Create RepoBot For TF Module Private Repos

1 minute read


In Gihub Actions, you have two main ways you can call multiple Terraform Module private repos at run time, I have only documented and tested two ways:

  • Using Deploy Keys as documented here
  • Using a Github App (this post)

Here I will show you how I used a Github App as it was much easier than people make it out to be.

To Resolve:

  1. First, you need to be an “Organizational Admin” to install Apps but you can be assigned an organizational ‘App Manager’ role that allows you to create applications, but not install them.

  2. Next, I created an app called repo-bot and only gave these permissions only at the “Repository” level:
    • Actions: Read and Write
    • Admin: Read-only
    • Contents: Read-only
    • Deployments: Read-only
    • Metadata: Read-only
    • Pull Requests: Read-only
    • Secrets: Read-only
    • Workflows: Read and Write
  3. I then generated a SSH Key Pair for the Github App and downloaded the private key portion PEM file to my machine.

  4. Next, in repo sic.mgmt, I uploaded the private key to the Actions Secret “REPO_BOT_PEM” and then created a workflow that will use it.

  5. The workflow uses a few actions that is an exact copy of this user’s comment I had saved when trying to set this up using SSH keys.

    • Note: Since our organization does not allow you to use third party actions, what you have to do is go a tag for an action, download it, and upload it into your own repo ( only AFTER reading the code and understanding it of course!) so that is what I did for getsentry/action-github-app-token.

    • NOTE: The App Id is NOT the client id, it is the literal App ID in Github Apps.

  6. I ran the workflow and got an error about Cannot read properties of undefined (reading 'id') . Thankfully there was a Github Issue for this action that told me exactly what I needed to do => Install the Github App to the repo. Thankfully, in Github organizations, you can install to specific repos instead of installing across all repos in the organization, so I was able to install just my Terraform module repos.

  7. NOTE: When using this method, all module calls look like "" , you don’t have to replace anything with special host names like with deploy keys.

  8. Next, I re-ran the same exact workflow and it worked perfectly!