runatlantis / atlantis

Terraform Pull Request Automation
https://www.runatlantis.io

AzureDevOps - Pulling Private Modules #964

Open jpreese opened 4 years ago

jpreese commented 4 years ago

During our rollout of Atlantis using Azure DevOps, I couldn't figure out a way to pull private modules without the help of a helper script similar to (https://github.com/runatlantis/atlantis/issues/281).

.gitconfig

[credential "https://dev.azure.com"]
    helper = "/bin/sh /home/atlantis/azure-devops-helper.sh"

azure-devops-helper.sh

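#!/bin/sh
# Git credential helper: print the Azure DevOps username and token for git to read.
# Quoted so a token containing spaces or glob characters is passed through intact.
echo "username=$ATLANTIS_AZUREDEVOPS_WEBHOOK_USER"
echo "password=$ATLANTIS_AZUREDEVOPS_TOKEN"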

Without the above, I'm getting an error about a missing Password both with and without --write-git-creds:

fatal: could not read Password for 'https://myorg@dev.azure.com': No such device or address

Even though all of the ATLANTIS_ user/webhook/password etc variables are passed in.

The modules are trying to be pulled using https in the form:

source = git::https://myorg@dev.azure.com/myorg/myproject/_git/terraform-modules//module?ref=v0.1.0

git credentials form: https://docs.microsoft.com/en-us/azure/devops/repos/git/go-get?view=azure-devops
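
A stricter variant of the helper script from the post above, as an added example that is not part of the original thread or of Atlantis: it follows git's credential helper protocol (action as the argument, key=value attributes on stdin) and releases the token only for get requests to https://dev.azure.com. The function name azdo_credential_helper is hypothetical; the environment variable names are the ones used in the post.

```shell
#!/bin/sh
# Added example: git credential helper for Azure DevOps over HTTPS.
# git runs the helper as "<helper> get|store|erase" and writes key=value
# attributes (protocol, host, username, ...) on stdin, ending with a blank line.

# Hypothetical function name; env var names are the ones from the post above.
azdo_credential_helper() {
    action=${1:-}
    protocol='' host=''

    # Parse the attributes git sent; keys other than protocol/host are ignored.
    while IFS= read -r line && [ -n "$line" ]; do
        key=${line%%=*}
        value=${line#*=}
        case $key in
            protocol) protocol=$value ;;
            host)     host=$value ;;
        esac
    done

    # Only "get" returns secrets; "store" and "erase" are no-ops here.
    [ "$action" = get ] || return 0

    # Never hand the token to another host or over a cleartext protocol,
    # even if the helper is configured globally by mistake.
    [ "$protocol" = https ] && [ "$host" = dev.azure.com ] || return 0

    # Stay silent when the token is unset so git reports the auth failure itself.
    [ -n "${ATLANTIS_AZUREDEVOPS_TOKEN:-}" ] || return 0

    # printf avoids echo's option and escape handling on arbitrary token bytes.
    printf 'username=%s\n' "${ATLANTIS_AZUREDEVOPS_WEBHOOK_USER:-}"
    printf 'password=%s\n' "$ATLANTIS_AZUREDEVOPS_TOKEN"
}

# Act as a helper only when invoked with an action argument, as git does.
if [ $# -gt 0 ]; then
    azdo_credential_helper "$1"
fi
```

Saved as /home/atlantis/azure-devops-helper.sh, it is wired in with the same .gitconfig entry shown in the post.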

amasover commented 4 years ago

We do something similar for ssh sources in our customized Atlantis docker image:

CMD ["bash", "-c", "echo \"$ATLANTIS_SSH_KEY\" > /home/atlantis/.ssh/id_rsa && chmod 600 /home/atlantis/.ssh/id_rsa && az login --identity && docker-entrypoint.sh server"]

jpreese commented 4 years ago

The root of it looks to be that the --write-git-creds flag always assumes ssh, even when trying to auth via HTTPS.

Alternatively, instead of a credential.helper, it could be added in the git config itself with something like: https://medium.com/@seb.nyberg/accessing-git-repositories-on-azure-devops-using-personal-access-tokens-on-linux-7fa7495bf1e