
[ISSUE] Host Key Verification downloading TF Modules after implementing Dual Auth for Github.com and Github Enterprise. #4343

Open
jared-bloomer opened this issue Dec 3, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@jared-bloomer

Describe the bug
While implementing and testing the solution on issue #2947, I ran into host key verification errors when Terraform was trying to download custom Terraform modules hosted on our GitHub Enterprise (GHE) server.

2024-12-02T19:01:43.653Z	error	downloader/getter.go:105	failed to download "git::ssh://[email protected]/MyOrg/tf_aurora_cluster.git?ref=v2.1.0". error: 'error downloading 'ssh://[email protected]/MyOrg/tf_aurora_cluster.git?ref=v2.1.0': /usr/bin/git exited with 128: Cloning into '/tmp/odgne5'...
  Host key verification failed.
  fatal: Could not read from remote repository.

To Reproduce
Steps to reproduce the behavior:

  1. Create a repository on a GitHub Enterprise server that requires authentication for all repositories
  2. Set up a Terraform project that pulls the remote code from the repository created on the GitHub Enterprise server using SSH instead of HTTPS, e.g. git::ssh://[email protected]/MyOrg/tf_manheim_tags.git?ref=v2.2.0
  3. Execute the MegaLinter tflint and terrascan linters using the default oxsecurity/megalinter@v8 action with the unsecured variables in issue #2947 to provide dual authentication for both GitHub.com and GitHub Enterprise.
  4. See error

Expected behavior
Expecting host keys from both GitHub.com and GHE to be combined in the SSH known_hosts file to allow pulling things from either environment.

Screenshots

Skipped setting git safe.directory DEFAULT_WORKSPACE:  ...
Setting git safe.directory GITHUB_WORKSPACE: /github/workspace ...
Setting git safe.directory to /tmp/lint ...
[MegaLinter init] ONE-SHOT RUN
[config] /github/workspace/.mega-linter.yml + Environment variables


==========================================================
=============   MegaLinter, by OX.security   =============
=========  https://ox.security?ref=megalinter  ===========
==========================================================

----------------------------------------------------------------------------------------------------
------------------------------------ MegaLinter, by OX Security ------------------------------------
----------------------------------------------------------------------------------------------------
 - Image Creation Date: 2024-11-23T10:46:00Z
 - Image Revision: 1fc052d03c7a43c78fe0fee19c9d648b749e0c01
 - Image Version: v8.3.0
----------------------------------------------------------------------------------------------------
The MegaLinter documentation can be found at:
 - https://megalinter.io/8.3.0
----------------------------------------------------------------------------------------------------
MegaLinter initialization (expand for details)
MegaLinter now collects the files to analyse (expand for details)
Processing linters on [8] parallel cores… (can be decreased with variable PARALLEL_PROCESS_NUMBER in case of performance issues)
✅ Linted [BASH] files with [bash-exec] successfully - (0.0s) (expand for details)
✅ Linted [ACTION] files with [actionlint]: Found 4 non blocking error(s) - (0.02s) (expand for details)
✅ Linted [BASH] files with [shellcheck]: Found 3 non blocking error(s) - (0.02s) (expand for details)
✅ Linted [BASH] files with [shfmt] successfully - (0.02s) (expand for details)
✅ Linted [JSON] files with [jsonlint] successfully - (0.18s) (expand for details)
  - Using [jsonlint v16.0.0] https://megalinter.io/8.3.0/descriptors/json_jsonlint
  - MegaLinter key: [JSON_JSONLINT]
  - Rules config: identified by [jsonlint]
  - Number of files analyzed: [1]
  - Command: [jsonlint --quiet environments-to-provision.json]
✅ Linted [MARKDOWN] files with [markdownlint]: Found 3 non blocking error(s) - (0.36s) (expand for details)
  - Using [markdownlint v0.43.0] https://megalinter.io/8.3.0/descriptors/markdown_markdownlint
  - MegaLinter key: [MARKDOWN_MARKDOWNLINT]
  - Rules config: [.markdownlint.json]
  - Number of files analyzed: [2]
  - Command: [markdownlint --fix -c /action/lib/.automation/.markdownlint.json .github/pull_request_template.md README.md]
  --Error detail:
  .github/pull_request_template.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## Description"]
  .github/pull_request_template.md:7:48 MD042/no-empty-links No empty links [Context: "[This Job]()"]
  README.md:12:401 MD013/line-length Line length [Expected: 400; Actual: 417]
  
✅ Linted [YAML] files with [prettier] successfully - (0.5s) (expand for details)
✅ Linted [YAML] files with [yamllint] successfully - (0.36s) (expand for details)
✅ Linted [MARKDOWN] files with [markdown-link-check]: Found 13 non blocking error(s) - (1.13s) (expand for details)
✅ Linted [JSON] files with [v8r] successfully - (1.47s) (expand for details)
  - Using [v8r v4.2.0] https://megalinter.io/8.3.0/descriptors/json_v8r
  - MegaLinter key: [JSON_V8R]
  - Rules config: identified by [v8r]
  - Number of files analyzed: [1]
  - Command: [v8r --ignore-errors environments-to-provision.json]
✅ Linted [MARKDOWN] files with [markdown-table-formatter] successfully - (0.24s) (expand for details)
✅ Linted [JSON] files with [prettier] successfully - (0.31s) (expand for details)
✅ Linted [TERRAFORM] files with [tflint]: Found 1 non blocking error(s) - (3.35s) (expand for details)
  - Using [tflint v0.54.0] https://megalinter.io/8.3.0/descriptors/terraform_tflint
  - MegaLinter key: [TERRAFORM_TFLINT]
  - Rules config: [.tflint.hcl]
  - Command: [tflint -c /action/lib/.automation/.tflint.hcl --recursive]
  [Pre][TERRAFORM_TFLINT] run: [tflint --init --config /action/lib/.automation/.tflint.hcl] in cwd [/github/workspace]
  [Pre][TERRAFORM_TFLINT] result:
  Installing "azurerm" plugin...
  Installed "azurerm" (source: github.com/terraform-linters/tflint-ruleset-azurerm, version: 0.27.0)
  Installing "aws" plugin...
  Installed "aws" (source: github.com/terraform-linters/tflint-ruleset-aws, version: 0.35.0)
  Installing "google" plugin...
  Installed "google" (source: github.com/terraform-linters/tflint-ruleset-google, version: 0.30.0)
  
  --Error detail:
  4 issue(s) found:
  
  Warning: [Fixable] data "aws_caller_identity" "current" is declared but not used (terraform_unused_declarations)
  
    on data.tf line 1:
     1: data "aws_caller_identity" "current" {}
  
  Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.10.0/docs/rules/terraform_unused_declarations.md
  
  Warning: [Fixable] data "aws_region" "current" is declared but not used (terraform_unused_declarations)
  
    on data.tf line 5:
     5: data "aws_region" "current" {}
  
  Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.10.0/docs/rules/terraform_unused_declarations.md
  
  Warning: [Fixable] data "aws_vpc" "aws_account" is declared but not used (terraform_unused_declarations)
  
    on data.tf line 21:
    21: data "aws_vpc" "aws_account" {
  
  Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.10.0/docs/rules/terraform_unused_declarations.md
  
  Warning: [Fixable] data "aws_ssm_parameter" "SSMParameter" is declared but not used (terraform_unused_declarations)
  
    on data.tf line 36:
    36: data "aws_ssm_parameter" "SSMParameter" {
  
  Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.10.0/docs/rules/terraform_unused_declarations.md
  
  
✅ Linted [YAML] files with [v8r] successfully - (5.15s) (expand for details)
✅ Linted [TERRAFORM] files with [terrascan]: Found 1 non blocking error(s) - (4.59s) (expand for details)
  - Using [terrascan v1.19.9] https://megalinter.io/8.3.0/descriptors/terraform_terrascan
  - MegaLinter key: [TERRAFORM_TERRASCAN]
  - Rules config: identified by [terrascan]
  - Command: [terrascan scan --iac-type terraform --verbose]
  --Error detail:
  2024-12-02T19:01:43.653Z	error	downloader/getter.go:105	failed to download "git::ssh://[email protected]/MyOrg/tf_aurora_cluster.git?ref=v2.1.0". error: 'error downloading 'ssh://[email protected]/MyOrg/tf_aurora_cluster.git?ref=v2.1.0': /usr/bin/git exited with 128: Cloning into '/tmp/odgne5'...
  Host key verification failed.
  fatal: Could not read from remote repository.
  
  Please make sure you have the correct access rights
  and the repository exists.
  '
  2024-12-02T19:01:43.653Z	error	commons/load-dir.go:421	failed to download remote module "git::ssh://[email protected]/MyOrg/tf_aurora_cluster.git?ref=v2.1.0". error: 'error downloading 'ssh://[email protected]/MyOrg/tf_aurora_cluster.git?ref=v2.1.0': /usr/bin/git exited with 128: Cloning into '/tmp/odgne5'...
  Host key verification failed.
  fatal: Could not read from remote repository.
  
  Please make sure you have the correct access rights
  and the repository exists.
  '
  2024-12-02T19:01:43.653Z	error	utils/dir.go:64	directory  does not exist.
  2024-12-02T19:01:43.684Z	error	downloader/getter.go:105	failed to download "git::ssh://[email protected]/MyOrg/tf_manheim_tags.git?ref=v2.2.0". error: 'error downloading 'ssh://[email protected]/MyOrg/tf_manheim_tags.git?ref=v2.2.0': /usr/bin/git exited with 128: Cloning into '/tmp/hnemlg'...
  Host key verification failed.
  fatal: Could not read from remote repository.
  
  Please make sure you have the correct access rights
  and the repository exists.
  '
  2024-12-02T19:01:43.684Z	error	commons/load-dir.go:421	failed to download remote module "git::ssh://[email protected]/MyOrg/tf_manheim_tags.git?ref=v2.2.0". error: 'error downloading 'ssh://[email protected]/MyOrg/tf_manheim_tags.git?ref=v2.2.0': /usr/bin/git exited with 128: Cloning into '/tmp/hnemlg'...
  Host key verification failed.
  fatal: Could not read from remote repository.
  
  Please make sure you have the correct access rights
  and the repository exists.
  '
  2024-12-02T19:01:43.684Z	error	utils/dir.go:64	directory  does not exist.
  2024-12-02T19:01:43.725Z	error	downloader/getter.go:105	failed to download "git::ssh://[email protected]/MAN-VehicleInformationRTC/tf_rds?ref=v2.6.0". error: 'error downloading 'ssh://[email protected]/MAN-VehicleInformationRTC/tf_rds?ref=v2.6.0': /usr/bin/git exited with 128: Cloning into '/tmp/jrdnv7'...
  Host key verification failed.
  fatal: Could not read from remote repository.
  
  Please make sure you have the correct access rights
  and the repository exists.
  '
  2024-12-02T19:01:43.725Z	error	commons/load-dir.go:421	failed to download remote module "git::ssh://[email protected]/MAN-VehicleInformationRTC/tf_rds//modules/vanity_url?ref=v2.6.0". error: 'error downloading 'ssh://[email protected]/MAN-VehicleInformationRTC/tf_rds?ref=v2.6.0': /usr/bin/git exited with 128: Cloning into '/tmp/jrdnv7'...
  Host key verification failed.
  fatal: Could not read from remote repository.
  
  Please make sure you have the correct access rights
  and the repository exists.
  '
  2024-12-02T19:01:43.725Z	error	utils/dir.go:64	directory  does not exist.
  2024-12-02T19:01:43.725Z	warn	commons/load-dir.go:170	failed to build unified config. errors:
  <nil>: Failed to read module directory; Module directory  does not exist or cannot be read.
  <nil>: Failed to read module directory; Module directory  does not exist or cannot be read.
  <nil>: Failed to read module directory; Module directory  does not exist or cannot be read.
  
  2024/12/02 19:01:43 [DEBUG] GET https://registry.terraform.io/v1/providers/hashicorp/random/versions
  
  
  Scan Errors -
  
  	IaC Type            :	terraform
  	Directory           :	/github/workspace/megalinter-reports
  	Error Message       :	directory '/github/workspace/megalinter-reports' has no terraform config files
  	
  	-----------------------------------------------------------------------
  	
  	IaC Type            :	terraform
  	Directory           :	/github/workspace/megalinter-reports/linters_logs
  	Error Message       :	directory '/github/workspace/megalinter-reports/linters_logs' has no terraform config files
  	
  	-----------------------------------------------------------------------
  	
  	IaC Type            :	terraform
  	Directory           :	/github/workspace
  	Error Message       :	failed to build unified config. errors:
  <nil>: Failed to read module directory; Module directory  does not exist or cannot be read.
  <nil>: Failed to read module directory; Module directory  does not exist or cannot be read.
  <nil>: Failed to read module directory; Module directory  does not exist or cannot be read.
  
  	
  	-----------------------------------------------------------------------
  	
  
  
  Scan Summary -
  
  	File/Folder         :	/github/workspace
  	IaC Type            :	terraform
  	Scanned At          :	2024-12-02 19:01:44.982818321 +0000 UTC
  	Policies Validated  :	137
  	Violated Policies   :	0
  	Low                 :	0
  	Medium              :	0
  	High                :	0

Additional context
N/A

@nvuillam
Member

nvuillam commented Dec 5, 2024

I'm not an SSH expert, but basically you would need SSH keys to be locally defined within the MegaLinter container, from environment variables, so the git clone can work?
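The error in this thread ("Host key verification failed") is OpenSSH refusing to talk to a host whose key is not in known_hosts; terrascan's downloader shells out to git, and git to ssh, so the container needs a known_hosts file that covers both github.com and the GHE host before the linters run. The tempting one-line fix, StrictHostKeyChecking=no, removes the check entirely and leaves every clone open to a man-in-the-middle on the first connection. The script below is an added example for this thread, not MegaLinter, terrascan or Terraform code: it merges known_hosts lines for both hosts, accepts an entry only when its SHA256 fingerprint matches a pinned value, de-duplicates, writes the file with the permissions OpenSSH requires, and builds the GIT_SSH_COMMAND that points git at it. Assumptions not taken from the page: the variable names SSH_KNOWN_HOSTS and SSH_PRIVATE_KEY (the variables from issue #2947 are not shown here), the placeholder host ghe.example.com, and the GHE key, which is constructed test data. The github.com key and fingerprint are the ed25519 values GitHub publishes; re-check them against GitHub's documentation before pinning.

```python
"""Pin SSH host keys for github.com and a GHE host before git clones run.
Added example; not MegaLinter/terrascan code. SSH_KNOWN_HOSTS, SSH_PRIVATE_KEY
and ghe.example.com are assumed names; the GHE key below is constructed."""
import base64
import hashlib
import os
import stat
import tempfile

# github.com's ed25519 host key and fingerprint as published by GitHub;
# verify against https://docs.github.com before using them in a real pipeline.
GITHUB_ED25519_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl"
GITHUB_ED25519_FPR = "SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU"


def fingerprint(b64_key: str) -> str:
    """OpenSSH-style fingerprint: base64(sha256(key blob)) without '=' padding."""
    blob = base64.b64decode(b64_key, validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def ed25519_entry(host: str, pubkey32: bytes) -> str:
    """Build a known_hosts line from raw 32-byte ed25519 key material (test data only)."""
    def ssh_string(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    blob = ssh_string(b"ssh-ed25519") + ssh_string(pubkey32)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


def parse_known_hosts(text: str):
    """Yield (hostnames, keytype, key) per entry; hashed '|1|' hosts are not handled."""
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):  # drop @cert-authority / @revoked markers
            parts = parts[1:]
        if len(parts) >= 3:
            yield parts[0], parts[1], parts[2]


def merge_known_hosts(sources, pinned):
    """Merge known_hosts text from several sources into one de-duplicated list.
    pinned maps host -> set of allowed SHA256 fingerprints; an entry whose key is
    not pinned for that host is rejected, so a tampered CI variable cannot add
    a host key silently. Returns (accepted_lines, rejected_tuples)."""
    accepted, rejected, seen = [], [], set()
    for text in sources:
        for hosts, keytype, key in parse_known_hosts(text):
            try:
                fpr = fingerprint(key)
            except ValueError:
                rejected.append((hosts, keytype, "unparseable"))
                continue
            for host in hosts.split(","):
                if fpr not in pinned.get(host, set()):
                    rejected.append((host, keytype, fpr))
                elif (host, keytype, key) not in seen:
                    seen.add((host, keytype, key))
                    accepted.append(f"{host} {keytype} {key}")
    return accepted, rejected


def write_known_hosts(lines, ssh_dir=None) -> str:
    """Write the merged entries with the modes OpenSSH expects (dir 0700, file 0600)."""
    ssh_dir = ssh_dir or tempfile.mkdtemp(prefix="ssh-")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    path = os.path.join(ssh_dir, "known_hosts")
    with open(path, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(path, 0o600)
    return path


def file_mode(path: str) -> int:
    return stat.S_IMODE(os.stat(path).st_mode)


def git_ssh_command(known_hosts: str, identity: str = None) -> str:
    """GIT_SSH_COMMAND value: strict checking against our file only, never '=no'."""
    cmd = f"ssh -o UserKnownHostsFile={known_hosts} -o StrictHostKeyChecking=yes"
    if identity:
        cmd += f" -o IdentitiesOnly=yes -i {identity}"
    return cmd


# Constructed inputs standing in for the CI variable contents.
GHE_ENTRY = ed25519_entry("ghe.example.com", bytes(range(32)))
# In real use this value comes out-of-band (ssh-keygen -lf on the GHE host), not from the variable.
GHE_PINNED_FPR = fingerprint(GHE_ENTRY.split()[2])
TAMPERED_GITHUB = ed25519_entry("github.com", bytes([0x41] * 32))  # attacker-supplied key


def demo():
    sources = [
        f"github.com ssh-ed25519 {GITHUB_ED25519_KEY}",  # copied from GitHub's docs
        GHE_ENTRY,                                        # published by the GHE admin
        f"github.com ssh-ed25519 {GITHUB_ED25519_KEY}\n{TAMPERED_GITHUB}",  # duplicate + tampered
    ]
    pinned = {"github.com": {GITHUB_ED25519_FPR}, "ghe.example.com": {GHE_PINNED_FPR}}
    return merge_known_hosts(sources, pinned)


if __name__ == "__main__":
    accepted, rejected = demo()
    path = write_known_hosts(accepted, os.path.expanduser("~/.ssh"))
    print("export GIT_SSH_COMMAND=" + repr(git_ssh_command(path)))
    print("rejected:", rejected)
```

Run it before the linters (for example from a MegaLinter PRE_COMMANDS step) with the private key from SSH_PRIVATE_KEY written to a 0600 file and passed as `identity`; with StrictHostKeyChecking=yes and IdentitiesOnly=yes, a clone from either host succeeds only when the server presents the pinned key and ssh offers only the intended identity. In the demo the duplicate github.com line is dropped and the tampered github.com key is reported rather than written, which is the case an accept-new or `=no` setting would wave through.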
