terragrunt
gitconfig is being ignored for pulling sources
Describe the bug
I have custom SSH and Gitconfigs configurations for various projects hosted on github.com. Different projects use different SSH keys and/or git-related configs.
Global gitconfig
[includeIf "gitdir:~/project1/"]
  path = ~/project1/.gitconfig
Project specific gitconfig
[url "[email protected]"]
  insteadOf = [email protected]
And finally SSH Config
Host github-project1.com
  HostName github.com
  ForwardAgent no
  IdentitiesOnly yes
  IdentityFile ~/.ssh/project1
So you can see that while I'm in a specific project's directory [email protected] by a custom host which is listed in my SSH config. This has worked like a charm for me for a multitude of different projects for many years. Feel free to use this workflow. :)
It worked until I encountered an issue in a terragrunt project that is sourcing a TF module from another git repository, which is not public and belongs to an organization.
terraform {
  source = "[email protected]:org-project1/tf-modules.git//vpc-adv"
}
The error:
$ terragrunt plan
ERRO[0009] 1 error occurred:
* error downloading 'ssh://[email protected]/org-project1/tf-modules.git': /usr/local/bin/git exited with 128: Cloning into '/Users/myuser/project1/git/global-terraform/aws/us-east-1/vpc/.terragrunt-cache/UZAqWfF4KuAezQ5uNaiqPJay2yI/EXsr1Y5G9o1CyhPdXwrIjlG_T2I'...
ERROR: Repository not found.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Expected behavior
Respect global gitconfig to properly fetch/connect to repositories
Versions
- Terragrunt version: 0.53.1
- Terraform version: v1.6.3
- Environment details (Ubuntu 20.04, Windows 10, etc.): macos Monterey
Maybe this issue is similar https://github.com/hashicorp/terraform/issues/28968
Hello, I have the same issue. In my ~/.ssh/config:
Host github.com-work
  HostName github.com
  User git
  AddKeysToAgent yes
  IdentityFile ~/.ssh/id_rsa_passculture
But when I try to terragrunt plan:
terragrunt plan
ERRO[0009] 1 error occurred:
* error downloading 'ssh://[email protected]/pass-culture/terraform-iam-module.git?ref=v0.3.0': /usr/bin/git exited with 128: Cloning into '/home/dka/workspace/github.com/pass-culture/infrastructure/terragrunt/gcp/passculture.app/projects/passculture-metier-ehp/iam/bindings/database-operations@passculture-metier-ehp.iam.gserviceaccount.com/.terragrunt-cache/x6MEuSbHq6F0DkT4ouqWwcnb5Pc/5WJFw-YYiKazfoQ7ur-215Tf4XU'...
ERROR: Repository not found.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
ERRO[0009] Unable to determine underlying exit code, so Terragrunt will exit with error code 1
Any clue how to fix this on the terragrunt side?
Hello, I suspect that may be invalid repo path since error is
ERROR: Repository not found.
fatal: Could not read from remote repository.
Usually, when credentials are invalid error is like:
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Simplified example which worked fine:
# ~/.ssh/config
Host github.com-work
  HostName github.com
  User git
  AddKeysToAgent yes
  IdentityFile ~/key
# terragrunt.hcl
terraform {
  source = "git::[email protected]:denis256/terraform-test-module-private.git//modules/test-file?ref=v0.0.4"
}
$ terragrunt plan --terragrunt-log-level debug
DEBU[0000] Terragrunt Version: 0.53.2
DEBU[0000] Did not find any locals block: skipping evaluation.
DEBU[0000] Running command: terraform --version prefix=[/home/runner/work/proj]
DEBU[0000] terraform version: 1.6.3
DEBU[0000] Reading Terragrunt config file at /home/runner/work/proj/terragrunt.hcl
DEBU[0000] Did not find any locals block: skipping evaluation.
DEBU[0000] Did not find any locals block: skipping evaluation.
DEBU[0000] Downloading Terraform configurations from git::ssh://[email protected]/denis256/terraform-test-module-private.git?ref=v0.0.4 into /home/runner/work/proj/.terragrunt-cache/-XbQmm0QHEkIaLvL9Bh59nptzcM/XhWZ6BzxNeQB2PsK8ZcG47BfuPA
DEBU[0001] Copying files from /home/runner/work/proj into /home/runner/work/proj/.terragrunt-cache/-XbQmm0QHEkIaLvL9Bh59nptzcM/XhWZ6BzxNeQB2PsK8ZcG47BfuPA/modules/test-file
DEBU[0001] Setting working directory to /home/runner/work/proj/.terragrunt-cache/-XbQmm0QHEkIaLvL9Bh59nptzcM/XhWZ6BzxNeQB2PsK8ZcG47BfuPA/modules/test-file
DEBU[0001] Running command: terraform init prefix=[/home/runner/work/proj]
Initializing the backend...
Initializing provider plugins...
- Reusing previous version of hashicorp/local from the dependency lock file
- Installing hashicorp/local v2.4.0...
- Installed hashicorp/local v2.4.0 (signed by HashiCorp)
Terraform has been successfully initialized!
I suspect that may be invalid repo path since error is
ERROR: Repository not found.
fatal: Could not read from remote repository.
I managed to clone by hand, using ssh-add and git clone, then I tried again with terragrunt and hit the same error. Also, my other mates do not have the issue because they do not have a git config.
The repository is there and is working.
Standard, usual organizational private repo ssh_ed git url that is hardcoded across hundreds of modules across the organization.
Maybe there is a difference between user's and organization's private repos "visibility".
If your simplified step works, that means that issue is with the missing gitconfig step.
Curious if it is possible to do debug outputs for terragrunt trying to pull src.
I just realised that in your answer https://github.com/gruntwork-io/terragrunt/issues/2777#issuecomment-1806413059, you edit the git url to append -work, which is not something I want or can commit, as this config works only for me. Of course if I ssh-add and do that, it will work, but that is very inconvenient.
Good catch. The idea of gitconfig is to seamlessly substitute the source URL, and then use connection settings from sshconfig.
Hello,
my example with ~/.ssh/config shows that Terragrunt uses configuration for github.com-work
for other cases, will be helpful to have example repos to see how the issue occurs
https://github.com/gruntwork-io/terragrunt/issues/2777#issuecomment-1803595293
Nobody here was questioning if terragrunt can pull over SSH.
Your "test" only shows that terragrunt (the library that it uses) is respecting sshconfig.
In contrast, Terragrunt's logic (the git library used by terragrunt) is not respecting ~/.gitconfig.
for other cases, will be helpful to have example repos to see how the issue occurs
Well nobody is going to share their private/corporate repos with you.
Let me show how you can test it here (if the original configuration snippets were not enough):
- mkdir ~/path/to/test/ ; cd ~/path/to/test/
- Generate a temporary SSH key for this test:
  ssh-keygen -t ed25519 -f ~/path/to/test/tempkey -q -N "" -C "test-tg-ssh"
- Create a private repository in a GitHub account that does not have your primary SSH keys. (Ask a friend or colleague, or contact me.)
- In the newly created repository go to settings and add a new Deploy key from:
  cat tempkey.pub
- At the end of your root ~/.gitconfig add:
  [includeIf "gitdir:~/path/to/test/"]
    path = ~/path/to/test/.gitconfig
- Create ~/path/to/test/.gitconfig with content:
  [url "[email protected]"]
    insteadOf = [email protected]
- Add configuration to your ~/.ssh/config:
  Host github.com-work
    HostName github.com
    IdentitiesOnly yes
    IdentityFile ~/path/to/test/tempkey
- Test using a direct git command:
  git pull [email protected]:accountid/private-repo-name.git
- It should work. Git will substitute the hostname with a fake one, and then SSH will find the config for the substituted host in its config.
- Now try to do the same within terragrunt.hcl source [email protected]:accountid/private-repo-name. Without changing the URL to [email protected]...! :)
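To check which URL git resolves from a given directory without any network traffic, `git ls-remote --get-url` can be run in each context. The script below is an added example, not part of the original thread or of Terragrunt's code; it builds a constructed sandbox HOME with placeholder hosts (`example.com`, `example-project1`) and compares a repository under the included path, a plain directory under it, and a repository elsewhere.

```shell
#!/bin/sh
# Added example. Hosts, org and paths are constructed placeholders.

# Print the URL git would really contact for $2 when invoked from directory $1.
# --get-url applies url.<base>.insteadOf and exits without touching the network.
resolve_from() {
    (cd "$1" && git ls-remote --get-url "$2")
}

# Build a throwaway HOME mirroring the layout from the issue, so the real
# ~/.gitconfig is neither read nor modified.
setup_sandbox() {
    SANDBOX=$(mktemp -d) || return 1
    export HOME="$SANDBOX" GIT_CONFIG_NOSYSTEM=1 GIT_CEILING_DIRECTORIES="$SANDBOX"
    unset XDG_CONFIG_HOME GIT_CONFIG_GLOBAL GIT_DIR
    mkdir -p "$HOME/project1/not-a-repo" || return 1
    # Global config: pull in the project config only for repos under ~/project1/.
    printf '[includeIf "gitdir:~/project1/"]\n\tpath = ~/project1/.gitconfig\n' \
        > "$HOME/.gitconfig"
    # Project config: swap the real host for the SSH alias bound to one key.
    printf '[url "git@example-project1:"]\n\tinsteadOf = git@example.com:\n' \
        > "$HOME/project1/.gitconfig"
    git init -q "$HOME/project1/repo" && git init -q "$HOME/elsewhere"
}

SRC='git@example.com:org/tf-modules.git'   # constructed module source
setup_sandbox || exit 1
trap 'rm -rf "$SANDBOX"' EXIT

# One line per context: directory -> URL git would use there.
for dir in project1/repo project1/not-a-repo elsewhere; do
    printf '%-22s -> %s\n' "$dir" "$(resolve_from "$HOME/$dir" "$SRC")"
done
```

`includeIf "gitdir:…"` is evaluated against the location of a repository's `.git` directory, so only the `project1/repo` row shows the rewritten alias host. Running the same `git ls-remote --get-url` call from the directory where a tool performs its clone shows which host, and therefore which SSH key, would be used there.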
An alternative use case: I just ran into this making a github action job and trying to use the job's own GITHUB_TOKEN oauth2 flow for checking out organization repos. The normal base config would involve something like:
git config --global url."https://github.com/your-organization".insteadOf "git::[email protected]/your-organization":
git config --global http.https://github.com/.extraheader "AUTHORIZATION: bearer ${GITHUB_TOKEN}"
As of now I'm forced to create an ssh key as a secret and use that instead.
@den-is, Terragrunt, like Terraform, uses the go-getter library to clone repositories. The only difference may be the version: Terragrunt uses an older version. Try experimenting with Terraform configurations without Terragrunt. If it works, then it makes sense to update go-getter; otherwise there is no point in doing it if Terraform itself does not work with your ssh config the way you want.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for raising this issue.
/unstale