1

We're working with BitBucket and we decided to move our modules to a different repository. Now I would like to use a PAT for cloning the repo.

Example:

```hcl
module "vpc" {
  source            = "git::ssh://git@<URL>/<Project>/<Repo>.git//bla/bla2"
  module_enabled    = var.create_vpc
  region            = var.region
  deploy_name       = var.deploy_name
  vpc_cidr          = var.vpc_cidr
  subnet_prefixes   = var.subnet_prefixes
  ssh_source_ranges = var.ssh_source_ranges
  environment       = var.environment
  subnet_names      = var.subnet_names
  //  app_names              = "${var.app_names}"
  //  natgw_private_ip       = "${module.natgw.private_ip}"
  //  nat_subnets            = "${var.nat_subnets}"
}
```

I need to use an env variable to add the PAT to the git URL.

I tried to do something like:

```hcl
"git::ssh://${blabla}@<URL>/<Project>/<Repo>.git//bla/bla2"
```

And got this error: "Interpolations are not allowed in module source"

Update #1: Just to clarify, the URL without the PAT variable is working fine.

More info: TF version: 0.12.20

Thanks, Amit

Amit Daniel

2 Answers

3

You can't use anything other than refs (like tags, etc.) in a module source line. It does not allow variables, for example.

The reason for this is that the module source is looked at before the variables are. If you're trying to use a subdirectory from a git repository - which is what it looks like, you have two options:

  1. Use a local-exec provisioner to clone the repo - although I've never done this and would need to test to ensure the proper order

  2. Place your module in its own repository (the right answer)

  • Not sure I understand. All our modules are located on a different repo with sub-directories. Are you saying that I need to put every module in a different repo? – Amit Daniel Oct 20 '20 at 16:41
  • If that's the case - I still need to use the PAT token. The issue is not with the subdirectory, it is that I'm running Terraform on a Docker image and I need the PAT for the git authentication. – Amit Daniel Oct 20 '20 at 16:42
  • Well, TIL something new. All you need for ssh type is an ssh key installed. Can you generate one with `ssh-keygen` and then upload the public key to your allowed ssh keys list in your vcs host? –  Oct 20 '20 at 16:48
  • PAT is used for https based authentication, in my experience. You can pass your http username/password by many methods, https://git-scm.com/book/en/v2/Git-Tools-Credential-Storage –  Oct 20 '20 at 16:49
  • Yes, but is it possible to add an ENV VARIABLE in the terraform module block? – Amit Daniel Oct 20 '20 at 17:07
  • To use in the URL of the module source? Not that I'm aware of. Generating a private/public ssh key and copying the private key to the image, and setting the public key on the server is a proper way. Another way is to set the credentials at runtime with the git credential storage. –  Oct 20 '20 at 17:10
  • https://www.terraform.io/docs/modules/sources.html#generic-git-repository –  Oct 20 '20 at 17:12
  • This might help you resolve your PAT issue by using the git credential store: https://stackoverflow.com/questions/54882862/git-credential-manager-and-manually-created-pat –  Oct 20 '20 at 17:13
0

When Terraform retrieves module source code from a Git repository, it runs the git command directly with the intent that it will then be able to pick up the credentials you have in your surrounding environment, which would normally allow you to run git directly without explicitly providing credentials. Terraform should generally not be handling your Git credentials directly.

If you are running Terraform in an automated system then you might need to configure a different credentials storage method to give Git access to the credentials.

Martin Atkins
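
One way to hand Git a PAT from the environment in a Docker image is a credential helper, shown here as an added example that is not part of either answer or of Terraform; the module source then stays a plain `git::https://...` URL with no secret in it. The variable names `GIT_PAT_HOST`, `GIT_PAT_USER` and `GIT_PAT_TOKEN` and the install path in the comment are assumptions.

```shell
#!/bin/sh
# Added example: Git credential helper that serves a PAT from the environment.
# GIT_PAT_HOST, GIT_PAT_USER and GIT_PAT_TOKEN are hypothetical variable names.
#
# Wiring inside the image, once, before `terraform init` (path is hypothetical):
#   git config --global credential.helper /usr/local/bin/git-credential-envpat
# The token is injected at container start and never written to the
# Terraform code, the image layers or ~/.gitconfig.

pat_credential_get() {
    # Git sends "key=value" lines on stdin, ended by a blank line or EOF.
    protocol=""
    host=""
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && break
        case "$line" in
            protocol=*) protocol=${line#protocol=} ;;
            host=*)     host=${line#host=} ;;
        esac
    done

    # Answer only HTTPS requests, so the token never travels in clear text.
    [ "$protocol" = "https" ] || return 0
    # Answer only for the one configured host (exact match, including any
    # port), so a module source pointing elsewhere cannot obtain the token.
    [ -n "${GIT_PAT_HOST:-}" ] && [ "$host" = "$GIT_PAT_HOST" ] || return 0
    # No token in the environment: stay silent and let Git fail normally.
    [ -n "${GIT_PAT_TOKEN:-}" ] || return 0

    printf 'username=%s\npassword=%s\n' "${GIT_PAT_USER:-}" "$GIT_PAT_TOKEN"
}

# Git runs the helper as "<helper> get|store|erase". Only "get" is answered;
# "store" and "erase" are ignored, so nothing is persisted to disk.
case "${1:-}" in
    get) pat_credential_get ;;
esac
```

Which username goes with the token depends on the Git host, so check its documentation before setting `GIT_PAT_USER`.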