crossplane-contrib / provider-terraform

A @crossplane provider for Terraform
Apache License 2.0

Private module repos not working #29

Closed wilhelmi closed 2 years ago

wilhelmi commented 2 years ago

Our current TF setup uses a number of modules hosted in private GitLab repos, and we are unable to get the modules to download.

Created a private access token and stored it in a secret; inspecting the secret and the rendered .git-credentials file in the controller looks good.

However we can't get the module downloaded.

Provider:

apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: terraform-provider
spec:
  package: crossplane/provider-terraform:v0.1.0-11.gd66466f

Note: I tried it with v0.1.2, it shows an event of CreatedExternalResource, however the expected resources never show up

Provider config:

apiVersion: tf.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
  name: default-terraform-gcp
spec:
  credentials:
  - filename: gcp-credentials.json
    source: Secret
    secretRef:
      namespace: crossplane-system
      name: gcp-credentials
      key: credentials
  - filename: .git-credentials # use exactly this filename
    source: Secret
    secretRef:
      namespace: crossplane-system
      name: git-credentials
      key: credentials
  configuration: |
      provider "google" {
        credentials = "gcp-credentials.json"

Workspace is configured like this:

apiVersion: tf.crossplane.io/v1alpha1
kind: Workspace
metadata:
  name: example-remote
  annotations:
    crossplane.io/external-name: example-remote
spec:
  providerConfigRef:
    name: default-terraform-gcp
  forProvider:
    source: Remote
        source = https://gitlab.com/full/path/repo.git?ref=main
        .....
      }

Status message: connect failed: cannot get remote Terraform module: error downloading 'https://gitlab.com/full/path/repo.git?ref=main': bad response code: 503

Note: real gitlab paths removed

What are we missing here to get this working?

wilhelmi commented 2 years ago

OK really stumped here, can't seem to get remote modules to work at all, even public ones.

Installed go-getter locally to isolate the problem; this succeeds:

$ go-getter 'git::https://github.com/wilhelmi/remote-module.git?ref=main' ./test-gh

Putting the same reference in the workspace such as:

apiVersion: tf.crossplane.io/v1alpha1
kind: Workspace
metadata:
  name: example-remote
  annotations:
    crossplane.io/external-name: example-remote
spec:
  forProvider:
    source: Remote
    module: git::https://github.com/wilhelmi/remote-module.git?ref=main

Returns this error message:

connect failed: cannot get remote Terraform module: error downloading 'https://github.com/wilhelmi/remote-module.git?ref=main': /usr/bin/git exited with 128: fatal: not a git repository (or any of the parent directories): .git

Using the source format listed in the examples

apiVersion: tf.crossplane.io/v1alpha1
kind: Workspace
metadata:
  name: example-remote
  annotations:
    crossplane.io/external-name: example-remote
spec:
  forProvider:
    source: Remote
    module: https://github.com/wilhelmi/remote-module

Yields

connect failed: cannot get remote Terraform module: error downloading 'https://github.com/wilhelmi/remote-module': no source URL was returned

wilhelmi commented 2 years ago

Made some headway, it appears to only work if a directory path is specified:

...
module: git::https://github.com/wilhelmi/remote-module.git//test?ref=main
...

Will succeed and run. However, this doesn't play very well with the standard Terraform directory structures for modules.

Seems to be related to: https://github.com/hashicorp/go-getter/issues/114

rajendragosavi commented 2 years ago

@wilhelmi - Thanks for the solution - kinda hard to understand this go-getter part, though we are still not able to clone the repo.
We are getting an error related to username and password not found.

Cloning into '/tmp/getter2795396505/temp'...\nfatal: could not read Username for 'https://github.devtools.predix.io': No such device or address\n"

We are creating the secret as per the docs.

Inside /tf/ nothing is there.

wilhelmi commented 2 years ago

@rajendragosavi are you running the latest version of the provider with the private repo credential code? Most of the examples reference a build without private repo support.

apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: terraform-provider
  namespace: crossplane-system
spec:
  package: crossplane/provider-terraform:master

The master tag was the key for me.

rajendragosavi commented 2 years ago

@wilhelmi Yes, I am running the latest version. How did you configure your git credentials? Actually, I have modified the code from base and am using my own multi-stage Docker image for testing. I had to install git inside my container.

This is my providerconfig:

apiVersion: tf.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
  name: name
spec:
  credentials:
  - filename:  .git-credentials
    secretRef:
      key: .git-credentials
      name: git-credentials
      namespace: central-namespace
    source: Secret
  - filename: aws-credentials
    secretRef:
      key: creds
      name: cf2-aws-creds
      namespace: central-namespace
    source: Secret
status: {}

wilhelmi commented 2 years ago

@rajendragosavi config looks like mine, extra space in - filename: .git-credentials causing problems by chance?

rajendragosavi commented 2 years ago

@wilhelmi - Yeah - that solved our problem. Sorry for the late reply. Thanks
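
A preflight check for the three things this thread traced failures to (a module source without the `git::` prefix or a `//subdir` part, a credentials filename that is not exactly `.git-credentials`, and no stored credential for the module's host), written here as an added example that is not code from provider-terraform or go-getter. `Preflight` is a hypothetical helper that assumes a private module, and the host and token in `main` are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Preflight (hypothetical helper) returns findings for a private module source,
// the ProviderConfig credentials filename, and the .git-credentials contents.
func Preflight(module, filename, creds string) []string {
	var f []string
	getter, rest, forced := strings.Cut(module, "::")
	if !forced || getter != "git" {
		f, rest = append(f, "module: no git:: prefix"), module
	}
	u, err := url.Parse(rest)
	if err != nil || u.Host == "" {
		return append(f, "module: not a URL with a host")
	}
	// "//" inside the path (not the one after the scheme) starts the subdirectory.
	if _, sub, _ := strings.Cut(u.Path, "//"); sub == "" {
		f = append(f, "module: no //subdir component")
	}
	if filename != ".git-credentials" {
		f = append(f, fmt.Sprintf("filename %q is not exactly .git-credentials", filename))
	}
	// Each credentials line has the form https://user:token@host.
	for _, line := range strings.Fields(creds) {
		if c, err := url.Parse(line); err == nil && c.User != nil && c.Host == u.Host {
			return f
		}
	}
	return append(f, "credentials: no entry for host "+u.Host) // host only, never the token
}

func main() {
	// Constructed sample: placeholder host and token, not values from the thread.
	creds := "https://oauth2:PLACEHOLDER_TOKEN@gitlab.example.com\n"
	fmt.Println(Preflight("git::https://gitlab.example.com/group/repo.git//test?ref=main", ".git-credentials", creds))
	fmt.Println(Preflight("https://gitlab.example.com/group/repo.git?ref=main", " .git-credentials", creds))
}
```

Findings name only the host, so the output can be pasted into an issue without exposing the stored token.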