2

I have a pipeline where I want to run terragrunt. So far I run everything locally and use SSH to authenticate against GitLab. Therefore, in my Terraform modules, I also use a git::ssh URL like below.

module "data_org" {
  source = "git::ssh://[email protected]/bar/xdf/terraform_modules.git//modules/data_org?ref=develop"
}

Now, I do not know how to port this to a GitLab pipeline. I would prefer using short-lived pipeline credentials like the GitLab job token, but do not know how to make use of it. Does anybody know how to use this with Terraform?

What I have come across already:

Update 2023-10-26 https: I tested git config --global url.https://gitlab-ci-token:${CI_JOB_TOKEN}@git.foobar.de.insteadOf ssh://[email protected] and got a bit further. Now I get the error "not found" for the repository, and I assume the problem is the .git suffix at the end. I do not know how to get rid of it yet but hope this is solvable.

3
  • Have you looked at using secrets? Commented Oct 25, 2023 at 20:13
  • I haven't tried with SSH, but with HTTPS this seems to be a plausible solution. You could add a stage before terraform init to update the ~/.gitconfig file. Commented Oct 26, 2023 at 7:35
  • To lxop: secrets for git may be an option but rather complex. This would be my last resort. To harashavmb: if this works with job tokens, this would be wonderful. I will try it out later in the day. Commented Oct 26, 2023 at 7:54

1 Answer

3

Credits to @harshavmb from the comment above for his recommendation of insteadOf which solved the problem.

The solution was twofold:

  • a) Using git config --global url.https://gitlab-ci-token:${CI_JOB_TOKEN}@git.foobar.de.insteadOf ssh://[email protected] so my ssh URL was rewritten to an HTTP one using the Gitlab job token to authenticate.
  • b) Allowing access needs to happen from the target repo's side, meaning I want to clone repo A but my pipeline and the job token are in repo B. To allow access, I have to allow it in repo A so B can "access" it. The settings are under Settings->CI/CD->Token Access.

2 Comments

Hey Lony, I think you could accept your own answer; it fits perfectly. Maybe also add a reference to @harshavamb's links, as it explains that .insteadOf is required and a reserved word for the command. I was a bit in doubt whether insteadOf was a mistake, an example or part of the command and had to go check his link to make sure.
Did so and hope it helps other readers as well. Thanks for your feedback!
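
The rewrite from the answer above, as an added example that is not part of the original posts: it writes the insteadOf rule to a job-local config file and shows which URL git resolves for a Terraform module source, without contacting the server and with the token masked. The function names are hypothetical, and the SSH user `git` and the host `gitlab.example.com` used to exercise it are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original posts. Function names are hypothetical;
# the SSH user "git" and the host passed in are assumptions.

# Write the insteadOf rule to a job-local config file (mode 600) instead of a
# shared ~/.gitconfig. GIT_CONFIG_GLOBAL needs Git 2.32 or newer.
setup_job_token_rewrite() {
  local host="$1" token="$2" base
  GIT_CONFIG_GLOBAL="$(mktemp)" || return 1
  export GIT_CONFIG_GLOBAL
  chmod 600 "$GIT_CONFIG_GLOBAL"
  base="https://gitlab-ci-token:${token}@${host}/"
  # ssh:// form (what git::ssh:// module sources use) and scp-like form.
  git config --global "url.${base}.insteadOf" "ssh://git@${host}/"
  git config --global --add "url.${base}.insteadOf" "git@${host}:"
}

# Approximate how Terraform splits a module source: drop the git:: prefix,
# the ?ref= query and the //subdir, leaving the URL that git will clone.
clone_url_from_source() {
  printf '%s\n' "$1" |
    sed -E 's#^git::##; s#\?.*$##; s#^([a-z]+://[^/]+/.*)//.*$#\1#'
}

# Print the URL git resolves after insteadOf rewriting. --get-url does not
# contact the remote. The token is masked so the output is safe for job logs.
resolved_url() {
  git ls-remote --get-url "$1" |
    sed -E 's#(gitlab-ci-token:)[^@]*@#\1***@#'
}

# Inside a GitLab job, configure the rewrite before terraform/terragrunt runs.
if [ -n "${CI_JOB_TOKEN:-}" ] && [ -n "${CI_SERVER_HOST:-}" ]; then
  setup_job_token_rewrite "$CI_SERVER_HOST" "$CI_JOB_TOKEN"
fi
```

The rewritten URL keeps its `.git` suffix. A "not found" error after the rewrite points to point b) of the answer: the module repository has to allow the pipeline's project under Settings->CI/CD->Token Access.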
