diggerhq / digger

Digger is an open source IaC orchestration tool. Digger allows you to run IaC in your existing CI pipeline ⚡️
https://digger.dev
Apache License 2.0

Allow accessing private terraform modules (github) #296

Open frank-bee opened 1 year ago

frank-bee commented 1 year ago

Currently, in any github pipeline where you run terraform and access private modules, this is very ugly. You have to do something like this in your pipeline:

      - name: Set git config
        run: |
          /usr/bin/git config --global --add url."https://${{ secrets.GH_PAT_TOKEN }}@github.com/MY_ORG".insteadOf https://github.com/MY_ORG

Would be great to handle this "natively" in digger.

Related also to #219 (when running digger locally you also need access to all module repos)

motatoes commented 1 year ago

Ah indeed this is a good case to handle. Just dropping this here since it seems related to the issue: https://github.com/diggerhq/digger/issues/111#issuecomment-1514838828

frank-bee commented 1 year ago

@motatoes Atlantis implementation for that was done in this PR: https://github.com/runatlantis/atlantis/pull/711

frank-bee commented 1 year ago

I found a way to access private repos with digger (or any other terraform github workflow). Just want to share it here (replace with your github org):

name: Digger (Terraform)

on:
  pull_request:
    branches: [ "main" ]
    types: [ closed, opened, synchronize, reopened ]
  issue_comment:
    types: [created]
  workflow_dispatch:

jobs:
  build:
    # 'if' is not a valid key under an 'on:' trigger, so the comment filter lives on the job instead
    if: github.event_name != 'issue_comment' || contains(github.event.comment.body, 'digger')
    runs-on: ubuntu-latest
    permissions:
      # To allow checkout of this project
      contents: read

      # To allow Digger to access PRs
      issues: write
      pull-requests: write
    steps:
      # Create a temporary token from the GitHub App installed in the org.
      # (The app needs read access to all private terraform module repos in the org.)
      # This token is used in the next step to allow cloning terraform module repos.
      - name: Get Token
        id: get_workflow_token
        uses: peter-murray/workflow-application-token-action@v2
        with:
          application_id: ${{ secrets.DIGGER_APPLICATION_ID }}
          application_private_key: ${{ secrets.DIGGER_APPLICATION_PRIVATE_KEY }}
          organization: <my org>

      # allow terraform to download our private modules
      - name: Set git config
        run: |
          /usr/bin/git config --global --add url."https://github:$GITHUB_TOKEN_READ_REPOS@github.com/<my org>".insteadOf https://github.com/<my org>
        env:
          GITHUB_TOKEN_READ_REPOS: ${{ steps.get_workflow_token.outputs.token }}

      - name: digger run
        uses: diggerhq/digger@v0.1.21
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # here the workflow token is used implicitly
          GITHUB_OWNER: <my org>

motatoes commented 1 year ago

Thank you so much for sharing this @frank-bee, we will adopt something similar when we get to implementing support for digger for sure!

frank-bee commented 11 months ago

Any news here?

motatoes commented 11 months ago

Hey @frank-bee, I haven't had a look at this, but it looks like the atlantis-inspired implementation is the way to go. I'll take a look at this, but I've got a lot on my plate right now, so it might be a bit of time.

ebuildy commented 3 months ago

You can use env variables to configure git credentials. I think this is even more secure; see my blog post at https://dev.to/ebuildy/use-terraform-module-from-a-private-git-project-with-atlantis-18ak

GIT_CONFIG_COUNT=1
GIT_CONFIG_KEY_0="credential.https://gitlab.com/company/terraform.helper"
GIT_CONFIG_VALUE_0=!f() { echo "username=${ATLANTIS_GITLAB_USER}"; echo "password=${ATLANTIS_GITLAB_TOKEN}"; }; f
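An added example, not code from the digger project or from anyone in this thread, that wires the GIT_CONFIG_* credential-helper approach from the comment above into a shell step for a GitHub org and checks that the token never lands on disk; the variable name MODULES_TOKEN, the org name my-org and the token value are assumptions made up for the demo:

```shell
#!/bin/sh
# Added example (not from the digger project): hand a GitHub token to git through an
# environment-driven credential helper instead of an insteadOf rewrite, so the token
# is never written into ~/.gitconfig on the runner. MODULES_TOKEN is a hypothetical
# variable name and its value below is a constructed placeholder.

configure_module_credentials() {
  org="$1"
  # git runs a "!..." helper as a shell command for every credential lookup; the
  # function reads the token from the environment at call time, so the config
  # itself (env vars here, never a file) contains no secret.
  GIT_CONFIG_COUNT=1
  GIT_CONFIG_KEY_0="credential.https://github.com/${org}.helper"
  GIT_CONFIG_VALUE_0='!f() { echo "username=x-access-token"; echo "password=${MODULES_TOKEN}"; }; f'
  export GIT_CONFIG_COUNT GIT_CONFIG_KEY_0 GIT_CONFIG_VALUE_0
}

# Invoke the configured helper the way git does (strip the leading "!", append the
# "get" action, feed the request on stdin) and print the password it answers with.
# Lets a pipeline step confirm the wiring without performing a clone.
helper_password() {
  printf 'protocol=https\nhost=github.com\npath=my-org/terraform-modules\n' |
    sh -c "${GIT_CONFIG_VALUE_0#!} get" |
    sed -n 's/^password=//p'
}

# Returns 0 when the token does not appear verbatim in the runner's global git
# config file; an insteadOf rewrite with an embedded token would fail this check.
token_not_on_disk() {
  cfg="${HOME}/.gitconfig"
  [ ! -f "$cfg" ] || ! grep -qF "$MODULES_TOKEN" "$cfg"
}

MODULES_TOKEN="ghs_constructedPlaceholder0000"  # constructed, not a real token
export MODULES_TOKEN
configure_module_credentials "my-org"
```

The username `x-access-token` is the one GitHub expects for App installation tokens; with a classic PAT any username works.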