Inconsistent behavior with regards to unauthenticated access to Terraform Modules in Infrastructure Registry

Summary

We have a customer that has a problem with unauthenticated access to a Terraform module when using Infrastructure Registry on public projects.

When running terraform init, without any credentials, they saw the following error:

│ Could not download module "my_module_name" (config.tf:5) source code from
│ "https://example.gitlab.com/api/v4/packages/terraform/modules/v1/example-namespace/mymodule/system/0.0.1/file?token=INSERT_TOKEN_HERE&archive=tgz":
│ bad response code: 401.

However, they were able to download the module unauthenticated when accessing the URL to download the module directly in the browser.

I was also able to reproduce this on GitLab.com.

This is my test public project: https://gitlab.com/jdasmarinas/nfs-test

This is my example config.tf file:

module "my_module_name" {
  source = "gitlab.com/jdasmarinas/mymodule/system"
  version = "0.0.1"
}

Running terraform init returns the following error:

│ Error: Failed to download module

│ Could not download module "my_module_name" (config.tf:1) source code from
│ "https://gitlab.com/api/v4/packages/terraform/modules/v1/jdasmarinas/mymodule/system/0.0.1/file?token=INSERT_TOKEN_HERE&archive=tgz":
│ bad response code: 401.

However, if you type any of the URLs below directly in the browser, even if you are logged out of GitLab, you will be able to access the module unauthenticated.

  • https://gitlab.com/jdasmarinas/nfs-test/-/package_files/38844595/download - from the Web UI.
  • https://gitlab.com/api/v4/packages/terraform/modules/v1/jdasmarinas/mymodule/system/0.0.1/file?archive=tgz - API without the token field.

I think the reason it's failing when done via Terraform is because Terraform is manually adding a token when requesting the file via the API, tripping the authentication process in GitLab.

Steps to reproduce

  1. Create a public project.
  2. Upload a Terraform module.
  3. Create a config.tf file to use the module.
  4. Run terraform init.

Example Project

https://gitlab.com/jdasmarinas/nfs-test

What is the current bug behavior?

401 when running terraform init without credentials for a public Terraform module.

What is the expected correct behavior?

terraform init runs successfully.

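To check the hypothesis in the summary against a given instance, this added example (not part of the original issue or of GitLab's code) requests a module download URL as given and again with the `token` parameter stripped, and returns both status codes. `StubRegistry` is a constructed local stand-in that assumes the hypothesised behaviour (401 whenever a `token` parameter is present) so the script runs offline; `without_token`, `probe` and `run_demo` are names chosen here.

```python
import http.server
import threading
import urllib.error
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Ignore proxy environment variables so the loopback demo stays local.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def without_token(url):
    """Return url with any `token` query parameter removed, others kept in order."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "token"]
    return urlunsplit(parts._replace(query=urlencode(query)))

def status(url):
    """HTTP status code of an unauthenticated GET (no headers, no cookies)."""
    try:
        with OPENER.open(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def probe(url):
    """Compare the URL Terraform requested with the same URL minus `token`."""
    return {"as_given": status(url), "token_stripped": status(without_token(url))}

class StubRegistry(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in, not GitLab: models only the report's hypothesis."""
    def do_GET(self):
        params = dict(parse_qsl(urlsplit(self.path).query, keep_blank_values=True))
        self.send_response(401 if "token" in params else 200)
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass

def run_demo():
    server = http.server.HTTPServer(("127.0.0.1", 0), StubRegistry)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        # Path and query copied from the error message in the report.
        return probe(f"http://127.0.0.1:{server.server_port}/api/v4/packages/terraform/"
                     "modules/v1/example-namespace/mymodule/system/0.0.1/file"
                     "?token=INSERT_TOKEN_HERE&archive=tgz")
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```

Calling `probe()` on the real download URL from a `terraform init` error message gives the same two-column comparison for a live instance.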