"Error accessing remote module registry" when trying to use public module from gitlab.com
I'm trying to use the public module gcp-oidc/google from https://gitlab.com/gitlab-com/gl-security/security-operations/infrastructure-security-public/oidc-modules/-/infrastructure_registry like this:
module "wif" {
  source            = "gitlab.com/gitlab-com/gcp-oidc/google"
  version           = "3.1.1"
  google_project_id = "a"
  gitlab_project_id = "1234"
  allowed_audiences = ["https://gitlab.com"]
  oidc_service_account = {
    "owner" = {
      sa_email  = "a@a.de"
      attribute = "attribute.project_id/1234"
    }
  }
}
Unfortunately, my pipeline throws this error when trying to load the public module while running the step validate:
Failed to retrieve available versions for module "wif" (main.tf:1) from
gitlab.com: error looking up module versions: 403 Forbidden.
When running terraform init on my local machine, the module gets pulled without a problem.
I set up a minimal POC here: https://gitlab.com/muffl0n/oidc-showcase
As you can see, there's also a step curl which does two things:
- Access https://gitlab.com/api/v4/packages/terraform/modules/v1/gitlab-com/gcp-oidc/google/versions with header "Authorization: Bearer $CI_JOB_TOKEN"
- Access https://gitlab.com/api/v4/packages/terraform/modules/v1/gitlab-com/gcp-oidc/google/versions without header
The first call fails with {"message":"403 Forbidden"}, while the second one succeeds: https://gitlab.com/muffl0n/oidc-showcase/-/jobs/5509540993
The script gitlab-terraform from this repository automatically adds the environment variable TF_TOKEN_gitlab_com (https://gitlab.com/gitlab-org/terraform-images/-/blob/master/src/bin/gitlab-terraform.sh?ref_type=heads#L113), so I'm pretty sure that the error I'm getting with terraform is the same one I see with curl above.
Summed up:
- With header Authorization: Bearer $CI_JOB_TOKEN or environment variable TF_TOKEN_gitlab_com set, pulling the module fails.
- Without the header and environment variable it succeeds.
In my showcase, I also pushed a branch (see MR) where I replaced the step
validate:
  extends: .terraform:validate
with one that uses Terraform without the wrapper gitlab-terraform:
validate:
  stage: validate
  script:
    - terraform init
    - terraform validate
Effectively not setting the environment variable TF_TOKEN_gitlab_com. The pipeline succeeds: https://gitlab.com/muffl0n/oidc-showcase/-/jobs/5510847221
Is there any workaround to fix this problem?
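
To see which registry hosts a job will send a bearer token to, the following added example (not part of the original post or of GitLab's tooling) decodes every TF_TOKEN_* variable in the environment back to its hostname and reports whether its value is the job token. It assumes Terraform's documented variable naming, where "_" encodes "." and "__" encodes "-"; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report the hosts for which Terraform will attach a bearer
# token, based on TF_TOKEN_<host> variables in the current environment.

# Decode a variable-name suffix to a hostname (assumed encoding, per the
# Terraform CLI documentation: "__" stands for "-", "_" stands for ".").
tf_token_host() {
    printf '%s\n' "$1" | sed -e 's/__/-/g' -e 's/_/./g'
}

# Print "<host> source=<CI_JOB_TOKEN|other>" for each TF_TOKEN_* variable.
# Token values are compared but never printed.
tf_token_report() {
    env | while IFS= read -r line; do
        name=${line%%=*}     # text before the first "="
        value=${line#*=}     # text after the first "=", kept verbatim
        case "$name" in
            TF_TOKEN_?*)
                host=$(tf_token_host "${name#TF_TOKEN_}")
                if [ -n "${CI_JOB_TOKEN:-}" ] && [ "$value" = "$CI_JOB_TOKEN" ]; then
                    src="CI_JOB_TOKEN"
                else
                    src="other"
                fi
                printf '%s source=%s\n' "$host" "$src"
                ;;
        esac
    done | sort
}

# Run the report for the current environment (prints nothing if no
# TF_TOKEN_* variable is set).
tf_token_report
```

A line such as "gitlab.com source=CI_JOB_TOKEN" in the job log means requests to gitlab.com, including those for public modules, carry the job token.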