Terraform: Using versioned modules stored in AWS CodeCommit
Currently have a repository for terraform modules stored in AWS CodeCommit. Between Dev and Prod we want to use the same repository for the modules but be able to have Dev and Prod use different versions.
I've attached tags to particular commits in order to more easily distinguish a version. But I can't seem to find any documentation of how to reference that tag.
I've found the below as an example of how it's done on github
module "stage_vpc" {
  source = "git::git@github.com:gruntwork-io/module-vpc.git//modules/vpc-app?ref=v0.0.4"
  vpc_name = "stage"
  aws_region = "us-east-1"
  num_nat_gateways = 3
  cidr_block = "10.2.0.0/18"
}
But trying to do the same for CodeCommit doesn't seem to work. It reports back "bad response code: 401"
Trying to ascertain whether this ?ref is the correct way to reference a tag in codecommit.
https://git-codecommit.eu-west-1.amazonaws.com/v1/repos/reddwarf-terraform-infrastructure-modules/modules/subnets?ref=subnets-v0.0.1
Can anyone confirm if this is the right method? Or if there is another way?
EDIT: I have now followed a setup guide where I have created a SSH key which I have put into my IAM user.
module "subnets" {
  source = "git::ssh://git-codecommit.eu-west-1.amazonaws.com/v1/repos/reddwarf-terraform-infrastructure-modules/Modules//subnets.git"
}
Which has generated the following error
[email protected]: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
The ./ssh folder exists with the correct credentials, not sure what else I am missing. I've also checked I can connect from Git Bash and it works.
FINAL EDIT: This is now working, after switching from https to SSH and creating the ./ssh directory as per the AWS documentation.
I just needed to add // rather than / in the path as below
source = "git::ssh://git-codecommit.eu-west-1.amazonaws.com/v1/repos/reddwarf-terraform-infrastructure-modules//Modules//modules-orchestration//subnets"
Terraform successfully found and applied the module.
Solution 1:[1]
In order to fix this, follow the AWS documentation for setting up SSH connections.
Then use the path format below for the subnets module.
source = "git::ssh://git-codecommit.eu-west-1.amazonaws.com/v1/repos/reddwarf-terraform-infrastructure-modules//Modules//modules-orchestration//subnets"
Then, after performing a Terraform init, Terraform successfully fetches the correct module.
Additionally, after tagging a commit with the name subnets-v0.0.1 and adding it as a reference as below, you can lock your deployment to a particular commit.
source = "git::ssh://git-codecommit.eu-west-1.amazonaws.com/v1/repos/reddwarf-terraform-infrastructure-modules//Modules//modules-orchestration//subnets?ref=subnets-v0.0.1"
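Added example (not part of the original answer, and not Terraform's own tooling): a small Python audit that classifies each module `source` by how firmly it is pinned. Terraform's `ref` accepts a branch, a tag or a commit, and only a full commit SHA cannot be moved after the fact. The sample configuration, the repository name `example-modules` and the SHA are constructed placeholders, and the regex parsing assumes top-level `module` blocks that close with `}` in column 0.

```python
import re

# Constructed sample configuration (not from the original post); the
# repository name and the commit SHA are placeholders.
SAMPLE_TF = '''
module "subnets_dev" {
  source = "git::ssh://git-codecommit.eu-west-1.amazonaws.com/v1/repos/example-modules//subnets"
}
module "subnets_stage" {
  source = "git::ssh://git-codecommit.eu-west-1.amazonaws.com/v1/repos/example-modules//subnets?ref=subnets-v0.0.1"
}
module "subnets_prod" {
  source = "git::ssh://git-codecommit.eu-west-1.amazonaws.com/v1/repos/example-modules//subnets?ref=0123456789abcdef0123456789abcdef01234567"
}
'''

# Simplification: regexes instead of a real HCL parser.
MODULE_RE = re.compile(r'module\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
SOURCE_RE = re.compile(r'^\s*source\s*=\s*"([^"]+)"', re.M)
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')

def classify_source(source):
    """Return (pin_level, ref) for one module source string."""
    if not source.startswith("git::"):
        return ("not-git", None)       # registry or local path: out of scope here
    _, _, query = source.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    ref = params.get("ref")
    if not ref:
        return ("unpinned", None)      # tracks the default branch on every init
    if FULL_SHA_RE.match(ref):
        return ("commit", ref)         # immutable: same code on every init
    return ("named-ref", ref)          # tag or branch: can be re-pointed later

def audit(tf_text):
    """Map module name -> (pin_level, ref) for every module block found."""
    results = {}
    for name, body in MODULE_RE.findall(tf_text):
        m = SOURCE_RE.search(body)
        if m:
            results[name] = classify_source(m.group(1))
    return results

if __name__ == "__main__":
    for name, (level, ref) in audit(SAMPLE_TF).items():
        print(f"{name}: {level} {ref or ''}")
```

A check like this can run in CI to reject production configurations whose modules are `unpinned`, and to flag `named-ref` entries for review when tags in the repository are not protected against being moved.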
Solution 2:[2]
For anyone coming here wondering if you can use git-remote-codecommit with terraform to clone from CodeCommit: the answer is yes, you can!
As per the terraform docs:
"Terraform installs modules from Git repositories by running git clone, and so it will respect any local Git configuration set on your system, including credentials."
This means that as long as your AWS Profile is set up correctly, you can set your module source to a codecommit repository using either of the following formats:
codecommit://<profile>@<repository>
codecommit::<region>://<profile>@<repository>
It also respects configuration via environment variables like AWS_PROFILE and AWS_DEFAULT_REGION.
Solution 3:[3]
To be able to successfully set my module source I had to define it like this:
module "example" {
  source = "git::codecommit::<region>://<repository-name>"
  example_var = "<fancy-var>"
  providers = {
    aws = aws.<provider-alias>
  }
}
Additionally, I had to export the AWS_PROFILE which is granted on the codecommit repository before executing any terraform commands and, as mentioned by @tedsmitt, git-remote-codecommit has to be installed.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | Pydam |
Solution 2 | tedsmitt |
Solution 3 |