
Support git ssh key authentication #176

Closed
julianvmodesto opened this issue Jul 9, 2018 · 22 comments
Labels: docs (Documentation), feature (New functionality/enhancement)

Comments

@julianvmodesto

Currently, Atlantis clones git repos with the https remote.

It would be great if Atlantis also supported ssh remotes with ssh key authentication.

@psalaberria002
Contributor

Not sure this answers your request, but for fetching modules using ssh you can add the GIT_SSH_COMMAND environment variable when running Atlantis.

        - name: GIT_SSH_COMMAND
          value: "ssh -i /home/atlantis/.ssh/yourkey.pem -o 'StrictHostKeyChecking no'"

and then point the source of the module to an ssh git endpoint where the module resides.

module "x" {
  source = "git@github.com:yourorg/yourrepo.git?ref=xyz"
}

@julianvmodesto
Author

Oh I see, that's great, thanks! I'll close this for now then and try that out.

@lkysow
Member

lkysow commented Jul 11, 2018

Thanks for the workaround @psalaberria002! I'm going to re-open this because it would still be a good feature though.

@lkysow lkysow reopened this Jul 11, 2018
@lkysow
Member

lkysow commented Nov 2, 2018

I'm going to close this because for modules, there is a solution outlined above and otherwise I think it makes sense that Atlantis clones the repos using https and the credentials already given to it for making API calls to the VCS system.

@lkysow lkysow closed this as completed Nov 2, 2018
@julianvmodesto
Author

+1, those solutions work for me!

@robatwave

@psalaberria002 where would I add in the first configuration snippet mentioned in #176 (comment)?

@psalaberria002
Contributor

psalaberria002 commented Dec 27, 2018

GIT_SSH_COMMAND is an environment variable @robatwave

@robatwave

@psalaberria002 I know, but your snippet seemed to imply it being defined in atlantis.yaml somehow, and I can't seem to find a reference to that capability in the documentation, so I'm missing the context as to where exactly that code snippet is supposed to go.

@psalaberria002
Contributor

It's a snippet taken from a Kubernetes deployment env section. It's not part of any atlantis yaml.

@sstarcher

If you are using the helm chart, you can override the gitconfig:

gitconfig: |
    [url "https://TOKEN@github.com"]
      insteadOf = ssh://git@github.com

@karl-tpio

I would like to +1 for adding SSH support to atlantis, but am OK with the workaround.

Can somebody tell me what I am doing wrong?

You can see the GIT_SSH_COMMAND set inside the atlantis container.
You can see that I have no problem executing the SSH command manually.

docker-host$ sudo docker exec -it atlantis bash
bash-4.4# env | grep COMMAND
GIT_SSH_COMMAND="ssh -o 'StrictHostKeyChecking=no' -i /home/atlantis/.ssh/atlantis-github.pem"
bash-4.4# ssh -o 'StrictHostKeyChecking=no' -i /home/atlantis/.ssh/atlantis-github.pem git@github.com
Warning: Permanently added 'github.com,192.30.255.112' (RSA) to the list of known hosts.
PTY allocation request failed on channel 0
Hi [karl-tpio]! You've successfully authenticated, but GitHub does not provide shell access.
Connection to github.com closed.

But when I atlantis plan on a pull request, I get:

exit status 1: running "sh -c terraform init -input=false -no-color" in "/home/atlantis/.atlantis/repos/[my-org]/terraform/5/default/some/folder"
Initializing modules...
- module.esearch-cluster
  Getting source "git@github.com:[my-org]/terraform-modules//some-module"
Error downloading modules: Error loading modules: error downloading 'ssh://git@github.com/[my-org]/terraform-modules': /usr/bin/git exited with 128: Cloning into '.terraform/modules/<snip>'...
"ssh -o 'StrictHostKeyChecking=no' -i /home/atlantis/.ssh/atlantis-github.pem": line 1: ssh -o 'StrictHostKeyChecking=no' -i /home/atlantis/.ssh/atlantis-github.pem: not found
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

I can confirm that atlantis-github.pem is a private key that has sufficient privileges. As a test, I used the same private key that initially pushed the terraform into the repo from my workstation, and it worked!

@psalaberria002
Contributor

psalaberria002 commented Jan 10, 2019

@karl-tpio You wrapped the environment variable value with double quotes. That's the issue.

$ export GIT_SSH_COMMAND="\"ssh -i /Users/myuser/.ssh/mykey -o 'StrictHostKeyChecking=no'\""
$ env | grep COMM                                                                              
GIT_SSH_COMMAND="ssh -i /Users/myuser/.ssh/mykey -o 'StrictHostKeyChecking=no'"
$ terraform get
- module.modulex
  Getting source "git@github.com:org/terraform-modules//modulex"
Error loading modules: error downloading 'ssh://git@github.com/org/terraform-modules': /usr/local/bin/git exited with 128: Cloning into '.terraform/modules/1d5d97f9a6f3bfb0983734a950ff9b3f'...
"ssh -i /Users/myuser/.ssh/mykey -o 'StrictHostKeyChecking=no'": ssh -i /Users/myuser/.ssh/mykey -o 'StrictHostKeyChecking=no': No such file or directory
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

$ export GIT_SSH_COMMAND="ssh -i /Users/myuser/.ssh/mykey -o 'StrictHostKeyChecking=no'"
$ env | grep COMMAND                                                                              
GIT_SSH_COMMAND=ssh -i /Users/myuser/.ssh/mykey -o 'StrictHostKeyChecking=no'
$ terraform get                                                                            
- module.modulex
  Getting source "git@github.com:org/terraform-modules//modulex"
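To see why the surrounding double quotes break things, here is an added shell script (not from this thread or from the Atlantis project) that emulates how git hands GIT_SSH_COMMAND to /bin/sh: the value is parsed as a command line and the host plus remote command are appended as extra arguments. It uses a constructed stand-in named fake-ssh instead of a real ssh binary so it runs offline, and the key path is only a placeholder.

```shell
#!/bin/sh
# Emulation of how git invokes GIT_SSH_COMMAND (added example): the value is
# handed to the shell as a command line and the ssh arguments are appended,
# so effectively `sh -c '<value> "$@"' <value> host remote-cmd` runs.
emulate_git_ssh() {
  cmd=$1
  shift
  sh -c "$cmd \"\$@\"" "$cmd" "$@"
}

# Constructed stand-in for ssh so the script runs offline: it prints the
# arguments it received and exits 0. The directory is removed on exit.
make_fake_ssh() {
  dir=$(mktemp -d)
  cat > "$dir/fake-ssh" <<'EOF'
#!/bin/sh
printf 'fake-ssh called with:'
for a in "$@"; do printf ' [%s]' "$a"; done
printf '\n'
EOF
  chmod +x "$dir/fake-ssh"
  printf '%s' "$dir"
}

# Exit status git would see for a given GIT_SSH_COMMAND value
# (0 = the ssh command ran, 127 = the shell could not find the command).
git_ssh_status() {
  emulate_git_ssh "$1" git@github.com "git-upload-pack 'org/repo.git'" >/dev/null 2>&1 \
    && status=0 || status=$?
  echo "$status"
}

FAKE_DIR=$(make_fake_ssh)
trap 'rm -rf "$FAKE_DIR"' EXIT
PATH="$FAKE_DIR:$PATH"
export PATH

# Correct value: a plain command line (placeholder key path).
GOOD="fake-ssh -i /home/atlantis/.ssh/atlantis-github.pem -o 'StrictHostKeyChecking=no'"
# Value as it ended up in the reporter's container: the double quotes from the
# env file became part of the value, so the shell sees one word, i.e. a command
# *named* "fake-ssh -i ... -o '...'" rather than fake-ssh with arguments.
BAD="\"fake-ssh -i /home/atlantis/.ssh/atlantis-github.pem -o 'StrictHostKeyChecking=no'\""

echo "GOOD -> exit $(git_ssh_status "$GOOD")"   # 0
echo "BAD  -> exit $(git_ssh_status "$BAD")"    # 127
# Show the argument vector the stand-in receives for the good value.
emulate_git_ssh "$GOOD" git@github.com "git-upload-pack 'org/repo.git'"
```

Docker `--env-file` and Kubernetes `env:` values are taken literally, so the same check applies there: the value must be the bare command line, and only the inner `-o` option should carry quotes.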

@karl-tpio

@psalaberria002 Doh, good catch. Removed the "" from my docker env file and all is good in the world. :)

@ivanmartos

For all the users of https://github.com/terraform-aws-modules/terraform-aws-atlantis: to make the solution from @psalaberria002 work, you need to

  • copy the private key to the docker image of atlantis. Do not forget to modify the access rights for the key; the user atlantis must be able to read it!
  • add the env variable. It can be done via
custom_environment_variables = ["${map("name","GIT_SSH_COMMAND", "value","ssh -i /home/atlantis/.ssh/your_key.pem -o 'StrictHostKeyChecking no'")}"]

@m00lecule

I would like to propose a git-ssh-clone flag, that would allow cloning using ssh over https.

@majormoses
Contributor

> I would like to propose a git-ssh-clone flag, that would allow cloning using ssh over https.

I think we want something that can be specified on a per use case basis. The problem with a global setting is that this will not work well if you rely on https for external module sources and git for internal modules.

@m00lecule

m00lecule commented Nov 21, 2021

> I would like to propose a git-ssh-clone flag, that would allow cloning using ssh over https.
>
> I think we want something that can be specified on a per use case basis. The problem with a global setting is that this will not work well if you rely on https for external module sources and git for internal modules.

Actually, this setting would only be useful in the scenario where an organisation has enforced cloning over ssh from an internal git service. It would not block cloning external terraform modules, because the git hostname provided in config.yaml will not match.

Motivation:
If the git service enforces cloning over ssh, then set git-ssh-clone: true. Because no matter what (repo, tg module etc.) you will be cloning, it has to be ssh.

@mustafa89

For anyone struggling with getting Atlantis to clone over SSH because the HTTP endpoint is disabled: both the .gitconfig and the env var are needed to get the redirection to SSH to work. The .gitconfig should look like this:

[url "git@gitlab.yourorg.com:"]
        insteadOf = https://<gitlab_user>:<gitlab_token>@gitlab.yourorg.com

Notice here, contrary to all the examples, the insteadOf attribute is the HTTPS endpoint. So any request that will match this URL will be redirected to the SSH endpoint.
Then we need the env var for GIT_SSH_COMMAND:

export GIT_SSH_COMMAND="ssh -i /home/atlantis/.ssh/yourkey.pem -o 'StrictHostKeyChecking no'"

It is quite surprising that such an important feature is missing from Atlantis, took a lot of effort to figure this out.
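The two .gitconfig snippets in this thread (sstarcher's, which turns ssh URLs into https with a token, and the GitLab one above, which turns https URLs into ssh) both rely on git's url.<base>.insteadOf rule, documented as plain prefix replacement: any URL that starts with the insteadOf value is rewritten to start with <base>. The following added shell script (not from this thread or from Atlantis) emulates that rule so you can check which way a rewrite goes, and what the resulting URL looks like, before baking it into a container. The org/repo names, TOKEN and user:token values are constructed placeholders.

```shell
#!/bin/sh
# Added emulation of git's url.<base>.insteadOf prefix rule (not git itself).
# rewrite_url URL BASE INSTEADOF -> prints the URL git would actually use.
rewrite_url() {
  url=$1
  base=$2
  instead=$3
  case "$url" in
    "$instead"*) printf '%s%s\n' "$base" "${url#"$instead"}" ;;
    *)           printf '%s\n' "$url" ;;
  esac
}

# Direction 1 (helm chart gitconfig): ssh URL -> https with a token.
#   [url "https://TOKEN@github.com"]
#     insteadOf = ssh://git@github.com
rewrite_url 'ssh://git@github.com/org/terraform-modules' \
            'https://TOKEN@github.com' 'ssh://git@github.com'
# -> https://TOKEN@github.com/org/terraform-modules

# Caveat: the scp-like form does not start with "ssh://", so this rule leaves
# it alone. Terraform's go-getter normalises git@host:org/repo to
# ssh://git@host/org/repo before calling git (see the "error downloading
# 'ssh://git@github.com/...'" line in karl-tpio's output), which is why the
# rule still matches module sources written in scp-like form.
rewrite_url 'git@github.com:org/terraform-modules' \
            'https://TOKEN@github.com' 'ssh://git@github.com'
# -> git@github.com:org/terraform-modules

# Direction 2 (GitLab gitconfig above): https with credentials -> ssh.
#   [url "git@gitlab.yourorg.com:"]
#     insteadOf = https://<gitlab_user>:<gitlab_token>@gitlab.yourorg.com
rewrite_url 'https://user:token@gitlab.yourorg.com/org/repo.git' \
            'git@gitlab.yourorg.com:' 'https://user:token@gitlab.yourorg.com'
# -> git@gitlab.yourorg.com:/org/repo.git   (note the slash after the colon)

# Including the trailing slash in insteadOf yields the usual scp-like path.
rewrite_url 'https://user:token@gitlab.yourorg.com/org/repo.git' \
            'git@gitlab.yourorg.com:' 'https://user:token@gitlab.yourorg.com/'
# -> git@gitlab.yourorg.com:org/repo.git
```

Two things worth checking in your own deployment: with direction 1 the token lands in plaintext in .gitconfig inside the container, so it should be a narrowly scoped token; and with direction 2 the insteadOf value must match the exact URL Atlantis generates, credentials included, or the rewrite silently never fires and git keeps trying the disabled HTTPS endpoint.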

@nitrocode
Member

I use the following, which works locally for me as well as in Atlantis v0.20.1 using ATLANTIS_WRITE_GIT_CREDS=true:

module "private_submodule" {
  source = "git::ssh://git@github.com/<org>/<repo>//modules/<some-module-name>?ref=v1.2.3"
}

jamengual pushed a commit that referenced this issue Nov 23, 2022
@nitrocode nitrocode added the docs Documentation label Nov 24, 2022
meringu pushed a commit to meringu/atlantis that referenced this issue May 29, 2023
@FrancoisPoinsot

I just hit an issue with terraform 1.6 where GIT_SSH_COMMAND seems to be ignored.
The update of go-getter includes a change that removes this env var from the context of the git subprocess: https://github.com/hashicorp/go-getter/pull/300/files

Got it to work again by using the ~/.ssh/config file instead.
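Since ssh reads ~/.ssh/config itself, the key and host options set there apply no matter how git or go-getter launches ssh, which is what makes this route independent of GIT_SSH_COMMAND. The following is an added example of such a file for the atlantis user (not the commenter's actual file, and not shipped by Atlantis); the key path and home directory are the ones used elsewhere in this thread and are assumptions.

```sshconfig
# /home/atlantis/.ssh/config  (added example; paths are assumptions)
Host github.com
    User git
    IdentityFile /home/atlantis/.ssh/atlantis-github.pem
    # Offer only this key, so ssh does not cycle through agent keys first.
    IdentitiesOnly yes
    # Pin the host key rather than the "StrictHostKeyChecking no" used in the
    # workarounds above: seed known_hosts at deploy time (as RafPe's postStart
    # hook does with ssh-keyscan) and refuse unknown or changed host keys.
    UserKnownHostsFile /home/atlantis/.ssh/known_hosts
    StrictHostKeyChecking yes
```

ssh refuses a config file that is writable by other users, so the file needs to be owned by atlantis with mode 600, the same as the key. A module source of the form git@github.com:org/repo or git::ssh://git@github.com/org/repo then matches the Host block and uses the pinned key and host entry.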

@RafPe

RafPe commented Feb 7, 2024

For anyone else coming over to look for support in setting up SSH, this is how I addressed the setup while using a helm deployment.

Outline is:

  • Have SSH key ( or any other credentials you need ) as b64 encoded env var
  • Create a lifecycle hook in the container
  • Pass the GIT_SSH_COMMAND variable

This is what we get:

  lifecycle:
    postStart:
      exec:
        command:
        - /bin/sh
        - -c
        - |
          ATLANTIS_HOME="/home/atlantis"

          # Materialise the SSH private key from the base64-encoded env var,
          # only on first start (the file is left alone if it already exists).
          if [ -n "$CREDENTIALS_SSH_KEY" ]; then
            if [ ! -d "$ATLANTIS_HOME/.ssh" ]; then
              mkdir "$ATLANTIS_HOME/.ssh"
            fi

            if [ ! -f "$ATLANTIS_HOME/.ssh/id_rsa" ]; then
              echo "$CREDENTIALS_SSH_KEY" | base64 -d > "$ATLANTIS_HOME/.ssh/id_rsa"

              chmod 600 "$ATLANTIS_HOME/.ssh/id_rsa"

              # Seed known_hosts with GitHub's current host keys.
              ssh-keyscan github.com >> "$ATLANTIS_HOME/.ssh/known_hosts"

              chown atlantis:atlantis "$ATLANTIS_HOME/.ssh/id_rsa"
              chown atlantis:atlantis "$ATLANTIS_HOME/.ssh/known_hosts"
            fi
          else
            echo "CREDENTIALS_SSH_KEY parameter not supplied."
          fi

          # Same pattern for the Akamai .edgerc credentials file.
          if [ -n "$CREDENTIALS_AKAMAI_EDGERC" ]; then
            if [ ! -f "$ATLANTIS_HOME/.edgerc" ]; then
              echo "$CREDENTIALS_AKAMAI_EDGERC" | base64 -d > "$ATLANTIS_HOME/.edgerc"

              chmod 600 "$ATLANTIS_HOME/.edgerc"

              chown atlantis:atlantis "$ATLANTIS_HOME/.edgerc"
            fi
          else
            echo "CREDENTIALS_AKAMAI_EDGERC parameter not supplied."
          fi

Once that is added I define the ENV var for SSH command.

GIT_SSH_COMMAND: "ssh -i /home/atlantis/.ssh/id_rsa -o 'StrictHostKeyChecking no'"

Now in my case there is an external operator that streams the secret ENV vars into the container, and then the postStart hook just takes over and reconfigures as needed.
