@SolomonHD
Last active April 30, 2024 01:03
## Prerequisites:
# 1) Create a Docker IPv4 bridge network
# 2) Pick an IPv4 Address for Traefik, use the end of the network range
# 3) Pick a domain, recommend real DNS but faking is possible by editing the /etc/hosts file to point to Traefik's IPv4 address.
# 4) Replace the ${DOMAIN} placeholder in the config-ldap.yaml and env-config.js files with the domain.
# 5) Get a valid certificate via Let's Encrypt or another method, recommend a wildcard cert
# 6) Copy cert/private key as /etc/letsencrypt/live/${DOMAIN}/{privkey.pem, fullchain.pem}, Uncomment lines 233-234 in the docker.compose.yml file
# Also uncomment the lines in traefik_dynamic.yaml after cert and key are in place
# 7) Copy this file as '.env', fill out with the appropriate values
### Domain Names
## https://tk.${DOMAIN} # Main website, terrakube-ui
## https://tk-api.${DOMAIN} # API, terrakube-api
## https://tk-registry.${DOMAIN} # Registry, terrakube-registry
## https://tk-executor.${DOMAIN} # Executor, terrakube-executor
## https://tk-dex.${DOMAIN} # Dex, terrakube-dex
# Required Variables
DOMAIN= # Set domain
EXTERNAL_NETWORK_NAME= # External network is required
HOST_GATEWAY=host-gateway # Should be okay leaving as is, may have to change to Traefik's IPv4 address
TK_OUTPUT_ACCESS_KEY=minioadmin
TK_OUTPUT_ENDPOINT=http://terrakube-minio:9000
TK_OUTPUT_SECRET_KEY=minioadmin
TK_OUTPUT_STORAGE_REGION=us-east-1
TK_OUTPUT_BUCKET_NAME=sample
TK_VERSION=2.19.2
TRAEFIK_IPV4_ADDRESS= # Give Traefik a reserved IPv4 Address in your external network, pick something towards the end of the network to avoid conflicts
TRAEFIK_HTTP_PORT=80
TRAEFIK_HTTPS_PORT=443
# Optional Variables
DNS_IP_PUBLIC=
dn: dc=example,dc=org
dc: example
objectClass: dcObject
objectClass: organization
o: Example, Inc

dn: ou=users,dc=example,dc=org
ou: users
objectClass: organizationalunit

dn: cn=lester,ou=users,dc=example,dc=org
objectClass: inetOrgPerson
sn: Parkinson
cn: Lester
mail: admin@example.com
userpassword: admin

dn: cn=grady,ou=users,dc=example,dc=org
objectClass: inetOrgPerson
sn: Chambers
cn: Grady
mail: aws@example.com
userpassword: azure

dn: cn=saarah,ou=users,dc=example,dc=org
objectClass: inetOrgPerson
sn: Lott
cn: Saarah
mail: azure@example.com
userpassword: aws

dn: cn=eugene,ou=users,dc=example,dc=org
objectClass: inetOrgPerson
sn: Monaghan
cn: Eugene
mail: gcp@example.com
userpassword: gcp

# Group definitions.
dn: ou=Groups,dc=example,dc=org
objectClass: organizationalUnit
ou: Groups

dn: cn=TERRAKUBE_ADMIN,ou=Groups,dc=example,dc=org
objectClass: groupOfNames
cn: TERRAKUBE_ADMIN
member: cn=lester,ou=users,dc=example,dc=org

dn: cn=TERRAKUBE_DEVELOPERS,ou=Groups,dc=example,dc=org
objectClass: groupOfNames
cn: TERRAKUBE_DEVELOPERS
member: cn=lester,ou=users,dc=example,dc=org

dn: cn=AZURE_DEVELOPERS,ou=Groups,dc=example,dc=org
objectClass: groupOfNames
cn: AZURE_DEVELOPERS
member: cn=saarah,ou=users,dc=example,dc=org

dn: cn=AWS_DEVELOPERS,ou=Groups,dc=example,dc=org
objectClass: groupOfNames
cn: AWS_DEVELOPERS
member: cn=grady,ou=users,dc=example,dc=org

dn: cn=GCP_DEVELOPERS,ou=Groups,dc=example,dc=org
objectClass: groupOfNames
cn: GCP_DEVELOPERS
member: cn=eugene,ou=users,dc=example,dc=org
# REPLACE ${DOMAIN} with the base domain!
issuer: https://tk-dex.${DOMAIN}/dex
storage:
  type: memory
web:
  http: 0.0.0.0:5556
  allowedOrigins: ["*"]
oauth2:
  responseTypes: ["code", "token", "id_token"]
connectors:
  - type: ldap
    name: OpenLDAP
    id: ldap
    config:
      # The following configurations seem to work with OpenLDAP:
      #
      # 1) Plain LDAP, without TLS:
      host: terrakube-ldap-service:1389
      insecureNoSSL: true
      insecureSkipVerify: true
      #
      # 2) LDAPS without certificate validation:
      #host: localhost:636
      #insecureNoSSL: false
      #insecureSkipVerify: true
      #
      # 3) LDAPS with certificate validation:
      #host: YOUR-HOSTNAME:636
      #insecureNoSSL: false
      #insecureSkipVerify: false
      #rootCAData: 'CERT'
      # ...where CERT="$( base64 -w 0 your-cert.crt )"
      # This would normally be a read-only user.
      bindDN: cn=admin,dc=example,dc=org
      bindPW: admin
      usernamePrompt: Email Address
      userSearch:
        baseDN: ou=users,dc=example,dc=org
        filter: "(objectClass=person)"
        username: mail
        # "DN" (case sensitive) is a special attribute name. It indicates that
        # this value should be taken from the entity's DN not an attribute on
        # the entity.
        idAttr: DN
        emailAttr: mail
        nameAttr: cn
      groupSearch:
        baseDN: ou=Groups,dc=example,dc=org
        filter: "(objectClass=groupOfNames)"
        userMatchers:
          # A user is a member of a group when their DN matches
          # the value of a "member" attribute on the group entity.
          - userAttr: DN
            groupAttr: member
        # The group name should be the "cn" value.
        nameAttr: cn
staticClients:
  - id: example-app
    redirectURIs:
      - "https://tk.${DOMAIN}"
      - "https://tk-api.${DOMAIN}"
      - "https://tk-dex.${DOMAIN}"
      - "/device/callback"
      - "http://localhost:3000/login"
      - "http://localhost:10001/login"
    name: "Example App"
    #secret: ZXhhbXBsZS1hcHAtc2VjcmV0
    public: true
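How the LDIF entries above turn into the `groups` claim Dex issues through this connector, as an added example (not code from the gist or from Dex): it applies the connector's userSearch and groupSearch settings to a constructed excerpt of the LDIF, with a small LDIF parser and a model of the objectClass superclass matching OpenLDAP performs server-side.

```javascript
// Added example (not part of the gist): applies the userSearch/groupSearch rules
// of the Dex LDAP connector above to entries from config-ldap.ldif and returns the
// identity (id, email, name, groups) Dex would hand to Terrakube.
// Constructed excerpt of the gist's LDIF: two users, three groups.
const SAMPLE_LDIF = `dn: cn=lester,ou=users,dc=example,dc=org
objectClass: inetOrgPerson
cn: Lester
mail: admin@example.com

dn: cn=saarah,ou=users,dc=example,dc=org
objectClass: inetOrgPerson
cn: Saarah
mail: azure@example.com

dn: cn=TERRAKUBE_ADMIN,ou=Groups,dc=example,dc=org
objectClass: groupOfNames
cn: TERRAKUBE_ADMIN
member: cn=lester,ou=users,dc=example,dc=org

dn: cn=TERRAKUBE_DEVELOPERS,ou=Groups,dc=example,dc=org
objectClass: groupOfNames
cn: TERRAKUBE_DEVELOPERS
member: cn=lester,ou=users,dc=example,dc=org

dn: cn=AZURE_DEVELOPERS,ou=Groups,dc=example,dc=org
objectClass: groupOfNames
cn: AZURE_DEVELOPERS
member: cn=saarah,ou=users,dc=example,dc=org`;

// Minimal LDIF parser: blank lines separate entries; attribute names are
// case-insensitive in LDAP, so they are stored lower-cased.
function parseLdif(text) {
  const entries = [];
  for (const block of text.split(/\n\s*\n/)) {
    const attrs = {};
    for (const line of block.split('\n')) {
      if (!line.trim() || line.startsWith('#')) continue;
      const i = line.indexOf(':');
      const name = line.slice(0, i).trim().toLowerCase();
      (attrs[name] = attrs[name] || []).push(line.slice(i + 1).trim());
    }
    if (attrs.dn) entries.push({ dn: attrs.dn[0], attrs });
  }
  return entries;
}

// OpenLDAP stores an entry's superclasses in objectClass as well, which is why
// the connector's "(objectClass=person)" filter matches inetOrgPerson users.
const SUPERCLASSES = { inetorgperson: ['organizationalperson', 'person'] };
function hasObjectClass(entry, wanted) {
  const w = wanted.toLowerCase();
  return (entry.attrs.objectclass || []).some((oc) =>
    oc.toLowerCase() === w || (SUPERCLASSES[oc.toLowerCase()] || []).includes(w));
}
// DN and mail comparisons are case-insensitive, as the LDAP server's would be.
const sameDn = (a, b) => a.toLowerCase() === b.toLowerCase();
const under = (dn, base) => dn.toLowerCase().endsWith(',' + base.toLowerCase());

// login is what the user types at the "Email Address" prompt (username: mail).
function resolveIdentity(entries, login) {
  const user = entries.find((e) => under(e.dn, 'ou=users,dc=example,dc=org')
    && hasObjectClass(e, 'person')
    && (e.attrs.mail || []).some((m) => m.toLowerCase() === login.toLowerCase()));
  if (!user) return null;
  // userMatchers (userAttr: DN, groupAttr: member): the user's DN must appear as a
  // "member" value on a groupOfNames entry under ou=Groups; nameAttr cn names it.
  const groups = entries
    .filter((g) => under(g.dn, 'ou=Groups,dc=example,dc=org')
      && hasObjectClass(g, 'groupOfNames')
      && (g.attrs.member || []).some((m) => sameDn(m, user.dn)))
    .map((g) => g.attrs.cn[0]);
  // idAttr: DN, emailAttr: mail, nameAttr: cn
  return { id: user.dn, email: user.attrs.mail[0], name: user.attrs.cn[0], groups };
}
console.log(resolveIdentity(parseLdif(SAMPLE_LDIF), 'admin@example.com').groups);
```

A user whose DN is not listed as a `member` of any group under `ou=Groups` gets an empty `groups` claim, which is what Terrakube then sees.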
version: "3.8"
### DNS ####
x-terrakube_dns: &terrakube_dns
  - ${DNS_IP_PUBLIC:-1.1.1.1}
#### Extra Hosts #####
x-terrakube_hosts: &terrakube_hosts
  - "tk-api.${DOMAIN}:${HOST_GATEWAY}"
  - "tk-dex.${DOMAIN}:${HOST_GATEWAY}"
  - "tk-executor.${DOMAIN}:${HOST_GATEWAY}"
  - "tk.${DOMAIN}:${HOST_GATEWAY}"
  - "tk-registry.${DOMAIN}:${HOST_GATEWAY}"
#### Container Environment Variables #####
x-api: &api_env
  ApiDataSourceType: POSTGRESQL
  DatasourceHostname: postgresql-service
  DatasourceDatabase: terrakubedb
  DatasourceUser: terrakube
  DatasourcePassword: terrakubepassword
  GroupValidationType: DEX
  UserValidationType: DEX
  AuthenticationValidationType: DEX
  TerrakubeHostname: https://tk-api.${DOMAIN}
  AzBuilderExecutorUrl: https://tk-executor.${DOMAIN}/api/v1/terraform-rs
  PatSecret: ejZRSFgheUBOZXAyUURUITUzdmdINDNeUGpSWHlDM1g=
  InternalSecret: S2JeOGNNZXJQTlpWNmhTITkha2NEKkt1VVBVQmFeQjM=
  DexIssuerUri: https://tk-dex.${DOMAIN}/dex
  StorageType: AWS
  AwsStorageAccessKey: $TK_OUTPUT_ACCESS_KEY
  AwsStorageSecretKey: $TK_OUTPUT_SECRET_KEY
  AwsStorageBucketName: $TK_OUTPUT_BUCKET_NAME
  AwsStorageRegion: $TK_OUTPUT_STORAGE_REGION
  AwsEndpoint: $TK_OUTPUT_ENDPOINT
  TerrakubeUiURL: https://tk.${DOMAIN}
  spring_profiles_active: demo
  DexClientId: example-app
  CustomTerraformReleasesUrl: "https://releases.hashicorp.com/terraform/index.json"
  TerrakubeRedisHostname: terrakube-redis
  TerrakubeRedisPort: 6379
  TerrakubeRedisPassword: password123456
  JAVA_TOOL_OPTIONS: -Dcom.sun.security.enableAIAcaIssuers=true
x-executor: &executor_env
  TerrakubeEnableSecurity: true
  InternalSecret: S2JeOGNNZXJQTlpWNmhTITkha2NEKkt1VVBVQmFeQjM=
  TerraformStateType: AwsTerraformStateImpl
  AwsTerraformStateAccessKey: $TK_OUTPUT_ACCESS_KEY
  AwsTerraformStateSecretKey: $TK_OUTPUT_SECRET_KEY
  AwsTerraformStateBucketName: $TK_OUTPUT_BUCKET_NAME
  AwsTerraformStateRegion: us-east-1
  AwsEndpoint: $TK_OUTPUT_ENDPOINT
  TerraformOutputType: AwsTerraformOutputImpl
  AwsTerraformOutputAccessKey: $TK_OUTPUT_ACCESS_KEY
  AwsTerraformOutputSecretKey: $TK_OUTPUT_SECRET_KEY
  AwsTerraformOutputBucketName: $TK_OUTPUT_BUCKET_NAME
  AwsTerraformOutputRegion: us-east-1
  AzBuilderApiUrl: https://tk-api.${DOMAIN}
  ExecutorFlagBatch: false
  ExecutorFlagDisableAcknowledge: false
  TerrakubeToolsRepository: https://github.com/AzBuilder/terrakube-extensions.git
  TerrakubeToolsBranch: main
  TerrakubeRegistryDomain: tk-registry.${DOMAIN}
  TerrakubeApiUrl: https://tk-api.${DOMAIN}
  CustomTerraformReleasesUrl: "https://releases.hashicorp.com/terraform/index.json"
  TerrakubeRedisHostname: terrakube-redis
  TerrakubeRedisPort: 6379
  TerrakubeRedisPassword: password123456
  JAVA_TOOL_OPTIONS: >
    -Xmx512m -Xms256m -Dcom.sun.security.enableAIAcaIssuers=true
x-registry: &registry_env
  AzBuilderRegistry: https://tk-registry.${DOMAIN}
  AzBuilderApiUrl: https://tk-api.${DOMAIN}
  AuthenticationValidationTypeRegistry: DEX
  TerrakubeEnableSecurity: true
  DexIssuerUri: https://tk-dex.${DOMAIN}/dex
  TerrakubeUiURL: https://tk.${DOMAIN}
  PatSecret: ejZRSFgheUBOZXAyUURUITUzdmdINDNeUGpSWHlDM1g=
  InternalSecret: S2JeOGNNZXJQTlpWNmhTITkha2NEKkt1VVBVQmFeQjM=
  RegistryStorageType: AwsStorageImpl
  AwsStorageAccessKey: $TK_OUTPUT_ACCESS_KEY
  AwsStorageSecretKey: $TK_OUTPUT_SECRET_KEY
  AwsStorageBucketName: $TK_OUTPUT_BUCKET_NAME
  AwsStorageRegion: $TK_OUTPUT_STORAGE_REGION
  AwsEndpoint: $TK_OUTPUT_ENDPOINT
  AppClientId: example-app
  AppIssuerUri: https://tk-dex.${DOMAIN}/dex
  JAVA_TOOL_OPTIONS: -Dcom.sun.security.enableAIAcaIssuers=true
x-ldap: &ldap_env
  LDAP_TLS_VERIFY_CLIENT: try
  LDAP_ADMIN_USERNAME: "admin"
  LDAP_ADMIN_PASSWORD: "admin"
  LDAP_ROOT: "dc=example,dc=org"
  LDAP_CUSTOM_LDIF_DIR: "/ldifs"
x-minio: &minio_env
  MINIO_ROOT_USER: minioadmin
  MINIO_ROOT_PASSWORD: minioadmin
  MINIO_DEFAULT_BUCKETS: 'sample'
x-ui: &ui_env
  REACT_APP_TERRAKUBE_API_URL: https://tk-api.${DOMAIN}/api/v1/
  REACT_APP_CLIENT_ID: example-app
  REACT_APP_AUTHORITY: https://tk-dex.${DOMAIN}/dex
  REACT_APP_REDIRECT_URI: https://tk.${DOMAIN}
  REACT_APP_REGISTRY_URI: https://tk-registry.${DOMAIN}
  REACT_APP_SCOPE: email openid profile offline_access groups
  JAVA_TOOL_OPTIONS: -Dcom.sun.security.enableAIAcaIssuers=true
x-traefik_env: &traefik_env
  TRAEFIK_API_DASHBOARD: false
  TRAEFIK_ENTRYPOINTS_WEB: true
  TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":${TRAEFIK_HTTP_PORT}"
  TRAEFIK_ENTRYPOINTS_WEB_HTTP_ENCODEQUERYSEMICOLONS: true
  TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEQUERYSEMICOLONS: true
  TRAEFIK_ENTRYPOINTS_WEBSECURE: true
  TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS: ":${TRAEFIK_HTTPS_PORT}"
  TRAEFIK_PROVIDERS_DOCKER: true
  TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: false
  TRAEFIK_PROVIDERS_FILE_FILENAME: /etc/traefik_dynamic.yml
## Terrakube API
x-traefik_api_labels: &traefik_api_labels
  traefik.enable: true
  ## Terrakube API HTTPS
  traefik.http.routers.terrakube-api-https.rule: Host(`tk-api.${DOMAIN}`)
  traefik.http.routers.terrakube-api-https.entrypoints: websecure
  traefik.http.routers.terrakube-api-https.tls: true
  traefik.http.routers.terrakube-api-https.middlewares: terrakube-dex-allow-origin
  traefik.http.services.terrakube-api-https.loadbalancer.server.port: 8080
  ## Redirect to HTTPS
  traefik.http.routers.terrakube-api-http.rule: Host(`tk-api.${DOMAIN}`)
  traefik.http.routers.terrakube-api-http.entrypoints: web
  traefik.http.routers.terrakube-api-http.middlewares: terrakube-api-redirect-https
  traefik.http.middlewares.terrakube-api-redirect-https.redirectscheme.scheme: https
## Traefik labels
## Terrakube Executor
x-traefik_executor_labels: &traefik_executor_labels
  traefik.enable: true
  ## Terrakube executor HTTPS
  traefik.http.routers.terrakube-executor-https.rule: Host(`tk-executor.${DOMAIN}`)
  traefik.http.routers.terrakube-executor-https.entrypoints: websecure
  traefik.http.routers.terrakube-executor-https.tls: true
  traefik.http.routers.terrakube-executor-https.middlewares: terrakube-dex-allow-origin
  traefik.http.services.terrakube-executor-https.loadbalancer.server.port: 8090
  ## Redirect to HTTPS
  traefik.http.routers.terrakube-executor-http.rule: Host(`tk-executor.${DOMAIN}`)
  traefik.http.routers.terrakube-executor-http.entrypoints: web
  traefik.http.routers.terrakube-executor-http.middlewares: terrakube-executor-redirect-https
  traefik.http.middlewares.terrakube-executor-redirect-https.redirectscheme.scheme: https
## Terrakube UI
x-traefik_ui_labels: &traefik_ui_labels
  traefik.enable: true
  ## Terrakube UI HTTPS
  traefik.http.routers.terrakube-ui-https.rule: Host(`tk.${DOMAIN}`)
  traefik.http.routers.terrakube-ui-https.entrypoints: websecure
  traefik.http.routers.terrakube-ui-https.middlewares: terrakube-dex-allow-origin
  traefik.http.routers.terrakube-ui-https.tls: true
  traefik.http.services.terrakube-ui-https.loadbalancer.server.port: 8080
  ## Redirect to HTTPS
  traefik.http.routers.terrakube-ui-http.rule: Host(`tk.${DOMAIN}`)
  traefik.http.routers.terrakube-ui-http.entrypoints: web
  traefik.http.routers.terrakube-ui-http.middlewares: terrakube-ui-redirect-https
  traefik.http.middlewares.terrakube-ui-redirect-https.redirectscheme.scheme: https
x-traefik_dex_labels: &traefik_dex_labels
  traefik.enable: true
  ## Terrakube DEX HTTPS
  traefik.http.routers.terrakube-dex-https.rule: Host(`tk-dex.${DOMAIN}`)
  traefik.http.routers.terrakube-dex-https.entrypoints: websecure
  traefik.http.routers.terrakube-dex-https.middlewares: terrakube-dex-allow-origin
  traefik.http.routers.terrakube-dex-https.tls: true
  traefik.http.services.terrakube-dex-https.loadbalancer.server.port: 5556
  ## Redirect to HTTPS
  traefik.http.routers.terrakube-dex-http.rule: Host(`tk-dex.${DOMAIN}`)
  traefik.http.routers.terrakube-dex-http.entrypoints: web
  traefik.http.routers.terrakube-dex-http.middlewares: terrakube-dex-redirect-https
  traefik.http.middlewares.terrakube-dex-redirect-https.redirectscheme.scheme: https
  ## Allow CORs from Terrakube UI
  traefik.http.middlewares.terrakube-dex-allow-origin.headers.accesscontrolallowmethods: GET, PATCH, PUT, POST, DELETE, HEAD, OPTIONS
  traefik.http.middlewares.terrakube-dex-allow-origin.headers.accesscontrolallowheaders: >
    Content-Type, Accept, Authorization, X-Requested-With, Origin, *
  traefik.http.middlewares.terrakube-dex-allow-origin.headers.accesscontrolalloworiginlist: https://tk.${DOMAIN}
  traefik.http.middlewares.terrakube-dex-allow-origin.headers.accesscontrolallowcredentials: true
  traefik.http.middlewares.terrakube-dex-allow-origin.headers.accessControlExposeHeaders: >
    Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified,
    Pragma, x-amz-server-side-encryption, x-amz-request-id, x-amz-id-2, ETag
  traefik.http.middlewares.terrakube-dex-allow-origin.headers.accesscontrolmaxage: 86400
  traefik.http.middlewares.terrakube-dex-allow-origin.headers.addvaryheader: true
## Terrakube registry
x-traefik_registry_labels: &traefik_registry_labels
  traefik.enable: true
  ## Terrakube registry HTTPS
  traefik.http.routers.terrakube-registry-https.rule: Host(`tk-registry.${DOMAIN}`)
  traefik.http.routers.terrakube-registry-https.entrypoints: websecure
  traefik.http.routers.terrakube-registry-https.tls: true
  traefik.http.routers.terrakube-registry-https.middlewares: terrakube-dex-allow-origin
  traefik.http.services.terrakube-registry-https.loadbalancer.server.port: 8075
  ## Redirect to HTTPS
  traefik.http.routers.terrakube-registry-http.rule: Host(`tk-registry.${DOMAIN}`)
  traefik.http.routers.terrakube-registry-http.entrypoints: web
  traefik.http.routers.terrakube-registry-http.middlewares: terrakube-registry-redirect-https
  traefik.http.middlewares.terrakube-registry-redirect-https.redirectscheme.scheme: https
### Containers
services:
  traefik:
    image: traefik:latest
    container_name: terrakube-traefik
    # Give Traefik a reserved IP address in your external network, pick something towards the end of the network to avoid conflicts
    networks:
      default:
        ipv4_address: $TRAEFIK_IPV4_ADDRESS
    environment: *traefik_env
    dns: *terrakube_dns
    ports:
      - $TRAEFIK_HTTP_PORT:80
      - $TRAEFIK_HTTPS_PORT:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik_dynamic.yml:/etc/traefik_dynamic.yml
      ## Uncomment for let's encrypt cert based off Domain
      # - /etc/letsencrypt/live/${DOMAIN}/privkey.pem:/letsencrypt/privkey.pem:ro
      # - /etc/letsencrypt/live/${DOMAIN}/fullchain.pem:/letsencrypt/fullchain.pem:ro
    restart: unless-stopped
  terrakube-api:
    image: azbuilder/api-server:${TK_VERSION}
    container_name: terrakube-api
    environment:
      <<: [*api_env]
    labels: *traefik_api_labels
    extra_hosts: *terrakube_hosts
    depends_on:
      - postgresql-service
  terrakube-ui:
    image: azbuilder/terrakube-ui:${TK_VERSION}
    container_name: terrakube-ui
    extra_hosts: *terrakube_hosts
    labels: *traefik_ui_labels
    volumes:
      - ./env-config.js:/app/env-config.js
    environment:
      <<: [*ui_env]
  terrakube-executor:
    dns: *terrakube_dns
    image: azbuilder/executor:${TK_VERSION}
    labels: *traefik_executor_labels
    extra_hosts: *terrakube_hosts
    container_name: terrakube-executor
    environment:
      <<: [*executor_env]
  terrakube-registry:
    dns: *terrakube_dns
    image: azbuilder/open-registry:${TK_VERSION}
    labels: *traefik_registry_labels
    extra_hosts: *terrakube_hosts
    container_name: terrakube-registry
    environment:
      <<: [*registry_env]
  terrakube-dex:
    image: ghcr.io/dexidp/dex:v2.37.0
    extra_hosts: *terrakube_hosts
    labels: *traefik_dex_labels
    container_name: terrakube-dex
    volumes:
      - ./config-ldap.yaml:/etc/dex/config.docker.yaml
  ldap-service:
    image: bitnami/openldap:2.6.4-debian-11-r4
    container_name: terrakube-ldap-service
    environment: *ldap_env
    volumes:
      - ./config-ldap.ldif:/ldifs/config-ldap.ldif
  minio:
    container_name: terrakube-minio
    image: docker.io/bitnami/minio:2022
    environment: *minio_env
    volumes:
      - 'minio_data:/data'
  redis-service:
    image: bitnami/redis:7.0.10
    container_name: terrakube-redis
    environment:
      - REDIS_REPLICATION_MODE=master
      - REDIS_PASSWORD=password123456
      - REDIS_MASTER_PASSWORD=password123456
      - REDIS_DISABLE_COMMANDS=FLUSHDB,FLUSHALL
    volumes:
      - 'redis_data:/bitnami/redis/data'
  postgresql-service:
    image: docker.io/bitnami/postgresql:15
    container_name: postgresql-service
    environment:
      - POSTGRESQL_USERNAME=terrakube
      - POSTGRESQL_PASSWORD=terrakubepassword
      - POSTGRESQL_DATABASE=terrakubedb
    volumes:
      - postgresql_data:/bitnami/postgresql
volumes:
  minio_data:
  redis_data:
  postgresql_data:
    driver: local
# External network is required, import its name below
networks:
  default:
    name: $EXTERNAL_NETWORK_NAME
    external: true
window._env_ = {
  REACT_APP_TERRAKUBE_API_URL: "https://tk-api.${DOMAIN}/api/v1/",
  REACT_APP_CLIENT_ID: "example-app",
  REACT_APP_AUTHORITY: "https://tk-dex.${DOMAIN}/dex",
  REACT_APP_REDIRECT_URI: "https://tk.${DOMAIN}",
  REACT_APP_REGISTRY_URI: "https://tk-registry.${DOMAIN}",
  REACT_APP_SCOPE: "email openid profile offline_access groups",
}
# tls:
#   stores:
#     default:
#       defaultCertificate:
#         certFile: /letsencrypt/fullchain.pem
#         keyFile: /letsencrypt/privkey.pem
@SolomonHD (Author)

So, the API is failing to download a file from the Registry, or is it the UI?

I am running this test on some really weak hardware that had difficulties downloading in other situations.

I'm going to take what we have and attempt to deploy it on my institution's hardware, see if we get the same errors.

@alfespa17

> So, the API is failing to download a file from the Registry, or is it the UI?
>
> I am running this test on some really weak hardware that had difficulties downloading in other situations.
>
> I'm going to take what we have and attempt to deploy it on my institution's hardware, see if we get the same errors.

The UI is doing a request to the registry, to this particular URL https://tk-registry.terrakubepoc.com/terraform/modules/v1/aws/iam/aws/v5.37.2/download.

That endpoint should include one custom response header called "x-terraform-get" that includes the URL to download the module that is required for the UI.


I added some custom logs to the UI using version 2.19.2, but the response header does not include the header "x-terraform-get"; that is the reason for your issue.

@alfespa17

Hello @SolomonHD

I got it working.

I fixed it just by adding "x-terraform-get":

  traefik.http.middlewares.terrakube-dex-allow-origin.headers.accessControlExposeHeaders: >
    Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified,
    Pragma, x-amz-server-side-encryption, x-terraform-get, x-amz-request-id, x-amz-id-2, ETag

@SolomonHD (Author)

SolomonHD commented Mar 29, 2024

YES! 🥳🥳 I have it working too. Great effort on this, so happy we got this working 😂😂

ETA: What's annoying is I tried * for headers in the beginning, but that's not allowed when using the Bearer token; you have to specify them.

I'm going to clean up the config and remove anything unnecessary. Have a good weekend!

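The CORS mechanics behind the two comments above (the x-terraform-get fix and the `*` that did not work), as an added example that is not part of the thread: it models, following the Fetch standard's rules for Access-Control-Expose-Headers, which headers of a simulated registry download response the UI's JavaScript can read under each label value; the registry response and its module URL are constructed.

```javascript
// Added example (not from the gist): models which headers of the registry's
// module download response the browser lets the Terrakube UI read under the
// "terrakube-dex-allow-origin" middleware, before and after x-terraform-get was
// added to accessControlExposeHeaders. Responses are simulated, not fetched.

// CORS-safelisted response headers are readable cross-origin regardless of
// Access-Control-Expose-Headers (Fetch standard).
const SAFELISTED = ['cache-control', 'content-language', 'content-length',
  'content-type', 'expires', 'last-modified', 'pragma'];

// Parse a (possibly folded) Traefik label value "A, B,\n C" into lower-cased names.
function parseExposeList(value) {
  return value.split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
}

// Names of response headers cross-origin JS may read. With credentials, the Fetch
// standard treats "*" literally, so it exposes nothing; without, it is a wildcard.
function readableHeaders(responseHeaders, exposeHeaderValue, credentialed) {
  const exposed = parseExposeList(exposeHeaderValue);
  const wildcard = !credentialed && exposed.includes('*');
  return Object.keys(responseHeaders)
    .map((h) => h.toLowerCase())
    .filter((h) => SAFELISTED.includes(h) || wildcard || exposed.includes(h));
}

// Constructed reply to the registry's module /download endpoint: per the
// Terraform module registry protocol the module location travels in
// x-terraform-get, not in the body.
const REGISTRY_RESPONSE = {
  'Content-Type': 'application/json',
  'X-Terraform-Get': 'https://tk-registry.example.org/aws-iam-v5.37.2.zip', // constructed
  'ETag': '"abc123"',
};

// Expose lists copied from the compose label before and after the fix.
const BEFORE = `Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified,
Pragma, x-amz-server-side-encryption, x-amz-request-id, x-amz-id-2, ETag`;
const AFTER = `Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified,
Pragma, x-amz-server-side-encryption, x-terraform-get, x-amz-request-id, x-amz-id-2, ETag`;

// What the UI can act on: the module URL if the header is visible, else null.
function moduleLocation(exposeHeaderValue, credentialed = true) {
  const visible = readableHeaders(REGISTRY_RESPONSE, exposeHeaderValue, credentialed);
  return visible.includes('x-terraform-get') ? REGISTRY_RESPONSE['X-Terraform-Get'] : null;
}

console.log(moduleLocation(BEFORE));      // null: header on the wire, hidden from JS
console.log(moduleLocation(AFTER));       // the module URL
console.log(moduleLocation('*', true));   // null: "*" is literal for credentialed requests
console.log(moduleLocation('*', false));  // the module URL: wildcard honoured
```

The header is present in the proxy's response either way; only the browser-side visibility changes, which is why the registry logs showed nothing wrong.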
@SolomonHD (Author)

SolomonHD commented Apr 16, 2024

Hey @alfespa17, I re-deployed terrakube inside my company's network and I am still seeing a few issues.

  1. I can't pull modules from the registry. The source = "tk.example.com/module/name/provider" is not working.
    To confirm, I do not need API keys when running from within TK, correct? Only running Terraform CLI with TK as backend needs API keys.
    I checked Minio and the module.zip uploads correctly. A 500 error occurs in the terminal and this error message in the registry container:
2024-04-16 02:16:04.891  INFO 1 --- [nio-8075-exec-9] o.t.r.p.s.aws.AwsStorageServiceImpl      : Checking Aws S3 Object exist registry/aws/api-gate/aws/3.0.0/module.zip
2024-04-16 02:16:04.996  INFO 1 --- [nio-8075-exec-9] o.t.registry.service.git.GitServiceImpl  : Cloning https://github.service.example.com/LITS/terraform-aws-api-gateway-proxy-cognito.git using 3.0.0
2024-04-16 02:16:05.115 ERROR 1 --- [nio-8075-exec-9] o.t.registry.service.git.GitServiceImpl  : Remote branch 'refs/tags/3.0.0' not found in upstream origin
2024-04-16 02:16:05.118 ERROR 1 --- [nio-8075-exec-9] o.a.c.c.C.[.[.[/].[dispatcherServlet]    : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is org.zeroturnaround.zip.ZipException: Given directory '/home/cnb/.terraform-spring-boot/git/2d87dbc5-07f6-41a0-8929-c3477f8b0f52' doesn't contain any files!] with root cause
  2. After creating a workspace and applying a Terraform template, TK creates the resources and uploads the state file to Minio correctly, but the UI displays nothing in the Resources/Outputs tabs in the Overview. Also, the State tab is empty; the run is marked with a red failed box even when it completes successfully.

It appears to not be able to fully parse Minio. Can you try running a few templates in your setup to see if you can replicate? Do you think I'm missing additional headers?

@alfespa17

Hello @SolomonHD, to download modules from the registry you have two options:

  • Run terraform login "TERRAKUBE-REGISTRY-HOSTNAME" and terraform login "TERRAKUBE-API-HOSTNAME", which will generate the credentials.tfrc.json file like the following:
    [screenshot of credentials.tfrc.json]

  • The second option is to generate a Personal Access Token and configure credentials in .terraformrc or terraform.rc:

credentials "tk-registry.terrakubepoc.com" { 
  # valid user API token:
  token = "xxxxxx.yyyyyy.zzzzzzzzzzzzz"
}

credentials "tk-api.terrakubepoc.com" { 
  # valid user API token:
  token = "xxxxxx.yyyyyy.zzzzzzzzzzzzz"
}

By the way, you will need one credential for the registry and one for the API.

@alfespa17

For your second question, I ran a simple example and I can see the state and resources.

Regarding the registry error:

2024-04-16 02:16:04.996  INFO 1 --- [nio-8075-exec-9] o.t.registry.service.git.GitServiceImpl  : Cloning https://github.service.example.com/LITS/terraform-aws-api-gateway-proxy-cognito.git using 3.0.0
2024-04-16 02:16:05.115 ERROR 1 --- [nio-8075-exec-9] o.t.registry.service.git.GitServiceImpl  : Remote branch 'refs/tags/3.0.0' not found in upstream origin

Make sure that inside your git repository there is a tag or release with the name "3.0.0":

https://github.service.example.com/LITS/terraform-aws-api-gateway-proxy-cognito.git

I hope this can help you.

@alfespa17

Hey @SolomonHD, curious question: were you able to fix the issue?

@SolomonHD (Author)

I've been busy on other projects the last couple of weeks, getting back on this now. IIRC, last time I tried to replicate the issue on my local it worked normally, like your example. I will test it again on my university infrastructure.

On a side note: Is it possible to get rid of env-config.js? The UI environment variables have the same values. It would clean up the configuration considerably.

@alfespa17

alfespa17 commented Apr 29, 2024

> I've been busy on other projects the last couple of weeks, getting back on this now. IIRC, last time I tried to replicate the issue on my local it worked normally, like your example. I will test it again on my university infrastructure.
>
> On a side note: Is it possible to get rid of env-config.js? The UI environment variables have the same values. It would clean up the configuration considerably.

Hello @SolomonHD, you can't remove the env-config.js because it is used as a static file for the React UI; I think you could remove the environment variables for the UI, those are no longer needed.
