
I have a Terraform main.tf file that calls modules from another git repository.

module "ModuleName" {
  source = "git::https://OrgName@dev.azure.com/OrgName/SW/_git/AnotherRepoName?ref=BranchName"

My Azure DevOps Pipeline Yaml code looks like below to run on ubuntu-latest.

trigger:
  - None

pool:
  vmImage: 'ubuntu-latest'

And the Task looks like below:

- task: PowerShell@2
  displayName: powershell-job
  inputs:
    workingDirectory: '$(System.DefaultWorkingDirectory)/BranchPolicies/Terraform'
    targetType: 'inline'
    script: |
      write-host '$(SYSTEM_ACCESSTOKEN)'
      pwd
      $env:SYSTEM_ACCESSTOKEN = "$(System.AccessToken)"
      write-host '$(system.accesstoken)'
      git config --global http.https://dev.azure.com/OrgName/Infra.extraheader "AUTHORIZATION: bearer $env:SYSTEM_ACCESSTOKEN"
      terraform init
      terraform plan
  env:
    SYSTEM_ACCESSTOKEN: $(system.accesstoken)

The Terraform plan is failing and throws an error like below:

│ Could not download module "ModuleName" (main.tf:58) source code from
│ "git::https://OrgName@dev.azure.com/OrgName/SW/_git/AnotherRepoName?ref=BranchName":
│ error downloading
│ 'https://OrgName@dev.azure.com/OrgName/SW/_git/AnotherRepoName?ref=BranchName':
│ /usr/bin/git exited with 1: error: pathspec 'master' did not match any
│ file(s) known to git

Note: For security reasons I changed the OrgName and BranchNames in the logs as well.

Why is this looking for the Master branch instead of the BranchName which I mentioned in the script in the module source?

2 Answers


  1. Chosen as BEST ANSWER

    I fixed this issue by updating the script as shown below. The issue is with the environment variable names; it works only with the names AZDO_PERSONAL_ACCESS_TOKEN and AZDO_ORG_SERVICE_URL.

      script: |
        $env:AZDO_PERSONAL_ACCESS_TOKEN
        $env:AZDO_ORG_SERVICE_URL="https://dev.azure.com/<Org_name>"
        git config --global http.https://<Org_name>@dev.azure.com.extraheader "AUTHORIZATION: bearer $env:AZDO_PERSONAL_ACCESS_TOKEN"

    env:
      AZDO_PERSONAL_ACCESS_TOKEN: $(System.AccessToken)

  2. On Organization Settings (or Project Settings) > Pipelines > Settings page:

    • If the option "Limit job authorization scope to current project" is enabled, the token System.AccessToken can only access the resources within the current project where the pipeline is running.
    • If the option "Limit job authorization scope to current project" is disabled, the token System.AccessToken can access the resources across projects within the current Azure DevOps organization where the pipeline is running.

    For more details, see "Job authorization scope".


    However, if the module source git repository you want to access is in a different Azure DevOps organization, the token System.AccessToken will not be able to access it.

    Since the token cannot access the repository, the task will not be able to list the existing branches from the repository. Then it may try to search for 'master' as the default branch of the repository.

    In this situation, you need to provide a PAT (Personal Access Token) which can access that git repository.
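
Git sends an `http.<url>.extraheader` value only to remotes that the `<url>` part of the key matches: same scheme and host, the key's path as a prefix on a slash boundary, and the user name compared only if the key contains one. The script below is an added example, not part of the original question or answers; it applies a simplified subset of that rule (no host wildcards, no ports) to a Terraform module source, and its function names and sample values are constructed from the placeholders used on this page.

```bash
#!/usr/bin/env bash
# Added example (constructed names and values). Simplified subset of git's
# http.<url>.* matching: no host wildcards, no port handling.

# Strip Terraform's "git::" prefix and "?ref=..." query from a module source.
module_git_url() {
  local src="${1#git::}"
  printf '%s\n' "${src%%[?]*}"
}

# Split "scheme://[user@]host[/path]" into U_SCHEME, U_USER, U_HOST, U_PATH.
split_url() {
  local rest="${1#*://}" auth
  U_SCHEME="${1%%://*}"
  auth="${rest%%/*}"
  U_PATH=""
  if [ "$rest" != "$auth" ]; then U_PATH="/${rest#*/}"; fi
  U_USER=""
  case "$auth" in *@*) U_USER="${auth%@*}" ;; esac
  U_HOST="${auth##*@}"
}

# Return 0 if the config scope $1 applies to the remote URL $2.
scope_covers() {
  local s_scheme s_user s_host s_path
  split_url "$1"
  s_scheme=$U_SCHEME s_user=$U_USER s_host=$U_HOST s_path=${U_PATH%/}
  split_url "$2"
  [ "$s_scheme" = "$U_SCHEME" ] && [ "$s_host" = "$U_HOST" ] || return 1
  # A user name in the scope must match exactly; a scope without one matches any.
  [ -z "$s_user" ] || [ "$s_user" = "$U_USER" ] || return 1
  # The scope path must equal the URL path or be a prefix ending on a "/" boundary.
  case "$U_PATH/" in "$s_path"/*) return 0 ;; esac
  return 1
}

# Constructed sample: module source and scopes written with the page's placeholders.
SRC='git::https://OrgName@dev.azure.com/OrgName/SW/_git/AnotherRepoName?ref=BranchName'
for scope in 'https://dev.azure.com/OrgName/Infra' \
             'https://dev.azure.com/OrgName' \
             'https://OrgName@dev.azure.com'; do
  if scope_covers "$scope" "$(module_git_url "$SRC")"; then
    echo "http.$scope.extraheader: sent to module remote"
  else
    echo "http.$scope.extraheader: NOT sent to module remote"
  fi
done
```

With these placeholder names, a key scoped to one project path does not cover a module repository under a different project path, while a key scoped to the organization or to the host does.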
