Modules Repository

Terrateam Configuration

Terrateam behavior can be configured via a config.yml. This file is located in a directory named .terrateam at the root of your Terraform repository: .terrateam/config.yml.

See the Configuration documentation for details.

It's possible to use a separate repository that your Terraform code references as a Terraform Module Source.

The Terrateam GitHub Action detects all GitHub Actions secrets whose names start with TERRATEAM_SSH_KEY and automatically configures the SSH client in the Terrateam Action runtime so that the Terraform CLI can fetch module source repositories. This only works for modules that use a Git SSH URL.

Terrateam expects TERRATEAM_SSH_KEY secret values to be in SSH private key format.

It's possible to configure more than one private SSH key in your repository as long as each GitHub secret name starts with TERRATEAM_SSH_KEY.

For example, a GitHub repository could contain the following secrets:

  • TERRATEAM_SSH_KEY
  • TERRATEAM_SSH_KEY_FOO
  • TERRATEAM_SSH_KEY_BAR
  • TERRATEAM_SSH_KEY_BAZ
  • TERRATEAM_SSH_KEY_QUX

The Terrateam GitHub Action will detect all of the secrets starting with TERRATEAM_SSH_KEY and properly configure the runtime environment for all private SSH keys.

Secret values must be in SSH private key format or the Terrateam GitHub Action workflow will fail.
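The format requirement above can be checked locally before a key is stored as a secret. The following is an added example, not Terrateam's code: it assumes the openssh-key-v1 file layout that ssh-keygen writes for the passwordless ed25519 key generated in the steps below, and its function names are illustrative. How Terrateam itself validates the secret is not shown on this page, and keys in other encodings are reported here as unrecognized.

```python
# Added example: helper names are illustrative, not Terrateam APIs.
import base64
import struct

MAGIC = b"openssh-key-v1\0"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"
PREFIX = "TERRATEAM_SSH_KEY"  # secret-name prefix stated on this page

def _string(buf, off):
    # SSH wire-format string: uint32 big-endian length, then that many bytes.
    n = int.from_bytes(buf[off:off + 4], "big")
    if off + 4 > len(buf) or off + 4 + n > len(buf):
        raise ValueError("truncated key data")
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_key(pem_text):
    # Parse only the cleartext header; the private section is never decoded.
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an openssh-key-v1 file (armor lines missing)")
    blob = base64.b64decode("".join(lines[1:-1]), validate=True)
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic, expected openssh-key-v1")
    cipher, off = _string(blob, len(MAGIC))
    kdf, off = _string(blob, off)
    _opts, off = _string(blob, off)
    pub, _ = _string(blob, off + 4)  # skip the uint32 key count
    key_type, _ = _string(pub, 0)
    return {"cipher": cipher.decode(), "kdf": kdf.decode(), "key_type": key_type.decode()}

def check_secret(name, pem_text):
    # Returns a list of problems; an empty list means the secret looks usable.
    problems = [] if name.startswith(PREFIX) else [f"name must start with {PREFIX}"]
    try:
        info = inspect_key(pem_text)
    except ValueError as exc:  # also covers base64 decoding errors
        return problems + [str(exc)]
    if info["cipher"] != "none":
        problems.append('key is passphrase-protected; regenerate with -N ""')
    return problems

def constructed_key(cipher=b"none"):
    # Constructed sample: valid layout, zero bytes instead of key material.
    s = lambda b: struct.pack(">I", len(b)) + b
    pub = s(b"ssh-ed25519") + s(bytes(32))
    blob = MAGIC + s(cipher) + s(b"none") + s(b"") + struct.pack(">I", 1) + s(pub) + s(bytes(8))
    return "\n".join([BEGIN, base64.b64encode(blob).decode(), END])
```

On a workstation, pass the contents of ~/.ssh/terrateam-ssh-key to check_secret before running gh secret set.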

Prerequisites

These instructions require you to run commands from a terminal.

GitHub Repository using a Git SSH URL

When specifying a private GitHub repository as a Terraform module source, SSH keys must be properly configured against your repositories. The following instructions explain how to use a GitHub repository with Git SSH URL as a Terraform Module Source.

Example configuration:

module "example_module" {
  source = "git::ssh://git@github.com/OWNER/TERRAFORM-MODULES-REPO.git"
}

  1. Export your organization/repository combination that contains your Terraform code for resources:

       export TERRAFORM_REPO="OWNER/TERRAFORM-REPO"

  2. Export your organization/repository combination that contains your Terraform modules code:

       export MODULES_REPO="OWNER/TERRAFORM-MODULES-REPO"

  3. Generate a passwordless SSH key:

       ssh-keygen -t ed25519 -C "my description" -N "" -f ~/.ssh/terrateam-ssh-key

  4. Add the SSH public key to your Terraform Modules repository as a GitHub deploy key:

       gh repo deploy-key --repo "$MODULES_REPO" add ~/.ssh/terrateam-ssh-key.pub

  5. Add the SSH private key to your Terraform repository as a GitHub Actions Secret:

       gh secret --repo "$TERRAFORM_REPO" set TERRATEAM_SSH_KEY < ~/.ssh/terrateam-ssh-key

  6. Clean up your SSH key from your local workstation:

       rm -f ~/.ssh/terrateam-ssh-key ~/.ssh/terrateam-ssh-key.pub

Non-GitHub Repository using a Git SSH URL

It's possible to use a non-GitHub repository as your Terraform modules source.

Example configuration:

module "example_module" {
  source = "git::ssh://username@example.com/TERRAFORM-MODULES-REPO.git"
}

  1. Export your organization/repository combination that contains your Terraform code for resources:

       export TERRAFORM_REPO="OWNER/TERRAFORM-REPO"

  2. Generate a passwordless SSH key:

       ssh-keygen -t ed25519 -C "my description" -N "" -f ~/.ssh/terrateam-ssh-key

  3. Add the SSH public key to the Git host of your Terraform Modules repository as an authorized key. See your Git hosting provider's instructions for details.

       cat ~/.ssh/terrateam-ssh-key.pub

  4. Add the SSH private key to your Terraform repository as a GitHub Actions Secret:

       gh secret --repo "$TERRAFORM_REPO" set TERRATEAM_SSH_KEY < ~/.ssh/terrateam-ssh-key

  5. Clean up your SSH key from your local workstation:

       rm -f ~/.ssh/terrateam-ssh-key ~/.ssh/terrateam-ssh-key.pub

  6. Create or modify your .terrateam/config.yml to SSH keyscan your Git repository domain before a Plan or Apply operation:

       hooks:
         plan:
           pre:
             - type: run
               cmd: ['ssh-keyscan-pre-hook', 'example1.com', 'example2.com']
         apply:
           pre:
             - type: run
               cmd: ['ssh-keyscan-pre-hook', 'example1.com', 'example2.com']

The ssh-keyscan-pre-hook script is a simple wrapper for the ssh-keyscan command. Source code found here.