» Configuring Bitbucket Server/Data Center Access

These instructions are for using Bitbucket Server for Terraform Cloud's VCS features.

These instructions also apply to Bitbucket Data Center, which is a variant of Bitbucket Server that supports clustering. Terraform Cloud treats these two products identically, and Bitbucket Data Center users will select Bitbucket Server as their VCS Provider type. Unless stated otherwise, any reference to Bitbucket Server in this document also applies to Bitbucket Data Center.

Configuring a new VCS provider requires permission to manage VCS settings for the organization. (More about permissions.)

Bitbucket Cloud has separate instructions, as do the other supported VCS providers.

Note that Bitbucket Server requires both OAuth authentication and an SSH key, both of which are covered in the instructions below.

» Before You Begin: Determine Your Bitbucket Server Version

Terraform Cloud requires support for the delivery of webhooks to perform many operations, including tracking newly available configuration versions. When using Bitbucket Server version 5.3 or below (deprecated), Atlassian's webhooks plugin is required to be configured on Bitbucket Server. If using version 5.4 or above, no plugin is required, as webhooks are supported natively.

  1. Open your Bitbucket server instance in your browser and log in as an admin user.
  2. In the footer of every page is a reference to the instance's current version. If your version is greater than v5.4.0, you may skip all remaining steps in this section.
  3. Go to the "Manage add-ons" page. You can click the gear icon in the upper right corner and then use the "Manage add-ons" link in the sidebar, or go directly to https://<BITBUCKET INSTANCE HOSTNAME>/plugins/servlet/upm.
  4. Look for an add-on named "Web Post Hooks for Bitbucket Server", and make sure it is installed and enabled. The plugin is disabled by default. Clicking Enabled will toggle the plugin on.
  5. If the plugin isn't present, click "Find new add-ons" in the sidebar navigation. Search for the plugin by name and install it.

    Make sure to install the correct plugin. Terraform Cloud is designed to work with Web Post Hooks for Bitbucket Server by Atlassian .

    Atlassian Marketplace screenshot: the Web Post Hooks for Bitbucket Server plugin, published by Atlassian

  6. Visit the repository's settings, click on Hooks and check that the plugin is enabled there as well.

There is an option to configure a webhook URL on the plugin. Leave this optional field blank. Terraform Cloud will dynamically update the webhook URL after the VCS connection is established.

Leave the page open in a browser tab, and remain logged in as an admin user.

» Step 1: On Terraform Cloud, Begin Adding a New VCS Provider

  1. Open Terraform Cloud in your browser and navigate to the "VCS Provider" settings for your organization. Click the "Add VCS Provider" button.

    If you just created your organization, you might already be on this page. Otherwise:

    1. Make sure the upper-left organization menu currently shows your organization.
    2. Click the "Settings" link at the top of the page (or within the ☰ menu)
    3. On the next page, click "VCS Providers" in the left sidebar.
    4. Click the "Add VCS Provider" button.
  2. The next page has several steps to guide you through adding a new VCS provider. Select "Bitbucket" then select "Bitbucket Server" from the dropdown.

  3. (Optional) Enter a Name for this VCS connection.

  4. Enter the URL of your Bitbucket Server instance in the HTTP URL and API URL fields.

    If your Bitbucket Server instance does not have a context path set, the API URL should be the same as the HTTP URL.

    If your Bitbucket Server instance has a context path set:

    1. Set the HTTP URL to the URL of your Bitbucket Server instance with the context path included, https://<BITBUCKET INSTANCE HOSTNAME>/<CONTEXT PATH>.
    2. Set the API URL to the URL of your Bitbucket Server instance without the context path, https://<BITBUCKET INSTANCE HOSTNAME>.

    Terraform Cloud screenshot: text fields for adding a Bitbucket Server VCS provider

  5. Click "Create VCS Provider." This will take you back to the VCS Provider page, which now includes your new Bitbucket Server client.

  6. Leave this page open in a browser tab. In the next step, you will copy and paste the unique Consumer Key and Public Key.

    Terraform Cloud screenshot: Consumer key and public key

  1. While logged in as an admin user, go to Bitbucket Server's "Application Links" administration page. You can use the sidebar navigation in the admin pages, or go directly to https://<BITBUCKET INSTANCE HOSTNAME>/plugins/servlet/applinks/listApplicationLinks.

    This page has a text field for creating a new application link, followed by a list of existing application links.

    Bitbucket Server screenshot: The application links page

  2. Enter Terraform Cloud's URL in the text field (https://app.terraform.io, or the hostname of your Terraform Enterprise instance) and click the "Create new link" button.

  3. In the "Configure application URL" dialog, confirm that you wish to use the URL exactly as you entered it. If you used Terraform Cloud's main URL, click "Continue;" if you used an organization URL, click the "Use this URL" checkbox and then click "Continue."

    Bitbucket Server screenshot: confirming main URL Bitbucket Server screenshot: confirming organization URL

  4. In the "Link applications" dialog, fill out the form fields as follows:

    Field Value
    Application Name (text) Terraform Cloud (<ORG NAME>)
    Application Type (drop-down) Generic Application
    Create incoming link (checkbox) ✔️ (enabled)

    Leave all the other fields blank, and click "Continue."

    Bitbucket Server screenshot: filling the first page of the link applications form

  5. This takes you to another dialog, also titled "Link applications," with three text fields. In the "Consumer Key" and "Public Key" fields, copy and paste the values from step 1. In the "Consumer Name" field, enter "Terraform Cloud (<ORG NAME>)." Click "Continue." This takes you to a page on your Bitbucket Server instance, asking if you want to authorize Terraform Cloud. Double-check that you're logged in as the user account Terraform Cloud will be using, and not as a Bitbucket administrator.

    Bitbucket Server screenshot: the authorization page

    If this results in a 500 error, it usually means Terraform Cloud was unable to reach your Bitbucket Server instance.

  6. Click the "Allow" button. This returns you to Terraform Cloud to enter a SSH key.

» Step 3: On Workstation: Create an SSH Key for Terraform Cloud

On a secure workstation, create an SSH keypair that Terraform Cloud can use to connect to Bitbucket Server. The exact command depends on your OS, but is usually something like ssh-keygen -t rsa -m PEM -f "/Users/<NAME>/.ssh/service_terraform" -C "service_terraform_enterprise". This creates a service_terraform file with the private key, and a service_terraform.pub file with the public key.

This SSH key must have an empty passphrase. Terraform Cloud cannot use SSH keys that require a passphrase.

» Important Notes

  • Do not use your personal SSH key to connect Terraform Cloud and Bitbucket Server; generate a new one or use an existing key reserved for service access.
  • In the following steps, you must provide Terraform Cloud with the private key. Although Terraform Cloud does not display the text of the key to users after it is entered, it retains it and will use it for authenticating to Bitbucket Server.
  • Protect this private key carefully. It can push code to the repositories you use to manage your infrastructure. Take note of your organization's policies for protecting important credentials and be sure to follow them.

» Step 4: On Bitbucket Server, Switch Users and Add an SSH Key

  1. If you are still logged in to Bitbucket Server as an administrator, log out now.
  2. Log in as whichever account you want Terraform Cloud to act as. For most organizations this should be a dedicated service user, but a personal account will also work.

  3. Go to the "SSH keys" page. You can click the profile icon in the upper right corner, choose "Manage account," then click "SSH keys" in the sidebar navigation, or you can go directly to https://<BITBUCKET INSTANCE HOSTNAME>/plugins/servlet/ssh/account/keys.

    Bitbucket Server screenshot: the SSH keys page

  4. Click the "Add key" button. Paste the text of the SSH public key you created in step 4 (from the .pub file) into the text field, then click the "Add key" button to confirm.

» Step 5: On Terraform Cloud, Request Access and Add an SSH Private Key

  1. Click the "Add a private SSH key" link. A large text field will appear. Paste the text of the SSH private key you created in step 3, and click the "Add SSH Key" button.

    Terraform Cloud screenshot: Pasting an SSH private key

» Finished

At this point, Bitbucket Server access for Terraform Cloud is fully configured, and you can create Terraform workspaces based on your organization's shared repositories.