Terragrunt for Beginners
Terragrunt Modules
Sourcing a Module From a Git Repository
In this guide, you’ll learn how to reference Terraform modules hosted in a private Git repository (GitHub, GitLab, Bitbucket, etc.) and manage authentication securely. By the end, you’ll be able to pin module versions for reproducible Terraform runs.
Prerequisites
- A Terraform module stored in a private Git repository
- Credentials configured in your local environment (HTTPS token or SSH key)
- Terraform CLI installed on your workstation
Authentication Methods
Choose one of the following authentication options to securely fetch private modules:
Method | Description | Setup Commands |
---|---|---|
HTTPS + Personal Access Token | Use a PAT stored in an environment variable. | bash<br>export GIT_TOKEN="your_token_here"<br> <br>Configure ~/.netrc or a Git credential helper. |
SSH Keys | Authenticate via your SSH keypair. | bash<br>eval "$(ssh-agent -s)"<br>ssh-add ~/.ssh/id_rsa<br> <br>Add your public key to your Git provider. |
Note
Avoid hard-coding tokens or keys in your .tf
files. Instead, use environment variables, ~/.netrc
, or a Git credential helper.
Referencing a Module in Terraform
Insert one of the following snippets into your main.tf
. Replace <org>
, <repo>
, and modules/my_module
with your repository and path.
HTTPS Example
module "my_module" {
source = "git::https://<username>:${var.GIT_TOKEN}@github.com/<org>/<repo>.git//modules/my_module?ref=v1.0.0"
# Module inputs
example_var = "foo"
}
SSH Example
module "my_module" {
source = "git::ssh://[email protected]/<org>/<repo>.git//modules/my_module?ref=v1.0.0"
# Module inputs
example_var = "foo"
}
- The double slash (
//modules/my_module
) specifies the subdirectory within the repository. - The
?ref=v1.0.0
suffix pins the module to a tag, branch, or commit.
Warning
Embedding credentials in URLs can expose sensitive data if your configuration is shared. Use variables and environment-based authentication whenever possible.
Initializing and Updating Modules
- Initialize Terraform and download referenced modules:
terraform init
- After updating the remote module, refresh your local cache:
terraform get -update
- Review and apply your changes:
terraform apply
Best Practices
- Always pin module sources with
?ref=
to ensure reproducibility. - Store API tokens and SSH keys outside of version control.
- Test module updates in a non-production workspace before rolling out.
Links and References
Watch Video
Watch video content