Select Language:
If you’re working with a self-hosted Ubuntu agent on Azure DevOps and running into issues with Terraform modules failing to download from Azure DevOps repositories, you’re not alone. This problem often stems from how Git credentials are managed during pipeline runs. Here’s a simple guide to help you fix this problem and keep things running smoothly.
First, understand the root of the issue. When your pipeline uses the command git config --global to add the System.AccessToken to Git’s global configuration, it can cause a hiccup. This token is only valid for a short time and rotates with each run, but because the global configuration remains, Git might mistakenly try to use an outdated token on subsequent runs. This leads to authentication failures during terraform init, particularly when Terraform tries to download modules. Since pipelines disable terminal prompts, Git cannot ask for new credentials, leading to this intermittent failure.
To solve this, follow these options:
One of the best solutions is to avoid modifying Git’s global configuration altogether. Instead, rely on Azure DevOps’ built-in authentication using the persistCredentials: true option. This way, your pipeline can securely authenticate with Azure DevOps without risking credential leaks or stale tokens. Here’s what you should do:
Replace your checkout step with this:
yaml
- checkout: self
persistCredentials: true
By doing this, the pipeline will automatically handle authentication securely, and Terraform will be able to download modules without hiccups, even on a long-running agent.
If you need to configure Git credentials manually for some reason, make sure you set them only for the current repository, not globally. Use this command:
bash
git config –local http.https://dev.azure.com/.extraheader \
“AUTHORIZATION: bearer $(System.AccessToken)”
This way, the credential setting is scoped locally to the current repository, avoiding issues with stale global credentials.
Sometimes, as a quick fix or workaround, you might need to clean out cached data to reset the state. Before running terraform init, you can delete cached Git and Terraform data with this command:
bash
rm -rf ~/.gitconfig ~/.terraform.d .terraform
This clears out saved credentials and caches, helping to resolve temporary issues, but it’s better to implement the more permanent solutions above for long-term stability.
By following these steps, you’ll prevent credential issues from interrupting your Terraform deployments and keep your pipelines running smoothly.
ChatGPT
Perplexity
Gemini AI
Grok AI
