Connect Terraform to Azure Devops Git Repos over SSH

This content originally appeared on DEV Community and was authored by Marcel.L

Terraform module sources?

Terraform supports many different module sources. In today's tutorial we look at how to configure an Azure DevOps repo with SSH and use this repo as a module source in Terraform. We will also look at how to use the Install SSH Key DevOps task in a pipeline that runs Terraform, so that the DevOps agent running the Terraform deployment can connect to the DevOps repo as a source over SSH.

Step 1: Prepare SSH Key

First we have to create an SSH key pair:

  • Install Git for Windows.
  • In a PowerShell console run: ssh-keygen. This will create a private key: id_rsa and a public key: id_rsa.pub under the following path: %UserProfile%/.ssh.
  • If a passphrase was used in the creation of the key pair, make a note of the passphrase as we will need it later on.
  • Next run: ssh-keyscan -H -t rsa ssh.dev.azure.com > $env:userprofile/.ssh/known_hosts. The content of the file will be used later on in the setup of the Install SSH Key devops task in our DevOps pipeline.
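The line that ssh-keyscan -H writes is only as trustworthy as the network path it was scanned over, so it is worth comparing the key's fingerprint with one obtained out of band (for example from the service's documentation) before the entry goes into a pipeline variable. The following is an added example, not code from the original post: it parses a hashed known_hosts entry and checks both the hashed host name and the key fingerprint. The function names and the sample entry are constructed for illustration.

```python
import base64, hashlib, hmac, struct

def parse_hashed_entry(line):
    """Split one `ssh-keyscan -H` line into (salt, host_hash, key_type, key_blob)."""
    host_field, key_type, key_b64 = line.split()[:3]
    parts = host_field.split("|")  # hashed form: |1|<salt>|<hash>
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not a hashed known_hosts entry")
    return (base64.b64decode(parts[2]), base64.b64decode(parts[3]),
            key_type, base64.b64decode(key_b64))

def host_matches(salt, host_hash, hostname):
    """-H stores HMAC-SHA1(key=salt, msg=hostname) instead of the host name."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(digest, host_hash)

def fingerprint(key_blob):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def verify_entry(line, hostname, expected_fp):
    """True only if the entry is for hostname and its key has the expected fingerprint."""
    salt, host_hash, key_type, blob = parse_hashed_entry(line)
    if len(blob) < 4:
        return False
    (n,) = struct.unpack(">I", blob[:4])  # the blob begins with its own type string
    if blob[4:4 + n] != key_type.encode():
        return False
    return (host_matches(salt, host_hash, hostname)
            and hmac.compare_digest(fingerprint(blob), expected_fp))

def make_sample_line(hostname):
    """Constructed entry: fixed salt and a dummy key blob, not a real host key."""
    salt = bytes(range(20))
    blob = (struct.pack(">I", 7) + b"ssh-rsa" +
            struct.pack(">I", 3) + b"\x01\x00\x01" +
            struct.pack(">I", 8) + b"\x00" + b"\xaa" * 7)
    host_hash = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    b64 = lambda b: base64.b64encode(b).decode()
    return f"|1|{b64(salt)}|{b64(host_hash)} ssh-rsa {b64(blob)}"

if __name__ == "__main__":
    line = make_sample_line("ssh.dev.azure.com")
    # In real use expected_fp is obtained out of band, never from the scan itself.
    expected_fp = fingerprint(parse_hashed_entry(line)[3])
    print(verify_entry(line, "ssh.dev.azure.com", expected_fp))
    print(verify_entry(line, "ssh.example.invalid", expected_fp))
```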


Step 2: Prepare Azure Devops

  • Copy the private key file created in the previous step, id_rsa, into Azure Pipelines -> Library -> Secure files. The file can be renamed to make it more friendly to use later on in the Install SSH Key DevOps task. In my case I have renamed my private key to terraform_rsa.


  • Under the user settings in Azure Devops go to SSH public keys and select Add. Give a name and add the contents of the file created id_rsa.pub. In my case I have renamed my public key to terraform_rsa.pub.


Step 3: How to use Install SSH Key devops task

When using an Azure DevOps pipeline to execute terraform code from a DevOps agent referencing an Azure Devops git Repo as a module source, we can make use of the Install SSH Key devops task to install the SSH key pair we just created onto the DevOps agent that will be executing the terraform code.

We will create a few variables next. These variables can either be created inside of a variable group or a key vault and accessed using the Azure key vault task in our devops pipeline.

  • Create a ssh public key variable that will be used in our pipeline: git_ssh_pub and add the content of file id_rsa.pub. This can also be stored as a secret in Azure key vault instead and can be accessed as variables in our pipeline using the azure key vault devops task.
  • Create a known hosts variable that will be used in our pipeline: git_ssh_known_hosts and add the content of file known_hosts created earlier with ssh-keyscan. This can also be stored as a secret in Azure key vault instead and can be accessed as variables in our pipeline using the azure key vault devops task.
  • (Optional) If a passphrase was used in the generation of the ssh key pair in step one, you can create a variable that will be used in our pipeline: git_ssh_pass and add the secret value. This can also be stored as a secret in Azure key vault instead and can be accessed as variables in our pipeline using the azure key vault devops task.
  • Create the Install SSH Key devops task and use the following parameters:
  1. Display Name: Install an SSH key
  2. Known Hosts Entry: $(git_ssh_known_hosts)
  3. SSH Public Key: $(git_ssh_pub)
  4. Passphrase: $(git_ssh_pass) (Note: if no passphrase was used when the ssh key pair was generated, this can be left as [none])
  5. SSH Key: terraform_rsa (This was the private key we uploaded into the secure files library in Step 2, which we renamed from id_rsa)

That's it. The Install SSH Key DevOps task will now install the SSH key on the Azure DevOps agent, allowing our Terraform deployment to connect securely over SSH to the Azure DevOps git repo hosting our modules.

Devops Yaml pipeline example

Here is a yaml pipeline example of the tasks/steps to read in secrets as variables from the key vault task and including the install SSH keys task.

steps:
  ### Link to key vault.
  - task: AzureKeyVault@1
    displayName: Keyvault
    inputs:
      azureSubscription: TerraformSP #ADO service connection (Service principal)
      KeyVaultName: 'mykeyvault'
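      secretsFilter: '*' #Downloads every secret in the vault; a comma-separated list of secret names limits this to what the pipeline needs.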
      runAsPreJob: true

  ### Install SSH key on ADO agent to access terraform modules git repo.
  - task: InstallSSHKey@0
    displayName: 'Install an SSH key'
    inputs:
      knownHostsEntry: '$(git_ssh_known_hosts)' #Variable pulled in from key vault via key vault task above.
      sshPublicKey: '$(git_ssh_pub)' #Variable pulled in from key vault via key vault task above.
      sshPassphrase: '$(git_ssh_pass)' #Variable pulled in from key vault via key vault task above.
      sshKeySecureFile: 'terraform_rsa' #This was originally renamed from id_rsa

Terraform source module example

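module "mymodule" {
  # Append ?ref=<tag or commit> to the source to pin a module version; without it Terraform uses the repository's default branch.
  source = "git::git@ssh.dev.azure.com:v3/Org/Project/repo"
}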

I hope you have enjoyed this post and have learned something new. You can also find the code samples used in this blog post on my GitHub. ❤️

Author

Marcel.L - pwd9000@hotmail.co.uk

