git azure azure-devops terraform azure-pipelines

Pulling terraform modules from source GIT from the same Devops project


I am using modules from the same Azure DevOps Project in my Terraform code.

So the repo structure looks like this:

org1/project1/keyvault
org1/project1/repo_that_uses_keyvault_module

The code itself looks like the following:

module "key_vault" {
  source = "git::https://org1@dev.azure.com/org1/proj1/_git/keyvault"

  # code here
}

My pipeline task is really simple:

- powershell: |
    terraform init
  displayName: 'Terraform Init'
  workingDirectory: src/terraform

But it fails:

Initializing Terraform without backend...
Initializing modules...
Downloading git::https://org1@dev.azure.com/org1/proj1/_git/keyvault
 for key_vault...
╷
│ Error: Failed to download module
│ 
│   on main.tf line 57:
│   57: module "key_vault" {
│ 
│ Could not download module "key_vault" (main.tf:57) source code from
│ "git::https://org1@dev.azure.com/org1/proj1/_git/keyvault":
│ error downloading
│ 'https://org1@dev.azure.com/org1/proj1/_git/keyvault':
│ C:\agents\3.238.0\externals\ff_git\cmd\git.exe exited with 128: Cloning
│ into '.terraform\modules\key_vault'...
│ fatal: Cannot prompt because user interactivity has been disabled.
│ fatal: Cannot prompt because user interactivity has been disabled.
│ fatal: could not read Password for
│ 'https://git_url':
│ terminal prompts disabled

How do I authorize Microsoft-hosted agents to pull GIT modules in the same ADO project?


Solution

  • I can reproduce the error on my side. To resolve the error, please follow the steps below:

    1. Add the task below before terraform init, replacing orgname with yours:
    - task: TerraformInstaller@1
      inputs:
        terraformVersion: 'latest'
    
    - script: |
        git config --global url."https://$(System.AccessToken)@dev.azure.com".insteadOf "https://<<orgname>>@dev.azure.com"
      displayName: 'set extra header'
    
    
    - powershell: |  
        terraform init -upgrade
    
    2. In the project settings, make sure the option is turned off.

    As it uses System.AccessToken to access the target repo (module), it has the permission by default. You can confirm this by going to the project settings and checking the build service account on the module repo; it has read permission.

    The pipeline works.

    You can check the similar ticket for your reference.