MatthewJohn / terrareg

Open source Terraform module registry with UI, optional Git integration and deep analysis
https://gitlab.dockstudios.co.uk/pub/terrareg
GNU General Public License v3.0
269 stars 21 forks

Failed to download module #64

Open sebastiencaty opened 3 days ago

sebastiencaty commented 3 days ago

I've configured terrareg (v3.12) to force auth on all users and download. I have configured the following vars:

PUBLIC_URL=https://internal.domain
DOMAIN_NAME=internal.domain
ADMIN_AUTHENTICATION_TOKEN=secret
ALLOW_UNAUTHENTICATED_ACCESS=False
TERRAFORM_PRESIGNED_URL_SECRET=secret
TERRAFORM_OIDC_IDP_SUBJECT_ID_HASH_SALT=secret
TERRAFORM_OIDC_IDP_SIGNING_KEY_PATH=/path/to/key.pem
DISABLE_ANALYTICS=True
ALLOW_MODULE_HOSTING=Enforce
DEFAULT_TERRAFORM_VERSION=1.9.5

Got a few modules uploaded (using S3 for storage).

I can run the following command successfully : terraform login internal.domain. Browser pops up, I can login using the value from ADMIN_AUTHENTICATION_TOKEN and terraform sets the auth token properly in ~/.terraform.d/credentials.tfrc.json

However when running terraform init I get the following error message :

Error: Failed to download module
Could not download module "module" from https://internal.domain/v1/terrareg/modules/namespace/module/provider/version/source.zip//modules/module?presign=xxxxxxxxxxxxxxxxxxxx: bad response code: 403.

Without auth terraform init works fine but I wanted to require some auth quickly before going for OIDC.

Should this work? Am I missing some conf?

MatthewJohn commented 2 days ago

Hey Sebastien,

Sorry that you’re experiencing these issues. I would recommend enabling debug and then going to the URL in the browser to see the error that you get from the 403 (I believe terraform should show you the body - are you using an old version of terraform (pre-1?), as I believe this didn’t show the response body).

Matt


sebastiencaty commented 2 days ago

This DEFAULT_TERRAFORM_VERSION=1.9.5 should set terraform to version 1.9.5?

Interesting, following the URL, I get a 404.

https://internal.domain/v1/terrareg/modules/namespace/module/provider/version/source.zip//modules/module?presign=xxxxxxxxxxxxxxxxxxxx

But this works (get a presign key error)

https://internal.domain/v1/terrareg/modules/namespace/module/provider/version/source.zip?presign=xxxxxxxxxxxxxxxxxxxx

If I set ALLOW_UNAUTHENTICATED_ACCESS=False, then terraform init downloads the module and terraform plan works as expected.

URL not generated correctly?

I have used the terraform provider to create all the namespaces and modules. git_path is defined as : /modules/{module} git_tag_format : {version}

From the web interface everything looks good. I can see all namespaces/modules/version releases. Source code URL goes right to the module source, usage example looks good and works for unauthenticated access.

MatthewJohn commented 2 days ago

I’m afraid I’m travelling atm. But yes, that URL is wrong. I think it was broken in a recent release, so for now I think downgrading to v3.7.1 should fix your issue. I’m afraid I’ll take a look at fixing tomorrow - apologies!

Matt


MatthewJohn commented 2 days ago

For info, the generated url, I suspect, should be

…./download?signingkey=abcsnne//path/to/module

As a result of the signing key being on the end, terraform is not treating the module path as such and is just passing it to the request to terrareg


sebastiencaty commented 2 days ago

Rolling back is a bit of a pain since the current database isn't backwards compatible to 3.7.1

I'll wait for when you get a chance to fix this. Happy to help debug and test.