Using dependabot for terraform with modules from a private AzDO source

[waltervos]

The title is a bit long perhaps :). In my team we use terraform in Azure Pipelines with modules sourced from (other) private Azure DevOps repositories. A simple example would be:

Repo: terraform_modules, file greeting/main.tf

variable "name" {
  type        = string
}
output "greeting" {
  value       = "Hello, ${var.name}"
}

Repo: IAC

module "walter" {
  source   = "git::https://dev.azure.com/ns-topaas/MYPROJECT/_git/terraform_modules/greeting"
  name = "Walter"
}

When dependabot runs for the IAC repo in this example, this error comes up:

Using 'https://dev.azure.com:443/' as API endpoint
Fetching terraform dependency files for my-org/MYPROJECT/_git/IAC
Targeting 'default' branch under '/' directory
Parsing dependencies information
Checking if walter::azure::my-org/MYPROJECT/_git/terraform_modules needs updating
/home/dependabot/dependabot-script/vendor/ruby/2.7.0/gems/dependabot-common-0.196.0/lib/dependabot/git_metadata_fetcher.rb:58:in fetch_upload_pack_for': The following git URLs could not be retrieved: https://dev.azure.com/my-org/MYPROJECT/_git/terraform_modules (Dependabot::GitDependenciesNotReachable) from /home/dependabot/dependabot-script/vendor/ruby/2.7.0/gems/dependabot-common-0.196.0/lib/dependabot/git_metadata_fetcher.rb:17:in upload_pack'
from /home/dependabot/dependabot-script/vendor/ruby/2.7.0/gems/dependabot-common-0.196.0/lib/dependabot/git_metadata_fetcher.rb:37:in head_commit_for_ref' from /home/dependabot/dependabot-script/vendor/ruby/2.7.0/gems/dependabot-common-0.196.0/lib/dependabot/git_commit_checker.rb:83:in head_commit_for_current_branch'
from /home/dependabot/dependabot-script/vendor/ruby/2.7.0/gems/dependabot-terraform-0.196.0/lib/dependabot/terraform/update_checker.rb:126:in latest_version_for_git_dependency' from /home/dependabot/dependabot-script/vendor/ruby/2.7.0/gems/dependabot-terraform-0.196.0/lib/dependabot/terraform/update_checker.rb:17:in latest_version'
from /home/dependabot/dependabot-script/vendor/ruby/2.7.0/gems/dependabot-terraform-0.196.0/lib/dependabot/terraform/update_checker.rb:37:in updated_requirements' from /home/dependabot/dependabot-script/vendor/ruby/2.7.0/gems/dependabot-common-0.196.0/lib/dependabot/update_checkers/base.rb:285:in changed_requirements'
from /home/dependabot/dependabot-script/vendor/ruby/2.7.0/gems/dependabot-common-0.196.0/lib/dependabot/update_checkers/base.rb:275:in requirements_up_to_date?' from /home/dependabot/dependabot-script/vendor/ruby/2.7.0/gems/dependabot-common-0.196.0/lib/dependabot/update_checkers/base.rb:35:in up_to_date?'
from ./update-script.rb:308:in block in <main>' from ./update-script.rb:286:in each'
from ./update-script.rb:286:in `

'

How can I deal with this situation effectively? ignore doesn't seem to work, because that only takes effect after the dependencies have been checked, and I don't see a way to pass git credentials to dependabot in a way that will work. Any ideas?

P.S. When deploying this terraform project, we use this command in our Azure Pipelines job to ensure that terraform can access the required repo's:

git config --global http.$(System.TeamFoundationCollectionUri)$(System.TeamProject)/_git/.extraheader "AUTHORIZATION: bearer $(System.AccessToken)"