Inconsistent behavior with regards to unauthenticated access to Terraform Modules in Infrastructure Registry
Summary
We have a customer that has a problem with unauthenticated access of Terraform module when using Infrastructure Registry on public projects.
When running terraform init
, without any credentials, they saw the following error:
│ Could not download module "my_module_name" (config.tf:5) source code from
│ "https://example.gitlab.com/api/v4/packages/terraform/modules/v1/example-namespace/mymodule/system/0.0.1/file?token=INSERT_TOKEN_HERE&archive=tgz":
│ bad response code: 401.
However, they were able to download the module unauthenticated when accessing the URL to download the module directly on the browser.
I was also able to reproduce this on GitLab.com.
This is my test public project: https://gitlab.com/jdasmarinas/nfs-test
This is my example config.tf
file:
module "my_module_name" {
source = "gitlab.com/jdasmarinas/mymodule/system"
version = "0.0.1"
}
Running terraform init
returns the following error:
│ Error: Failed to download module
│
│ Could not download module "my_module_name" (config.tf:1) source code from
│ "https://gitlab.com/api/v4/packages/terraform/modules/v1/jdasmarinas/mymodule/system/0.0.1/file?token=INSERT_TOKEN_HERE&archive=tgz":
│ bad response code: 401.
╵
However, if you type any of the URL below, directly in the browser, even if you are logged out of GitLab, you will be able to access the module unauthenticated.
-
https://gitlab.com/jdasmarinas/nfs-test/-/package_files/38844595/download
- from the Web UI. -
https://gitlab.com/api/v4/packages/terraform/modules/v1/jdasmarinas/mymodule/system/0.0.1/file?archive=tgz
- API without thetoken
field.
I think the reason it's failing when done via Terraform is because Terraform is manually adding a token when requesting the file via the API, tripping the authentication process in GitLab.
Steps to reproduce
- Create a public project.
- Upload a terraform module.
- Create a
config.tf
file to use the module. - Run
terraform init
.
Example Project
https://gitlab.com/jdasmarinas/nfs-test
What is the current bug behavior?
401 when running terraform init
without credentials for a public Terraform module.
What is the expected correct behavior?
terraform init
runs successfully.
Relevant logs and/or screenshots
Output of checks
Results of GitLab environment info
Expand for output related to GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:env:info`) (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)
Results of GitLab application Check
Expand for output related to the GitLab application check
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true
)(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true
)(we will only investigate if the tests are passing)