You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
tchupp opened this issue
Nov 17, 2021
· 2 comments
Labels
backend/remotebugcloudRelated to Terraform Cloud's integration with Terraformnewnew issue not yet triagedv1.0Issues (primarily bugs) reported against v1.0 releasesv1.2Issues (primarily bugs) reported against v1.2 releases
When using Terraform Cloud as the backend in "local" mode, there is inconsistent behavior for non-sensitive variable resolution between terraform import and terraform plan.
I believe this is inconsistent behavior introduced by the interaction with Terraform Cloud. I don't think this behavior is caused by Terraform Cloud specifically.
Terraform Version
The most recent test was with v1.0.11, although this behavior has been present since at least v0.13.1.
$ terraform version
Terraform v1.0.11
on darwin_amd64
Terraform Configuration Files
I can provide some configuration here, but this behavior is present regardless of configuration files.
variable"aws_access_key" {
type =string
description ="visible in Terraform Cloud"
}
variable"aws_secret_key" {
type =string
description ="sensitive in Terraform Cloud"
}
provider"aws" {
access_key =var.aws_access_key
secret_key =var.aws_secret_key
}
terraform {
backend"remote" {
hostname ="app.terraform.io"
organization ="<org name>"workspaces {
name ="<workspace name>"
}
}
}
resource"aws_s3_bucket""the-bucket" {
bucket ="super-duper-unique-bucket-name"
}
Debug Output
TODO
Expected Behavior
My expectation is that terraform import should use the same variables as terraform plan when the Terraform Cloud workspace is set to "Local".
Actual Behavior
terraform import pulls non-sensitive variables from Terraform Cloud, where terraform plan only uses locally defined variables.
Steps to Reproduce
create a workspace in Terraform Cloud with the mode "remote"
add a non-sensitive variable. If using the example above, you'll see the most obvious result by putting incorrect AWS credentials as the variables in Terraform Cloud.
change the Terraform Cloud workspace to "local"
on your computer, create a local.auto.tfvars file with the same variable name you have remote, but with correct AWS credentials
run a terraform plan locally, see that the plan uses the value from local.auto.tfvars
run a terraform import locally, see that the import uses the value from Terraform Cloud
Additional Context
Terraform is running directly from my CLI. Commands are exactly terraform plan and terraform import '<address>' '<id>'
References
I couldn't find any other open issues with similar issues.
When debugging locally, I can see the variables are correctly set after the c.collectVariableValues() step here
But during the local.LocalRun(..)here it grabs the remote variables here and overrides existing local variables here
The text was updated successfully, but these errors were encountered:
Thank you for this good writeup. I experienced the same issue today as well with Terraform CLI v1.2.4 backed by Terraform Cloud... but using remote execution mode.
I'm really surprised this ticket doesn't have more traction...
backend/remotebugcloudRelated to Terraform Cloud's integration with Terraformnewnew issue not yet triagedv1.0Issues (primarily bugs) reported against v1.0 releasesv1.2Issues (primarily bugs) reported against v1.2 releases
Summary
When using Terraform Cloud as the backend in "local" mode, there is inconsistent behavior for non-sensitive variable resolution between
terraform import
andterraform plan
.I believe this is inconsistent behavior introduced by the interaction with Terraform Cloud. I don't think this behavior is caused by Terraform Cloud specifically.
Terraform Version
The most recent test was with v1.0.11, although this behavior has been present since at least v0.13.1.
Terraform Configuration Files
I can provide some configuration here, but this behavior is present regardless of configuration files.
Debug Output
TODO
Expected Behavior
My expectation is that
terraform import
should use the same variables asterraform plan
when the Terraform Cloud workspace is set to "Local".Actual Behavior
terraform import
pulls non-sensitive variables from Terraform Cloud, whereterraform plan
only uses locally defined variables.Steps to Reproduce
local.auto.tfvars
file with the same variable name you have remote, but with correct AWS credentialsterraform plan
locally, see that the plan uses the value fromlocal.auto.tfvars
terraform import
locally, see that the import uses the value from Terraform CloudAdditional Context
Terraform is running directly from my CLI. Commands are exactly
terraform plan
andterraform import '<address>' '<id>'
References
I couldn't find any other open issues with similar issues.
Investigation
It seems this step in the import workflow isn't necessary when the backend is a Terraform Cloud workspace set to "Local" execution: https://github.com/hashicorp/terraform/blob/v1.1.0-beta1/internal/backend/remote/backend_context.go#L95
When debugging locally, I can see the variables are correctly set after the
c.collectVariableValues()
step hereBut during the
local.LocalRun(..)
here it grabs the remote variables here and overrides existing local variables hereThe text was updated successfully, but these errors were encountered: