• Docs
  • Common Use Cases
  • Git
  • Modules Repository

Modules Repository

It's possible to use a separate repository that your Terraform code references as a Terraform Module Source.

The Terrateam GitHub Action will detect all GitHub Action secrets starting with TERRATEAM_SSH_KEY and automatically create the required Terrateam Action runtime SSH client changes in order for the Terraform CLI to work with module source repositories. This is only compatible for modules using a Git SSH URL.

Terrateam expects TERRATEAM_SSH_KEY secret values to have an SSH private key format.

It's possible to configure more than one private SSH key in your repository as long as the GitHub Secret starts with TERRATEAM_SSH_KEY.

For example, a GitHub repository could contain the following secrets:

  • TERRATEAM_SSH_KEY
  • TERRATEAM_SSH_KEY_FOO
  • TERRATEAM_SSH_KEY_BAR
  • TERRATEAM_SSH_KEY_BAZ
  • TERRATEAM_SSH_KEY_QUX

The Terrateam GitHub Action will detect all of the secrets starting with TERRATEAM_SSH_KEY and properly configure the runtime environment for all private SSH keys.

Secret values must be in SSH private key format or the Terrateam GitHub Action workflow will fail.

Setup Prerequisites

GitHub Repository using a Git SSH URL

When specifying a private GitHub repository as a Terraform module source, SSH keys must be properly configured against your repositories. The following instructions explain how to use a GitHub repository with Git SSH URL as a Terraform Module Source.

Example configuration:

module "example_module" {
  source = "git::ssh://git@github.com/OWNER/TERRAFORM-MODULES-REPO.git"
}
  1. Export your organization/repository combination that contains your Terraform code for resources:
export TERRAFORM_REPO="OWNER/TERRAFORM-REPO"
  1. Export your organization/repository combination that contains your Terraform modules code:
export MODULES_REPO="OWNER/TERRAFORM-MODULES-REPO"
  1. Generate a passwordless SSH key
ssh-keygen -t ed25519 -C "my description" -N "" -f ~/.ssh/terrateam-ssh-key
  1. Add the SSH public key to your Terraform Modules repository as a GitHub deploy key
gh repo deploy-key --repo "$MODULES_REPO" add ~/.ssh/terrateam-ssh-key.pub
  1. Add the SSH private key to your Terraform repository as a GitHub Actions Secret
gh secret --repo "$TERRAFORM_REPO" set TERRATEAM_SSH_KEY < ~/.ssh/terrateam-ssh-key
  1. Clean up your SSH key from your local workstation
rm -f ~/.ssh/terrateam-ssh-key ~/.ssh/terrateam-ssh-key.pub

Non-GitHub Repository using a Git SSH URL

It's possible to use a non-GitHub repository as your Terraform modules source.

Example configuration:

module "example_module" {
  source = "git::ssh://username@example.com/TERRAFORM-MDOULES-REPO.git"
}
  1. Export your organization/repository combination that contains your Terraform code for resources:
export TERRAFORM_REPO="OWNER/TERRAFORM-REPO"
  1. Generate a passwordless SSH key
ssh-keygen -t ed25519 -C "my description" -N "" -f ~/.ssh/terrateam-ssh-key
  1. Add the SSH public key to the Git host of your Terraform Modules repository as an authorized key. See your Git hosting provider instructions for details.
cat ~/.ssh/terrateam-ssh-key.pub
  1. Add the SSH private key to your Terraform repository as a GitHub Actions Secret
gh secret --repo "$TERRAFORM_REPO" set TERRATEAM_SSH_KEY < ~/.ssh/terrateam-ssh-key
  1. Clean up your SSH key from your local workstation
rm -f ~/.ssh/terrateam-ssh-key ~/.ssh/terrateam-ssh-key.pub
  1. Create or modify your .terrateam/config.yml to SSH keyscan your Git repository domain before a Plan or Apply operation
hooks:
  plan:
    pre:
      - type: run
        cmd: ['ssh-keyscan-pre-hook', 'example1.com', 'example2.com']
  apply:
    pre:
      - type: run
        cmd: ['ssh-keyscan-pre-hook', 'example1.com', 'example2.com']

The ssh-keyscan-pre-hook script is a simple wrapper for the ssh-keyscan command. Source code found here.