Authenticate to Git with SSH Keys

There are many ways to authenticate to VCS providers in order to pull down Terraform modules. Scalr has its own module registry, but we understand the need for the path of least disturbance during a migration. Sourcing modules from Git is fully supported by Scalr out of the box when the HTTPS method is used, but some customers prefer to use SSH keys. In that case, only a few extra steps are needed.

In this tutorial we’ll talk about how to pull down Git sourced modules using the SSH authentication method during your Terraform runs.

There are ways to add the key to a Scalr agent as a way of doing the authentication, but we prefer the following method as the key is stored as an encrypted shell variable and the key file is added to the .gitignore file to ensure users do not accidentally leak it anywhere.

Equally important, this method will work for any workflow, VCS based or through the Terraform CLI.

Prerequisites

  • An account on scalr.io

  • Access to custom hooks on the pro tier (or ask for a free trial if you’re just testing)

  • VCS provider connected to Scalr or the Terraform CLI locally

  • Access to a VCS repository to pull the Terraform code from

Steps

First, you’ll need to create a Terraform module that is in a repository that requires authentication, specifically SSH authentication. You can use existing code, or simply copy the following into a main.tf:

resource "null_resource" "example" {
  provisioner "local-exec" {
    command = "echo 'Congrats on your first run!'"
  }
}

Now, create a new repository, which will store the code that will be used in the workspace. First, we’ll create a main.tf to call the repository:

module "null_resource" {
  source = "git@<your-git-host>:<your-repo>/null_resource_module.git"
}

Be sure to update <your-git-host> and <your-repo> above to point to your Git server and repository.

Now let's create a pre-init.sh, which will be used as part of a custom hook to add the SSH key to the Scalr runner. The Scalr runners only last the lifetime of the run.

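#!/bin/bash

# Write the private key from the GIT_SSH_KEY shell variable to a file in the working directory
printenv GIT_SSH_KEY > git-ssh.pem
# Make the key file read-only for its owner (ssh rejects private keys with loose permissions)
chmod 400 git-ssh.pem
# Make git use this key; StrictHostKeyChecking=no means the server's host key is not verified
export GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=no -i $(pwd)/git-ssh.pem"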
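
A hardened variant of the hook above, as an added example that is not part of the original tutorial: it creates the key file with owner-only permissions from the start and pins the Git server's host key instead of turning host key checking off. GIT_SSH_KNOWN_HOSTS (a second shell variable holding the server's known_hosts entry, copied from your Git provider's published host keys), the git-known-hosts file name and the setup_git_ssh function are assumptions.

```shell
#!/bin/bash
# Added example: hardened pre-init.sh. Source it from the hook, as with the original.
# GIT_SSH_KNOWN_HOSTS is a hypothetical shell variable with the server's known_hosts line(s).

setup_git_ssh() {
  # Fail early when either variable is missing or empty.
  if [ -z "${GIT_SSH_KEY:-}" ] || [ -z "${GIT_SSH_KNOWN_HOSTS:-}" ]; then
    echo "GIT_SSH_KEY and GIT_SSH_KNOWN_HOSTS must both be set" >&2
    return 1
  fi

  local dir key hosts old_umask
  dir="$(pwd)"
  key="$dir/git-ssh.pem"
  hosts="$dir/git-known-hosts"

  # Create both files owner-only, so the key is never readable by group or others,
  # not even for the moment between the write and the chmod.
  old_umask="$(umask)"
  umask 077
  rm -f "$key" "$hosts"   # read-only leftovers from an earlier run would block the write
  printf '%s\n' "$GIT_SSH_KEY" > "$key"
  printf '%s\n' "$GIT_SSH_KNOWN_HOSTS" > "$hosts"
  umask "$old_umask"
  chmod 400 "$key" "$hosts"

  # IdentitiesOnly: offer only this key. StrictHostKeyChecking=yes with a dedicated
  # known_hosts file: refuse any server whose host key is not the pinned one.
  # The paths are single-quoted because git runs GIT_SSH_COMMAND through a shell.
  export GIT_SSH_COMMAND="ssh -i '$key' -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile='$hosts'"
}

# Run only when the key variable is present, so sourcing the file without it is a no-op.
[ -z "${GIT_SSH_KEY:-}" ] || setup_git_ssh
```

With this variant, a connection to a server presenting a different host key fails the module download instead of silently proceeding.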

The last thing that needs to be done is adding the git-ssh.pem file to a .terraformignore file to ensure it is not accidentally leaked:

git-ssh.pem

There should now be three files in your working directory/repository: main.tf, pre-init.sh, .terraformignore.

Now, let's flip over to the UI to configure the workspace. Create the workspace and point to the repo which references the module:

../_images/git_ssh1.png

Expand the custom hooks section and add the pre-init.sh (. $PWD/pre-init.sh):

../_images/git_ssh2.png

Lastly, add the SSH key as a shell variable with the name GIT_SSH_KEY:

../_images/git_ssh3.png

And now execute the run:

../_images/git_ssh4.png

Scalr successfully pulls down the module using the SSH protocol, as you can see in the plan output:

../_images/git_ssh5.png