Terraform does not read local git config or the GIT_CONFIG env variable

[arongate]

Terraform Version

1.11.1

Terraform Configuration Files

terraform {
  required_version = "~> 1.8"
}
module "this" {
  source = "git::https://github.com/arongate/my-private-repository.git?ref=master"
}

Debug Output

outputs

cd tfenv install
Terraform v1.11.1 is already installed
terraform init --upgrade
Initializing the backend...
Initializing modules...
Downloading git::https://github.com/arongate/my-private-repository.git?ref=master for this...
Username for 'https://github.com': ^C╷
│ Error: Failed to download module
│ 
│   on main.tf line 4:
│    4: module "this" {
│ 
│ Could not download module "this" (main.tf:4) source code from "git::https://github.com/arongate/my-private-repository.git?ref=master": error downloading
│ 'https://github.com/arongate/my-private-repository.git?ref=master': /usr/bin/git exited with -1: Clonage dans '.terraform/modules/this'...
│ 
╵

╷
│ Error: Module installation was canceled by an interrupt signal.
│ 
│ 
╵
╷
│ Error: Failed to download module
│ 
│   on main.tf line 4:
│    4: module "this" {
│ 
│ Could not download module "this" (main.tf:4) source code from "git::https://github.com/arongate/my-private-repository.git?ref=master": error downloading
│ 'https://github.com/arongate/my-private-repository.git?ref=master': /usr/bin/git exited with -1: Clonage dans '.terraform/modules/this'...
│ 

Log file content
TF_LOG_PATH=tf_trace.log

2025-03-06T07:31:37.910Z [INFO]  Terraform version: 1.11.1
2025-03-06T07:31:37.910Z [DEBUG] using github.com/hashicorp/go-tfe v1.70.0
2025-03-06T07:31:37.910Z [DEBUG] using github.com/hashicorp/hcl/v2 v2.23.0
2025-03-06T07:31:37.910Z [DEBUG] using github.com/hashicorp/terraform-svchost v0.1.1
2025-03-06T07:31:37.910Z [DEBUG] using github.com/zclconf/go-cty v1.16.0
2025-03-06T07:31:37.910Z [INFO]  Go runtime version: go1.23.3
2025-03-06T07:31:37.910Z [INFO]  CLI args: []string{"/usr/local/tfenv/versions/1.11.1/terraform", "init", "--upgrade"}
2025-03-06T07:31:37.910Z [TRACE] Stdout is a terminal of width 211
2025-03-06T07:31:37.910Z [TRACE] Stderr is a terminal of width 211
2025-03-06T07:31:37.910Z [TRACE] Stdin is a terminal
2025-03-06T07:31:37.910Z [DEBUG] Attempting to open CLI config file: /home/gitlab-runner/.terraformrc
2025-03-06T07:31:37.910Z [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2025-03-06T07:31:37.911Z [DEBUG] ignoring non-existing provider search directory terraform.d/plugins
2025-03-06T07:31:37.911Z [DEBUG] ignoring non-existing provider search directory /home/gitlab-runner/.terraform.d/plugins
2025-03-06T07:31:37.911Z [DEBUG] ignoring non-existing provider search directory /home/gitlab-runner/.local/share/terraform/plugins
2025-03-06T07:31:37.911Z [DEBUG] ignoring non-existing provider search directory /usr/local/share/terraform/plugins
2025-03-06T07:31:37.911Z [DEBUG] ignoring non-existing provider search directory /usr/share/terraform/plugins
2025-03-06T07:31:37.911Z [DEBUG] ignoring non-existing provider search directory /var/lib/snapd/desktop/terraform/plugins
2025-03-06T07:31:37.911Z [INFO]  CLI command args: []string{"init", "--upgrade"}
2025-03-06T07:31:37.914Z [TRACE] Meta.Backend: built configuration for "s3" backend with hash value 4106656520
2025-03-06T07:31:37.915Z [TRACE] Meta.Backend: working directory was previously initialized for "s3" backend
2025-03-06T07:31:37.915Z [TRACE] backendConfigNeedsMigration: failed to decode cached config; migration codepath must handle problem: unsupported attribute "assume_role_duration_seconds"
2025-03-06T07:31:37.915Z [TRACE] Meta.Backend: backend configuration has changed (from type "s3" to type "s3")
2025-03-06T07:31:37.915Z [TRACE] ModuleInstaller: installing child modules for . into .terraform/modules
2025-03-06T07:31:37.922Z [DEBUG] Module installer: begin this
2025-03-06T07:31:37.922Z [TRACE] ModuleInstaller: cleaning directory .terraform/modules/this prior to install of this
2025-03-06T07:31:37.922Z [TRACE] ModuleInstaller: this address "git::https://github.com/arongate/my-private-repository.git?ref=master" will be handled by go-getter
2025-03-06T07:31:37.922Z [TRACE] getmodules: fetching "git::https://github.com/arongate/my-private-repository.git?ref=master" to ".terraform/modules/this"
2025-03-06T07:31:41.860Z [TRACE] modsdir: writing modules manifest to .terraform/modules/modules.json

Expected Behavior

Terraform should use the credentials in the local git config file .git/config of the project directory.

Actual Behavior

Terraform ignores local git config file and keep prompting for username and password to download module from my private repository.
I had the same behaviour using github token or gitlab token with a private repository on gitlab.com.
It works when using global configuration.

Steps to Reproduce

In the terraform code above replace the private repository with any of your private repository and generate a github personal access token with repo permission. Instructions here.

1. Create a new folder: mkdir test
2. Copy content from the code above
3. Replace arongate/my-private-repository.git with your repository slug. eg. <your_username or org>/<your repository name>.git
4. git init
5. Make sure you don't have any github.com credentials configured in the $HOME/.gitconfig file or in $PROJECT_DIR/.git/config file
6. export GITHUB_TOKEN=<your_token_here>
7. git config --local url."https://arongate:${GITHUB_TOKEN}@github.com".insteadOf "https://github.com"
8. terraform initMust ask for username. Do

git config --global url."https://arongate:${GITHUB_TOKEN}@github.com".insteadOf "https://github.com"`
terraform init

It would works without asking your github credentials.

Additional Context

Terraform commands are run on a shared machine where multiple terraform project are managed by different users (service accounts). Each user uses its own token to download private modules so I can't use the git global configuration.

References

No response

Generative AI / LLM assisted development?

No response

[liamcervante]

Hi @arongate, thanks for filing this!

Unfortunately, I can't replicate this currently. I noticed in your output that Terraform isn't actually asking for a password the repository in github.com but instead for Username for 'https://git.it01.aws.vocalcom.org': . Do you know where that git address is being sourced from?

Thanks!

[arongate]

Hi @liamcervante ,

I updated steps to reproduce and put in the correct logs.

Make sure you have no credentials in ~/.gitconfig, .git/config or the test project , ~/.git-credentials or any other git credentials storage system depending on your OS.

[liamcervante]

Thanks for the extra context! Internally, Terraform just calls out to the git client it has available locally for any git related functionality it needs. I think this isn't an issue with Terraform, but something that is not currently possible with git at all.

For example, I can't get git clone to work with a local config even outside of Terraform:

~/terraform/git-test (main) > git config --local url."https://liamcervante:${GITHUB_TOKEN}@github.com".insteadOf "https://github.com" 
~/terraform/git-test (main) > git clone https://github.com/liamcervante/test-terraform.git                                           
Cloning into 'test-terraform'...
Username for 'https://github.com': ^C

With the above, I only set my git configuration using the --local flag, and git clone still prompts me for a username. But, if I apply the same config globally then git can clone the repository:

~/terraform/git-test (main) > git config --global url."https://liamcervante:${GITHUB_TOKEN}@github.com".insteadOf "https://github.com"
~/terraform/git-test (main) > git clone https://github.com/liamcervante/test-terraform.git                                            
Cloning into 'test-terraform'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 3 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (3/3), done.
~/terraform/git-test (main) > 

This makes sense to me, as all Terraform is doing is calling git clone to fetch the module anyway.

Can you double check the local configuration works for you even outside of Terraform? Thanks!

[arongate]

Hi @liamcervante ,

I checked and you're right. I think this is more related to git client config handling when cloning.

Sorry, I'll will close this issue then.

Thanks