2

Currently have a repository for terraform modules stored in AWS CodeCommit. Between Dev and Prod we want to use the same repository for the modules but be able to have Dev and Prod use different versions.

I've attached tags to particular commits in order to more easily distinguish a version. But I can't seem to find any documentation of how to reference that tag.

I've found the below as an example of how it's done on GitHub:

module "stage_vpc" {
  source = "git::git@github.com:gruntwork-io/module-vpc.git//modules/vpc-app?ref=v0.0.4"

  vpc_name         = "stage"
  aws_region       = "us-east-1"
  num_nat_gateways = 3
  cidr_block       = "10.2.0.0/18"
}

But trying to do the same for CodeCommit doesn't seem to work. It reports back "bad response code: 401"

Trying to ascertain whether this ?ref is the correct way to reference a tag in codecommit.

https://git-codecommit.eu-west-1.amazonaws.com/v1/repos/reddwarf-terraform-infrastructure-modules/modules/subnets?ref=subnets-v0.0.1

Can anyone confirm if this is the right method? Or if there is another way?

EDIT: I have now followed a setup guide where I have created an SSH key which I have put into my IAM user.

module "subnets" {
  source = "git::ssh://git-codecommit.eu-west-1.amazonaws.com/v1/repos/reddwarf-terraform-infrastructure-modules/Modules//subnets.git"
}

Which has generated the following error

bobscutter@git-codecommit.eu-west-1.amazonaws.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

The ./ssh folder exists with the correct credentials, not sure what else I am missing. I've also checked I can connect from Git Bash and it works.

FINAL EDIT: This is now working, after switching from HTTPS to SSH and creating the ./ssh directory as per the AWS documentation.

I just needed to add // rather than / in the path, as below:

  source = "git::ssh://git-codecommit.eu-west-1.amazonaws.com/v1/repos/reddwarf-terraform-infrastructure-modules//Modules//modules-orchestration//subnets"

Terraform successfully found and applied the module.

Pydam
  • 129
  • 12

4 Answers

3

For anyone coming here wondering whether you can use git-remote-codecommit with Terraform to clone from CodeCommit: the answer is yes, you can!

As per the Terraform docs:

Terraform installs modules from Git repositories by running git clone, and so it will respect any local Git configuration set on your system, including credentials.

This means that as long as your AWS profile is set up correctly, you can set your module source to a CodeCommit repository using either of the following formats:

  • codecommit://<profile>@<repository>
  • codecommit::<region>://<profile>@<repository>

It also respects configuration via environment variables like AWS_PROFILE and AWS_DEFAULT_REGION.

tedsmitt
  • 716
  • 4
  • 8
2

To be able to successfully set my module source I had to define it like this:

module "example" {
  source      = "git::codecommit::<region>://<repository-name>"
  example_var = "<fancy-var>"
  providers   = {
    aws = aws.<provider-alias>
  }
}

Additionally, I had to export the AWS_PROFILE which is granted on the CodeCommit repository before executing any Terraform commands and, as mentioned by @tedsmitt, git-remote-codecommit has to be installed.

Michael Aicher
  • 629
  • 12
  • 14
1

In order to fix this, follow the AWS documentation for setting up SSH connections.

Then use the path format below for the subnets module:

  source = "git::ssh://git-codecommit.eu-west-1.amazonaws.com/v1/repos/reddwarf-terraform-infrastructure-modules//Modules//modules-orchestration//subnets"

Then after performing a terraform init, Terraform successfully fetches the correct module.

Additionally, after tagging a commit with the name subnets-v0.0.1 and adding it as a reference as below, you can lock your deployment to a particular commit:

  source = "git::ssh://git-codecommit.eu-west-1.amazonaws.com/v1/repos/reddwarf-terraform-infrastructure-modules//Modules//modules-orchestration//subnets?ref=subnets-v0.0.1"

Pydam
  • 129
  • 12
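A small checker for the two details this thread turns on, the `//` subdirectory delimiter and `?ref=` pinning, added here as an example and not code from Terraform or from any answerer. It mirrors go-getter's splitting rules as I understand them (forced getter prefix, first `//` after the scheme, query string) and only recognises CodeCommit's `/v1/repos/<name>` path layout; the sample sources are the ones quoted on this page.

```python
"""Parse Terraform git module sources ("git::<url>//<subdir>?ref=<tag>") and
flag the two mistakes from this thread: a missing '//' (so the repo URL swallows
the module path) and an unpinned source that floats on the default branch."""
import re
from urllib.parse import parse_qs

# CodeCommit repo path layout: /v1/repos/<repo-name>[/anything-that-should-not-be-here]
CODECOMMIT_REPO = re.compile(r"^/v1/repos/([^/]+)(/.*)?$")


def parse_module_source(source):
    """Split a module source into forced getter, repo URL, subdirectory and ref."""
    getter, rest = None, source
    m = re.match(r"^([a-z]+)::(.*)$", source)          # e.g. "git::" prefix
    if m:
        getter, rest = m.group(1), m.group(2)
    url_part, has_query, query = rest.partition("?")  # "?ref=<tag>" lives here
    params = parse_qs(query) if has_query else {}
    # The first "//" after the scheme's "://" separates repo URL from subdirectory.
    start = url_part.find("://")
    start = start + 3 if start >= 0 else 0            # scp-style URLs have no "://"
    idx = url_part.find("//", start)
    repo, subdir = (url_part[:idx], url_part[idx + 2:]) if idx >= 0 else (url_part, "")
    return {"getter": getter, "repo": repo, "subdir": subdir,
            "ref": params.get("ref", [None])[0]}


def check_source(source):
    """Return a list of problems; an empty list means the source looks sane."""
    p = parse_module_source(source)
    problems = []
    if p["ref"] is None:
        problems.append("unpinned: no ?ref=<tag-or-commit>, the default branch will be used")
    path = re.sub(r"^[a-z]+://[^/]*", "", p["repo"])  # drop scheme and [user@]host
    m = CODECOMMIT_REPO.match(path)
    if "git-codecommit." in p["repo"] and m and m.group(2):
        problems.append("repo URL continues past /v1/repos/%s: put '//' before the "
                        "module subdirectory" % m.group(1))
    return problems


# Constructed check on the working source from the accepted answer (subnets module).
GOOD = ("git::ssh://git-codecommit.eu-west-1.amazonaws.com/v1/repos/"
        "reddwarf-terraform-infrastructure-modules//Modules//modules-orchestration//subnets"
        "?ref=subnets-v0.0.1")
# The asker's earlier attempt: single '/' after the repo name and no ref.
BAD = ("git::ssh://git-codecommit.eu-west-1.amazonaws.com/v1/repos/"
       "reddwarf-terraform-infrastructure-modules/Modules//subnets.git")
```

Running `check_source(BAD)` reports both problems, while `check_source(GOOD)` returns an empty list.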
0

Dears! The solutions above don't work for me, and I found another solution; it is not beautiful, but it works.

1. Create a new SSH key:

ssh-keygen

Enter file in which to save the key (/home/kda/.ssh/id_rsa):

then enter

path/to/the-ssh-key/.ssh/unique-ssh-key-name

Enter passphrase (empty for no passphrase):
Enter same passphrase again:

and press Enter twice. Then load the key into the agent:

$ eval "$(ssh-agent -s)"

$ ssh-add unique-ssh-key-name   # the private key, not the .pub file

Retrieve the public key:

cat path/to/the-ssh-key/.ssh/unique-ssh-key-name.pub

2. In the AWS console go to IAM -> Users -> username (this is your user) -> Security credentials, then scroll down to "SSH public keys for AWS CodeCommit", press "Upload public key" and paste your public key (from the "retrieve public key" step above). Then you can get the SSH Key ID.

3. In the Terraform module, add the SSH Key ID as below:

module "ecr" {
  source               = "git::ssh://AAAAR55KXXKM8VPADBBW@git-codecommit.us-east-1.amazonaws.com/v1/repos/terraform-module-ecr"
  name                 = "${var.ecr_names[0]}-${terraform.workspace}"
  scan_on_push         = true
  image_tag_mutability = "MUTABLE"

  tags = {
    Project   = "project"
    Terraform = true
  }

}

Of course, it is hard-coded, and here it is impossible to use the AWS Systems Manager Parameter Store to hide your SSH key ID.
