MatthewJohn / terrareg

Open source Terraform module registry with UI, optional Git integration and deep analysis
https://gitlab.dockstudios.co.uk/pub/terrareg
GNU General Public License v3.0
268 stars 20 forks

Unable to use published module in terraform with token auth #56

Closed saterrrr closed 6 days ago

saterrrr commented 1 month ago

Hey, I'm trying to use a module that I uploaded and published on a local terrareg instance, and what is happening is very strange to me. The terraform init works with the source code below:

source = "terrareg.admin.url/__namespace/postgresql/gcp"

and this one below doesn't:

source = "terrareg.admin.url/xxxxxx.deploy1.xxxxxxxxxxxxx__namespace/postgresql/gcp"

What is also interesting to me is that I have this value ALLOW_UNAUTHENTICATED_ACCESS set to "False", which to my understanding should prevent unauthenticated access such as the one in the first example that works.

Below I have attached the full code causing the described issue:

module "postgresql" {
  source  = "terrareg.admin.url/xxxxxx.deploy1.xxxxxxxxxxxxx__namespace/postgresql/gcp"
  version = "1.0.0"

  gcp = "asdf"
  k8s_master_ca_certificate = "asdf"
  k8s_master_endpoint = "asdf"
  network = "asdf"
  resource_prefix = "asdf"
}

Here is the error I'm getting:

terraform init

Initializing the backend...
Initializing modules...
╷
│ Error: Error accessing remote module registry
│ 
│   on main.tf line 1:
│    1: module "postgresql" {
│ 
│ Failed to retrieve available versions for module "postgresql" (main.tf:1) from terrareg.admin.url: error looking up
│ module versions: 401 UNAUTHORIZED 

and env variables:

ANALYTICS_AUTH_KEYS: "xxxxxx.deploy1.xxxxxxxxxxxxx"
ALLOW_UNAUTHENTICATED_ACCESS: "False"
ALLOW_UNIDENTIFIED_DOWNLOADS: "False"
EXAMPLE_ANALYTICS_TOKEN: "test_terrareg"
INTERNAL_EXTRACTION_ANALYTICS_TOKEN: ""

I hope I haven't misread the documentation and I'm indeed doing everything as intended.

MatthewJohn commented 1 month ago

Created gitlab issue: https://gitlab.dockstudios.co.uk/pub/terrareg/-/issues/534 gitlab-issue-id:534

MatthewJohn commented 1 month ago

Hey @saterrrr,

Which version of Terraform are you using? The only reason I ask is that, since ~1.x.x, I think Terraform should print the body of the error (as opposed to just 403).

With regards to the tokens, there's a key difference between analytics tokens and authentication tokens.

The analytics token, which is enforced using ALLOW_UNIDENTIFIED_DOWNLOADS, is the token in the module source URL:

module "postgresql" {
  # E.g. exampletoken here
  source  = "terrareg.admin.url/exampletoken__namespace/postgresql/gcp"
  version = "1.0.0"

  gcp = "asdf"
  k8s_master_ca_certificate = "asdf"
  k8s_master_endpoint = "asdf"
  network = "asdf"
  resource_prefix = "asdf"
}

Authentication, which is enforced using ALLOW_UNAUTHENTICATED_ACCESS, is configured in the ~/.terraformrc file, e.g.:

credentials "terrareg.admin.url" {
  token = "authtokenhere"
}

This is also where the ANALYTICS_AUTH_KEYS can be used, as well as using terraform login terrareg.admin.url to authenticate via the Terraform IDP.

I'll test out the use-cases you've suggested to see if I can reproduce them.

Many thanks Matt
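
The two token locations described in the comment above, as an added example that is not part of the original thread or terrareg's own code: a pre-flight check that splits the analytics token out of a module source and looks for a credentials block for the same host. The function names and the regex-based reading of the CLI config are assumptions, and the sample inputs are constructed from the snippets in this thread.

```python
import re

# Constructed sample inputs, modelled on the snippets in this thread.
SOURCE = "terrareg.admin.url/exampletoken__namespace/postgresql/gcp"
TERRAFORMRC = '''
credentials "terrareg.admin.url" {
  token = "authtokenhere"
}
'''

def split_source(source):
    """Split <host>/<analytics token>__<namespace>/<name>/<provider>."""
    parts = source.split("/")
    if len(parts) != 4:
        raise ValueError("expected host/namespace/name/provider")
    host, first, name, provider = parts
    # The analytics token, when present, precedes the first "__" in the
    # namespace segment of the module source.
    token, sep, namespace = first.partition("__")
    if not sep:
        token, namespace = "", first
    return {"host": host, "analytics_token": token, "namespace": namespace,
            "name": name, "provider": provider}

def credentials_hosts(cli_config):
    """Return hosts that have a credentials block with a non-empty token.

    Approximate: handles the simple block form shown in the thread,
    not arbitrary HCL.
    """
    pattern = re.compile(
        r'credentials\s+"([^"]+)"\s*\{[^}]*?\btoken\s*=\s*"([^"]+)"')
    return {host for host, _token in pattern.findall(cli_config)}

def preflight(source, cli_config):
    """List what is missing on the client side before terraform init."""
    info = split_source(source)
    findings = []
    if not info["analytics_token"]:
        findings.append("no analytics token in module source")
    if info["host"] not in credentials_hosts(cli_config):
        findings.append("no credentials block for " + info["host"])
    return findings

if __name__ == "__main__":
    for src in (SOURCE, "terrareg.admin.url/__namespace/postgresql/gcp"):
        print(src, "->", preflight(src, TERRAFORMRC) or "ok")
```
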

MatthewJohn commented 1 month ago

@saterrrr Any luck with this? :)

MatthewJohn commented 6 days ago

@saterrrr

I'm going to close for now - please re-open if you have further issues

Matt