Terraform CI/CD template fails to authenticate to Terraform module registry
Release notes
Terraform users can use the module registry to store their infrastructure modules and streamline the developer experience. GitLab ships with a set of Terraform CI/CD templates to support all the GitLab features out of the box and help even inexperienced Terraform users to get started quickly. Until now, users of the Terraform module registry needed to authenticate to the registry as part of a custom CI job even if they used the Terraform CI/CD templates. Thanks to community contributions from @willianpaixao and @terorie, the built-in Terraform template automatically logs in the CI job to retrieve authorised Terraform modules from the registry.
Summary
The Terraform CI/CD template and the Terraform module registry are two separate GitLab features.
When using the CI template with a Terraform project that includes Terraform modules hosted on GitLab's registry, the CI pipeline fails because it can't pull modules from the module registry.
Steps to reproduce
- Upload a Terraform module to the GitLab Infrastructure Registry
- Create a project with a Terraform config that includes the Terraform module
- Create a CI/CD config that executes said Terraform config using the CI/CD template
- Run the pipeline
Example Project
Sorry, I wasn't able to create an example project yet.
What is the current bug behavior?
The Terraform module registry requires the following file ~/.terraformrc on the client side to authenticate: https://docs.gitlab.com/ee/user/packages/terraform_module_registry/index.html#reference-a-terraform-module
Note that a CI job token is specifically mentioned as a permitted auth token.
    credentials "gitlab.com" {
      token = "${CI_JOB_TOKEN}"
    }
Contrary to (my) expected behavior, the Terraform CI/CD template does not create this file.
So any attempts to include a module like the following code fail.
    module "cloudflare_rpc_monitor" {
      source  = "gitlab.com/Blockdaemon/rpc-monitor/cloudflare"
      version = "0.0.6"
      ...
    }
What is the expected correct behavior?
It would be nice if the CI/CD config automatically authenticates to the infrastructure registry of the GitLab instance the CI job is running on.
Relevant logs and/or screenshots
    $ gitlab-terraform init
    Initializing modules...
    ╷
    │ Error: Module has no versions
    │
    │ Module "gitlab.com/Blockdaemon/gandalf-auth/cloudflare" (main.tf:11) has no
    │ versions available on gitlab.com.
    ╵
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
Not applicable since I'm using GitLab.com
Results of GitLab application Check
Not applicable since I'm using GitLab.com
Possible fixes
This CI config fixes the issue. Can be used as a workaround.
    include:
      - template: Terraform.latest.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Terraform.latest.gitlab-ci.yml
    before_script:
      # Authenticate to GitLab Infrastructure Registry.
      - |-
        cat <<EOF > ~/.terraformrc
        credentials "gitlab.com" {
          token = "${CI_JOB_TOKEN}"
        }
        EOF
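
Added example (not part of the original issue or of GitLab's template): a shell function for a before_script that generalizes the workaround above to whichever GitLab instance the job runs on, using the predefined CI_SERVER_HOST variable, and writes the token file with owner-only permissions. The function name write_terraformrc and the allowed token character set are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not GitLab's template code.
# write_terraformrc: write a Terraform CLI config with a credentials block
# for the GitLab instance the job runs on.
# Inputs (GitLab predefined CI variables): CI_SERVER_HOST, CI_JOB_TOKEN.
# Output path: $TF_CLI_CONFIG_FILE if set, otherwise ~/.terraformrc.
write_terraformrc() {
  rc_file="${TF_CLI_CONFIG_FILE:-$HOME/.terraformrc}"

  # Fail early with a clear message instead of writing an empty token,
  # which would only surface later as "Module has no versions".
  if [ -z "${CI_JOB_TOKEN:-}" ] || [ -z "${CI_SERVER_HOST:-}" ]; then
    echo "write_terraformrc: CI_JOB_TOKEN and CI_SERVER_HOST must be set" >&2
    return 1
  fi

  # Both values end up inside quoted strings in the config file. Reject
  # anything outside a conservative character set so neither value can
  # close the quotes. The token set is an assumption; widen it if needed.
  case "$CI_SERVER_HOST" in
    *[!A-Za-z0-9.:-]*) echo "write_terraformrc: unexpected host value" >&2; return 1 ;;
  esac
  case "$CI_JOB_TOKEN" in
    *[!A-Za-z0-9._-]*) echo "write_terraformrc: unexpected token value" >&2; return 1 ;;
  esac

  # Create the file readable by the job user only. The subshell keeps the
  # umask change from leaking into the rest of the job.
  (
    umask 077
    cat > "$rc_file" <<EOF
credentials "${CI_SERVER_HOST}" {
  token = "${CI_JOB_TOKEN}"
}
EOF
  ) || return 1

  # umask only affects newly created files; tighten a pre-existing one too.
  chmod 600 "$rc_file"
}
```

Call write_terraformrc in before_script ahead of gitlab-terraform init; the token is never echoed to the job log.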