Azure Question posted in
The official documentation to get you started can be found here.

Configuring Azure Pipeline to Pull from Github Hosted Repository using GitHub App

We are currently using an Azure DevOps pipeline to trigger a terraform plan against an existing infrastructure.

Within this pipeline during the terraform init stage, terraform will analyze the scripts and download modules from an external repository. During the initial stage of running this pipeline we encountered the following error.

fatal: could not read Username for 'https://github.com': terminal prompts disabled

which we resolved by using GitHub PAT inline as following

git config --global url."https://$(GITHUB-USER-ACCT):$(GITHUB-PERSONAL-ACCESS-TOKEN)@github.com".insteadOf https://github.com

However as this adds the additional load of maintaining a PAT, wondering whether we can move from this method to a method of using the GitHub Service connection using GitHub Apps as an authentication mechanism. This Service connection was created using the OAuth application. The Service connection that we used has read permissions on the centralized repository which contains the Terraform modules.

Is there are way to reuse the GitHub Service Connection that has been created using GitHub Apps to clone GitHub repositories from script tasks?

We have tried providing Read Permissions to the GitHub Service Connection to the centralized repository where we have all the Terraform modules. However, that doesn’t seem to work as Terraform started to fail when trying to clone the specific GitHub repository from Azure Pipeline.

Tags:

2

Answers


  1. 0

    Yes, You can directly create OAuth service connection in Azure Devops project with your github authorization to access Azure pipelines by logging into your Github account, then create a pipeline which fetches the Terraform module directly from your github repository like below:-

    My Azure Devops Github Service connection:-

    enter image description here

    My Github repository

    main.tf root

    module "rg_module" {
  source              = "./resource-group"  # Local path to your module directory
  resource_group_name = var.resource_group_name  # Pass required variables to the module
  location            = var.location
}

    Pipeline:-

    enter image description here

    enter image description here

    enter image description here

    Azure Devops yaml pipeline code:-

    trigger:
  branches:
    include:
      - main  

pool:
  vmImage: 'ubuntu-latest'

steps:
- checkout: self
  persistCredentials: true  # Ensure credentials are persisted for fetching code from GitHub

- script: |
    wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
    echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
    sudo apt update
    sudo apt install terraform
  displayName: 'Install Terraform'

- script: |
    terraform init
    terraform plan -var "resource_group_name=my-resrsilicongroup" -var "location=East US" -out=tfplan
  displayName: 'Terraform Init and Plan'

- script: |
    terraform apply tfplan
  displayName: 'Terraform Apply'
  condition: and(succeeded(), ne(variables['Build.Reason'], 'PullRequest'))

    Output:-

    enter image description here

    Login or Signup to reply.
  2. 0

    If you create the Pipeline from DevOps repo, but the module is from external github repo, I’m afraid it’s not supported to use GitHub Service connection using GitHub Apps as an authentication mechanism to download the module.

    As per the terraform module doc:

    Terraform installs modules from Git repositories by running git clone, and so it will respect any local Git configuration set on your system, including credentials. To access a non-public Git repository, configure Git with suitable credentials for that repository.

    It requires credentials from local git configuration, On devops pipeline, we can use persistCredentials: true to keep the credential on the agent(endpioint below is the github service connection):

    pool:
  vmImage: ubuntu-latest

resources:
  repositories:
  - repository: common
    type: github
    name: username/repo1
    endpoint: TerraformTest

steps:
- checkout: self

- checkout: common
  persistCredentials: true         # it's used to keep credential 

- bash: |
    mkdir testfolder
    cd testfolder
    git clone https://github.com/username/repo1.git
    ls

    It does store the info:
    enter image description here

    however, the latter git clone still failed:

    enter image description here

    Aslo tried for terraform init with same logic, it’s failed for same.

    enter image description here

    Hence, it could be not supported yet.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search