4
votes

I am trying to use my private git repo as the source for Terraform modules.

The SSH public key has been copied over to GitHub.

Tried following options as source but nothing worked:

Any help is greatly appreciated.

Referring to the Private GitHub Repos section at the following link didn't help either: https://github.com/alibaba/terraform-provider/blob/master/vendor/github.com/hashicorp/terraform/website/docs/modules/sources.html.markdown

Private GitHub Repos

If you need Terraform to fetch modules from private GitHub repos, you must provide Terraform with credentials to authenticate as a user with read access to those repos.

If you run Terraform only on your local machine, you can specify the module source as an SSH URI (like git@github.com:hashicorp/example.git) and Terraform will use your default SSH key to authenticate.

If you use Terraform Enterprise, you can use SSH URIs. You'll need to add an SSH private key to your organization and assign it to any workspace that fetches modules from private repos. See the Terraform Enterprise docs about SSH keys for cloning modules.

If you need to run Terraform on a remote machine like a CI worker, you either need to write an SSH key to disk and set the GIT_SSH_COMMAND environment variable appropriately during the worker's provisioning process, or create a GitHub machine user with read access to the repos in question and embed its credentials into the modules' source parameters:

module "private-infra" {
  source = "git::https://MACHINE-USER:MACHINE-PASS@github.com/org/privatemodules//modules/foo"
}

Note that Terraform does not support interpolations in the source parameter of a module, so you must hardcode the machine username and password if using this method.


4 Answers

2
votes

This worked for me

module "name_of_module" {
  source = "git::https://<user>:<pat>@github.com/folder/terraform-azure-core-resource-group.git"
  ...
}

1
votes

Tested on Bitbucket. It should be the same on GitHub:

source = "git::https://@bitbucket.com/mycompany/my-project.git"

1
votes

Things needed:

  • A GitHub machine account (Note: This is not much different from a regular GitHub account functionally; it is referred to as "machine" based on the intended usage). See machine users.
  • An SSH key. Note: I used RSA. Example on how to generate one:
$ ssh-keygen -t rsa -b 4096 -C "[email protected]"

Note: If you configure the organizational secret to be available to specific repos, be sure to specify the repo that has the Terraform code that you are attempting to import.

  • Then, in your GitHub Action YAML file, add the code that adds the private SSH key to the runner's SSH agent, to be able to clone the Terraform module that is in a private GitHub repo. Example:
      - name: Terraform Init
        id: init
        run: terraform init
        env:
          GIT_SSH_COMMAND: "echo '${{ secrets.ORG_PRIVATE_SSH_KEY }}' > id_rsa
          && ssh-keyscan github.com > known_hosts
          && chmod 600 id_rsa known_hosts
          && ssh -i ./id_rsa -o UserKnownHostsFile=./known_hosts"

      - name: Terraform Plan
        id: plan
        if: github.event_name == 'pull_request'
        run: terraform plan -no-color
        continue-on-error: true
        env:
          GIT_SSH_COMMAND: "echo '${{ secrets.ORG_PRIVATE_SSH_KEY }}' > id_rsa
          && ssh-keyscan github.com > known_hosts
          && chmod 600 id_rsa known_hosts
          && ssh -i ./id_rsa -o UserKnownHostsFile=./known_hosts"

Reference/Credit: https://github.com/hashicorp/setup-terraform/issues/33

Note: There appear to be many ways to do such things when googling, but I labored over this for weeks trying the various options and ultimately was able to do it with this, AND I understood how it worked. :) I encourage feedback.

0
votes

This worked for me:

  1. Set up your SSH keys; make sure that your ~/.ssh/config file has a block like this:
Host USERNAME.github.com
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_rsa
  2. Add this to your .tf file:
module "name_of_module" {
  source = "[email protected]:USERNAME/REPONAME.git//SUBDIR"
  ...
}
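
The machine-user and PAT approaches on this page put a secret inside the `source` string, and because Terraform does not interpolate that argument the secret ends up committed with the configuration. As an added example (not part of the question or any answer), the Python check below flags module sources that embed credentials and redacts them in its report; the sample configuration, the token name and the finding labels are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Matches a Terraform argument of the form: source = "..."
SOURCE_RE = re.compile(r'^[ \t]*source[ \t]*=[ \t]*"([^"]+)"', re.MULTILINE)

def check_source(source):
    """Return (finding, redacted_source), or None when nothing is embedded."""
    # Drop a forced-getter prefix such as git:: before parsing the URL.
    getter = re.match(r"[a-z0-9]+::", source)
    url = source[getter.end():] if getter else source
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or "@" not in parts.netloc:
        return None  # scp-style SSH, registry address or local path
    userinfo = parts.netloc.rsplit("@", 1)[0]
    if not userinfo:
        return None  # empty userinfo, e.g. https://@host/...
    # user:password versus a bare token or user name before the @
    finding = "password-in-url" if ":" in userinfo else "token-or-user-in-url"
    # Redact so the report itself does not repeat the secret.
    return finding, source.replace(userinfo + "@", "<redacted>@", 1)

def scan(tf_text):
    """Return [(line_number, finding, redacted_source)] for a .tf file's text."""
    findings = []
    for m in SOURCE_RE.finditer(tf_text):
        result = check_source(m.group(1))
        if result:
            line = tf_text.count("\n", 0, m.start(1)) + 1
            findings.append((line, *result))
    return findings

# Constructed sample configuration (not taken from any real repository).
SAMPLE = '''\
module "private-infra" {
  source = "git::https://MACHINE-USER:MACHINE-PASS@github.com/org/privatemodules//modules/foo"
}
module "token_only" {
  source = "git::https://EXAMPLE-TOKEN@github.com/org/privatemodules.git"
}
module "over_ssh" {
  source = "git@github.com:org/privatemodules.git//modules/foo"
}
'''

if __name__ == "__main__":
    for line, finding, redacted in scan(SAMPLE):
        print(f"line {line}: {finding}: {redacted}")
```

Run as a pre-commit or CI step over each `.tf` file, a non-empty result from `scan` is a reason to fail the build and move the credential to SSH keys or a git credential helper.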