Pull terraform module sourced through git with credential in infrastructure provisioner

Hello Everybody.


In this article we discuss how to pull Terraform modules sourced through Git with credentials in the Infrastructure Provisioner, for Terraform code that includes modules sourced from a Git project which requires credentials.

For example:

```hcl
module "cdb" {
  source = "git::https://${var.git_user}:${var.git_password}@github.com/org/privatemodules//modules/foo"
}
```

The Git project at https://git.labs.org_name.com/terraform/modules/tf-nginx.git expects a set of credentials, or a token, when pulled.

In environments outside of Harness, the Terraform module pull is made possible with Git configs, such as the one below:

`git config --global url."https://git:${GIT_TOKEN}@git.labs.<org_name>.com".insteadOf https://git.labs.<org_name>.com`

However, this is not a supported feature in the Terraform Provision step in a workflow. Technically we could run the command in a Bash script step to make it work, but a global Git config on the delegate effectively allows all the Git commands from other users' scripts to use this token, which is a big security hole.

We need to adjust the module source to use Git over SSH instead, for example:

   - `git@github.com:pipe-cd/manifests.git/kustomization/helloworld?ref=v0.1.2-15`

Steps to make the Terraform provisioner work:

  1. We need an SSH key that can access the referenced Git repo. Take that and base64 encode it:

    cat private_key.pem | base64

  2. Store the encoded value in a Harness encrypted text secret.

  3. Create this delegate profile. Feel free to make adjustments where needed between the EOF markers if the host is not github.com:

```bash
echo "Installing git..."
apt-get -y install git

mkdir -p ~/.ssh
cd ~/.ssh

# The Harness secret holds the base64-encoded private key from step 1
echo ${secrets.getValue("ken_kustomize_github_ssh")} | base64 -d > ~/.ssh/id_harness
chmod 400 ~/.ssh/id_harness

cat <<EOF > ~/.ssh/config
Host github.com
User git
Hostname github.com
IdentityFile ~/.ssh/id_harness
EOF

# Pin the host keys for the hostname and each of its resolved addresses
(host=github.com; ssh-keyscan -H $host; for ip in $(dig $host +short); do ssh-keyscan -H $host,$ip; ssh-keyscan -H $ip; done) 2> /dev/null > ~/.ssh/known_hosts
```
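The delegate profile above writes the key and SSH config inline. As an added example (not part of the original post or of Harness), the script below wraps the same steps in reusable functions so they can be checked before a delegate is put into service: the key is written under a restrictive umask, the SSH config uses `IdentitiesOnly` and `StrictHostKeyChecking` so only this key is offered and only a pinned host key is accepted, and a verify function confirms the file mode and config contents. The directory, the `id_harness` file name and the base64 secret value are assumptions; in Harness the secret would come from `${secrets.getValue("...")}` as in the post.

```shell
#!/bin/sh
# Added example, not from the original post: prepare a per-delegate SSH
# identity for Git-sourced Terraform modules without persisting a token in
# the global git config. Paths, file names and the secret value are assumed.
set -eu

# Write the decoded private key and a pinned SSH client config under $1.
# $2 is the base64-encoded private key (from a Harness encrypted text secret
# in the real delegate profile); $3 is the Git host, e.g. github.com.
install_git_ssh_identity() {
  ssh_dir="$1"
  key_b64="$2"
  git_host="$3"

  mkdir -p "$ssh_dir"
  chmod 700 "$ssh_dir"

  # umask 077 so the key is never group/world readable, even momentarily
  (umask 077; printf '%s' "$key_b64" | base64 -d > "$ssh_dir/id_harness")
  chmod 400 "$ssh_dir/id_harness"

  # IdentitiesOnly stops ssh from offering other keys or agent identities;
  # StrictHostKeyChecking rejects any host key not already pinned in
  # known_hosts (populated by pin_host_key below).
  cat > "$ssh_dir/config" <<EOF
Host $git_host
  User git
  Hostname $git_host
  IdentityFile $ssh_dir/id_harness
  IdentitiesOnly yes
  StrictHostKeyChecking yes
  UserKnownHostsFile $ssh_dir/known_hosts
EOF
  chmod 600 "$ssh_dir/config"
}

# Populate the pinned host key file for $2 under $1. Run this once from a
# trusted network position: ssh-keyscan records whatever key the host
# presents, so it must not be the first contact from an untrusted path.
pin_host_key() {
  ssh-keyscan -H "$2" > "$1/known_hosts" 2>/dev/null
  chmod 600 "$1/known_hosts"
}

# Returns 0 when the key file is mode 400 and the config pins host $2 with
# IdentitiesOnly; returns 1 otherwise. Works with GNU and BSD stat.
verify_git_ssh_identity() {
  ssh_dir="$1"
  git_host="$2"
  mode=$(stat -c '%a' "$ssh_dir/id_harness" 2>/dev/null || stat -f '%Lp' "$ssh_dir/id_harness")
  [ "$mode" = "400" ] || return 1
  grep -q "^Host $git_host\$" "$ssh_dir/config" || return 1
  grep -q "IdentitiesOnly yes" "$ssh_dir/config" || return 1
  grep -q "StrictHostKeyChecking yes" "$ssh_dir/config" || return 1
}
```

On a delegate you would call `install_git_ssh_identity ~/.ssh "$KEY_B64" github.com`, then `pin_host_key ~/.ssh github.com`, then `verify_git_ssh_identity ~/.ssh github.com` and fail the profile if it returns non-zero. Because nothing is written to the global git config, other scripts on the delegate cannot reuse a token through `insteadOf`, and the SSH key is only offered to the host named in the config.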

Also, this would not affect other operations, as we use JGit to make connections for the other Git connectors in Harness (to support multiple Git repos and multiple keys). What we are doing here is configuring a local SSH key (or token) for the Git client, which is why we install it as part of the script. Without it installed, Harness still works, as we use the JGit library.
