_binding" {
  service_account_id = google_service_account.fleroux.name
  role               = "roles/iam.workloadIdentityUser"

  members = [
    "principalSet://iam.googleapis.com/projects/${module.personal_fleroux.project_number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.fleroux_pool.workload_identity_pool_id}/attribute.repository/fleroux514/test-oidc"
  ]
}

@motatoes motatoes added question Further information is requested bug Something isn't working labels Apr 4, 2023
@motatoes
Contributor

motatoes commented Apr 5, 2023

Hey @fleroux514 I managed to get it working after assigning custom role to the service account with these permissions for access to the bucket:

[Screenshot: Screen Shot 2023-04-05 at 11 16 30 AM]

Perhaps you're missing the storage.objects.* permissions? Here is a sample repository inspired by your action format: https://github.com/diggerhq/digger-gcp-ocid-demo

I had to increase the permissions specified in the actions.yml since it was lacking commenting permissions. This is really helpful for us to document how OIDC will work with digger, so thank you for filing this! Let me know if this fixes it for you!

@fleroux514
Contributor Author

Hey @motatoes ,

Yes, that fixed it for me. I think the GCP demo should make explicit the fact that storage.buckets.* and storage.objects.* permissions are required, and also document the GOOGLE_STORAGE_BUCKET variable.

Makes sense that Identity Federation should not have been related, since it's just another way of identifying.

Closing this one. Thanks :)

@fleroux514
Contributor Author

@MPotatoes

[image]

When I merged the workflow (above), GitHub Actions first ran on the master branch and the digger GHA failed with:

Digger config read successfully
Lock has been created successfully
failed to parse GitHub context. error parsing GitHub context JSON: unknown GitHub event: push
Error: Process completed with exit code 5.

Then it ran on my feature branch and I see it deleted the lock successfully:

Unlock nuecho/digger-test#default
Project unlocked
Commands executed successfully

So I guess we don't really want to run the action on the push event to the main branch, and this snippet suggested in the gcp-demo workflow is not really required (or supported) by the GitHub Action currently, since the lock is released as soon as the pull request is closed anyway?

on:
  push:
    branches: [ "master" ]

@motatoes
Contributor

motatoes commented Apr 5, 2023

Hey @fleroux514, yes indeed! Digger supports other workflows, such as merging and then performing apply; that's why this event was there. But if you only wish to support merging in this way, then you can safely remove it from your pipeline.

@fleroux514
Contributor Author

fleroux514 commented Apr 5, 2023

@motatoes,

I'm testing digger for my company but currently stumbling on a few issues and it might be easier to discuss on Slack instead of PR comments if possible.

I saw https://diggertalk.slack.com/signup#/domain-signup but not sure how to "Contact the workspace administrator at Digger for an invitation.".

Can you help?

@motatoes
Contributor

motatoes commented Apr 5, 2023

Hey @fleroux514, please try https://join.slack.com/t/diggertalk/shared_invite/zt-yx6rua03-6z~g~_RF3y5LTAK2Bu_yOA

Sorry, maybe the other link expired!!
