Atlantis: Support git ssh key authentication

Created on 9 Jul 2018 · 15 Comments · Source: runatlantis/atlantis

Currently, Atlantis clones git repos with the https remote.

It would be great if Atlantis also supported ssh remotes with ssh key authentication.

feature

All 15 comments

Not sure this answers your request, but for fetching modules using ssh you can add the GIT_SSH_COMMAND environment variable when running Atlantis.

        - name: GIT_SSH_COMMAND
          value: "ssh -i /home/atlantis/.ssh/yourkey.pem -o 'StrictHostKeyChecking no'"

and then point the source of the module to an ssh git endpoint where the module resides.

module "x" {
  source = "[email protected]:yourorg/yourrepo.git?ref=xyz"
}

Oh I see, that's great, thanks! I'll close this for now then and try that out.

Thanks for the workaround @psalaberria002! I'm going to re-open this because it would still be a good feature though.

I'm going to close this because for modules, there is a solution outlined above and otherwise I think it makes sense that Atlantis clones the repos using https and the credentials already given to it for making API calls to the VCS system.

+1, those solutions work for me!

@psalaberria002 where would I add in the first configuration snippet mentioned in https://github.com/runatlantis/atlantis/issues/176#issuecomment-403723892?

GIT_SSH_COMMAND is an environment variable @robatwave

@psalaberria002 I know, but your snippet seemed to imply it being defined in atlantis.yaml somehow, and I can't seem to find reference to that capability in the documentation, so I'm missing the context as to where exactly that code snippet is supposed to go?

It's a snippet taken from a Kubernetes deployment env section. It's not part of any atlantis yaml.

If you are using the helm chart you can override the gitconfig

gitconfig: |
    [url "https://[email protected]"]
      insteadOf = ssh://[email protected]

I would like to +1 for adding SSH support to atlantis, but am OK with the workaround.

Can somebody tell me what I am doing wrong?

You can see the GIT_SSH_COMMAND set inside the atlantis container.
You can see that I have no problem executing the SSH command manually.

docker-host$ sudo docker exec -it atlantis bash
bash-4.4# env | grep COMMAND
GIT_SSH_COMMAND="ssh -o 'StrictHostKeyChecking=no' -i /home/atlantis/.ssh/atlantis-github.pem"
bash-4.4# ssh -o 'StrictHostKeyChecking=no' -i /home/atlantis/.ssh/atlantis-github.pem git@github.com
Warning: Permanently added 'github.com,192.30.255.112' (RSA) to the list of known hosts.
PTY allocation request failed on channel 0
Hi [karl-tpio]! You've successfully authenticated, but GitHub does not provide shell access.
Connection to github.com closed.

But when I atlantis plan on a pull request, I get:

exit status 1: running "sh -c terraform init -input=false -no-color" in "/home/atlantis/.atlantis/repos/[my-org]/terraform/5/default/some/folder"
Initializing modules...
- module.esearch-cluster
  Getting source "git@github.com:[my-org]/terraform-modules//some-module"
Error downloading modules: Error loading modules: error downloading 'ssh://git@github.com/[my-org]/terraform-modules': /usr/bin/git exited with 128: Cloning into '.terraform/modules/<snip>'...
"ssh -o 'StrictHostKeyChecking=no' -i /home/atlantis/.ssh/atlantis-github.pem": line 1: ssh -o 'StrictHostKeyChecking=no' -i /home/atlantis/.ssh/atlantis-github.pem: not found
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

I can confirm that atlantis-github.pem is a private key that has sufficient privileges. As a test, I used the same private key that initially pushed the terraform into the repo from my workstation and it worked!

@karl-tpio You wrapped the environment variable value with double quotes. That's the issue.

$ export GIT_SSH_COMMAND="\"ssh -i /Users/myuser/.ssh/mykey -o 'StrictHostKeyChecking=no'\""
$ env | grep COMM                                                                              
GIT_SSH_COMMAND="ssh -i /Users/myuser/.ssh/mykey -o 'StrictHostKeyChecking=no'"
$ terraform get
- module.modulex
  Getting source "[email protected]:org/terraform-modules//modulex"
Error loading modules: error downloading 'ssh://[email protected]/org/terraform-modules': /usr/local/bin/git exited with 128: Cloning into '.terraform/modules/1d5d97f9a6f3bfb0983734a950ff9b3f'...
"ssh -i /Users/myuser/.ssh/mykey -o 'StrictHostKeyChecking=no'": ssh -i /Users/myuser/.ssh/mykey -o 'StrictHostKeyChecking=no': No such file or directory
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

$ export GIT_SSH_COMMAND="ssh -i /Users/myuser/.ssh/mykey -o 'StrictHostKeyChecking=no'"
$ env | grep COMMAND                                                                              
GIT_SSH_COMMAND=ssh -i /Users/myuser/.ssh/mykey -o 'StrictHostKeyChecking=no'
$ terraform get                                                                            
- module.modulex
  Getting source "[email protected]:org/terraform-modules//modulex"

@psalaberria002 Doh. Good catch. Removed the "" from my docker env file and all is good in the world. :)

For all the users of https://github.com/terraform-aws-modules/terraform-aws-atlantis:
to make the solution from @psalaberria002 work, you need to

  • copy the private key to the docker image of atlantis. Do not forget to modify access rights for the key. User atlantis must be able to read it!
  • add the env variable - it can be done via

        custom_environment_variables = ["${map("name","GIT_SSH_COMMAND", "value","ssh -i /home/atlantis/.ssh/your_key.pem -o 'StrictHostKeyChecking no'")}"]
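
The failure modes that come up in this thread (literal quotes around the value, host key checking switched off, and access rights on the key file) can be checked before Atlantis runs `terraform init`. The linter below is an added example, not part of the thread or of Atlantis; the function name `lint_git_ssh_command` and the sample paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: lint a GIT_SSH_COMMAND value before handing it to Atlantis.
# lint_git_ssh_command is a hypothetical helper, not an Atlantis or git feature.
# Prints one finding per line; returns 1 if anything was found, else 0.
lint_git_ssh_command() {
    value=$1
    rc=0

    # git runs the value through "sh -c". If the value itself begins and ends
    # with a quote character (docker env files keep quotes literally), the
    # shell sees a single word and searches for a program with that whole
    # name, which is the "not found" error shown in the thread.
    case $value in
        \"*\" | \'*\')
            echo "QUOTED: literal quotes wrap the whole value; remove them"
            rc=1 ;;
    esac

    # Normalise "Opt=val", "Opt val" and quoted forms to "opt val".
    flat=$(printf '%s' "$value" | tr -d "\"'" | tr '=' ' ' | tr '[:upper:]' '[:lower:]')
    case " $flat " in
        *" stricthostkeychecking no "* | *" stricthostkeychecking off "*)
            echo "HOSTKEY: StrictHostKeyChecking is disabled; the server's host key is not verified"
            rc=1 ;;
    esac

    # ssh refuses private keys that group or other can access.
    prev=
    for word in $(printf '%s' "$value" | tr -d "\"'"); do
        if [ "$prev" = "-i" ] && [ -f "$word" ]; then
            mode=$(ls -ld "$word" | cut -c5-10)
            if [ "$mode" != "------" ]; then
                echo "KEYPERM: $word has group/other permissions '$mode'; use chmod 600"
                rc=1
            fi
        fi
        prev=$word
    done
    return "$rc"
}

# Constructed sample values: the quoted form from the thread, and a stricter
# variant that pins host keys in a known_hosts file (path is an assumption).
lint_git_ssh_command "\"ssh -o 'StrictHostKeyChecking=no' -i /home/atlantis/.ssh/atlantis-github.pem\"" || true
lint_git_ssh_command "ssh -i /home/atlantis/.ssh/atlantis-github.pem -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/home/atlantis/.ssh/known_hosts" || true
```

For the stricter variant to connect, the known_hosts file has to contain the host keys published by the VCS provider.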