Atlantis changing all git sources from ssh to https with Github App, preventing using SSH deploy key for private module repository #4417

Open
matt-matt-tmatt opened this issue Apr 11, 2024 · 1 comment
Labels
bug Something isn't working

matt-matt-tmatt commented Apr 11, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Overview of the Issue

BACKGROUND: It was agreed with my GitHub org admin that the Atlantis Github app is only installed on our team's repositories, but provided a read-only Github deploy SSH key for a shared private terraform modules repository.

I have Atlantis set up with a Github App. On top I'm trying to use a Github deploy SSH key to pull private modules, but Atlantis adds an entry to .gitconfig changing all git sources from ssh to https.

The private repository set up with the Github deploy key only has an SSH endpoint. So the connection fails when git changes it to https:

running "/atlantis-data/bin/terraform1.8.0 init -input=false" in "/atlantis-data/repos/myOrg/myRepo/62/default/terraform/atlantis-test": exit status 1

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing modules...
Downloading git::ssh://git@github.com/myOrg/myPrivateRepo.git?ref=aws_s3_bucket%2Fv2.2.0 for s3_bucket...
╷
│ Error: Failed to download module
│ 
│   on main.tf line 5:
│    5: module "s3_bucket" {
│ 
│ Could not download module "s3_bucket" (main.tf:5) source code from
│ "git::ssh://git@github.com/myOrg/myPrivateRepo.git?ref=aws_s3_bucket%2Fv2.2.0":
│ error downloading
│ 'ssh://git@github.com/myOrg/myPrivateRepo.git?ref=aws_s3_bucket%2Fv2.2.0':
│ /usr/bin/git exited with 128: Cloning into
│ '.terraform/modules/s3_bucket'...
│ remote: Repository not found.
│ fatal: repository 'https://github.com/myOrg/myPrivateRepo.git/' not
│ found
│ 
╵

Atlantis is adding the following entry to .gitconfig (code):

[url "https://x-access-token/@github.com"]
        insteadOf = ssh://git@github.com

It works OK if I manually change the entry so it's less greedy:

[url "https://x-access-token/@github.com"]
        insteadOf = ssh://git@github.com:myOrg/myRepo.git

I also tried using GIT_CONFIG_GLOBAL to override the file completely… but the git config --global command Atlantis runs just writes to this new file.

And XDG_CONFIG_HOME… but the config files seem to work additively, so nothing I add seems to override the rule Atlantis is adding.

I also tried to set GIT_CONFIG_GLOBAL=/dev/null like the documentation says, so it skips the file and uses the system configuration… but the git config --global command Atlantis runs then throws an error so Atlantis doesn’t start.

I ran out of ideas. Is there any .gitconfig entry or variable that can be used to override this behavior? Or is it necessary to change the application logic?

Environment details

  • Atlantis version: v0.27.2
  • Chart version: atlantis-4.25.0
  • Deployment method: helm to eks

Atlantis server-side config file:

repoConfig: |
  repos:
  - id: /.*/
    plan_requirements: [undiverged]
    apply_requirements: [approved, mergeable, undiverged]
    import_requirements: [approved, mergeable, undiverged]

config:

config: |
  repo-allowlist: github.com/myOrg/myRepo
  checkout-strategy: merge
  enable-diff-markdown-format: true
  hide-prev-plan-comments: true
  autoplan-file-list: '**/*.tf,**/.terraform.lock.hcl'
  autoplan-modules: true
  parallel-apply: true
  parallel-plan: true
  var-file-allowlist: ""
@matt-matt-tmatt matt-matt-tmatt added the bug Something isn't working label Apr 11, 2024
@matt-matt-tmatt matt-matt-tmatt changed the title Atlantis changing all git sources from ssh to https with Github App preventing using SSH deploy key for private module repository Atlantis changing all git sources from ssh to https with Github App, preventing using SSH deploy key for private module repository Apr 11, 2024
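
Added example (not part of the issue and not Atlantis code): a shell check of how git resolves the module URL under the two .gitconfig entries quoted above, run against a throwaway HOME. The third case goes beyond the issue and relies on git's documented rule that the longest matching insteadOf prefix is used; the PLACEHOLDER token, the helper name resolve_url and git being on PATH are assumptions.

```shell
#!/bin/sh
# Constructed values: PLACEHOLDER stands in for the app token; repo names
# follow the shapes quoted in the issue.
APP_BASE='https://x-access-token:PLACEHOLDER@github.com'
MODULE_URL='ssh://git@github.com/myOrg/myPrivateRepo.git'

# resolve_url CONFIG_TEXT URL (hypothetical helper)
# Prints URL as git rewrites it when CONFIG_TEXT is the only global config.
# A throwaway HOME keeps the real ~/.gitconfig unread and unmodified;
# "git ls-remote --get-url" expands insteadOf rules without any network I/O.
resolve_url() {
    tmp_home=$(mktemp -d) || return 1
    printf '%s\n' "$1" > "$tmp_home/.gitconfig"
    status=0
    (
        unset XDG_CONFIG_HOME GIT_CONFIG_GLOBAL GIT_DIR
        HOME=$tmp_home GIT_CONFIG_NOSYSTEM=1
        export HOME GIT_CONFIG_NOSYSTEM
        cd "$tmp_home" && git ls-remote --get-url "$2"
    ) || status=$?
    rm -rf "$tmp_home"
    return "$status"
}

# 1. The entry the issue reports Atlantis writing: every ssh://git@github.com
#    URL is a prefix match, including the deploy-key module repository.
GREEDY="[url \"$APP_BASE\"]
        insteadOf = ssh://git@github.com"

# 2. The issue author's manual edit: the prefix no longer matches the module URL.
SCOPED="[url \"$APP_BASE\"]
        insteadOf = ssh://git@github.com:myOrg/myRepo.git"

# 3. Generalization (not from the issue): the greedy entry stays in place and a
#    longer entry maps the module URL to itself; the longest match is applied.
PINNED="$GREEDY
[url \"$MODULE_URL\"]
        insteadOf = $MODULE_URL"

for name in GREEDY SCOPED PINNED; do
    eval "cfg=\$$name"
    printf '%-7s -> %s\n' "$name" "$(resolve_url "$cfg" "$MODULE_URL")"
done
```
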
Member

nitrocode commented Apr 15, 2024

I wonder if the command can be modified to work for your use case... or perhaps we need a new flag to skip writing to the git config? What do you folks think?

cc @jamengual @GenPage
