
"Error accessing remote module registry" when trying to use public module from gitlab.com

I'm trying to use the public module gcp-oidc/google from https://gitlab.com/gitlab-com/gl-security/security-operations/infrastructure-security-public/oidc-modules/-/infrastructure_registry like this:

module "wif" {
  source            = "gitlab.com/gitlab-com/gcp-oidc/google"
  version           = "3.1.1"
  google_project_id = "a"
  gitlab_project_id = "1234"
  allowed_audiences = ["https://gitlab.com"]
  oidc_service_account = {
    "owner" = {
      sa_email  = "a@a.de"
      attribute = "attribute.project_id/1234"
    }
  }
}

Unfortunately, my pipeline throws this error when trying to load the public module while running the step validate:

Failed to retrieve available versions for module "wif" (main.tf:1) from
gitlab.com: error looking up module versions: 403 Forbidden.

When running terraform init on my local machine, the module gets pulled without a problem.

I set up a minimal POC here: https://gitlab.com/muffl0n/oidc-showcase

As you can see, there's also a step curl which does two things:

  1. Access https://gitlab.com/api/v4/packages/terraform/modules/v1/gitlab-com/gcp-oidc/google/versions with header "Authorization: Bearer $CI_JOB_TOKEN"
  2. Access https://gitlab.com/api/v4/packages/terraform/modules/v1/gitlab-com/gcp-oidc/google/versions without header

The first call fails with {"message":"403 Forbidden"}, while the second one succeeds: https://gitlab.com/muffl0n/oidc-showcase/-/jobs/5509540993

The script gitlab-terraform from this repository automatically adds the environment variable TF_TOKEN_gitlab_com (https://gitlab.com/gitlab-org/terraform-images/-/blob/master/src/bin/gitlab-terraform.sh?ref_type=heads#L113), so I'm pretty sure the error I'm getting with terraform is the same one I see with curl above.

Summed up:

  • With header Authorization: Bearer $CI_JOB_TOKEN or environment variable TF_TOKEN_gitlab_com set, pulling the module fails.
  • Without the header and environment variable it succeeds.

In my showcase, I also pushed a branch (see MR) where I replaced the step

validate:
  extends: .terraform:validate

with one that uses Terraform without the wrapper gitlab-terraform:

validate:
  stage: validate
  script:
    - terraform init
    - terraform validate

This effectively leaves the environment variable TF_TOKEN_gitlab_com unset. The pipeline succeeds: https://gitlab.com/muffl0n/oidc-showcase/-/jobs/5510847221

Is there any workaround to fix this problem?

Edited by Sven Schliesing
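The diagnosis above comes down to which credential Terraform picks up for the module's registry host. Terraform reads a registry token from an environment variable named TF_TOKEN_ followed by the hostname with dots replaced by underscores and hyphens by double underscores, so for gitlab.com that is TF_TOKEN_gitlab_com. The following script is an added example, not code from the issue, from gitlab-terraform or from the terraform-images project; it resolves the registry host of a module source, derives the variable name Terraform would consult, and compares a job environment with the wrapper's variable present against one without it. The `wrapper_env` function models only what the post describes (the wrapper exporting TF_TOKEN_gitlab_com from CI_JOB_TOKEN) and is an assumption, not the wrapper's actual implementation; the sample environment values are constructed.

```python
"""Work out which TF_TOKEN_* variable Terraform will use for a module source.

Added diagnostic example; not part of the GitLab issue or the gitlab-terraform
wrapper. Terraform's naming rule for credential env vars: "TF_TOKEN_" + host
with "." -> "_" and "-" -> "__".
"""
from typing import Dict, Optional, Tuple

DEFAULT_REGISTRY = "registry.terraform.io"


def registry_host(source: str) -> str:
    """Return the registry hostname of a Terraform registry module source.

    Terraform treats the first address component as a hostname only when it
    contains a '.' or ':'; otherwise the public registry is implied.
    """
    first = source.split("/", 1)[0]
    if "." in first or ":" in first:
        return first.lower()
    return DEFAULT_REGISTRY


def token_env_name(host: str) -> str:
    """Map a hostname to the TF_TOKEN_<host> variable name Terraform reads."""
    # Hyphens must be expanded first so the underscore from '.' is not doubled.
    return "TF_TOKEN_" + host.replace("-", "__").replace(".", "_")


def credential_for(source: str, env: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Return (variable name, token or None) that terraform init would send
    as a bearer token when resolving `source`."""
    name = token_env_name(registry_host(source))
    return name, env.get(name)


def wrapper_env(ci_env: Dict[str, str], host: str = "gitlab.com") -> Dict[str, str]:
    """ASSUMPTION: model of the wrapper behaviour described in the issue,
    i.e. it exports TF_TOKEN_<host> from CI_JOB_TOKEN. Not the real script."""
    env = dict(ci_env)
    if "CI_JOB_TOKEN" in env:
        env[token_env_name(host)] = env["CI_JOB_TOKEN"]
    return env


def plain_env(ci_env: Dict[str, str]) -> Dict[str, str]:
    """Environment of a job that calls terraform directly: CI_JOB_TOKEN is
    present, but no TF_TOKEN_* variable is derived from it."""
    return {k: v for k, v in ci_env.items() if not k.startswith("TF_TOKEN_")}


if __name__ == "__main__":
    # Constructed sample job environment; the token value is a placeholder.
    sample_ci_env = {"CI_JOB_TOKEN": "glcbt-example", "CI_SERVER_HOST": "gitlab.com"}
    source = "gitlab.com/gitlab-com/gcp-oidc/google"
    for label, env in (("with wrapper", wrapper_env(sample_ci_env)),
                       ("without wrapper", plain_env(sample_ci_env))):
        name, token = credential_for(source, env)
        print(f"{label:16} {name} = {'<set>' if token else '<unset>'}")
```

Run it as-is to see that the wrapper run resolves a token for gitlab.com while the direct `terraform init` run does not, which matches the two pipeline results in the post. The script only predicts which variable Terraform consults; it says nothing about why gitlab.com answers 403 when that token is sent.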