runatlantis / atlantis

Terraform Pull Request Automation
https://www.runatlantis.io

Atlantis changing all git sources from ssh to https with Github App, preventing using SSH deploy key for private module repository #4417

Open matt-matt-tmatt opened 7 months ago

matt-matt-tmatt commented 7 months ago


Overview of the Issue

BACKGROUND: It was agreed with my GitHub org admin that the Atlantis Github app is only installed on our team's repositories, but they provided a read-only Github deploy SSH key for a shared private terraform modules repository.

I have Atlantis set up with a Github App. On top I'm trying to use a Github deploy SSH key to pull private modules, but Atlantis adds an entry to .gitconfig changing all git sources from ssh to https.

The private repository set up with the Github deploy key only has an SSH endpoint. So the connection fails when git changes it to https:

running "/atlantis-data/bin/terraform1.8.0 init -input=false" in "/atlantis-data/repos/myOrg/myRepo/62/default/terraform/atlantis-test": exit status 1

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing modules...
Downloading git::ssh://git@github.com/myOrg/myPrivateRepo.git?ref=aws_s3_bucket%2Fv2.2.0 for s3_bucket...
╷
│ Error: Failed to download module
│ 
│   on main.tf line 5:
│    5: module "s3_bucket" {
│ 
│ Could not download module "s3_bucket" (main.tf:5) source code from
│ "git::ssh://git@github.com/myOrg/myPrivateRepo.git?ref=aws_s3_bucket%2Fv2.2.0":
│ error downloading
│ 'ssh://git@github.com/myOrg/myPrivateRepo.git?ref=aws_s3_bucket%2Fv2.2.0':
│ /usr/bin/git exited with 128: Cloning into
│ '.terraform/modules/s3_bucket'...
│ remote: Repository not found.
│ fatal: repository 'https://github.com/myOrg/myPrivateRepo.git/' not
│ found
│ 
╵

Atlantis is adding the following entry to .gitconfig (code):

[url "https://x-access-token/@github.com"]
        insteadOf = ssh://git@github.com

It works OK if I manually change the entry so it's less greedy:

[url "https://x-access-token/@github.com"]
        insteadOf = ssh://git@github.com:myOrg/myRepo.git

I also tried using GIT_CONFIG_GLOBAL to override the file completely… but the git config --global command Atlantis runs just writes to this new file.

And XDG_CONFIG_HOME… but the config files seem to work additively, so nothing I add seems to override the rule Atlantis is adding.

I also tried to set GIT_CONFIG_GLOBAL=/dev/null like the documentation says, so it skips the file and uses the system configuration… but the git config --global command Atlantis runs then throws an error so Atlantis doesn't start.

I ran out of ideas, is there any .gitconfig entry or variable that can be used to override this behavior? Or is it necessary to change the application logic?

Environment details

Atlantis server-side config file:

repoConfig: |
  repos:
  - id: /.*/
    plan_requirements: [undiverged]
    apply_requirements: [approved, mergeable, undiverged]
    import_requirements: [approved, mergeable, undiverged]

config:

config: |
  repo-allowlist: github.com/myOrg/myRepo
  checkout-strategy: merge
  enable-diff-markdown-format: true
  hide-prev-plan-comments: true
  autoplan-file-list: '**/*.tf,**/.terraform.lock.hcl'
  autoplan-modules: true
  parallel-apply: true
  parallel-plan: true
  var-file-allowlist: ""
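
To check which URLs a given url.<base>.insteadOf rule actually catches before relying on it, here is an added shell check (not part of the issue or of Atlantis itself): it writes a throwaway .gitconfig and asks `git ls-remote --get-url` to expand a URL, which applies insteadOf and exits without contacting GitHub. Assumptions: git is installed, the token is the placeholder TOKEN_PLACEHOLDER, and the repo names are the ones from the issue.

```shell
#!/bin/sh
# Resolve a URL through a single url.<base>.insteadOf rule, offline.
# Constructed example: throwaway HOME with its own .gitconfig, placeholder token,
# repo names taken from the issue (myOrg/myRepo, myOrg/myPrivateRepo).
set -eu

# resolve_url BASE PREFIX URL
# Prints the URL git would really use for URL when the config contains
#   [url "BASE"]
#           insteadOf = PREFIX
resolve_url() {
    base=$1
    prefix=$2
    url=$3
    tmp=$(mktemp -d)
    cat > "$tmp/.gitconfig" <<EOF
[url "$base"]
        insteadOf = $prefix
EOF
    # HOME points at the temp dir so only this .gitconfig is read;
    # GIT_CONFIG_NOSYSTEM=1 also ignores /etc/gitconfig.
    result=$(HOME=$tmp GIT_CONFIG_NOSYSTEM=1 git ls-remote --get-url "$url")
    rm -rf "$tmp"
    printf '%s\n' "$result"
}

TOKEN_BASE=https://x-access-token:TOKEN_PLACEHOLDER@github.com
PRIVATE=ssh://git@github.com/myOrg/myPrivateRepo.git
TEAM=ssh://git@github.com/myOrg/myRepo.git

# Greedy rule (the shape Atlantis writes): the private module repo is
# rewritten to https as well, which is the failure shown in the terraform output.
resolve_url "$TOKEN_BASE" ssh://git@github.com "$PRIVATE"

# Narrowed rule: base and prefix are narrowed together to the team repo,
# so the team repo becomes https and the private module repo keeps ssh.
resolve_url "$TOKEN_BASE/myOrg/myRepo" ssh://git@github.com/myOrg/myRepo "$TEAM"
resolve_url "$TOKEN_BASE/myOrg/myRepo" ssh://git@github.com/myOrg/myRepo "$PRIVATE"
```

Git replaces the matched prefix with the base text literally, so a prefix narrowed to one repository needs a base that carries the same repository path, otherwise the rewritten URL loses its path.
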

nitrocode commented 7 months ago

I wonder if the command can be modified to work for your use case... or perhaps we need a new flag to skip writing to the git config? What do you folks think?

cc @jamengual @GenPage