Terraform 1.6.0 - Host Key Verification Failed when using git ssh regression #34543

Closed
marvelous-melanie opened this issue Jan 18, 2024 · 9 comments · Fixed by #34591
Labels: bug, new (new issue not yet triaged), v1.6 (Issues (primarily bugs) reported against v1.6 releases)


marvelous-melanie commented Jan 18, 2024

Terraform Version

Terraform v1.6.0

Terraform Configuration Files

module "XXXXXXXXXX" {
  source = "git@example.com:site/module.git"
  name   = "XXXXXXXXXX"
}

Debug Output

on linux_amd64
Initializing plugins and modules...

Initializing Terraform Cloud...
Initializing modules...
Downloading git::ssh://git@github.com/company/repo-name.git for module-name...
╷
│ Error: Failed to download module
│ 
│   on module_name.tf line 25:
│   25: module "module_name" {
│ 
│ Could not download module "module_name" (module_name.tf:25)
│ source code from
│ "git::ssh://git@github.com/company/repo-name.git": error
│ downloading 'ssh://git@github.com/company/repo-name.git':
│ /usr/bin/git exited with 128: Cloning into
│ '.terraform/modules/module_name'...
│ Host key verification failed.
│ fatal: Could not read from remote repository.
│ 
│ Please make sure you have the correct access rights
│ and the repository exists.
│

Expected Behavior

This module should successfully download. We have multiple other workspaces running with the same exact configuration (same SSH key, specified in the same way, accessing the same remote module using the exact same module source line) but lower versions of Terraform.

Those all work perfectly, and this workspace also worked perfectly until starting to fail yesterday, again with no configuration change on our end. Reverting this workspace to 1.5.7 caused the module to begin downloading properly again.

Actual Behavior

The module fails to download.

Steps to Reproduce

  1. Using a v1.6.0 remote Terraform Cloud workspace, configure Terraform Cloud to use a GitHub SSH key
  2. Create a module with a remote git source
  3. terraform init
  4. terraform plan

Additional Context

No response

References

I believe this bug was previously opened and closed in this issue, but given that we started experiencing it again a few days ago, I suspect it has been reintroduced.

@marvelous-melanie marvelous-melanie added bug new new issue not yet triaged labels Jan 18, 2024
@apparentlymart apparentlymart added the v1.6 Issues (primarily bugs) reported against v1.6 releases label Jan 18, 2024
@jbardin
Member

jbardin commented Jan 18, 2024

Hi @marvelous-melanie,

That linked issue was fixed after version v1.6.0; you should be using the latest patch release, which is v1.6.6. Can you confirm if the problem still exists in a current release?

Thanks!

@marvelous-melanie
Author

Hi @jbardin, to my understanding, the issue was fixed with a backport to all of 1.6? We have been running on 1.6.0 for months and the issue just started occurring yesterday/today, hence my thinking that this is a new issue.

@jbardin
Member

jbardin commented Jan 18, 2024

@marvelous-melanie, there is no way to retroactively change code that has already been released. In order to get a new patched version of the binary, you would need to download that patched version. The latest patch release for v1.6 is here: v1.6.6, which will include the fix from that issue. If that does not solve your problem, then it is a different issue and we can investigate further.

@josiahwitheford

Our pipelines started failing today with this issue. Setting the tf client version to 1.6.6 did indeed resolve the issue.

I tested with the latest 1.7.0 and it seems that was causing the host key verification error. Has the fix perhaps not made it into that release yet? Interestingly, 1.6.0 works fine for us.

@jbardin
Member

jbardin commented Jan 22, 2024

@josiahwitheford, Terraform v1.6 and v1.7 use the exact same go-getter code which calls git, so I would first look for some other discrepancy between the two systems.

@levid0s

levid0s commented Jan 22, 2024

I'm having issues too, although this is my first time configuring this. I've been trying for two days now to set up Git SSH between TFC and GitLab using Terraform.

Edit: I realised my error is coming from the GitLab runner and not the TFC runner. It's confusing, because terraform init clones the modules on the GitLab runner, but terraform plan will do another clone of the modules on the TFC runner side. So the git authentication to the module repos has to be set up in both places.

I fixed the error on the GitLab side by following this guide:

- eval $(ssh-agent -s) > /dev/null
- ssh-add <(echo "$GITLAB_CI_READER_SSH_KEY") > /dev/null
- mkdir -p ~/.ssh
- echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config

I was getting this error on the TFC runner side too, but for that, I opened a separate issue.
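
An alternative to the `StrictHostKeyChecking no` setting in the comment above, as an added example that is not part of the original thread: that setting makes the runner accept whatever host key the server presents, while pinning the git host's key keeps verification on and still clears the "Host key verification failed" error. `PINNED_KNOWN_HOSTS` is a hypothetical CI variable, the function names are illustrative, and the sample entry is constructed placeholder data.

```shell
#!/bin/sh
# Added example: pin the git host's SSH key instead of disabling verification.
# PINNED_KNOWN_HOSTS is a hypothetical CI variable holding known_hosts lines
# that were checked out of band against the host's published fingerprints.

# Constructed sample entry (placeholder key material, not a real host key).
SAMPLE_PIN='git.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEconstructedPLACEHOLDERkeyNOTreal'

# install_pinned_host_keys SSH_DIR KNOWN_HOSTS_LINES
# Writes known_hosts plus a config that refuses unknown or changed host keys.
install_pinned_host_keys() {
  [ -n "$2" ] || { echo "no pinned host keys supplied" >&2; return 1; }
  mkdir -p "$1" && chmod 700 "$1" || return 1
  printf '%s\n' "$2" > "$1/known_hosts"
  printf 'Host *\n\tStrictHostKeyChecking yes\n\tUserKnownHostsFile %s\n' \
    "$1/known_hosts" > "$1/config"
  chmod 600 "$1/known_hosts" "$1/config"
}

# host_is_pinned SSH_DIR HOST
# Succeeds only if HOST appears as a (non-hashed) name in known_hosts.
host_is_pinned() {
  awk -v h="$2" '
    $0 !~ /^#/ {
      n = split($1, names, ",")
      for (i = 1; i <= n; i++) if (names[i] == h) found = 1
    }
    END { exit !found }' "$1/known_hosts"
}

# config_disables_checking FILE
# Succeeds if FILE turns host key verification off (audit check for CI images).
config_disables_checking() {
  grep -Eiq '^[[:space:]]*StrictHostKeyChecking[[:space:]=]+(no|off)[[:space:]]*$' "$1"
}

# In a CI job this would be called before terraform init, for example:
#   install_pinned_host_keys "$HOME/.ssh" "$PINNED_KNOWN_HOSTS"
#   host_is_pinned "$HOME/.ssh" git.example.com || exit 1
```
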

@marvelous-melanie
Author

I want to reiterate that we did not change anything with our configuration when these failures started. The timeline was as follows:

  1. In October 2023, we set up a Terraform Cloud workspace running 1.6.0. This workspace was immediately configured to pull a remote module from a private GitHub repository.
  2. Runs on this workspace succeeded and the remote module successfully pulled.
  3. 9 days ago, on Friday, January 12, a plan was run and succeeded on our Terraform config, including pulling the remote module.
  4. 5 days ago, with absolutely no code changes between the two runs, same commit, same config, not a single setting on TF Cloud or GitHub touched, the remote module failed to pull with the info in this bug report.

This seems to indicate to me that something on Terraform's end has changed, which is why I opened the issue. Is it possible something changed with the way Terraform Cloud uses go-getter or sets up SSH keys? I do understand your response here, but the inconsistent behavior isn't really explained.

@brandonc
Contributor

When initiating a run on Terraform Cloud using terraform CLI 1.7.0, the .terraform/modules directory was being unintentionally excluded from the configuration upload and in turn Terraform Cloud would then attempt to download module sources. This could cause new authentication errors during initialization. This is fixed in hashicorp/go-slug#54 and should be addressed in the next terraform 1.7 patch release.

Contributor

github-actions bot commented Mar 1, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 1, 2024