0
votes

I've created a terraform module in a private gitlab repo. A terraform resource in another repo needs to use this module.

module "my_module" {
  source = "git::https://gitlab.example.com/my-repo.git"
}

This works locally, but doesn't in our CI pipeline because it needs a username and password. So I've generated a pair and tried this:

module "email_sns" {
  source = "git::https://${var.username}:${var.password}@gitlab.example.com/my-repo.git"
}

This doesn't work because terraform doesn't allow variables in source.

The only option left, afaik, is to use a git credential helper and add the username and password to it. But the store helper stores them as plain text. I don't want this. I can see that there's an option to use cache as the helper, but how do I store the username and password into it in the CI? Or is there an alternative approach to this problem?

1
You indeed do need to be handling this in the pipeline and not within the TF config. As for the plain text concern, there are multiple secrets management solutions available to avoid that problem. - Matt Schuchard

1 Answer

0
votes

You have to use ssh keys for that. Create a new key in the repo with the terraform module, and then add this key to the runner that executes the module. You can find more details on how to create an ssh key on the Gitlab documentation page.

It would also mean that you should switch the source string from https to ssh in order to get it working.
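
One way the runner-side setup for this answer can look, as an added example that is not part of the original answer. The variable names `MODULE_DEPLOY_KEY` and `MODULE_KNOWN_HOSTS` and the function name are assumptions; the job would call the function before `terraform init`.

```shell
# Added example, not from the original post. MODULE_DEPLOY_KEY and
# MODULE_KNOWN_HOSTS are hypothetical masked CI variables: a read-only
# deploy key for the module repo and the GitLab host's pinned public key.
#
# Terraform source to pair with it (ssh instead of https):
#   source = "git::ssh://git@gitlab.example.com/my-repo.git"

setup_module_ssh() {
  local dir
  local key_body
  dir="$1"

  # Fail closed: with no key or no pinned host key the fetch should break,
  # not fall back to StrictHostKeyChecking=no.
  [ -n "${MODULE_DEPLOY_KEY:-}" ] || { echo "MODULE_DEPLOY_KEY is empty" >&2; return 1; }
  [ -n "${MODULE_KNOWN_HOSTS:-}" ] || { echo "MODULE_KNOWN_HOSTS is empty" >&2; return 1; }
  case "$MODULE_DEPLOY_KEY" in
    "-----BEGIN "*"PRIVATE KEY-----"*) ;;
    *) echo "MODULE_DEPLOY_KEY does not look like a private key" >&2; return 1 ;;
  esac

  # CI variable handling often adds CRs or drops the final newline, and
  # OpenSSH can then refuse to load the key. Normalise to LF + one newline.
  key_body=$(printf '%s' "$MODULE_DEPLOY_KEY" | tr -d '\r')

  # Subshell umask: files are created owner-only, never briefly readable.
  (
    umask 077
    mkdir -p "$dir" || exit 1
    printf '%s\n' "$key_body" > "$dir/deploy_key" || exit 1
    printf '%s\n' "$MODULE_KNOWN_HOSTS" > "$dir/known_hosts" || exit 1
  ) || return 1
  chmod 700 "$dir" || return 1
  chmod 600 "$dir/deploy_key" "$dir/known_hosts" || return 1

  # Git runs this instead of plain ssh for `terraform init` module fetches.
  # IdentitiesOnly stops ssh offering any other key present on the runner.
  export GIT_SSH_COMMAND="ssh -i '$dir/deploy_key' -o IdentitiesOnly=yes \
-o StrictHostKeyChecking=yes -o UserKnownHostsFile='$dir/known_hosts'"
}
```

Because the key lives in a CI variable and is written to an owner-only file for the duration of the job, nothing is committed to the repo or left in a plain-text credential store.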