terraform-provider-flux

flux provider not inheriting correctly ssh section when flux provider is passed via module

Open igenius-code opened this issue 11 months ago • 0 comments

Hi, I just experienced the following problem: we created a Terraform module that is launched by another Terraform project, and we're passing the "flux" provider to the module that is responsible for creating the flux_bootstrap_git resource. Before using a module, when we had it all in one single place (not in a separate module), it was all OK; now we're receiving the following error message:

│ Error: Git Client
│ 
│   with module.fluxcd.flux_bootstrap_git.fluxcd,
│   on .terraform/modules/fluxcd/infrastructure/terraform/google/fluxcd/main.tf line 15, in resource "flux_bootstrap_git" "fluxcd":
│   15: resource "flux_bootstrap_git" "fluxcd" {
│ 
│ ssh scheme cannot be used without private key

Here's the code snippet to help you understand our configuration:

module "fluxcd" {
  source     = "..."
  depends_on = [module.gke, module.iam, tls_private_key.fluxcd, gitlab_deploy_key.fluxcd]

  cluster_name = module.gke.gke_0.name
  gcp_location = module.gke.gke_0.location
  gcp_project  = module.gke.gke_0.project
  environment  = local.environment

  fluxcd_git_repo_installation_path = "dev/infrastructure/fluxcd/flux-files"
  flux_git_repo_branch              = local.fluxcd_git_repo_branch

  gitlab_deploy_key_private_key_pem = tls_private_key.fluxcd.private_key_pem
  gitlab_fluxcd_project_id          = data.gitlab_project.fluxcd.id

  providers = {
    kubernetes = kubernetes.fluxcd
    flux       = flux.fluxcd
  }
}

provider "kubernetes" {
  alias = "fluxcd"
  host  = "https://${module.gke.gke_0.endpoint}"
  cluster_ca_certificate = base64decode(
    module.gke.gke_0.master_auth[0].cluster_ca_certificate,
  )
  token = data.google_client_config.provider.access_token
}

provider "flux" {
  alias = "fluxcd"
  kubernetes = {
    host = "https://${module.gke.gke_0.endpoint}"
    cluster_ca_certificate = base64decode(
      module.gke.gke_0.master_auth[0].cluster_ca_certificate,
    )
    token = data.google_client_config.provider.access_token
  }
  git = {
    url    = "ssh://git@${local.gitlab_host}/${data.gitlab_project.fluxcd.path_with_namespace}.git"
    branch = local.fluxcd_git_repo_branch
    ssh = {
      username    = "git"
      private_key = tls_private_key.fluxcd.private_key_pem
    }
  }
}

provider "gitlab" {
  # Token downloaded from Vault belonging to [email protected] user
  token    = data.vault_generic_secret.gitlab.data["[email protected]"]
  base_url = "https://${local.gitlab_host}/api/v4/"
}

# fluxcd
resource "tls_private_key" "fluxcd" {
  algorithm = "ED25519"
}

resource "gitlab_deploy_key" "fluxcd" {
  project  = data.gitlab_project.fluxcd.id
  title    = "fluxcd-${local.environment}"
  key      = tls_private_key.fluxcd.public_key_openssh
  can_push = true
}
## END - fluxcd

Switching to http by populating the http block in the flux provider works.

Provider version: "1.0.1"

igenius-code, Aug 01 '23 12:08