
Comments (9)

oliviermichaelis avatar oliviermichaelis commented on June 18, 2024

Hi @wortner, sorry for the late reply!

Which version of the boring-registry are you using? The latest release 0.7.0 or latest main?
What does your configuration look like? Could it be that you're using an API key within the registry, and therefore get the 403?

I'm using it like this with the latest main:

module "consul_example" {
  source = "localhost:5601/hashicorp/consul/aws"
  version = "0.11.0"
}

or

module "consul_example" {
  source = "boring-registry.example.com/hashicorp/consul/aws"
  version = "0.11.0"
}

behind a reverse proxy

In my case I'm using an API key, so I need to configure it in my .terraformrc:

credentials "boring-registry.example.com" {
  token = "secretToken"
}

from boring-registry.

wortner avatar wortner commented on June 18, 2024

Maybe the setup I am using is wrong. Using latest main.

  • running ./minio server registry
  • I have been able to upload to Minio my module
  • now I try to run boring-registry server --storage-s3-bucket=registry --storage-s3-pathstyle=true --storage-s3-endpoint=http://localhost:9000 --storage-s3-region=us-west-2 having AWS_DEFAULT_REGION, AWS_SECRET_ACCESS_KEY, AWS_ACCESS_KEY_ID set to service account created in minio GUI
  • running terraform init with localhost gives download not supported for scheme 'localhost'


oliviermichaelis avatar oliviermichaelis commented on June 18, 2024

Thanks!

The download not supported for scheme 'localhost' message suggests that the schema is not valid. To be honest, I haven't tested localhost out, as my setup is a little different.
I think I had this problem before as well. I needed a name with multiple dots:

Module "consul_example" (declared at main.tf line 3) has invalid source address "localhost:5601/hashicorp/consul/aws": invalid module registry hostname: must contain at least one dot.

Another problem is that with source = "127.0.0.1:5601/hashicorp/consul/aws", Terraform is using HTTPS, so you need to pass a valid certificate with --tls-cert-file=self-signed.crt and --tls-key-file=self-signed.key.

I'm using boring-registry behind a reverse proxy with a certificate from Let's Encrypt :)


wortner avatar wortner commented on June 18, 2024

It is taking so much time just to be able to run TF locally. Can you please elaborate more on how you set up your proxy?


oliviermichaelis avatar oliviermichaelis commented on June 18, 2024

I agree, Terraform registries are not really made to be run locally. In that case it's probably easier to use local paths.

Personally, I run boring-registry on Kubernetes behind ingress-nginx. cert-manager takes care of issuing a certificate from Let's Encrypt. I'm sure many other people run it in a similar way.

For local testing, I'm generating the certificates with:

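#!/usr/bin/env bash
set -eu
org=host.example.com
domain=host.example.com

# Remove a previously installed copy of the certificate from the OS trust store, if any
sudo trust anchor --remove self-signed.crt || true

# Generate an RSA private key and a self-signed certificate valid for 365 days.
# The x509_ext section appended to the default config adds the subjectAltName.
openssl genpkey -algorithm RSA -out self-signed.key
openssl req -x509 -key self-signed.key -out self-signed.crt \
    -subj "/CN=$domain/O=$org" \
    -days 365 \
    -config <(cat /etc/ssl/openssl.cnf - <<END
[ x509_ext ]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
subjectAltName = DNS:$domain
END
    ) -extensions x509_ext

# Install the new certificate as a trust anchor in the OS trust store
sudo trust anchor self-signed.crt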

This generates a self-signed certificate and loads it into the trust anchor of the operating system (Linux in my case) so that Terraform trusts the self-signed certificate. I then run boring-registry with:

boring-registry server \
--tls-cert-file=self-signed.crt \
--tls-key-file=self-signed.key \
--storage-s3-region=eu-east-1 \
--storage-s3-bucket=boring-registry-test \
--storage-s3-endpoint=https://minio.example.com \
--storage-s3-pathstyle=true

The Terraform module source is specified like this:

module "consul_example" {
  source = "host.example.com:5601/hashicorp/consul/aws"
  version = "0.11.0"
}

The example.com is my own domain in that case, and host.example.com resolves to the machine where boring-registry is running. Similarly, minio.example.com points to my MinIO installation. Hope that helps, let me know if you have any other questions.


wortner avatar wortner commented on June 18, 2024

I would be happy using just override files. But it is not possible to override just the source, the version is still merged in and local does not work with versions.


oliviermichaelis avatar oliviermichaelis commented on June 18, 2024

I'm not familiar with your use-case and the problem you're trying to solve. It sounds like you're in a complex situation, though. Not sure how I can help you here, unfortunately.


wortner avatar wortner commented on June 18, 2024

I'm getting some strange communication using the cert generated by your script. So far I will give up. Thanks for the valuable help.

│ Error: Failed to download module
│ 
│ Could not download module "firewall_rules_external" (external-rules_override.tf:1) source code from "https://host.example.com/azurerm/company/firewall-rules": error downloading 'https://host.example.com/azurerm/company/firewall-rules': Get
│ "https://host.example.com/azurerm/company/firewall-rules?terraform-get=1": dial tcp 182.78.122.11:443: connect: connection refused
╵

╷
│ Error: Failed to download module
│ 
│ Could not download module "firewall_rules_internal" (internal-rules_override.tf:1) source code from "https://host.example.com:5601/azurerm/company/firewall-rules": error downloading 'https://host.example.com:5601/azurerm/company/firewall-rules': Get
│ "https://host.example.com:5601/azurerm/company/firewall-rules?terraform-get=1": x509: certificate signed by unknown authority
╵


oliviermichaelis avatar oliviermichaelis commented on June 18, 2024

The dial tcp 182.78.122.11:443: connect: connection refused indicates that there is no port exposed or process listening on port 443. And x509: certificate signed by unknown authority indicates that Terraform is not able to find the certificate in the trusted store of the OS.

If you give up, feel free to close the issue. I'm glad you tried it. Best of luck!
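
A preflight check for the TLS failure modes discussed in this thread (key/certificate mismatch, hostname not in the certificate, and `x509: certificate signed by unknown authority`), as an added example that is not part of the original comments or of boring-registry. The function names `check_registry_cert` and `make_selfsigned`, the file names `tls.crt`/`tls.key`, and the idea of passing the trusted CA bundle as a file are assumptions made for the example.

```shell
#!/usr/bin/env bash
# usage: check_registry_cert CERT KEY HOSTNAME CA_BUNDLE
# CA_BUNDLE: PEM file assumed to hold the anchors the Terraform host trusts.
# Covers DNS hostnames only; an IP source such as 127.0.0.1 needs an IP SAN.
check_registry_cert() {
  local cert=$1 key=$2 host=$3 ca=$4 rc=0 cert_pub
  # 1. --tls-key-file must be the private key of --tls-cert-file.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
  if [ -n "$cert_pub" ] &&
     [ "$cert_pub" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
    echo "ok   key: private key matches certificate"
  else
    echo "FAIL key: private key does not match certificate"; rc=1
  fi
  # 2. Go's TLS stack (used by Terraform) matches the hostname against
  #    subjectAltName only, so require a DNS SAN before relying on -checkhost.
  if openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'DNS:' &&
     openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
       grep -q 'does match'; then
    echo "ok   san: $host is covered by subjectAltName"
  else
    echo "FAIL san: $host is not covered by subjectAltName"; rc=1
  fi
  # 3. The certificate must chain to an anchor the client trusts; otherwise
  #    Terraform reports "x509: certificate signed by unknown authority".
  if openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'; then
    echo "ok   trust: certificate chains to an anchor in $ca"
  else
    echo "FAIL trust: no anchor for this certificate in $ca"; rc=1
  fi
  return "$rc"
}

# Constructed sample input: throwaway self-signed cert for HOST in DIR, with
# the same basicConstraints and subjectAltName as the script in the thread.
make_selfsigned() {
  local dir=$1 host=$2
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ext' \
    'prompt=no' '[dn]' "CN=$host" '[ext]' \
    'basicConstraints=critical,CA:true' "subjectAltName=DNS:$host" \
    > "$dir/req.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
    -keyout "$dir/tls.key" -out "$dir/tls.crt" 2>/dev/null
}

# Run directly with four arguments to check existing files.
if [ "$#" -eq 4 ]; then check_registry_cert "$@"; fi
```

Each check prints one `ok` or `FAIL` line, and the function returns non-zero if any check fails, so it can gate a `terraform init` in a local test script.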
