Authentication to Terraform Cloud module registry (from CI/CD - Azure Pipelines)


Is there any way to specify which credentials to use when retrieving a module from a private module registry, which is CI/CD friendly? Something that doesn’t involve a CLI Configuration File, or an interactive terraform login.

Something like:

terraform login -token="TOKEN.atlasv1.TOKEN"

Which is the best practice, of retrieving modules, from a private module registry during a terraform init in CI/CD (this case Azure Pipelines)? Since a CLI Configuration File isn’t optimal in a CI/CD system and so isn’t terraform login, because it’s interactive.

If the answer still is a CLI Configuration File, how should it then be implemented to accept parameter values etc? Without the need to create a file on the machine during build time and replace text in that one (or any other incidence in a way similiar of this). That seems a bit “workaround-ish”, and not very clean.

As always thankful for all input!

Best regards

Is this not doable? :slight_smile:

Hi @aleqsss,

I think the best answer with Terraform’s current features is to generate a temporary CLI configuration file that lives within the workspace of your current CI job and then use the TF_CLI_CONFIG_FILE environment variable to make Terraform read that file instead of the default CLI configuration.

That does involve generating a file, but generating files is something we tend to expect automation to be able to do, similarly to generating backend configuration files and .tfvars files.

Terraform doesn’t have built-in features for templating the CLI configuration file because there are numerous existing solutions for generating files from templates, including – for simple cases like this – shell interpolation.

Thank you for your informative reply @apparentlymart. I’ll take in consideration the current “limitations” of Terraform in this manner.

Good to know what’s possible and not, when implementing the workflow.

Best regards