gruntwork-io / terragrunt

Terragrunt is a flexible orchestration tool that allows Infrastructure as Code written in OpenTofu/Terraform to scale.
https://terragrunt.gruntwork.io/
MIT License

gitconfig is being ignored for pulling sources #2777

Open den-is opened 11 months ago

den-is commented 11 months ago

Describe the bug

I have custom SSH and gitconfig configurations for various projects hosted on github.com. Different projects use different SSH keys and/or git-related configs.

Global gitconfig

[includeIf "gitdir:~/project1/"]
    path = ~/project1/.gitconfig

Project specific gitconfig

[url "git@github-project1.com"]
    insteadOf = git@github.com

And finally SSH Config

Host github-project1.com
    HostName github.com
    ForwardAgent no
    IdentitiesOnly yes
    IdentityFile ~/.ssh/project1

So you can see that while I'm in a specific project's directory, git@github.com is replaced by a custom host which is listed in my SSH config. This has worked like a charm for me for a multitude of different projects for many years. Feel free to use this workflow. :)

It worked until I encountered an issue in a Terragrunt project that is sourcing a TF module from another git repository, which is not public and belongs to an organization.

terraform {
  source = "git@github.com:org-project1/tf-modules.git//vpc-adv"
}

The error:

$ terragrunt plan
ERRO[0009] 1 error occurred:
        * error downloading 'ssh://git@github.com/org-project1/tf-modules.git': /usr/local/bin/git exited with 128: Cloning into '/Users/myuser/project1/git/global-terraform/aws/us-east-1/vpc/.terragrunt-cache/UZAqWfF4KuAezQ5uNaiqPJay2yI/EXsr1Y5G9o1CyhPdXwrIjlG_T2I'...
ERROR: Repository not found.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Expected behavior

Respect global gitconfig to properly fetch/connect to repositories

Versions

Maybe this issue is similar https://github.com/hashicorp/terraform/issues/28968

kopax-polyconseil commented 11 months ago

Hello, I have the same issue. In my ~/.ssh/config:

Host github.com-work
    HostName github.com
    User git
    AddKeysToAgent yes
    IdentityFile ~/.ssh/id_rsa_passculture

But when I try to terragrunt plan:

 terragrunt plan
ERRO[0009] 1 error occurred:
    * error downloading 'ssh://git@github.com/pass-culture/terraform-iam-module.git?ref=v0.3.0': /usr/bin/git exited with 128: Cloning into '/home/dka/workspace/github.com/pass-culture/infrastructure/terragrunt/gcp/passculture.app/projects/passculture-metier-ehp/iam/bindings/database-operations@passculture-metier-ehp.iam.gserviceaccount.com/.terragrunt-cache/x6MEuSbHq6F0DkT4ouqWwcnb5Pc/5WJFw-YYiKazfoQ7ur-215Tf4XU'...
ERROR: Repository not found.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

ERRO[0009] Unable to determine underlying exit code, so Terragrunt will exit with error code 1 

Any clue how to fix this on the Terragrunt side?

denis256 commented 11 months ago

Hello, I suspect that it may be an invalid repo path, since the error is:

ERROR: Repository not found.
fatal: Could not read from remote repository.

Usually, when credentials are invalid, the error is like:

fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.

Simplified example which worked fine:

#  ~/.ssh/config 
Host github.com-work
    HostName github.com
    User git
    AddKeysToAgent yes
    IdentityFile ~/key

# terragrunt.hcl 
terraform {
  source = "git::git@github.com-work:denis256/terraform-test-module-private.git//modules/test-file?ref=v0.0.4"
}

$ terragrunt plan --terragrunt-log-level debug

DEBU[0000] Terragrunt Version: 0.53.2                   
DEBU[0000] Did not find any locals block: skipping evaluation. 
DEBU[0000] Running command: terraform --version          prefix=[/home/runner/work/proj] 
DEBU[0000] terraform version: 1.6.3                     
DEBU[0000] Reading Terragrunt config file at /home/runner/work/proj/terragrunt.hcl 
DEBU[0000] Did not find any locals block: skipping evaluation. 
DEBU[0000] Did not find any locals block: skipping evaluation. 
DEBU[0000] Downloading Terraform configurations from git::ssh://git@github.com-work/denis256/terraform-test-module-private.git?ref=v0.0.4 into /home/runner/work/proj/.terragrunt-cache/-XbQmm0QHEkIaLvL9Bh59nptzcM/XhWZ6BzxNeQB2PsK8ZcG47BfuPA 
DEBU[0001] Copying files from /home/runner/work/proj into /home/runner/work/proj/.terragrunt-cache/-XbQmm0QHEkIaLvL9Bh59nptzcM/XhWZ6BzxNeQB2PsK8ZcG47BfuPA/modules/test-file 
DEBU[0001] Setting working directory to /home/runner/work/proj/.terragrunt-cache/-XbQmm0QHEkIaLvL9Bh59nptzcM/XhWZ6BzxNeQB2PsK8ZcG47BfuPA/modules/test-file 
DEBU[0001] Running command: terraform init               prefix=[/home/runner/work/proj] 

Initializing the backend...

Initializing provider plugins...
- Reusing previous version of hashicorp/local from the dependency lock file
- Installing hashicorp/local v2.4.0...
- Installed hashicorp/local v2.4.0 (signed by HashiCorp)

Terraform has been successfully initialized!

kopax-polyconseil commented 11 months ago

> I suspect that may be invalid repo path since error is
>
> ERROR: Repository not found.
> fatal: Could not read from remote repository.

I managed to clone by hand, using ssh-add and git clone, then I tried again with terragrunt and hit the same error. Also, my other mates do not have the issue because they do not have a git config.

den-is commented 11 months ago

The repository is there and is working. Standard, usual organizational private repo ssh_ed git url that is hardcoded across hundreds of modules across the organization. Maybe there is a difference between user's and organization's private repos "visibility".

If your simplified step works, that means that the issue is with the missing gitconfig step.

Curious if it is possible to do debug outputs for terragrunt trying to pull src.

kopax-polyconseil commented 11 months ago

I just realised that in your answer https://github.com/gruntwork-io/terragrunt/issues/2777#issuecomment-1806413059, you edit the git url to append -work, which is not something I want or can commit, as this config works only for me. Of course if I ssh-add and do that, it will work, but that is very inconvenient.

den-is commented 11 months ago

Good catch. The idea of gitconfig is to seamlessly substitute the source URL, and then use connection settings from sshconfig.

denis256 commented 11 months ago

Hello, my example with ~/.ssh/config shows that Terragrunt uses the configuration for github.com-work; for other cases, it will be helpful to have example repos to see how the issue occurs

https://github.com/gruntwork-io/terragrunt/issues/2777#issuecomment-1803595293

den-is commented 11 months ago

Nobody here was questioning if terragrunt can pull over SSH. Your "test" only shows that terragrunt (library that it uses) is respecting sshconfig.

In contrast, Terragrunt's logic (git library used by terragrunt) is not respecting ~/.gitconfig.

> for other cases, will be helpful to have example repos to see how the issue occurs

Well nobody is going to share their private/corporate repos with you.

Let me show how you can test it here (if the original configuration snippets were not enough):

  1. mkdir ~/path/to/test/ ; cd ~/path/to/test/
  2. Generate a temporary SSH key for this test: ssh-keygen -t ed25519 -f ~/path/to/test/tempkey -q -N "" -C "test-tg-ssh"
  3. Create a private repository in a GitHub account that does not have your primary SSH keys. (Ask a friend or colleague, or contact me.)
  4. In the newly created repository, go to settings and add a new Deploy key from cat tempkey.pub
  5. At the end of your root ~/.gitconfig add:

     [includeIf "gitdir:~/path/to/test/"]
       path = ~/path/to/test/.gitconfig

  6. Create ~/path/to/test/.gitconfig with content:

     [url "git@github.com-work"]
       insteadOf = git@github.com

  7. Add configuration to your ~/.ssh/config:

     Host github.com-work
       HostName github.com
       IdentitiesOnly yes
       IdentityFile ~/path/to/test/tempkey

  8. Test using a direct git command: git pull git@github.com:accountid/private-repo-name.git
  9. It should work. Git will substitute the hostname with a fake one, and then SSH will find the config for the substituted host in its config.
  10. Now try to do the same within terragrunt.hcl source git@github.com:accountid/private-repo-name. Without changing URL to git@github.com-work...! :)
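
Added example, not part of any comment in this thread: a check with git ls-remote --get-url, which expands url.<base>.insteadOf rules without talking to the remote, run against both the scp-like URL written in terragrunt.hcl and the ssh:// URL that appears in the error output above. insteadOf is a plain prefix match on the URL string, so the two spellings are matched separately; the second rule and the throwaway HOME are constructed for the example, and that git is handed the ssh:// spelling is an assumption drawn from the error text.

```shell
#!/bin/sh
# Added example (not from the thread): show how git rewrites a URL under a
# given set of url.<base>.insteadOf rules, without contacting any remote.

# expand_url <gitconfig-text> <url>: print the URL git would actually use.
expand_url() {
    tmp=$(mktemp -d) || return 1
    # Throwaway HOME so only the constructed config is read, never the
    # real ~/.gitconfig or the system-wide config.
    printf '%s\n' "$1" > "$tmp/.gitconfig"
    out=$(cd "$tmp" && HOME="$tmp" XDG_CONFIG_HOME="$tmp/xdg" \
          GIT_CONFIG_GLOBAL="$tmp/.gitconfig" GIT_CONFIG_NOSYSTEM=1 \
          git ls-remote --get-url "$2")
    rc=$?
    rm -rf "$tmp"
    printf '%s\n' "$out"
    return "$rc"
}

# SCP_RULE is the project-specific gitconfig quoted in the issue.
SCP_RULE='[url "git@github-project1.com"]
    insteadOf = git@github.com'
# Hypothetical extra rule covering the ssh:// spelling of the same host.
SSH_RULE='[url "ssh://git@github-project1.com/"]
    insteadOf = ssh://git@github.com/'

# URL as written in terragrunt.hcl, and the form shown in the error message.
SCP_URL='git@github.com:org-project1/tf-modules.git'
SSH_URL='ssh://git@github.com/org-project1/tf-modules.git'

# 1. scp-like URL, scp-like rule: the prefix matches and the host is swapped.
expand_url "$SCP_RULE" "$SCP_URL"
# 2. ssh:// URL, scp-like rule: the string starts with "ssh://", so the
#    prefix "git@github.com" does not match and the URL is left unchanged.
expand_url "$SCP_RULE" "$SSH_URL"
# 3. Both rules present: the ssh:// URL is now rewritten as well.
expand_url "$SCP_RULE
$SSH_RULE" "$SSH_URL"
```

Running the same git ls-remote --get-url command from the directory where terragrunt is invoked, with the real configuration, also shows whether the includeIf "gitdir:..." block is in effect there.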

brianatgather commented 7 months ago

An alternative use case: I just ran into this while making a GitHub Actions job and trying to use the job's own GITHUB_TOKEN oauth2 flow for checking out organization repos. The normal base config would involve something like:

git config --global url."https://github.com/your-organization".insteadOf "git::git@github.com/your-organization":
git config --global http.https://github.com/.extraheader "AUTHORIZATION: bearer ${GITHUB_TOKEN}"

As of now I'm forced to create an ssh key as a secret and use that instead.

levkohimins commented 6 months ago

@den-is, Terragrunt, like Terraform, uses the go-getter library to clone repositories. The only difference may be the version: Terragrunt uses an older version. Try experimenting with Terraform configurations without Terragrunt. If it works, then it makes sense to update go-getter; otherwise there is no point in doing it if Terraform itself does not work with your ssh config the way you want.

github-actions[bot] commented 1 month ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for raising this issue.

den-is commented 1 month ago

/unstale