New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
remote
backend does not allow imports with sensitive remote variables
#26494
Comments
@pkolyvas If this is considered an enhancement, is there a blessed workaround? We've migrated our team to Terraform Cloud for state management, but are still importing some legacy infrastructure, and this prevents us from doing so without some really dangerous, manual state modification. |
@Schoonology It surely is a bug. The only workaround possible without a code change is:
I've been pulling hairs for months after we switched to TFC and this above is the only thing that works. I tried many others things like setting default values locally, |
@pkolyvas As our TFC plans grew big, we can't use |
From what I see, this is not solved in |
I agree that this is a bug, not an enhancement. (But I guess maybe our definitions are different than Hashicorp's?) How are we supposed to import any existing infrastructure into TF cloud like this? Seems like it should just automatically override sensitive remote values with anything provided locally during import (unless there's a surprise TF Cloud import feature coming! Although I feel like this might also apply to other commands?) |
One alternative solution to at least provide a sensible workaround would be to allow us to mark a variable in TF cloud as "disabled" so that we don't have to delete and re-create the sensitive data (which is the most cumbersome part) |
At a minimum, we should be able to use the Using TF Cloud, the only way I've gotten around this is to:
This "worked", but it basically defeats the purpose of sensitive remote variables and the use of the cloud for locks and version control. Edit: I'm using terraform 0.14.4 |
@pkolyvas Respectfully, I think marking this as an The workarounds documented in this issue are not workable in a large team with many changes happening, as they bypass locks and version control. |
I got around this issue by doing the following:
|
I completely agree with @jbg, all of the workarounds we have tried on our team seem to be clunky at best. The import command needs to behave more like plan and apply in terms of how handles remote state and sensitive variables. Imports are key to working with larger infrastructure setups, and trying to migrate existing infrastructure to terraform. Marking this as a bug as opposed to an enhancement seems more appropriate. |
Another workaround from #26549 is to manually (and temporarily) replace all references to sensitive variables with the secret values directly. This is obviously dangerous but may have fewer moving parts than the suggestions above. Hard to see how this is not a bug due to unintended interactions of:
|
I faced the same issue, and the situation is grim. Due to all the checks If you're a paying customer is impossible to look at this as an enhancement, as is a major issue for one of the key flows for Terraform when migrating already existing infrastructure. Not only that, but sensitive Terraform variables and sensitive environment variables behave differently (cc @pkolyvas, as you removed the A workaround I found that is effective and simple: instead of using Terraform variables, use environment variables. From TFC is possible to set an environment variable as sensitive, and the So:
This workaround has worked reliably for me. I'm not particularly happy, as variables are more explicit and The great benefit is that there are no code changes or state management involved. Hope this helps and works for you too! PS: note that as the author highlights, using |
Is there any movement on this from terraform? This is an annoying bug indeed. I've currently got static overrides in files in a pycharm dont-commit list - but that is a security disaster waiting to happen. |
Agree with other posters - this definitely seems a bug and leaves Enterprises with hacky workarounds. A response from Hashicorp on this would be greatly appreciated. Cheers guys. |
I've just hit this - what a total PITA. We're a paying customer. I shall file a support ticket. |
Hello all, Terraform CLI Support Engineer here. Thanks for reaching out, Robin. I'd like to share what we discussed here for the benefit of the community. There are a few ways you can work around this situation. In my experience, the simplest is to change the way the provider is defined locally so that local credentials can be used, and the easiest way to do that is to make an override file. For example, consider importing an EIP, where the credentials for the AWS provider are given using sensitive variables in TFC / TFE:
Terraform import will fail, which is what is reported in this issue. To unobtrusively rewrite the provider block, create an override file:
Because configurations from overrides are merged, it's necessary to be explicit about unsetting the arguments by using This issue has high visibility internally and addressing it is a part of a larger effort. The Brent W. |
Heh, you beat me to it, @brenthc I can confirm that this approach worked for me. In my case, I am using the TFE provider, and have the following provider declaration:
I added an override file containing the following:
This allowed me to import the resources I wanted to import. Thanks again, Brent. |
Hi just wondering if there was any update on this? Quite annoying to have to override this as I have about 20 sensitive variables! |
Any update @brenthc ? This bug is a big nuisance in our move to Terraform :/ |
My team is also experiencing the same issue, any news on this? |
@phred-unity Are you on v1.1? It seems that things have changed since v1, but I didn't get a chance to test if the issue still exists in v1.1. |
yes the issue still exists in v1.1, tested on debian amd64. @nikolay |
Is there any ETA on this? This really convolutes the config that we cannot just override the variabel when running import locally. |
Thanks for adding your v1.1 experience to this issue. The team is investigating, however there is no targeted release version for a change at this time. When that changes, we'll let you know on this issue thread. Thanks! |
the issue still remains with |
@philippeboyd I haven't tried it as we, but this is saddening! |
Due to this bug we migrated away from Terraform Cloud, would recommend that others do the same. It's one thing to kneecap your product like this, but it's another thing to ignore the feedback for 1.5 years. |
There's a few things I should clarify about this as there's multiple issues being conflated. The good news is, I think they're all solved!
Hopefully that helps. |
@crw @brenthc I'm running into this issue as well, currently using Terraform v1.1.9. Curious if there are any updates from your side? I've upgraded to the (e.g. The values I have in Updated: Oops, according to this Changelog entry, this fix is coming in 1.2.0? |
@case That is my understanding as well, based on the comments in the associated PR (#29972). Although 1.2 is not yet at a production-ready release state, you should be able to experiment with this in the latest beta release. See: https://releases.hashicorp.com/terraform/ |
Using the secret cloud env as the fallback, allowed local imports to work for me (gcp.key is not in the repo)
|
Can confirm upgrading my tf version to 1.2.5 (latest at this time) fixed this error. |
Just to clarify to get |
Current Terraform Version
Terraform Configuration Files
Debug Output
Note: Same logs for all attempts:
sensitive.auto.tfvars
with the appropriate values - Ignored-var
and-var-file
arguments - IgnoredTF_VAR_
environment variables - IgnoredCLICK ME
Expected Behavior
Actual Behavior
Steps to Reproduce
Additional Context
Support for reading remote backend variables for local operations was added in Terraform 0.12.13.
Variables marked as sensitive in TFE cannot have their values retrieved via the API. So for a local operation such as import, the variables are set with empty or null placeholder values so that some kinds of local operations can succeed.
However, there's currently not a way to overwrite these null/empty placeholder values with the standard CLI options (eg.
-var
,-var-file
,TF_VAR_
env setting)Relevant code:
terraform/backend/remote/backend_context.go
Line 212 in bad0adb
8f27409
References
Related issue from the TFE Provider:
The text was updated successfully, but these errors were encountered: