Connect Terraform to Azure DevOps Git Repos over SSH
Terraform supports many different module sources. In today's tutorial we look at how to configure an Azure DevOps repo with SSH and use this repo as a module source in Terraform. We will also look at how to use the Install SSH Key DevOps task in a pipeline that runs Terraform, so that the DevOps agent running the Terraform deployment can connect to the DevOps repo as a source over SSH.
First we have to create an SSH key pair:
- Install Git for Windows.
- In a PowerShell console run: `ssh-keygen`. This will create a private key: `id_rsa` and a public key: `id_rsa.pub` under the following path: `%UserProfile%/.ssh`.
- If a passphrase was used in the creation of the key pair, make a note of the passphrase as we will need it later on.
- Next run: `ssh-keyscan -H -t rsa ssh.dev.azure.com > $env:userprofile/.ssh/known_hosts` (note that `>` replaces any existing `known_hosts` file). The content of the file will be used later on in the setup of the Install SSH Key DevOps task in our DevOps pipeline.
- Copy the private key file created in the previous step, `id_rsa`, into Azure Pipelines -> Library -> Secure files. The file can be renamed to make it more friendly to use later on in the Install SSH Key DevOps task. In my case I have renamed my private key to `terraform_rsa`.
- Under the user settings in Azure DevOps go to SSH public keys and select Add. Give a name and add the contents of the file created, `id_rsa.pub`. In my case I have renamed my public key to `terraform_rsa.pub`.
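`ssh-keyscan` records whatever host key the network returns, and `-H` hashes the host name so the resulting line cannot be checked by eye. The following added example (not code from the original post) checks that a `known_hosts` line names `ssh.dev.azure.com` and carries a key whose SHA256 fingerprint equals one obtained from a trusted channel; the sample line, its key and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

HOST = "ssh.dev.azure.com"  # host scanned by ssh-keyscan in the step above


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed field, as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data


def make_sample_line(host: str, salt: bytes) -> str:
    """Build a CONSTRUCTED hashed known_hosts line (not a real Azure DevOps key)."""
    blob = b"".join(map(_ssh_string, (b"ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xab" * 256)))
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    hashed = "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())
    return "%s ssh-rsa %s" % (hashed, base64.b64encode(blob).decode())


def host_matches(field: str, host: str) -> bool:
    """True if a known_hosts host field (hashed by -H, or a plain list) names `host`."""
    if not field.startswith("|1|"):
        return host in field.split(",")
    _, _, salt_b64, mac_b64 = field.split("|")
    want = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(want, base64.b64decode(mac_b64))


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_known_hosts(text: str, host: str, pinned_fp: str) -> bool:
    """Accept only if there is at least one entry and every entry is for `host` with the pinned key."""
    rows = [ln.split() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]
    return bool(rows) and all(
        len(r) >= 3 and host_matches(r[0], host) and fingerprint(r[2]) == pinned_fp
        for r in rows
    )


if __name__ == "__main__":
    sample = make_sample_line(HOST, salt=b"\x01" * 20)
    pinned = fingerprint(sample.split()[2])  # in real use: a value from a trusted channel
    print(check_known_hosts(sample, HOST, pinned))
```

Run against the real file, `text` would be the content of `known_hosts` before it is pasted into the `git_ssh_known_hosts` variable.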
When using an Azure DevOps pipeline to execute terraform code from a DevOps agent referencing an Azure Devops git Repo as a module source, we can make use of the Install SSH Key devops task to install the SSH key pair we just created onto the DevOps agent that will be executing the terraform code.
We will create a few variables next. These variables can either be created inside of a variable group or a key vault and accessed using the Azure key vault task in our devops pipeline.
- Create an SSH public key variable that will be used in our pipeline: `terraform-git-ssh-pub` and add the content of file `id_rsa.pub`. This can also be stored as a secret in Azure Key Vault instead and can be accessed as variables in our pipeline using the Azure Key Vault DevOps task.
- Create a known hosts variable that will be used in our pipeline: `git_ssh_known_hosts` and add the content of file `known_hosts` created earlier with `ssh-keyscan`. This can also be stored as a secret in Azure Key Vault instead and can be accessed as variables in our pipeline using the Azure Key Vault DevOps task.
- (Optional) If a passphrase was used in the generation of the SSH key pair in step one, you can create a variable that will be used in our pipeline: `git_ssh_pass` and add the secret value. This can also be stored as a secret in Azure Key Vault instead and can be accessed as variables in our pipeline using the Azure Key Vault DevOps task.
- Create the Install SSH Key DevOps task and use the following parameters:
  - Display Name: Install an SSH key
  - Known Hosts Entry: $(git_ssh_known_hosts)
  - SSH Public Key: $(terraform-git-ssh-pub)
  - Passphrase: $(git_ssh_pass) (Note: if no passphrase was used when the SSH key pair was generated, this can be left as [none])
  - SSH Key: terraform_rsa (This was the private key we uploaded into secure files library in step 2, which we renamed from `id_rsa`)
That's it. The Install SSH Key DevOps task will now install the SSH key on the Azure DevOps agent, allowing our Terraform deployment to connect securely over SSH to the Azure DevOps Git repo hosting our modules.
Here is a yaml pipeline example of the tasks/steps to read in secrets as variables from the key vault task and including the install SSH keys task.
```yaml
steps:
### Link to key vault.
- task: AzureKeyVault@1
  displayName: Keyvault
  inputs:
    azureSubscription: TerraformSP #ADO service connection (Service principal)
    KeyVaultName: 'mykeyvault'
    secretsFilter: '*' #'*' downloads every secret in the vault; a comma-separated list of only the needed secret names limits exposure.
    runAsPreJob: true

### Install SSH key on ADO agent to access terraform modules git repo.
- task: InstallSSHKey@0
  displayName: 'Install an SSH key'
  inputs:
    knownHostsEntry: '$(git_ssh_known_hosts)' #Variable pulled in from key vault via key vault task above.
    sshPublicKey: '$(terraform-git-ssh-pub)' #Variable pulled in from key vault via key vault task above.
    sshPassphrase: '$(git_ssh_pass)' #Variable pulled in from key vault via key vault task above.
    sshKeySecureFile: 'terraform_rsa' #This was originally renamed from id_rsa and uploaded into secure files library on the project hosting our TF modules repo
```
Here is an example of how we can reference our Azure DevOps repo containing our module code in our terraform deployment.
```hcl
module "mymodule" {
  source = "git::git@ssh.dev.azure.com:v3/Org/Project/repo"
}
```
I hope you have enjoyed this post and have learned something new. You can also find the code samples used in this blog post on my GitHub page. ❤️