From abf27e7e45f07bd135be3e920b67cd897d2ddf77 Mon Sep 17 00:00:00 2001 From: Brandon Croft Date: Tue, 8 Nov 2022 14:33:20 -0700 Subject: [PATCH] Use $RUNNER_TEMP when TF_CLI_CONFIG_FILE not in use If you don't specify the TF_CLI_CONFIG_FILE environment variable, the default config is written to $HOME directory, which could theoretically be shared by multiple runners when using self-hosted runners. When TF_CLI_CONFIG_FILE is _not_ in use, I replaced the usage of $HOME with the directory $RUNNER_TEMP, whose setup/cleanup is managed by the runner framework and exported a TF_CLI_CONFIG_FILE. --- .github/workflows/setup-terraform.yml | 36 ++++++--------------------- dist/index.js | 16 ++++++------ lib/setup-terraform.js | 16 ++++++------ 3 files changed, 24 insertions(+), 44 deletions(-) diff --git a/.github/workflows/setup-terraform.yml b/.github/workflows/setup-terraform.yml index 2b6d9af8..7176fa82 100644 --- a/.github/workflows/setup-terraform.yml +++ b/.github/workflows/setup-terraform.yml @@ -116,17 +116,10 @@ jobs: with: cli_config_credentials_token: ${{ env.TF_CLOUD_API_TOKEN }} - - name: Validate Terraform Credentials (Windows) - if: runner.os == 'Windows' + - name: Validate Terraform Credentials run: | - cat ${APPDATA}/terraform.rc | grep 'credentials "app.terraform.io"' - cat ${APPDATA}/terraform.rc | grep 'token = "${{ env.TF_CLOUD_API_TOKEN }}"' - - - name: Validate Teraform Credentials (Linux & macOS) - if: runner.os != 'Windows' - run: | - cat ${HOME}/.terraformrc | grep 'credentials "app.terraform.io"' - cat ${HOME}/.terraformrc | grep 'token = "${{ env.TF_CLOUD_API_TOKEN }}"' + cat ${RUNNER_TEMP}/setup-terraform.tfrc | grep 'credentials "app.terraform.io"' + cat ${RUNNER_TEMP}/setup-terraform.tfrc | grep 'token = "${{ env.TF_CLOUD_API_TOKEN } terraform-credentials-enterprise: name: 'Terraform Enterprise Credentials' 
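Review bot: The rewritten "Validate Terraform Credentials" step still expands `${{ env.TF_CLOUD_API_TOKEN }}` into the script text and pipes `cat` into a plain `grep`, so a successful match prints the token line to the job log; the hunk at -146 repeats the same pattern. Whether that value is a fixture or a real secret is not visible here, but a check that reads the token from the step environment and stays quiet is safer either way: `grep -qF "token = \"${TF_CLOUD_API_TOKEN}\"" "${RUNNER_TEMP}/setup-terraform.tfrc"` (assuming the variable is exported to the step, as the `env` context suggests). Quoting the path also keeps the step working if the runner's temp directory contains spaces.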
@@ -146,17 +139,10 @@ jobs: cli_config_credentials_hostname: 'terraform.example.com' cli_config_credentials_token: ${{ env.TF_CLOUD_API_TOKEN }} - - name: Validate Terraform Credentials (Windows) - if: runner.os == 'Windows' - run: | - cat ${APPDATA}/terraform.rc | grep 'credentials "terraform.example.com"' - cat ${APPDATA}/terraform.rc | grep 'token = "${{ env.TF_CLOUD_API_TOKEN }}"' - - - name: Validate Teraform Credentials (Linux & macOS) - if: runner.os != 'Windows' + - name: Validate Terraform Credentials run: | - cat ${HOME}/.terraformrc | grep 'credentials "terraform.example.com"' - cat ${HOME}/.terraformrc | grep 'token = "${{ env.TF_CLOUD_API_TOKEN }}"' + cat ${RUNNER_TEMP}/setup-terraform.tfrc | grep 'credentials "terraform.example.com"' + cat ${RUNNER_TEMP}/setup-terraform.tfrc | grep 'token = "${{ env.TF_CLOUD_API_TOKEN }}"' terraform-credentials-none: name: 'Terraform No Credentials' @@ -171,15 +157,9 @@ jobs: - name: Setup Terraform uses: ./ - - name: Validate Terraform Credentials (Windows) - if: runner.os == 'Windows' - run: | - [[ -f ${APPDATA}/terraform.rc ]] || exit 0 - - - name: Validate Teraform Credentials (Linux & macOS) - if: runner.os != 'Windows' + - name: Validate Teraform Credentials run: | - [[ -f ${HOME}/.terraformrc ]] || exit 0 + [[ -f ${RUNNER_TEMP}/.terraformrc ]] || exit 0 terraform-arguments: name: 'Terraform Arguments' diff --git a/dist/index.js b/dist/index.js index 5965aac1..8a5542a0 100644 --- a/dist/index.js +++ b/dist/index.js 
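Review bot: The no-credentials check in the hunk at -171 now tests `${RUNNER_TEMP}/.terraformrc`, but according to the lib/setup-terraform.js change in this commit the action writes `setup-terraform.tfrc` in that directory, so the step looks at a file the action never creates. In addition, `[[ -f … ]] || exit 0` exits 0 whether or not the file exists, so the step cannot fail. If the intent is to assert that no credentials file is written when no token is supplied, `[[ ! -f "${RUNNER_TEMP}/setup-terraform.tfrc" ]]` states that directly. The new step name also keeps the "Teraform" typo that the other two renamed steps fixed.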
@@ -103,15 +103,15 @@ credentials "${credentialsHostname}" { }`.trim(); // eslint-enable - // default to OS-specific path - let credsFile = osPlat === 'win32' - ? `${process.env.APPDATA}/terraform.rc` - : `${process.env.HOME}/.terraformrc`; - - // override with TF_CLI_CONFIG_FILE environment variable - credsFile = process.env.TF_CLI_CONFIG_FILE ? process.env.TF_CLI_CONFIG_FILE : credsFile; + // set or use the TF_CLI_CONFIG_FILE environment variable + let credsFile = process.env.TF_CLI_CONFIG_FILE; + if (!credsFile) { + credsFile = path.join(process.env.RUNNER_TEMP, 'setup-terraform.tfrc'); + core.debug(`Default CLI config created as ${credsFile}`); + core.exportVariable('TF_CLI_CONFIG_FILE', credsFile); + } - // get containing folder + // create containing folder in case it doesn't exist const credsFolder = path.dirname(credsFile); core.debug(`Creating ${credsFolder}`); diff --git a/lib/setup-terraform.js b/lib/setup-terraform.js index 1e61d2c5..6c190a89 100644 --- a/lib/setup-terraform.js +++ b/lib/setup-terraform.js @@ -97,15 +97,15 @@ credentials "${credentialsHostname}" { }`.trim(); // eslint-enable - // default to OS-specific path - let credsFile = osPlat === 'win32' - ? `${process.env.APPDATA}/terraform.rc` - : `${process.env.HOME}/.terraformrc`; - - // override with TF_CLI_CONFIG_FILE environment variable - credsFile = process.env.TF_CLI_CONFIG_FILE ? process.env.TF_CLI_CONFIG_FILE : credsFile; + // set or use the TF_CLI_CONFIG_FILE environment variable + let credsFile = process.env.TF_CLI_CONFIG_FILE; + if (!credsFile) { + credsFile = path.join(process.env.RUNNER_TEMP, 'setup-terraform.tfrc'); + core.debug(`Default CLI config created as ${credsFile}`); + core.exportVariable('TF_CLI_CONFIG_FILE', credsFile); + } - // get containing folder + // create containing folder in case it doesn't exist const credsFolder = path.dirname(credsFile); core.debug(`Creating ${credsFolder}`);
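Review bot: In lib/setup-terraform.js, `path.join(process.env.RUNNER_TEMP, 'setup-terraform.tfrc')` throws a TypeError when RUNNER_TEMP is unset (for example when the module runs outside a runner, such as in local tests), and that error does not say which variable is missing. A guard before the join gives a usable message: `if (!process.env.RUNNER_TEMP) { throw new Error('RUNNER_TEMP is not set; set TF_CLI_CONFIG_FILE instead'); }`. The write itself is outside the hunk, so it is not visible whether the file is created with owner-only permissions; since it holds the API token, I would confirm it is written with mode `0o600`. dist/index.js carries the same lines as generated output and only needs a rebuild.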