Home > Enterprise >  How to inject a bash script with a dollar sign ($) in terraform?
How to inject a bash script with a dollar sign ($) in terraform?

Time:06-14

I have a simple bash script that does something like the following:

#!/bin/bash
a=$(curl -s http://metadata/endpoint/internal)
echo "$a - bar"

(this is just a simplification). Note the use of the two $ signs to execute a command and resolve a variable.

Using Terraform, I want to write this file to a GCP instance during startup. Per Terraform's instructions, I'm attempting to avoid using the File Provisioner. Using the metadata_startup_script field in google_compute_instance2, I am including the script so that I can write it to a particular location.

E.g.

  metadata_startup_script = <<-EOF
#!/bin/bash -xe
sudo tee /etc/myservice/serv.conf > /dev/null <<EOI
${file("${path.module}/scripts/simple_bash.sh")}
EOI
EOF

Terraform is interpolating the $ in the subscript somewhere (either in the loading into the metadata_startup_script, or in the writing out into the script to disk.

So, depending on what I use to try to escape the interpolation, it still fails to write. For example, I have tried (in the subscript):

echo "\$a - bar"
echo "${“$”}a - bar"
echo "$$a - bar"

According to the terraform docs, I'm supposed to use $$, but when I do it in the above, I get:

echo "1397a - bar"

All which fail to replicate the original script.

I’m just looking for the exact bash script, as written, to be written to disk.

My goal would be to do the above without extra escape sequences (as detailed here - Escaping dollar sign in Terraform) so that i can continue to run the original script (for debugging purposes).

I would also prefer not to build a packer image with the original script in it.

Thanks!

CodePudding user response:

I don't think it's Terraform eating your variable interpolations here, because Terraform only understands ${ (a dollar sign followed by a brace) as starting an interpolation, whereas your example contains only $a.

However, you do seem to be embedded one bash script inside another, so it seems plausible to me that the outer bash is resolving your $a before the inner bash gets a chance to look at it. If so, you can use the literal variant of bash heredoc syntax, as described in answers to How to cat <> a file containing code?, so that the outer bash will take the content as literal and leave it to the inner bash to evaluate.

  metadata_startup_script = <<-EOF
#!/bin/bash -xe
sudo tee /etc/myservice/serv.conf > /dev/null <<'EOI'
${file("${path.module}/scripts/simple_bash.sh")}
EOI
EOF

Notice that I wrote <<'EOI' instead of <<EOI, following the guidance from that other question in combination with the main Bash documentation on "here documents" (bold emphasis mine):

This type of redirection instructs the shell to read input from the current source until a line containing only word (with no trailing blanks) is seen. All of the lines read up to that point are then used as the standard input (or file descriptor n if n is specified) for a command.

The format of here-documents is:

[n]<<[-]word
        here-document
delimiter

No parameter and variable expansion, command substitution, arithmetic expansion, or filename expansion is performed on word. If any part of word is quoted, the delimiter is the result of quote removal on word, and the lines in the here-document are not expanded. If word is unquoted, all lines of the here-document are subjected to parameter expansion, command substitution, and arithmetic expansion, the character sequence \newline is ignored, and \ must be used to quote the characters \, $, and `.

If the redirection operator is <<-, then all leading tab characters are stripped from input lines and the line containing delimiter. This allows here-documents within shell scripts to be indented in a natural fashion.

If your machine image is configured to run cloud-init at startup -- this is often but not always what is responsible for executing metadata_startup_script -- you may be able to achieve a similar effect without so much Bash scripting indirection by using Cloud Config YAML instead of a shell script directly.

For example, if your intent is only to write the content of that file into the designated location in the filesystem, you could potentially follow the Writing out arbitrary files example:

  metadata_startup_script = <<-EOF
    #cloud-config
    ${yamlencode({
      write_files = [
        {
          encoding    = "b64"
          content     = filebase64("${path.module}/scripts/simple_bash.sh")
          path        = "/etc/myservice/serv.conf"
          owner       = "root:root"
          permissions = "0644"
        },
      ]
    }}
  EOF

Cloud-init evaluates its modules at various points in the startup lifecycle. The Write Files module used here is specified to run once on the first boot of an instance, which matches how Cloud-init would typically treat a naked shell script too.

CodePudding user response:

I do not think your issue is related to TF interpolation. I think you have problems because of normal bash interpolation, as its bash which is going to try to resolve $ in your /etc/myservice/serv.conf while writing its content.

The regular solution is to use 'EOI', not EOI:

  metadata_startup_script = <<-EOF
#!/bin/bash -xe
sudo tee /etc/myservice/serv.conf > /dev/null <<'EOI'
${file("${path.module}/scripts/simple_bash.sh")}
EOI
EOF

Page link:https//www.codepudding.com/Enterprise/441201.html

Prev:bash script - escape characters in eval vs running command directly
Next:Finding files that are *not* hard links or under hard links directory via a shell script
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding