AzBuilder / terrakube

Open source IaC Automation and Collaboration Software.
https://docs.terrakube.io
Apache License 2.0

Unable to load remote states in 2.23.1 #1360

Closed adamlc closed 1 month ago

adamlc commented 1 month ago

Bug description 🐞

When trying to use terraform_remote_state resource it no longer works and errors with the following:

Error: Error downloading state: 403 Forbidden

Error: data.terraform_remote_state.****: Unable to read remote state

Nothing particularly useful in the executor or API logs. I have made sure my team has the new manage state permission. Not sure if it's related!

Steps to reproduce

Reference a state from another workspace and run a plan

Expected behavior

No response

Example repository

No response

Anything else?

No response

alfespa17 commented 1 month ago

Hello @adamlc, quick question: are you using remote or local execution?

adamlc commented 1 month ago

Remote :)

alfespa17 commented 1 month ago

Local execution is working correctly:


user@pop-os:~/git/simple-terraform/shared-state$ terraform plan
╷
│ Warning: Provider development overrides are in effect
│ 
│ The following provider development overrides are set in the CLI
│ configuration:
│  - alfespa17/terrakube in /home/user/go/bin
│ 
│ Provider development overrides are only configured locally and the remote
│ operation won't be affected by them
╵
Acquiring state lock. This may take a few moments...
data.terraform_remote_state.remote_creation_time: Reading...
data.terraform_remote_state.remote_creation_time: Still reading... [10s elapsed]
data.terraform_remote_state.remote_creation_time: Read complete after 11s

Terraform used the selected providers to generate the following execution plan.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # null_resource.next will be created
  + resource "null_resource" "next" {
      + id = (known after apply)
    }

  # null_resource.previous will be created
  + resource "null_resource" "previous" {
      + id = (known after apply)
    }

  # time_sleep.wait_30_seconds will be created
  + resource "time_sleep" "wait_30_seconds" {
      + create_duration = "2m"
      + id              = (known after apply)
    }

Plan: 3 to add, 0 to change, 0 to destroy.

───────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.
Releasing state lock. This may take a few moments...

I think the issue might be when the executor is trying to get the current workspace state in this line when using the remote execution mode:

https://github.com/AzBuilder/terrakube/blob/36c1537dd8bb112025f8b05515312e8d1cb1b009/api/src/main/java/org/terrakube/api/plugin/storage/controller/TerraformStateController.java#L72

Because the function that validates the manage state permission is not validating correctly when the executor is calling the API to download the state:

https://github.com/AzBuilder/terrakube/blob/36c1537dd8bb112025f8b05515312e8d1cb1b009/api/src/main/java/org/terrakube/api/plugin/security/state/StateService.java#L18

I will do some tests today and I will add the missing validation.
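
A minimal model of the failure mode described in the comment above, added here as an example; it is not Terrakube's code or its actual fix. The caller kinds, workspace and team names, the organization scoping of the executor, and all method names are assumptions made for illustration.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

// Hypothetical model of a state-download permission check. All names and data
// here are constructed for illustration; none come from Terrakube's code.
public class StateAccessExample {

    enum Kind { USER, EXECUTOR }

    // A user carries team memberships; the executor carries the organization of the job it runs.
    record Caller(Kind kind, String organization, Set<String> teams) {}

    record Workspace(String organization, Set<String> manageStateTeams) {}

    // Constructed sample data: which teams hold "manage state" on each workspace.
    static final Map<String, Workspace> WORKSPACES = Map.of(
            "network", new Workspace("acme", Set.of("platform")),
            "billing", new Workspace("other-org", Set.of("finance")));

    // Before: only team permissions are consulted. The executor has no teams,
    // so its state download is always denied (the API would answer 403).
    static boolean canDownloadBefore(Caller c, String workspaceName) {
        Workspace ws = WORKSPACES.get(workspaceName);
        return ws != null && c.teams().stream().anyMatch(ws.manageStateTeams()::contains);
    }

    // After: the executor identity gets its own branch, limited to the
    // organization of its job; users still need the manage state permission.
    static boolean canDownloadAfter(Caller c, String workspaceName) {
        Workspace ws = WORKSPACES.get(workspaceName);
        if (ws == null) return false; // unknown workspace: deny by default
        if (c.kind() == Kind.EXECUTOR) return ws.organization().equals(c.organization());
        return c.teams().stream().anyMatch(ws.manageStateTeams()::contains);
    }

    public static void main(String[] args) {
        List<Caller> callers = List.of(
                new Caller(Kind.USER, "acme", Set.of("platform")),
                new Caller(Kind.USER, "acme", Set.of("developers")),
                new Caller(Kind.EXECUTOR, "acme", Set.of()));
        // Print the decision matrix so a permission change can be checked per caller kind.
        for (Caller c : callers)
            for (String ws : List.of("network", "billing"))
                System.out.printf("%-8s teams=%-12s %-8s before=%-5b after=%b%n",
                        c.kind(), c.teams(), ws, canDownloadBefore(c, ws), canDownloadAfter(c, ws));
    }
}
```

Running the matrix for every caller kind, including the service identity, is the check that catches a new permission gate breaking the internal path while still denying users without the permission.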

alfespa17 commented 1 month ago

@adamlc this should be fixed in version 2.23.2

adamlc commented 1 month ago

@alfespa17 I can confirm this is fixed. Thank you once again for the quick turnaround, you guys are awesome :D