How-To: Pull Terraform modules from private git repositories

Learn how to setup your Radius environment to pull Terraform Recipe templates from a private git repository.

This how-to guide will describe how to:

  • Configure a Radius Environment to be able to pull Terraform Recipe templates from a private git repository.

Prerequisites

Before you get started, you’ll need to make sure you have the following tools and resources:

Step 1: Create a personal access token

Create a personal access token, this can be from GitHub, GitLab, Azure DevOps, or any other Git platform.

The PAT should have access to read the files inside the specific private repository.

Step 2: Define a secret store resource

Configure a Radius Secret Store with the personal access token or username + password you previously created, which has access to your private git repository. Define the namespace for the cluster that will contain your Kubernetes Secret with the resource property.

While this example shows a Radius-managed secret store where Radius creates the underlying secrets infrastructure, you can also bring your own existing secrets. Refer to the secrets documentation for more information.

Create a Bicep file env.bicep, import Radius, and define your resource:

extension radius

@description('Required value, refers to the personal access token or password of the git platform')
@secure()
param pat string

resource secretStoreGit 'Applications.Core/secretStores@2023-10-01-preview' = {
  name: 'my-git-secret-store'
  properties: {
    resource: 'my-secret-namespace/github'
    type: 'generic'
    data: {
      pat: {
        value: pat 
      }
    }
  }
}

The property pat is required and refers to your personal access token or password, while username is optional and refers to a username, if your git platform requires one.

Step 3: Configure Terraform Recipe git authentication

recipeConfig allows you to configure how Recipes should be setup and run. One available option is to specify git credentials for pulling Terraform Recipes from git sources. For more information refer to the Radius Environment schema page.

In your env.bicep file add an Environment resource, along with Recipe configuration which leverages the previously defined secret store for git authentication.

resource env 'Applications.Core/environments@2023-10-01-preview' = {
  name: 'my-env'
  properties: {
    compute: {
      kind: 'kubernetes'
      namespace: 'my-namespace'
    }
    recipeConfig: {
      terraform: {
        authentication: {
          git: {
            pat: {
              // The hostname of your git platform, such as 'dev.azure.com' or 'github.com'
              'github.com':{
                secret: secretStoreGit.id
              }
            }
          }
        }
      }
    }
  }
}

Step 4: Add a Terraform Recipe

Update your Environment with a Terraform Recipe, pointing to your private git repository. Note that your templatePath should contain a git:: prefix, per the Terraform module documentation.

resource env 'Applications.Core/environments@2023-10-01-preview' = {
  name: 'my-env'
  properties: {
    compute: {
      kind: 'kubernetes'
      namespace: 'my-namespace'
    }
    recipeConfig: {
      terraform: {
        authentication: {
          git: {
            pat: {
              // The hostname of your git platform, such as 'dev.azure.com' or 'github.com'
              'github.com':{
                secret: secretStoreGit.id
              }
            }
          }
        }
      }
    }
    recipes: {
      'Applications.Datastores/redisCaches': {
        default: {
          templateKind: 'terraform'
          // Git template path
          templatePath:'git::https://github.com/my-org/my-repo'
        }
      }
    }
  }
}

Step 5: Deploy your Radius Environment

Deploy your new Radius Environment:

rad deploy ./env.bicep -p pat=******

Done

Your Radius Environment is now ready to utilize your Radius Recipes stored inside your private registry. For more information on Radius Recipes visit the Recipes overview page.

Cleanup

You can delete a Radius Environment by running the following command:

rad env delete my-env

Further reading