Automating VM Creation with Terraform and Cloning a Private GitHub Repository via SSH


The process I want to automate with Terraform is given, at a high level, by the following 2 steps:

  • Creating a VM in the Hetzner cloud provider.
  • Clone via SSH a private GitHub repository, inside the VM, using cloud-init.

What I have so far is the following Terraform snippet:
terraform {
  required_providers {
    hcloud = {
      source  = "hetznercloud/hcloud"
      version = "~> 1.42.1"
    }
    # Needed for the template_file data source below (this provider is deprecated;
    # file() or templatefile() would do the same job without it)
    template = {
      source  = "hashicorp/template"
      version = "~> 2.2"
    }
  }
}

variable "HETZNER_API_KEY" {
  description = "API key for Hetzner cloud provider"
  type        = string
  sensitive   = true
}

# Configure the Hetzner Cloud Provider
provider "hcloud" {
  token = var.HETZNER_API_KEY # You need to define an environment variable called TF_VAR_HETZNER_API_KEY
}

# Read the cloud-init configuration that runs on first boot
data "template_file" "user_data" {
  template = file("cloud-init.yaml")
}

# Create a server
resource "hcloud_server" "costprediction" {
  name        = "costprediction"
  image       = "docker-ce"
  server_type = "cx21"
  location    = "fsn1"
  user_data   = data.template_file.user_data.rendered
  public_net {
    ipv4_enabled = true
    ipv6_enabled = true
  }
  ssh_keys = [hcloud_ssh_key.cost_prediction_ssh.id]
}

# Register my local public key so I can SSH into the server
resource "hcloud_ssh_key" "cost_prediction_ssh" {
  name       = "cost_prediction_ssh"
  public_key = file("~/.ssh/id_ed25519.pub")
}

The idea is that the initialization script of cloud-init.yaml is in charge of cloning the private repository. The problem is that, obviously, when creating an instance from scratch, it doesn't have permissions to connect to GitHub via SSH, so I can't clone the repository automatically on initialization. I understand that this is a fairly typical case, but I find it strange that I have not been able to find information about it. My thoughts would go for:

  • Create an SSH key pair on the VM and somehow, perhaps using the GitHub API, add the public key dynamically to the account, then clone the repository.
  • Add a public key to GitHub beforehand and, using Terraform, install the matching private key on the VM after its creation (I don't know if this is possible).

Does anyone know if there is a standard way to approach this problem?

Clone via SSH a private GitHub repository, inside the VM, using cloud-init.

There is a test in the cloud-init codebase that clones a private repo using GitHub Deploy Keys.

It does a bunch of other stuff that you don't necessarily want too, so you don't want to copy verbatim. It sounds like you want to write a cloud-config that:

  1. drops a deploy key on the instance using the write_files module (see the aforementioned example)
  2. in the runcmd module, includes a git clone <url>
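The two steps above, wired into the asker's Terraform setup, as an added example (not the answerer's code, not the cloud-init test it mentions, and not the asker's own snippet). It assumes a read-only Deploy Key has already been created on the GitHub repository and that its private half is supplied through TF_VAR_github_deploy_key; the variable names, the repository URL and the host-key variable are assumptions. The hcloud_ssh_key resource referenced at the end is the one from the question.

```hcl
# Added example: render the cloud-config in Terraform instead of a static file so the
# deploy key never has to be committed next to the .tf files. Names are assumptions.

variable "github_deploy_key" {
  description = "Private half of a read-only GitHub Deploy Key for the target repo (OpenSSH format, set via TF_VAR_github_deploy_key)"
  type        = string
  sensitive   = true
}

variable "github_host_key" {
  description = "github.com SSH host public key (e.g. 'ssh-ed25519 AAAA...'), copied from GitHub's published host key fingerprints; pinned so the clone never trusts an unverified host"
  type        = string
}

variable "repo_ssh_url" {
  description = "SSH clone URL of the private repository"
  type        = string
  default     = "git@github.com:example-org/example-repo.git" # placeholder, not a real repo
}

locals {
  # write_files drops the key (0600, root-only) plus a pinned known_hosts entry and an
  # ssh config that forces that key; runcmd installs git and performs the clone.
  # The key is base64-encoded so its newlines do not fight YAML indentation.
  cloud_config = <<-EOT
    #cloud-config
    packages:
      - git
    write_files:
      - path: /root/.ssh/github_deploy_key
        owner: root:root
        permissions: "0600"
        encoding: b64
        content: ${base64encode(var.github_deploy_key)}
      - path: /root/.ssh/known_hosts
        owner: root:root
        permissions: "0644"
        append: true
        content: |
          github.com ${var.github_host_key}
      - path: /root/.ssh/config
        owner: root:root
        permissions: "0600"
        content: |
          Host github.com
            IdentityFile /root/.ssh/github_deploy_key
            IdentitiesOnly yes
            StrictHostKeyChecking yes
            UserKnownHostsFile /root/.ssh/known_hosts
    runcmd:
      - "GIT_SSH_COMMAND='ssh -F /root/.ssh/config' git clone ${var.repo_ssh_url} /opt/app"
  EOT
}

resource "hcloud_server" "costprediction" {
  name        = "costprediction"
  image       = "docker-ce"
  server_type = "cx21"
  location    = "fsn1"
  user_data   = local.cloud_config
  ssh_keys    = [hcloud_ssh_key.cost_prediction_ssh.id]
}
```

Two properties of this design are worth keeping in mind. The host key is pinned explicitly (StrictHostKeyChecking yes plus a known_hosts entry) rather than disabled, so a first-boot clone cannot be redirected to an impostor host. And anything placed in user_data is stored in the Terraform state and is retrievable on the instance itself from the cloud provider's metadata service, so the key must be a Deploy Key limited to read access on this one repository, never a personal account key; if the VM only needs the initial checkout, a final runcmd step that removes /root/.ssh/github_deploy_key shrinks the window further, at the cost of later git pulls.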